Features
Resources
Feature · Enterprise
Someone registered a domain that looks like yours. They have hosting. They have an SSL certificate. They might even have MX records for sending email as "you." Phishing Sentinel finds them before your customers do.
No credit card required · 7-day trial · Full Enterprise access
Right now, there are domains registered that look almost exactly like yours. Some are one character off. Some swap a Latin letter for an identical-looking Cyrillic character. Some use your brand name with a different TLD. And some of them have web hosting, SSL certificates, and mail servers — everything an attacker needs to impersonate your organization.
These look-alike domains power phishing campaigns, business email compromise, credential harvesting, and brand impersonation attacks. Your customers get an email from "your" domain. Your employees get a wire transfer request from "your CFO." Your partners log into what looks like "your" portal. By the time anyone notices, the damage is done.
The question isn't whether look-alike domains exist for your brand. They do. The question is whether you know about them — and whether you know which ones are actually dangerous.
Using dnstwist, Phishing Sentinel generates thousands of domain permutations using 17+ techniques — from simple typos to sophisticated homograph attacks.
Each permutation is checked for active registration and DNS resolution. Only real, registered domains with active infrastructure are surfaced — not theoretical possibilities.
Each discovery is scored 0–100 based on its infrastructure (hosting, email, SSL) and technique (homograph, typosquat, TLD swap). High-threat variants surface first.
Continuous monitoring catches new registrations, infrastructure changes, and domain reactivation. Batched alerts are delivered through your configured notification channels.
Attackers have dozens of ways to create a domain that looks like yours. Phishing Sentinel checks for all of them — and shows you exactly which technique each look-alike domain uses.
Replaces characters with visually identical characters from other alphabets — Cyrillic "а" for Latin "a", Greek "ο" for Latin "o". Nearly impossible to detect by eye.
Example: exаmple.com (Cyrillic "а")
Swaps adjacent characters to mimic common typing errors. Catches real typos your users make.
Example: examlpe.com
Removes single characters from the domain name — easy to miss, especially with doubled letters.
Example: examle.com
Swaps characters with nearby keys or similar-looking alternatives (1 for l, rn for m).
Example: examp1e.com
Flips single bits in domain characters, exploiting hardware-level memory errors that cause occasional DNS misresolution.
Example: axample.com
Appends characters to the domain name to create plausible-looking variants.
Example: examples.com
Inserts additional characters at various positions within the domain name.
Example: exaample.com
Repeats characters in the domain — a simple technique but effective for common brands.
Example: exammple.com
Replaces vowels with other vowels to create phonetically similar domains.
Example: exomple.com
Inserts hyphens into the domain to create legitimate-looking subvariants.
Example: ex-ample.com
Uses your domain name as a subdomain with different TLDs or base domains.
Example: example.com.attacker.com
Registers your exact domain name under different top-level domains.
Example: example.net, example.co
Combines common dictionary words with your domain name to create believable variants.
Example: example-login.com
Finding look-alike domains is step one. Understanding which ones are actually dangerous, tracking them over time, and having the evidence to act — that's the hard part.
Phishing Sentinel uses dnstwist to generate and check thousands of domain permutations using 17+ techniques. It finds registered look-alike domains with active DNS infrastructure — not theoretical possibilities, but real threats that exist right now.
Only registered domains with active DNS records are surfaced. This means every result in your dashboard represents a real domain that someone has paid to register and is actively hosting — a strong signal of malicious or at minimum suspicious intent.
Every look-alike domain is scored based on its actual infrastructure and the attack technique used. Active web hosting, email capability, SSL certificates, and visual similarity all contribute to the score — helping you prioritize the most dangerous threats.
A domain with web hosting + MX records + an SSL certificate using a homograph technique scores near 100 because it has everything needed for a convincing phishing attack. A parked TLD-swap domain without DNS scores near 0. You focus on what matters.
For every active look-alike domain, Phishing Sentinel maps the complete hosting infrastructure: IP addresses, ASN and hosting provider, geographic location, SSL certificate details, and mail server configuration.
This intelligence is critical for takedown requests, abuse reports, and incident response. Knowing that a phishing domain is hosted on a specific provider in a specific country gives you the information you need to act — and to demonstrate the threat to registrars and hosting providers.
Phishing Sentinel doesn't just discover threats — it tracks them through their entire lifecycle. New domains are flagged. Active domains are monitored for infrastructure changes. Taken-down domains are watched for reactivation.
