Detection alone is not enough. A monitoring product that surfaces 200 new variants per day without ranking them is just a noise generator. The work that makes detection useful is the scoring pipeline that tells you which hits are 90 (act now), which are 50 (watch), and which are 10 (renew next year or drop).
Every hit from our zone-file ingest runs through an LLM-plus-heuristic ensemble that weighs registrant pattern, DNS infrastructure, content classification when the site is live, homoglyph distance, and historical abuse on similar setups. Calibration runs on real outcomes, not gut feel.
What the score weighs
- Registrant pattern including privacy proxy use, registrar choice, registration timing
- DNS infrastructure including name server reputation, IP address history, MX configuration
- Content classification when the site is live (vision plus text LLM)
- Homoglyph distance including mixed-script Unicode lookalikes
- Historical abuse on similar setups (same name server, same registrant fingerprint)
How it drives the workflow
The score routes the workflow. Scores of 70 and above are flagged for same-day operator review. Scores of 50-69 queue for end-of-week review. Scores below 50 enter the watchlist. You see the 90s first, the 50s when you have time, and the 10s never.
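As an added illustration (not the product's own code), the sketch below computes one of the listed inputs, homoglyph distance with mixed-script detection, for a zone-file label, and applies the routing thresholds stated above to a final score. The confusables table is a small constructed sample, and every function name here is hypothetical.

```python
import unicodedata

# Constructed sample table (assumption): a real deployment would load the full
# Unicode confusables data rather than this handful of mappings.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                 # Greek
    "0": "o", "1": "l",                                          # digits
}

def to_unicode(label):
    # Zone files carry IDN labels in "xn--" punycode form; decode them first.
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def skeleton(label):
    # Fold compatibility forms and case, then map lookalikes to one form.
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def scripts(label):
    # The first word of a Unicode character name is its script (LATIN, ...).
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def edit_distance(a, b):
    # Plain Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def homoglyph_signal(candidate, brand):
    label = to_unicode(candidate)
    return {
        "visual_distance": edit_distance(skeleton(label), skeleton(brand)),
        "raw_distance": edit_distance(label.lower(), brand.lower()),
        "mixed_script": len(scripts(label)) > 1,
    }

def route(score):
    # Thresholds as stated on the page: 70+, 50-69, below 50.
    if score >= 70:
        return "same-day operator review"
    return "end-of-week review" if score >= 50 else "watchlist"
```

A visual distance of 0 with a nonzero raw distance is the lookalike case: the label renders like the brand but is a different string. How that signal is weighted into the final score is left to the ensemble.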
Buyer pain we address
- Analyst triage cannot keep up with detection volume at brand portfolios above 50 marks
- False positives erode trust in monitoring and the team starts ignoring alerts
- Risk priority is inconsistent across analysts and varies depending on who is on shift