Lookalike Domain Intelligence Platform

Stop Lookalike Domain Attacks Before They Strike

ThreatScoutDomains continuously discovers, monitors, and analyses domains impersonating your brand — typosquatting, homograph attacks, combo-squatting, and more — giving your security team the intelligence to act first.

50+ Mutation Algorithms
7 Threat Categories
< 2s Evidence Collection
24/7 Continuous Monitoring

Platform Capabilities

Everything your SOC team needs

From automated discovery to evidence-backed risk assessment, ThreatScoutDomains covers the full threat-domain lifecycle.

Automated Discovery

Generates thousands of lookalike candidates using typosquatting, insertion, deletion, transposition, homoglyph substitution, TLD swaps, and more.

Evidence Collection

Automatically gathers DNS records, HTTP response headers, SSL certificates, screenshots, and full HTML snapshots for each threat candidate.

Risk Assessment

Analysts review evidence and assign risk scores (New → Reviewing → Confirmed → Dismissed) with a full audit trail of every status change.

Continuous Monitoring

CLI-driven discovery and collection pipelines can be scheduled (cron) to run daily, keeping your threat intelligence fresh without manual effort.

Analyst Dashboard

Real-time overview of total candidates, unreviewed items, high-risk detections, and recent activity — purpose-built for SOC and brand protection teams.

Export & Reporting

Export threat intelligence as CSV for SIEM ingestion, ticketing system integration, or management reporting with one click.

Security-First Design

Session hardening, CSRF protection, bcrypt authentication, brute-force lockout, and path-traversal prevention built into every layer.

Screenshot Evidence

Visual snapshots of live lookalike sites let analysts quickly confirm phishing pages, brand impersonation, and credential harvesting portals.

Every attack vector, covered

The platform generates and monitors candidates across all known lookalike domain techniques.

Typosquatting, Homograph / IDN Attacks, Combosquatting, Bitsquatting, TLD Substitution, Subdomain Abuse, Addition / Insertion, Deletion / Omission, Transposition, Double-Letter Repetition, Vowel Swap, Hyphenation Variants, Keyword Prefix/Suffix, Brand + Service, Phishing Pages, Credential Harvesting

cli/discover.php — live discovery output
$ php cli/discover.php --brand acmecorp --tld com,net,org,io
──────────────────────────────────────────────────
Brand: acmecorp
TLDs: com, net, org, io
Algorithms: typo, tld_swap, addition, deletion, transposition, homoglyph, combo
──────────────────────────────────────────────────
[+] acmec0rp.com DNS: LIVE HTTP: 200 OK
[+] acmecorp.net DNS: resolves HTTP: timeout
[+] acme-corp.io DNS: LIVE HTTP: 301 → phish.tk
[+] acmecorps.com DNS: NXDOMAIN
...
──────────────────────────────────────────────────
Total generated: 1,247 Saved to DB: 1,247 Active threats: 38
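
An added illustration, not ThreatScoutDomains code: a few of the mutation classes named above turned into a watchlist and matched against domains seen in a feed. The function names, the small ASCII homoglyph map and the "repetition" and "hyphenation" labels are assumptions; the first four sample domains are the ones in the CLI output above.

```python
import string

# Constructed ASCII-only lookalike map (assumption); real IDN tables are far larger.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}

def mutate(label):
    """Yield (algorithm, mutated_label) pairs for one brand label."""
    n = len(label)
    for i in range(n):
        yield "deletion", label[:i] + label[i + 1:]
        yield "repetition", label[:i] + label[i] * 2 + label[i + 1:]
        if label[i] in HOMOGLYPHS:
            yield "homoglyph", label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:]
    for i in range(n - 1):
        if label[i] != label[i + 1]:  # swapping equal letters changes nothing
            yield "transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:]
    for i in range(1, n):  # a DNS label may not start or end with a hyphen
        yield "hyphenation", label[:i] + "-" + label[i:]
    for c in string.ascii_lowercase:
        yield "addition", label + c

def candidates(brand, tlds, own_tld="com"):
    """Map each candidate domain to the set of algorithms that produce it."""
    out = {}
    for tld in tlds:
        if tld != own_tld:  # the brand's own registration is not a threat
            out.setdefault(f"{brand}.{tld}", set()).add("tld_swap")
        for algo, label in mutate(brand):
            if label and label != brand:
                out.setdefault(f"{label}.{tld}", set()).add(algo)
    return out

def triage(observed, brand, tlds):
    """Label observed domains (e.g. from a new-registration feed) on the watchlist."""
    watch = candidates(brand, tlds)
    seen = (o.lower().rstrip(".") for o in observed)  # normalise case and root dot
    return {d: sorted(watch[d]) for d in seen if d in watch}

if __name__ == "__main__":
    # First four domains are from the CLI output above; the rest are constructed.
    feed = ["acmec0rp.com", "acmecorp.net", "acme-corp.io", "acmecorps.com",
            "ACMECORPP.com.", "example.org"]
    for domain, algos in triage(feed, "acmecorp", ["com", "net", "org", "io"]).items():
        print(f"{domain:18} {', '.join(algos)}")
```
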

Workflow

From seed to takedown in three steps

A simple, repeatable process — automated where possible, analyst-led where it matters.

01. Seed & Configure

Define your brand name and target TLDs. Run cli/seed.php or use the API to add monitored brands. Set up a cron job for daily reruns.

02. Discover & Collect

The discovery engine generates all candidate domains. Evidence Collector resolves DNS, checks HTTP status, captures screenshots, and stores HTML snapshots automatically.

03. Investigate & Act

Analysts review evidence in the web dashboard, assign risk ratings, and escalate confirmed threats to legal, registrar abuse, or SIEM via CSV export.

About the Creator

Built from real frustration

Godson Chittilappilly

Security Engineer & Entrepreneur

Love to be Part of this Race

Why ThreatScoutDomains exists

Hi, I'm Godson Chittilappilly — a security engineer passionate about threat intelligence, brand protection, and building tools that close the gap between detection and response. I designed and built ThreatScoutDomains as a self-hosted alternative to expensive vendor platforms, putting real analyst control back in the hands of the teams who need it most.

ThreatScoutDomains was born out of a recurring pain every security team eventually hits — you know attackers are spinning up lookalike domains to phish your users and impersonate your brand, but you have no practical way to find them before the damage is done.

Enterprise brand-monitoring products exist, but they're expensive, opaque, and hand control to a vendor. Open-source scripts exist, but they're one-off and leave all the heavy lifting to the analyst. There was nothing in between: a self-hosted, full-lifecycle platform that any security team could own end-to-end.

Manual monitoring doesn't scale. Checking lookalike domains one by one is impractical when attackers register hundreds at a time.
Enterprise tools are cost-prohibitive. Brand-protection SaaS platforms often cost tens of thousands of dollars per year — out of reach for most teams.
Delayed detection means more victims. A phishing domain that runs undetected for even 48 hours can compromise hundreds of users.
No analyst control over the workflow. Vendor tools decide what's a threat. ThreatScoutDomains puts your analysts in charge of triage, evidence, and escalation.

Ready to protect your brand?

Sign in to your ThreatScoutDomains instance and start monitoring now.