Norcube
DashboardWebsite
Brand Monitor

Brand Monitor

24/7 monitoring of Certificate Transparency logs for typosquats and lookalike domains.

Not verified yet

Brand Monitor watches public Certificate Transparency (CT) logs for domains that look like your brand. When someone registers a lookalike and provisions a TLS certificate – which they essentially have to, to host a real phishing page – the issuance appears in CT logs within seconds, and Brand Monitor flags it.

Why CT? Because virtually every modern domain that hosts a real site gets a certificate (Let's Encrypt is free and ubiquitous), and CT logs are public, append-only, and exhaustive. Watching them is a near-comprehensive view of "what new domains went live this minute".

What you configure

A watcher is a keyword + match rules. See Watchers and hits for the full shape.

Roughly: you provide a brand keyword (e.g. norcube), an optional allowlist of known legitimate matches, and a notification email. Brand Monitor produces a hit for every CT log entry whose domain matches your keyword by:

  • Substring – the keyword appears verbatim (norcube-login.com).
  • Homoglyph – visually similar letter substitutions (n0rcube.com, norсube.com with a Cyrillic 'с').
  • Typosquat – common typo patterns (narcube.com, norcubr.com).
  • Subdomain abuse – your brand as a subdomain of an unrelated domain (norcube.attacker.com).
  • Lookalike TLD – brand on an unusual TLD (norcube.xyz).

Risk scoring

Each hit gets a score from 0 to 100 combining:

  • How similar the domain is to your keyword.
  • The certificate's issuing CA.
  • The hosting platform (some hosts have higher abuse rates).
  • The domain's age (brand-new is more suspicious).
  • (Optional) An AI content check – DomainRadar visits the page and decides whether it impersonates your brand.

Set a minimum notification score on each watcher (default 30). Hits under the threshold are recorded but don't email.

Optional AI content check

Toggling AI content check on a watcher means Brand Monitor visits the flagged domain, runs LLM-based analysis on the page content, and decides whether it's a real impersonation or a coincidence.

This costs extra per check (a few cents to ~20¢ depending on page size) but dramatically reduces false-positive emails. Use it for high-noise watchers on common brand words.

Behaviour and edge cases

  • A new watcher starts catching hits immediately. It doesn't retroactively scan historical CT logs.
  • One hit per (domain, watcher) – not per cert. If the same domain re-issues certs (cron-renewing Let's Encrypt every 60 days), Brand Monitor doesn't re-alert.
  • Alert delivery is transactional email. If your inbox provider blocks unfamiliar senders, alerts may land in spam – add alerts@norcube.com to your safe senders.
  • Watchers are billed for the time they're active. Free-tier allowance and per-hour rates for additional watchers (and AI checks) are on the pricing page.

Generate brandable names

Describe what you're building; AI proposes domain candidates; DomainRadar checks them all.

Watchers and hits

The atomic units of Brand Monitor – what you configure, what you receive.

On this page

What you configureRisk scoringOptional AI content checkBehaviour and edge casesRelated
Edit on GitHub