Adversaries register the domain that looks like yours before they phish your customers. SNARE finds it first — scores it, fingerprints its infrastructure, and tells you the moment it appears on the wire.
A desktop tool that watches the world for domains that look like yours, and tells you when one shows up.
SNARE does one job. It generates every plausible squat of a domain you care about, checks the public infrastructure for evidence those squats actually exist, scores what it finds, and remembers everything so the second scan knows what changed since the first.
FORM FACTOR
Native desktop application built on PyQt6. Runs on the analyst's workstation. No SaaS account, no telemetry, no data leaves the machine.
STORAGE
Local SQLite database. Every scan is preserved. Every newly-discovered domain is flagged as new on first sight and only on first sight.
INPUTS
A list of target domains. Optional pattern rules (regex, keyword, edit-distance, combosquat) for include / exclude filtering.
OUTPUTS
A scored queue of suspect domains with registrar, registration date, resolved IPs, MX records, web liveness, abuse contact, optional screenshots — and a generated takedown notice when you're ready to file one.
INTEGRATIONS
SMTP, Slack webhooks, Microsoft Teams webhooks. Optional SecurityTrails and VirusTotal for passive DNS enrichment. Optional Playwright for screenshot capture.
THREE INDEPENDENT SOURCES
Three vantage points on the same problem. Coverage gaps in one are covered by the others.
Every detection source has a blind spot. Certificate Transparency misses domains that haven't been issued a cert. Permutation misses the squats nobody could have guessed. Passive DNS misses what commercial telemetry didn't capture. SNARE runs all three and deduplicates the results.
SRC.01
CERTIFICATE TRANSPARENCY
Every TLS certificate issued anywhere is logged publicly. SNARE queries crt.sh for every subdomain of every target — and finds the squat the moment its operator provisions a cert for it.
SOURCE: crt.sh
SIGNAL: Cert issued
CONFIDENCE: High
SRC.02
DNS PERMUTATION
Twelve mutation classes — typos, homoglyphs, Cyrillic look-alikes, leet substitutions, TLD swaps, combosquats — generated from each target and resolved against public DNS in parallel. Only the ones that actually exist make it to the queue.
SOURCE: 8.8.8.8 / 1.1.1.1
SIGNAL: A / MX Record
CONFIDENCE: Variable
SRC.03
PASSIVE DNS
Optional enrichment via SecurityTrails and VirusTotal. Surfaces domains the permutation engine didn’t predict and certificates the operator never issued.
SOURCE: Vendor APIs
SIGNAL: Observed in the Wild
CONFIDENCE: High
THE PERMUTATION ENGINE
Twelve mutation classes. Every squat your adversary is likely to register, before they do.
The permutation engine encodes every documented squatting technique in the literature, plus the Cyrillic and combosquat variants that most generators omit. For a single target it produces hundreds of candidates, sometimes thousands. The DNS resolver discards every one that doesn't actually exist.
Character Deletion
acme.com → acm.com
Character Doubling
acme.com → accme.com
Transposition
acme.com → acem.com
QWERTY Adjacency
acme.com → scme.com
Homoglyph (Latin)
acme.com → àcme.com
Cyrillic Look-alike
acme.com — visually identical IDN
Leet substitution
acme.com → 4cme.com
Vowel Swap
acme.com → ocme.com
TLD Variation
acme.com → acme.co / .io / .xyz
Hyphen Insertion
acme.com → ac-me.com
Combosquat (prefix / suffix)
acme.com → login-acme.com
Combosquat (subdomain)
acme.com → login.acme-portal.com
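To show how a defensive watchlist is built from these classes, the following added example (not SNARE's code) generates four of them: deletion, doubling, transposition and hyphen insertion. The function names are hypothetical and a single-label TLD is assumed.

```python
# Added example: four of the mutation classes listed above, used to build a
# monitoring watchlist. All names here are hypothetical, not SNARE's API.

def deletions(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def doublings(label):
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}

def transpositions(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}

def hyphenations(label):
    # A DNS label may not start or end with a hyphen, so insert only inside.
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}

CLASSES = {
    "Character Deletion": deletions,
    "Character Doubling": doublings,
    "Transposition": transpositions,
    "Hyphen Insertion": hyphenations,
}

def permute(domain):
    """Map each candidate domain to the first class that produced it."""
    label, _, tld = domain.lower().partition(".")  # assumes one-label TLD
    watchlist = {}
    for name, mutate in CLASSES.items():
        for cand in sorted(mutate(label)):
            # Skip empty labels and mutations that reproduce the target.
            if cand and cand != label:
                watchlist.setdefault(f"{cand}.{tld}", name)
    return watchlist

if __name__ == "__main__":
    for cand, cls in permute("acme.com").items():
        print(f"{cand:12} {cls}")
```

Each candidate still has to be resolved before it is worth an analyst's time; the generator alone only defines what to look for.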
WEIGHTED RISK SCORING
Every hit gets a number from zero to one hundred. The model is open. You can read every weight.
SIGNAL | DESCRIPTION | MAX POINTS
edit_distance_1 | One character away from target | +40
edit_distance_2 | Two characters away | +25
nrd_under_7d | Registered in the last week | +30
nrd_under_30d | Registered in the last month | +20
cyrillic_chars | IDN homograph indicator | +20
high_risk_tld | .tk / .ml / .ga / .cf / .gq / .pw / .cc | +15
mx_active | Mail infrastructure provisioned — BEC capable | +15
web_active | Resolves to a live A record | +10
leet_substitution | Numeric character substitutions | +10
brand_embedded | Target brand as prefix or suffix | +10
ct_issued | TLS certificate confirmed via CT logs | +5
LOW (0–29): Likely noise. Worth keeping but not worth chasing today.
MEDIUM (30–49): Worth a glance. Watch for state changes on the next run.
HIGH (50–69): Open the screenshot. Read the registrar record. Decide.
CRITICAL (70–100): File the takedown. SNARE has already drafted it.
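The published weights and tier bands can be applied as in the following added example, which is not SNARE's code. It assumes that the two edit-distance signals and the two registration-age signals are mutually exclusive, that the total is capped at 100, and that IDN labels arrive already decoded to Unicode; the function names and the leet character map are hypothetical.

```python
# Added example: weights and tier bands are the ones published above; how
# SNARE derives and combines signals is assumed, not taken from its source.
WEIGHTS = {
    "edit_distance_1": 40, "edit_distance_2": 25, "nrd_under_7d": 30,
    "nrd_under_30d": 20, "cyrillic_chars": 20, "high_risk_tld": 15,
    "mx_active": 15, "web_active": 10, "leet_substitution": 10,
    "brand_embedded": 10, "ct_issued": 5,
}
HIGH_RISK_TLDS = {"tk", "ml", "ga", "cf", "gq", "pw", "cc"}
TIERS = [(70, "CRITICAL"), (50, "HIGH"), (30, "MEDIUM"), (0, "LOW")]
LEET = str.maketrans("013457", "oleast")  # assumed digit-to-letter map

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def signals(domain, target, age_days=None, mx=False, web=False, ct=False):
    """Return the set of signal names that fire for one observed domain."""
    label, _, tld = domain.lower().rpartition(".")
    brand = target.lower().rpartition(".")[0]
    fired = set()
    dist = edit_distance(label, brand)
    if dist in (1, 2):
        fired.add(f"edit_distance_{dist}")
    if age_days is not None and age_days < 30:
        fired.add("nrd_under_7d" if age_days < 7 else "nrd_under_30d")
    if any("\u0400" <= ch <= "\u04ff" for ch in label):  # Cyrillic block
        fired.add("cyrillic_chars")
    if tld in HIGH_RISK_TLDS:
        fired.add("high_risk_tld")
    if label != brand and label.translate(LEET) == brand:
        fired.add("leet_substitution")
    if label != brand and (label.startswith(brand) or label.endswith(brand)):
        fired.add("brand_embedded")
    observed = (("mx_active", mx), ("web_active", web), ("ct_issued", ct))
    fired.update(name for name, on in observed if on)
    return fired

def score(fired):
    """Sum the fired weights, cap at 100, and map to the published tier."""
    total = min(100, sum(WEIGHTS[name] for name in fired))
    return total, next(tier for floor, tier in TIERS if total >= floor)
```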
WHAT YOU GET
The whole capability set. Nothing behind a paywall, nothing gated by tier.
SNARE is one application with one feature set. Every capability listed below is in the binary that ships.
F.01
Pattern filtering
Include and exclude rules using regex, keyword, edit-distance, or combosquat pattern. Suppress your own subdomains before they pollute the queue.
F.02
Delta detection
SQLite history flags new (domain, target) pairs on first sight. The second scan only alerts on what the first one didn't already know about.
F.03
Newly-registered domain scoring
Configurable lookback window. Domains registered inside the window get a scoring boost — and a flag in the takedown notice.
F.04
RDAP enrichment
Modern structured registration data via rdap.org with per-TLD routing. Falls back to python-whois for TLDs without RDAP support.
F.05
Abuse contact extraction
The registrar's actual abuse email — walked out of the RDAP entity tree, including the nested-under-registrar case that breaks most tools.
F.06
Headless screenshot capture
Optional Playwright integration captures the live squat as a PNG — HTTPS first, HTTP fallback, ignores cert errors. Evidence for the takedown packet.
F.07
Multi-channel alerting
SMTP, Slack incoming webhook, Microsoft Teams incoming webhook. Each channel testable independently from the configuration UI.
F.08
Takedown notice generation
Formal abuse report drafted against the registrar — evidence summary, infrastructure findings, NRD status, CT certificate confirmation. Ready to send.
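The nested-under-registrar case mentioned under F.05 looks like this in practice. The following added example (not SNARE's code) walks an RDAP entity tree recursively and reads the email out of the jCard `vcardArray`; the sample response, registrar name and addresses are constructed placeholders, and the function names are hypothetical.

```python
# Added example (not SNARE's code). SAMPLE is a constructed RDAP domain
# response; the registrar name and addresses are placeholders.
SAMPLE = {
    "objectClassName": "domain",
    "ldhName": "acm.example",
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "REDACTED"]]]},
        {"roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar"]]],
         "entities": [
             {"roles": ["abuse"],
              "vcardArray": ["vcard", [
                  ["version", {}, "text", "4.0"],
                  ["tel", {"type": "voice"}, "uri", "tel:+1.5555550100"],
                  ["email", {}, "text", "Abuse@Registrar.example"]]]}]},
    ],
}

def vcard_emails(entity):
    """Pull email values out of an entity's jCard (RFC 7095) vcardArray."""
    card = entity.get("vcardArray") or []
    props = card[1] if len(card) > 1 else []
    return [p[3] for p in props
            if len(p) >= 4 and p[0] == "email" and isinstance(p[3], str)]

def abuse_contacts(node, _parent_roles=()):
    """Depth-first walk; returns (email, role path from the root) pairs."""
    found = []
    for ent in node.get("entities", []):
        path = _parent_roles + tuple(ent.get("roles", []))
        if "abuse" in ent.get("roles", []):
            found += [(email.lower(), path) for email in vcard_emails(ent)]
        found += abuse_contacts(ent, path)  # abuse entity is often nested
    return found

def registrar_abuse_email(rdap):
    """Prefer an abuse contact under the registrar, else any abuse contact."""
    hits = abuse_contacts(rdap)
    nested = [email for email, path in hits if "registrar" in path]
    return (nested or [email for email, _ in hits] or [None])[0]
```

A lookup that inspects only the top-level `entities` array finds no abuse role in this sample, which is why the walk has to recurse.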