Brand protection
that catches clone sites before your customers do.

At 3:17 a.m. last Sunday, three domains were registered that look like yours. By 8 a.m., one was live — your logo, your favicon, a login form that posts to a Telegram bot. Your domain monitor never caught it — it never registered the name. It bought acme-secure-login.com, not acmе.com.

You'd never have known. Your customers would have.

Open dashboard → How we found it
The gap SECTION 01 / 07 >>>

That's the gap unclone closes.

Domain monitors watch the names. We watch the pages. Search engines, certificate transparency logs, and what the site actually looks like once it loads — acme-secure-login.com isn't a typo of your domain, it's a typo of your brand. Different problem. Different tool.

Replay · 03:17:00 SECTION 02 / 07 >>>
Discover 03:17:01
unclone://discover/queue SERP + CT TRIAGE — 09:30:14 acme-secure-login.comSERP · pos 4 · score 0.87ACTIONABLE→ verify acme-billing-support.netCT log · cert 14m old · score 0.81HIGH PRIORITY→ verify acme-reset-pw.ioSERP · pos 17 · score 0.62WATCHLIST→ verify reddit.com/r/acme/supportSERP · editorialDISCARDED acmedocs.ioCT · benign subdomainDISCARDED 5 ACTIONABLE · 37 DISCARDED window 09:30:00 → 09:30:14

Find clones before they go live.

AI-planned queries scan search engines every 30 minutes. Certificate transparency logs are polled continuously for lookalike domains. Every signal is enriched with DNS, TLS, and a full browser render — and triaged before it reaches the verification stage.

Verify 03:17:14
unclone://verify/acme-secure-login.com BASELINE vs SIGNAL BASELINE acme.com/login SIGNAL acme-secure-login.com 14 DIMENSIONS TEXT0.91 FORMS0.85 DOM0.65 IMAGES0.72 FAVICON1.00 PHONE0.33 SCRIPTS0.53 FINAL VERIFIER VERDICT ACTIONABLE Login form structure matches official. Favicon SHA256 identical. Support phone differs from official — likely credential phishing. confidence 0.94

AI vision confirms what rules miss.

Each signal is compared against your official pages across 14+ dimensions — text, forms, images, DOM, CSS, scripts, favicon. The verifier model then reads screenshots of both sites side-by-side and returns a verdict with confidence, evidence, and reasoning.

Enforce 03:17:29
unclone://campaigns/active ACTIVE CAMPAIGNS 14 OPEN · 6 CRITICAL · 8 HIGH #48 · ACME-SECURE-LOGIN.COMlogin flow · cert 14m · NS: cloudflareCRITICAL→ registrar abuseACT #47 · ACME-BILLING-SUPPORT.NETphone scam · NS: namecheapCRITICAL→ host abuse + legalACT #46 · ACME-RESET-PW.IOcred harvest · NS: porkbunHIGH→ registrar abuseACT #45 · ACMEDOCS-PRO.COMbrand match · low confidenceREVIEW→ monitorVIEW ALERTS WIRED SLACK EMAIL WEBHOOK

From detection to takedown in one workflow.

Case-worthy threats cluster into Cases with severity, evidence packages, and recommended reporting routes. Each Case is one click away from registrar abuse forms, hosting provider takedown channels, or legal handoff.

Monitor 03:48:00
unclone://monitor/acme SCAN ACTIVITY — LAST 24H 00:0006:0012:0018:00now ALERT FEED 04:11Re-scan completed · 42 SERPsOK 09:48Cert log match · acme-secure-login.comNEW 12:21Campaign #48 escalated to CRITICALHARD 14:03Baseline drift · acme.com faviconSOFT 17:42Manual scan dispatchedRUN NEXT SCAN in 04:12

Once you're a baseline, we never stop watching.

Every 30 minutes, search results re-run. Every 10 minutes, certificate transparency streams. Verified campaigns re-check daily. When anything shifts — a watched domain activates, a baseline page drifts, a phishing kit changes hands — it lands in your channel.

14+Comparison dimensions
30 minContinuous scan cycle
LLM + visionPer-signal verdict
Auto-routedSlack · email · webhook
But what about… SECTION 03 / 07 >>>
"…our domain monitor?"

It catches names that look like yours. Most clones don't try. They look like your brand, on a domain that doesn't.

