ProductJanuary 28, 20265 min read
DomainWatch: Proactive Phishing Protection
How the DomainWatch module detects suspicious domains before they reach victims. Certificate Transparency, DNS analysis, and risk scoring.
NSAI Team
DomainWatch: Proactive Phishing Protection
Most anti-phishing systems work reactively β they block domains after someone has already become a victim. NSAI DomainWatch works differently.
How It Works
DomainWatch monitors Certificate Transparency (CT) Logs in real-time. When someone registers an SSL certificate for a domain similar to a protected brand, we detect it within minutes.
Analysis Pipeline
- Discovery β detecting new domains via CT logs and permutation generation
- Enrichment β collecting DNS, WHOIS, and TLS data
- Scoring β risk assessment from 0 to 100:
- Brand similarity: 35% weight
- Registration freshness: 20%
- Infrastructure: 25%
- Content: 20%
Example
When domain privatbank-secure.xyz appears:
- Similarity score: 89/100 (very similar to
privatbank.ua) - Freshness: registered 2 days ago
- Infra: hosted on cheap VPS, no DKIM
- Overall risk: 94/100 β CRITICAL
Who Is It For
DomainWatch is available on Business and Enterprise plans. Banks, fintech companies, and telecom operators already use it to protect their brands.
Learn more: Pricing | API Documentation
Want to check a suspicious message?