See attacks the moment
they surface.
Sentinel pulls from 45+ threat and intelligence feeds around the clock — phishing databases, malware URL lists, Certificate Transparency logs, DNS intelligence, and credential-breach dumps — and hands every match to an AI assessment step before it ever reaches your team.
Six feed categories. One exposure picture.
Every feed is normalized into the same threat record, so a phishing hit, a newly-issued lookalike certificate, and a breached credential set all show up in the same place — correlated, not scattered across six different dashboards.
Phishing databases
Live phishing URLs targeting your domains, your logo, and your lookalikes, sourced from the open phishing-feed community.
Malware URL feeds
Malicious payload hosts and drive-by download infrastructure that could be staged behind a brand-lookalike domain.
Threat-intel feeds
Indicators of compromise cross-referenced across the wider threat-intelligence community, not just your own sightings.
Certificate Transparency logs
Every public CA logs every certificate it issues. We watch that stream for new certs on domains that look like yours — often before a site is even live.
DNS intelligence
Resolution, hosting, and routing changes on tracked domains — a dormant lookalike that suddenly gets an MX record is a signal worth acting on.
Credential-breach intel
Breached credential sets that reference your domains, so account-takeover risk shows up as a brand-exposure signal, not a surprise.
What each category catches, and how fast
| Feed category | What it catches | Update cadence | Coverage |
|---|---|---|---|
| Phishing databases | Live phishing URLs | Real-time | Global |
| Malware URL feeds | Malicious payload hosts | Hourly | Global |
| Threat-intel feeds | Cross-community indicators of compromise | Real-time | Global |
| Certificate Transparency logs | New TLS certificates on lookalike domains | Real-time | All public CAs |
| DNS intelligence | Resolution & hosting changes | Real-time | Global |
| Credential-breach intel | Breached accounts referencing your brand | Daily | Global |
These six categories span 45+ individual feeds and sources, reconciled continuously by Sentinel.
The scanning pipeline
Continuous, not batch
Feeds are pulled around the clock rather than on a nightly schedule. A new phishing URL, a freshly-logged lookalike certificate, or a new breach dump enters the pipeline as soon as it’s public.
Parallel by design
All 45+ feeds are processed concurrently rather than queued one behind the next, so a volume spike on one feed doesn’t delay detection on the rest.
Deduplicated automatically
If three feeds report the same phishing domain, that’s one detection record — not three duplicate alerts landing in your team’s queue.
How we generate what to look for
Attackers rarely register your exact domain — they register something close enough to fool a rushed click. We generate and monitor the same permutation space they use. Examples below use a placeholder brand and are illustrative only.
Homoglyph substitution
Visually similar characters swapped in — zero for the letter O, Cyrillic look-alikes, “rn” standing in for “m.”
TLD swaps
The identical brand name registered under a different or unusual top-level domain.
Separator variations
Hyphens or underscores inserted into (or removed from) a brand name that normally reads as one word.
Character insertion, omission & transposition
Extra, missing, or swapped letters — close enough to survive a glance on a small screen.
Prefix / suffix combinations
The brand name wrapped in credibility words attackers know convert — “secure,” “login,” “verify,” “support.”
Detection → AI assessment → alert
Detection
A feed, a CT log, or a DNS change surfaces a domain, URL, or credential set matching your brand.
AI assessment
Deduplicated, checked against your safe-domains allowlist, and evaluated for real intent — registration age, active hosting, MX records.
Alert
Only what clears assessment reaches your team — with a natural-language brief on why it matters, not a raw feed row.
The reasoning layer behind the assessment step is covered in depth on the AI Agents deep dive.
False-positive management
Safe-domains allowlist
Mark your own CDNs, marketing partners, and dev environments safe once, and every future feed hit against them is filtered before it ever reaches an alert.
Cross-feed deduplication
The same domain reported by multiple feeds collapses into a single detection record instead of duplicate alerts competing for attention.
AI assessment as final filter
Before an alert is raised, the finding is evaluated for real intent — not just pattern match — so your queue stays weighted toward things worth acting on.
What a detection looks like
Illustrative example — not a real detection or customer.
Threat detection is one of four capabilities
See what’s already targeting your brand.
Run a free exposure scan in under five minutes, or talk to us about full deployment.