← Platform Overview
Capability 01 · Threat Detection

See attacks the moment
they surface.

Sentinel pulls from 45+ threat and intelligence feeds around the clock — phishing databases, malware URL lists, Certificate Transparency logs, DNS intelligence, and credential-breach dumps — and hands every match to an AI assessment step before it ever reaches your team.

45+
Feeds & sources
6
Feed categories
24/7
Continuous scanning

Six feed categories. One exposure picture.

Every feed is normalized into the same threat record, so a phishing hit, a newly-issued lookalike certificate, and a breached credential set all show up in the same place — correlated, not scattered across six different dashboards.

Phishing databases

Live phishing URLs targeting your domains, your logo, and your lookalikes, sourced from the open phishing-feed community.

Malware URL feeds

Malicious payload hosts and drive-by download infrastructure that could be staged behind a brand-lookalike domain.

Threat-intel feeds

Indicators of compromise cross-referenced across the wider threat-intelligence community, not just your own sightings.

Certificate Transparency logs

Every public CA logs every certificate it issues. We watch that stream for new certs on domains that look like yours — often before a site is even live.

DNS intelligence

Resolution, hosting, and routing changes on tracked domains — a dormant lookalike that suddenly gets an MX record is a signal worth acting on.

Credential-breach intel

Breached credential sets that reference your domains, so account-takeover risk shows up as a brand-exposure signal, not a surprise.

What each category catches, and how fast

Feed category What it catches Update cadence Coverage
Phishing databasesLive phishing URLsReal-timeGlobal
Malware URL feedsMalicious payload hostsHourlyGlobal
Threat-intel feedsCross-community indicators of compromiseReal-timeGlobal
Certificate Transparency logsNew TLS certificates on lookalike domainsReal-timeAll public CAs
DNS intelligenceResolution & hosting changesReal-timeGlobal
Credential-breach intelBreached accounts referencing your brandDailyGlobal

These six categories span 45+ individual feeds and sources, reconciled continuously by Sentinel.

The scanning pipeline

01

Continuous, not batch

Feeds are pulled around the clock rather than on a nightly schedule. A new phishing URL, a freshly-logged lookalike certificate, or a new breach dump enters the pipeline as soon as it’s public.

02

Parallel by design

All 45+ feeds are processed concurrently rather than queued one behind the next, so a volume spike on one feed doesn’t delay detection on the rest.

03

Deduplicated automatically

If three feeds report the same phishing domain, that’s one detection record — not three duplicate alerts landing in your team’s queue.

How we generate what to look for

Attackers rarely register your exact domain — they register something close enough to fool a rushed click. We generate and monitor the same permutation space they use. Examples below use a placeholder brand and are illustrative only.

Homoglyph substitution

Visually similar characters swapped in — zero for the letter O, Cyrillic look-alikes, “rn” standing in for “m.”

yourbrand.comy0urbrand.com

TLD swaps

The identical brand name registered under a different or unusual top-level domain.

yourbrand.comyourbrand.support

Separator variations

Hyphens or underscores inserted into (or removed from) a brand name that normally reads as one word.

yourbrand.comyour-brand.com

Character insertion, omission & transposition

Extra, missing, or swapped letters — close enough to survive a glance on a small screen.

yourbrand.comyuorbrand.com

Prefix / suffix combinations

The brand name wrapped in credibility words attackers know convert — “secure,” “login,” “verify,” “support.”

yourbrand.comsecure-yourbrand-login.com

Detection → AI assessment → alert

Detection

A feed, a CT log, or a DNS change surfaces a domain, URL, or credential set matching your brand.

AI assessment

Deduplicated, checked against your safe-domains allowlist, and evaluated for real intent — registration age, active hosting, MX records.

Alert

Only what clears assessment reaches your team — with a natural-language brief on why it matters, not a raw feed row.

The reasoning layer behind the assessment step is covered in depth on the AI Agents deep dive.

False-positive management

Safe-domains allowlist

Mark your own CDNs, marketing partners, and dev environments safe once, and every future feed hit against them is filtered before it ever reaches an alert.

Cross-feed deduplication

The same domain reported by multiple feeds collapses into a single detection record instead of duplicate alerts competing for attention.

AI assessment as final filter

Before an alert is raised, the finding is evaluated for real intent — not just pattern match — so your queue stays weighted toward things worth acting on.

What a detection looks like

Illustrative example — not a real detection or customer.

HIGH acme-secure-login[.]com
Detected viaCertificate Transparency logs
Registered36 hours ago
HostingActive, MX records present
Pattern matchPrefix/suffix combination
AI Assessment
“A certificate was issued 36 hours ago for a domain combining your brand name with ‘secure’ and ‘login’ — a pattern common in credential-phishing kits. The domain now resolves with active MX records, meaning it can both host a fake login page and send spoofed email. Recommended: initiate takedown evidence collection.”

See what’s already targeting your brand.

Run a free exposure scan in under five minutes, or talk to us about full deployment.