Brand Monitor
Real-time Certificate Transparency monitoring — how matching, scoring, enrichment, and AI verification work together.
Brand Monitor watches public Certificate Transparency (CT) logs for domains that contain — or nearly contain — your brand. To host a convincing phishing page an attacker essentially has to provision a TLS certificate, and every issued certificate lands in public, append-only CT logs within seconds. DomainRadar streams those logs continuously across the full set of usable CT logs, so a lookalike domain is flagged around the moment it gets its certificate — typically before the phishing page ever ships.
The pipeline, end to end
- Match. Every certificate's domains are tested against your enabled watchers' keywords — two match types, allowlist respected, duplicates suppressed.
- Record. A match becomes a hit: domain, keyword, match reason, certificate issuer, CT log, all domains on the certificate — plus an initial risk score.
- Enrich. For registrable domains, a full domain check runs automatically at high queue priority; the hit gains the registration date and the score adjusts (a domain registered in the last few days is a classic phishing signal).
- AI-verify (optional per watcher). DomainRadar visits the domain and has an AI judge the page: impersonation or coincidence, with risk level, indicators, and reasoning. If the page isn't live yet — common right after cert issuance — the check retries hourly for up to 48 hours until the site appears.
- Notify. If the final score meets the watcher's threshold, an alert email goes out (Configure alerts).
Everything is recorded regardless of notification — low-score hits sit in Detections for retrospective review.
How matching works
Two match types, shown on every hit as its match reason:
substring— the keyword appears verbatim in the domain (norcube-login.com,mynorcube.app). Case-insensitive.fuzzy— the domain contains something one edit away from your keyword (norcbue,n0rcube-style single substitutions, transpositions): Damerau–Levenshtein distance 1. Fuzzy matching only applies to keywords of five or more characters — shorter keywords would drown you in noise.
The allowlist on each watcher suppresses exact domains you already
own or trust, so norcube.com's own certificate renewals never page
anyone.
Risk scoring
Every hit carries a score from 0–100, built up in layers:
| Signal | Effect |
|---|---|
| Base | Every match starts with a small base score. |
| Exact substring match | Adds more than a fuzzy match — verbatim brand use is the stronger signal. |
| Free/low-friction certificate issuer | Adds — throwaway phishing infrastructure clusters on free CAs. |
Free hosting platforms (pages.dev, vercel.app, …) | Adds strongly — classic phishing hosting. |
| Registered within the last 7 days (from enrichment) | Adds — fresh registrations are disproportionately malicious. |
| No registrar data found (from enrichment) | Adds slightly. |
| AI verdict (if enabled) | High risk + confirmed impersonation adds the most of any single signal; medium adds a little; low adds nothing. |
The score maps to a level — low / medium / high — used for the badges and icon colours in Detections. Each watcher's minimum notification score (default 30) decides what's worth an email; the rest stays visible in the dashboard.
Optional AI content check
Enable AI content check per watcher and every hit gets a page-level verdict: DomainRadar fetches the site, extracts the visible content, and the AI returns a risk level, a brand impersonation yes/no, the indicators it saw ("Fake login form", "Credential harvesting"), and its reasoning — all shown on the hit and included in alert emails.
It costs per check (metered as AI content checks), and it's the single best lever against false-positive alerts on common-word keywords.
Behaviour and edge cases
- Watchers act forward, not backward. A new watcher starts matching new certificates within about half a minute; it doesn't scan historical CT logs.
- Duplicate suppression: the same certificate is never processed twice, and the same domain doesn't produce another hit for the same watcher within 24 hours. A certificate renewal months later is a new certificate and can produce a fresh hit — a reminder the domain is still active, not a bug.
- Deleting a watcher deletes all its hits. Disabling it just stops matching, history intact.
- Billing: enabled watchers are metered while active; AI content checks per run. Reviewing hits in the dashboard is free. Rates: pricing.
Related
- Set up Brand Monitor — create and tune a watcher.
- Watchers and hits — every field on both, and the Detections triage flow.
- Configure alerts — emails, thresholds, and noise control.