"…our SOC team?"

They can manually triage twenty or thirty candidates a day. Our intake queue regularly starts at two hundred.

"…false positives?"

Every verdict carries a confidence score, side-by-side screenshots, and a human-readable reason. You don't approve what you can't see.

Methodology SECTION 04 / 07 >>>
Stage 01

How signals come in

An LLM plans query variants per organization and runs them against Google every 30 minutes. Certificate transparency logs stream in parallel and get matched against your lookalike patterns. Forums, reviews, and benign subdomains are triaged out before anything reaches the verification stage — only artifact-valid Signals pass through.

Discover
Stage 02

Why rules run first, then vision

Each Signal is fingerprinted across 14+ dimensions — text, forms, DOM, images, scripts, favicon — and scored against your baseline. The Classifier Verdict handles obvious matches cheaply. What survives goes to the verifier model with image input, which reads screenshots of both sites side-by-side and returns a Final Verifier Verdict, confidence, and the evidence behind it.

Verify
Stage 03

From verdict to takedown

Actionable Signals become Cases with severity, evidence packages, and recommended reporting routes — registrar abuse, hosting provider takedown forms, or legal handoff. The Case is the unit of action: it carries everything an analyst would otherwise have to assemble by hand.

Enforce
Stage 04

What keeps running after detection

Baselines drift. Phishing kits change hands. Watched domains activate weeks after they were registered. Re-scans run on a schedule, re-verification fires on baseline changes, and severity routing decides what gets paged versus what just lands in the dashboard. The pipeline does not stop after a Case is opened.

Monitor
Pricing SECTION 05 / 07 >>>

One flat price. Every clone caught.

No analyst seat. No discovery call. No per-Case overage. Add a domain, watch the pipeline fill the queue, sleep through Sunday morning.

Annual billing · save 10%
Basic P-01

For one brand and a small team — the dashboard your domain monitor never gave you.

$249/ month

Monthly or annual · cancel anytime

Open dashboard →

What's included

  • 1 monitored brand · unlimited baseline pages
  • 3 team members · SSO available
  • Standard scan cadence — SERPs every 30 min, CT logs continuous
  • 14+ dimension comparison · AI vision verification
  • Slack, email, and webhook alerts · severity-routed
  • One-click registrar abuse, host takedown, legal handoff
Most popular
Growth P-02

For brands with sub-brands, regional domains, or a security team that wants real headroom.

$749/ month

Monthly or annual · cancel anytime

Open dashboard →

Everything in Basic, plus

  • 3 monitored brands · share baselines across them
  • 10 team members · role-based access
  • Increased scan cadence — tighter SERP and CT windows
  • Priority verification queue · faster time-to-Case
  • Watchlist for pre-activation domains
  • Evidence package exports for legal and insurance
Enterprise P-03

For portfolios, regulated industries, and security teams that need contracts before they need a dashboard.

Let's talk

Annual contract · custom terms

Contact sales →

Everything in Growth, plus

  • Unlimited brands and unlimited members
  • Custom scan cadence and verification budget
  • Dedicated takedown coordination
  • Security review, DPA, SSO/SCIM, audit logs
  • SLA-backed uptime and response
  • Named technical contact · Slack Connect
SetupAdd a domain. Pipeline runs in minutes.
BillingMonthly or annual. 10% off on annual.
SwitchUpgrade, downgrade, or cancel from the dashboard.
Integrations SECTION 06 / 07 >>>
Web · Hosted

Dashboard

The full pipeline with Case management, evidence packages, and one-click registrar reports. SSO. No analyst seat required.

Open dashboard →
Slack · channel + DM

Slack alerts

Critical Cases wake your security channel. Each alert links to the evidence package.

set up in /dashboard/notifications/
Webhook · signed

Webhooks & email

Stream Case events into your existing brand-security stack. Severity-based email routing for the rest.

POST your-webhook-url
03:17 — postscript SECTION 07 / 07 >>>

About those three domains from Sunday morning—

One was reported to the registrar by 9:14 a.m. The second went dark on its own — phishing-kit landlords get nervous when traffic doesn't arrive. The third is still being monitored. It may activate next week.

None of them reached a customer.

That's the dashboard you're about to open.

Open dashboard →