Most brand-protection tools are graded on how many domains they surface. We're graded on the opposite: how few false alarms reach you, and how fast a confirmed impersonation is taken offline. This page documents how the system works and the metrics we report — so the moat is something you can inspect, not just a claim.
How we detect
Detection is passive. We never probe your systems or anyone else's; we watch the public signals where impersonation surfaces first:
- Certificate Transparency logs — every new TLS certificate naming your brand, often logged within minutes of issuance, before a phishing site is weaponized.
- DNS and domain registrations — newly registered and newly resolving lookalikes, including parked domains turning live and mail-capable (
MX) impostors. - Permutation generation — typosquats, homoglyph/IDN confusables, TLD swaps, combosquats, and bitsquats derived from your brand and keywords.
Active scanning runs only against assets you've attested you own. That line stays bright.
How we attribute
A list of domains that contain your name is noise. The work is deciding which ones are actually impersonating you, and being able to defend that decision.
Every candidate gets a risk score (0–100) and an impersonation confidence — High, Medium, or Low — with the full rule trace attached. You see why something was flagged: the confusable-skeleton match, the live host, the mail record, the certificate, the registration age. The same defensible trail goes to the registrar reading your abuse report.
How we suppress false positives
This is the actual product. Anyone can generate permutations; the hard part is removing the large majority of matches that are harmless — your own infrastructure, partners and resellers, affiliates, CDNs, parked noise. We do it with:
- Allowlisting of your and your partners' domains.
- Infrastructure de-weighting for shared hosts and CDNs.
- Liveness and capability signals — a registered-but-dark domain is not the same threat as one with a live login page and active mail.
- Decay of dead and dormant candidates over time.
A finding only reaches you once it has survived suppression and scoring. Alert volume is not the goal; a clean, already-triaged queue is.
The two numbers we report
We commit to reporting two metrics to every customer, every month — and we lead with them because they're the ones that actually matter:
- False-positive rate — the share of high-confidence alerts that turn out not to be impersonation. We'd rather be measured on this than on how many domains we found.
- Time-to-disruption — not "time to alert," but time until the impersonating site is suspended, sinkholed, or delisted. The outcome you're paying for.
We publish these to you as measured numbers from your own program. We don't headline a single industry-wide figure we can't stand behind — the number that counts is the one from your account.
How takedowns work
Each confirmed finding becomes a routed takedown:
- Evidence packaging — screenshot, DOM, certificate, and hosting unmask, captured and timestamped.
- Channel routing — the correct registrar, host/CDN, or platform abuse path, resolved via RDAP, plus the right legal lever (phishing/malware, trademark, or UDRP/URS).
- Human sign-off — every notice is reviewed and signed by a person before it's sent. We never auto-fire a takedown.
That last point is deliberate. A takedown notice carries real liability (DMCA §512(f)), so a human is always in the loop — you're never the one who sent a wrongful notice.
What we don't do
- We don't sell raw discovery or a CSV of every domain containing your name.
- We don't actively scan systems you haven't attested you own.
- We don't auto-send takedown notices.
- We don't headline metrics we haven't measured.