Status tracking follows the full lifecycle: New → Observed → Under Review → Reported → Taken Down. And if a "Taken Down" domain comes back online, it automatically reverts to "New" with a fresh alert. Attackers who re-register domains after takedowns are caught immediately.
Phishing Sentinel consolidates all changes per domain into a single, batched notification — new discoveries, status changes, and DNS infrastructure changes — delivered via email, Slack, Discord, or PagerDuty.
No notification fatigue. Each alert tells you exactly what changed, what the threat level is, and what the look-alike domain's infrastructure looks like. One notification per domain per scan cycle, with all the context you need to act.
Phishing Sentinel checks whether look-alike domains have SSL certificates — a critical indicator of phishing readiness. Domains with valid SSL certificates are far more dangerous because they display the padlock icon that users have been trained to trust.
For each host, Phishing Sentinel captures the SSL issuer, common name, expiration date, and whether the certificate is self-signed. This tells you whether the attacker obtained a legitimate certificate (via Let's Encrypt, for example) or is using a self-signed cert — and contributes to the threat score.
Not all look-alike domains are equally dangerous. A parked TLD-swap without DNS is less urgent than a homograph domain with web hosting, MX records, and a Let's Encrypt certificate. Phishing Sentinel scores each variant so you focus on what matters.
| Factor | Points | Why It Matters |
|---|---|---|
| Active web hosting (A/AAAA records) | +30 | Domain resolves to an IP address — someone is actively hosting content. |
| Email capability (MX records) | +25 | Domain can receive email — enables phishing email campaigns. |
| Nameservers configured (NS records) | +15 | Complete DNS infrastructure — indicates deliberate setup, not just a registration. |
| SSL certificate present | +10 | HTTPS enabled — phishing site displays the trusted padlock icon. |
| Homograph / IDN technique | +20 | Visually indistinguishable from the real domain — highest deception potential. |
| Typosquatting technique | +15 | Transposition, omission, or replacement — exploits common typing errors. |
| Character manipulation | +10 | Repetition or insertion — plausible but less targeted. |
| TLD or dictionary technique | +3–8 | Lower visual similarity but still brand-adjacent. |
Threat Score Examples
Homograph + A records + MX + SSL
Transposition + A records + MX
TLD-swap + A records only
Dictionary + no DNS
Phishing domains aren't static. They appear, get taken down, and come back under different hosting. Phishing Sentinel tracks every stage — and alerts you when the status changes.
Just discovered — requires your attention.
Acknowledged and being watched for changes.
Actively investigating the domain's intent.
Abuse report filed with registrar or hosting provider.
Domain no longer resolves — monitored for reactivation.
Marked as a false positive — hidden from active view.
Automatic Reactivation Detection
When a domain marked as "Taken Down" reappears with active DNS, Phishing Sentinel automatically reverts its status to "New" and sends a fresh alert. Attackers who re-register domains after takedowns don't get a free pass.
Finding a look-alike domain is only useful if you can act on it. Phishing Sentinel gives you the evidence you need for takedown requests, abuse reports, and incident response.
Example: Look-Alike Domain Intelligence
Variant Domain
exаmple.com (homograph — Cyrillic "а")
A Records
198.51.100.42
MX Records
mail.exаmple.com
Hosting Provider
AS12345 — HostCo LLC
Location
🇷🇴 Bucharest, Romania
SSL Certificate
Let's Encrypt · Valid
Threat Score
95 / 100
First Seen
April 18, 2026 · Last seen: 2 hours ago
DNS Infrastructure
A, AAAA, MX, and NS records resolved and tracked for every variant. See exactly what infrastructure the attacker has set up.
Geolocation & ASN
Country, city, coordinates, ASN number, and hosting organization via MaxMind GeoIP. Essential for abuse reports and understanding attacker patterns.
SSL Certificate Analysis
Certificate issuer, common name, expiration date, and self-signed detection. A valid Let's Encrypt cert on a phishing domain is a major threat escalation.
Complete Event Timeline
Every event logged: first discovery, DNS changes, status transitions, IP address additions. A full audit trail for each variant.
Your clients trust you to protect their domains. Phishing Sentinel gives you a centralized view of look-alike domains across every client's domain portfolio — grouped, scored, and alerting. When a new phishing domain appears targeting a client, you know before they do.
Business email compromise starts with a look-alike domain. An attacker registers a domain one character off from your CFO's email domain and sends wire transfer requests to your finance team. Phishing Sentinel catches these domains when they're registered — before the first email is sent.
