DomainGuard

Frequently Asked Questions.

Definitions, process, products, comparisons, pricing. Everything we get asked most.

Definitions

Domain monitoring is the process of continuously scanning public domain data sources, including domain registrations, DNS records, and certificate transparency logs, to identify lookalike domains and other infrastructure that could be used to attack your brand. The goal is to surface impersonation domains before they go live with phishing content. DomainGuard runs domain monitoring as the foundation of the Owl tier.

A lookalike domain is one registered to visually or semantically resemble a legitimate brand domain, with the intent to deceive customers, employees, or partners. Common patterns include character substitution (rn for m), punycode and IDN homoglyphs, added words (acme-support.com), or alternative top-level domains. Lookalike domains usually precede a phishing or fraud campaign by hours or days.
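The patterns listed above can be checked mechanically. The sketch below is an added example, not DomainGuard's code: it classifies a candidate domain against a brand domain, assuming `acme.com` as the brand, a small constructed confusables table, and simple `label.tld` names.

```python
# Added illustration: classify a candidate domain against a brand domain using
# the lookalike patterns named above. Tables are constructed and far from complete.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0441": "c"}  # Cyrillic -> Latin lookalikes

def split_domain(domain):
    """Naive split into (label, tld); assumes a single-label registrable name."""
    label, _, tld = domain.lower().rstrip(".").partition(".")
    return label, tld

def decode_label(label):
    """Return the Unicode form of an xn-- (punycode) label, else the label itself."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def skeleton(label):
    """Fold homoglyphs and multi-character substitutions to a comparable form."""
    text = "".join(HOMOGLYPHS.get(ch, ch) for ch in decode_label(label))
    for fake, real in SUBSTITUTIONS:
        text = text.replace(fake, real)
    return text

def classify(candidate, brand):
    """Return the list of lookalike patterns the candidate shows against brand."""
    c_label, c_tld = split_domain(candidate)
    b_label, b_tld = split_domain(brand)
    decoded = decode_label(c_label)
    if decoded == b_label:
        return ["alternative-tld"] if c_tld != b_tld else []
    findings = []
    if skeleton(c_label) == skeleton(b_label):
        non_ascii = any(ord(ch) > 127 for ch in decoded)
        findings.append("idn-homoglyph" if non_ascii else "character-substitution")
    tokens = decoded.split("-")
    if len(tokens) > 1 and any(skeleton(t) == skeleton(b_label) for t in tokens):
        findings.append("added-word")
    if findings and c_tld != b_tld:
        findings.append("alternative-tld")
    return findings

def idn_sample():
    """Constructed sample: 'acme' with a Cyrillic first letter, in xn-- form."""
    return "xn--" + "\u0430cme".encode("punycode").decode("ascii") + ".com"
```

An empty list means none of the four patterns matched; a production monitor would use a full confusables table and a public-suffix list instead of the naive split.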

Brand impersonation is when threat actors create digital assets that pretend to be a legitimate brand to deceive its audience. It spans lookalike domains, fake mobile apps, fraudulent social media accounts, copycat customer support handles, sponsored search ads pointing at fake support pages, and dark-web mentions of stolen brand assets. Brand impersonation usually follows the customer's funnel: search, social, app stores, email, and direct outreach.

Attack-surface monitoring is the continuous discovery, inventory, and monitoring of an organization's externally facing systems, including subdomains, exposed services, certificates, cloud infrastructure, and the technologies running on them. The goal is to know what an external attacker can see, identify exposures the day they appear, and close them before they are exploited. DomainGuard delivers attack-surface monitoring through the Guardian tier.

A phishing site takedown is the formal process of reporting a malicious site to its domain registrar, hosting provider, and adjacent abuse-handling services so the site is removed from the internet. It involves identifying the responsible parties via WHOIS and ICANN, gathering documented evidence of the malicious activity, and submitting abuse reports through the right channels. DomainGuard handles takedowns end to end as part of the Owl tier.

Process

DomainGuard identifies the responsible domain registrar via the ICANN lookup tool and IANA ID, gathers screenshot and infrastructure evidence of the phishing activity, and submits a formal abuse report to the registrar. We also report the phishing URL to Google Safe Browsing and other adjacent services so users are warned away even before the registrar acts. We document the full timeline so your team has an audit trail.

From malicious-intent detection to takedown request submission, our fastest takedowns are under 120 seconds. Average times to actual site removal are measured in hours, not days, and depend on the registrar's responsiveness and the venue. Fast takedowns typically come from registrars with mature abuse desks. Slow takedowns happen when the registrar is offshore or unresponsive, in which case we escalate through Google Safe Browsing and ICANN.

Documented evidence of the malicious activity. At minimum: screenshots or screen recordings of the phishing site capturing the impersonating domain, the brand or institution being impersonated, and the phishing payload (credential form, fake support number, malware download). Network indicators help: SSL certificate details, DNS records, hosting infrastructure. Registrars require this to act, and DomainGuard handles the documentation for you.

Continuous data harvesting and analysis algorithms filter the bulk of non-threats automatically. Every alert that reaches you is reviewed by a human analyst before it lands in your inbox. We commit to that step because false positives erode trust and waste your team's time. The trade-off is that DomainGuard sees more, flags less, and what we flag is actionable.

Products

Owl is core domain monitoring: lookalike detection, automated takedowns, and certificate transparency tracking. Shield is brand and identity surface monitoring across app stores, social media, the dark web, and key-employee accounts. Guardian is external attack-surface monitoring covering subdomains, exposed services, certificates, and tech stack. Tiers run in parallel when stacked. Most customers start with Owl and add Shield or Guardian as their needs grow.

No. Owl is the foundation that almost every customer starts with. Shield and Guardian extend coverage into brand surface and external attack surface respectively. Tiers run in parallel when stacked, so adding Shield to Owl means both run continuously and findings flow into one workflow. Most customers run two or three tiers together depending on what they need monitored.

API Integration pushes DomainGuard threat intelligence into your existing security stack. Detections, takedown events, and asset changes flow via API into SOAR, SIEM, ticketing, and chat tools. It works alongside any of the three monitoring tiers. Common destinations include Splunk, Sentinel, Cortex XSOAR, ServiceNow, and Slack. The result is fewer dashboards to watch and faster response in your existing workflows.

Yes. Managed monitoring (Owl, Shield, Guardian, and API Integration) is a continuous service that watches your external surface 24/7. Consulting engagements are project-based work delivered by our practitioners: penetration tests, application security assessments, social-engineering simulations, cloud reviews, and detection validation. Most customers run consulting and monitoring together so monitoring catches threats between engagements.

Comparisons

Domain monitoring focuses on infrastructure attackers register to impersonate your brand: lookalike domains, certificates, and DNS records. Attack-surface monitoring focuses on infrastructure you own that is exposed to the internet: subdomains, services, ports, and tech stack. Domain monitoring asks what attackers are doing in your name. Attack-surface monitoring asks what you are exposing that an attacker can find. Both are external visibility; the surfaces are complementary.

In-house works when you have a dedicated brand-protection or external-monitoring team with budget for tooling, headcount, and 24/7 coverage. Managed monitoring works for everyone else, which is most organizations. DomainGuard handles data ingestion, analyst time, and takedown workflow so your team owns response, not collection. Managed is typically faster to stand up (days, not months) and cheaper at the scales most security teams operate at.

Pricing & Engagement

Monitoring is subscription-based, sized by the number of brands and domains monitored and the tiers selected. Consulting engagements are fixed-fee per project, scoped during a discovery call. Retainers offer pre-purchased consulting hours at a discounted rate. We share a written quote and statement of work before any engagement starts so there are no surprises during the work or in the final invoice.

We will run a complimentary scan of a domain you own and walk you through the findings during a discovery call. The scan covers lookalike domains, exposed services, and brand-impersonation indicators we surface from public sources. There is no commitment to subscribe afterward. If the findings warrant continuous monitoring, we will scope it then.

Each engagement is scoped during a discovery call. Pricing is fixed-fee for project-based work and reflects the size and complexity of the target environment. We share a written scope and statement of work before any engagement starts so there are no surprises during testing or in the final invoice. Combined engagements (penetration testing plus application security, for example) are scoped and priced as one project.

Mid-to-large enterprises with high-value brands, domains, or trademarks. Customers span financial services, fintech, healthcare, retail, SaaS, manufacturing, higher education, and pharmaceutical data. Sizes range from regional credit unions and community banks to global manufacturers and century-old financial institutions. If a brand or domain is worth impersonating, monitoring is worth running.