Your customers log in to your platform every day. A convincing look-alike of your login page — with a valid SSL certificate and a domain that looks right at a glance — can harvest credentials at scale. Phishing Sentinel monitors for these domains so you can take action before your customers are targeted.
Phishing Sentinel provides a documented audit trail of every look-alike domain: when it was discovered, its DNS infrastructure over time, hosting providers, SSL certificates, and status changes. This is exactly the evidence you need for takedown requests, abuse reports, and compliance documentation.
17+
Domain permutation techniques
0–100
Threat score per variant
6
Lifecycle stages tracked
Enable Phishing Sentinel on your domains and get immediate visibility into the look-alike domains targeting your brand — scored, analyzed, and monitored.
No credit card required · 7-day trial · Full Enterprise access
Monitor 60+ record types across all authoritative nameservers.
40+ automated security checks with weighted scoring.
Track WHOIS changes and domain expiration dates.
Certificate discovery, expiration tracking, and TLS auditing.
Organize domains by client, environment, or business unit.
Email, Slack, Discord & PagerDuty alert channels.
Connect Claude & AI agents to your DNS monitoring.
A look-alike domain attack is when someone registers a domain name that closely resembles your legitimate domain — using typos, character swaps, homoglyphs, or TLD variations. These domains are used for phishing emails, credential harvesting, brand impersonation, and business email compromise (BEC). For example, if your domain is "example.com," an attacker might register "examp1e.com," "exarnple.com," or "example.co" to trick your customers, employees, or partners.
Phishing Sentinel uses dnstwist, the industry-standard domain permutation engine, to generate thousands of domain variations using 17+ techniques — including typosquatting, homographs (Cyrillic/Greek/Hebrew character substitution), bitsquatting, transposition, insertion, omission, and TLD swaps. It then checks which of those variations are actually registered and have active DNS infrastructure, giving you a prioritized list of real threats rather than theoretical possibilities.
A one-time scan shows you what exists today. Phishing Sentinel monitors continuously — rescanning on a schedule and alerting you when new look-alike domains appear, when existing ones change DNS infrastructure, when previously taken-down domains come back online, and when domains gain email capability (MX records) that could be used for phishing. The threat landscape changes daily; a domain that was parked yesterday could be weaponized tomorrow.
Each discovered look-alike domain receives a threat score from 0–100 based on its actual infrastructure and attack technique. Domains with active IP addresses score higher. Email capability (MX records) adds significant weight because it enables phishing emails. SSL certificates increase the score because they make phishing sites appear more legitimate. Visual similarity techniques like homograph attacks score highest because they are hardest for humans to detect. This prioritization helps you focus on the most dangerous variants first.
For every look-alike domain with active DNS, Phishing Sentinel resolves and displays: IP addresses (A and AAAA records), mail servers (MX records), nameservers (NS records), hosting provider ASN and organization name, geographic location (country, city, coordinates), SSL certificate details (issuer, common name, expiration, self-signed status), and a complete timeline of when each host was first and last seen.
Yes. Some discovered domains may be legitimate — subdomains you own, partner domains, or known services. You can mark any variant as "Suppressed" to remove it from your active threat view. Suppressed variants are excluded from future notifications but remain in the database so you can review them later if needed.
Phishing Sentinel is included with the Enterprise plan and is available during the 7-day free trial with full access. Personal plan users can upgrade to Enterprise to access look-alike domain monitoring alongside other advanced features like Security Center, Slack/Discord/PagerDuty notifications, API access, and team management.
Yes. Phishing Sentinel specifically detects internationalized domain name attacks, including Cyrillic, Greek, and Hebrew character substitution (homograph attacks). These are among the most dangerous look-alike techniques because characters like Cyrillic "а" are visually identical to Latin "a" but produce different domain names. Phishing Sentinel flags these with the highest threat technique scores.
Phishing Sentinel tracks the full lifecycle. When a previously active look-alike domain stops resolving, it is automatically marked as "Taken Down." If that same domain later reappears with active DNS infrastructure, Phishing Sentinel automatically changes its status back to "New" and sends a notification. This catches domains that were temporarily suspended but then re-registered or reactivated by the same or different threat actors.
Phishing Sentinel batches alerts per domain per scan cycle — you get one consolidated notification per domain covering all new discoveries, status changes, and DNS changes. Alerts are delivered through your configured notification channels: email, Slack, Discord, or PagerDuty. Each notification includes the variant domain, technique used, threat score, and DNS infrastructure summary.
The only question is whether you know about it. Start your free trial and find out in minutes.
Start Free Trial
Features
Resources