CONTINUOUS INTERNET TELEMETRY24H DRIFT1,955 material changesacross 1,762 domains · -123 vs yesterdayDNS DRIFT16 domains changed DNS providertop destination alidns.com · +1 vs yesterdayEMAIL DRIFT8 domains switched email providertop destination google.comCERT DRIFT46 domains switched issuing CA24hNOW1,820 curated domains not answering+694 vs yesterdayERRORS13,006 responded with an errorlast probe · 5xx / 404 / TLSTHROTTLED35,004 throttled or blocked our scanner429 rate-limit / 403 bot-block24H DRIFT1,955 material changesacross 1,762 domains · -123 vs yesterdayDNS DRIFT16 domains changed DNS providertop destination alidns.com · +1 vs yesterdayEMAIL DRIFT8 domains switched email providertop destination google.comCERT DRIFT46 domains switched issuing CA24hNOW1,820 curated domains not answering+694 vs yesterdayERRORS13,006 responded with an errorlast probe · 5xx / 404 / TLSTHROTTLED35,004 throttled or blocked our scanner429 rate-limit / 403 bot-block

DomainDrift for security teams

Watched domains land as evidence, not screenshots.

The watchlist is yours: the estate, the brands, the lookalike candidates your tooling generates. The job is that when any of them drifts, it lands with a timestamp and a signature, routed where your team works, instead of a screenshot pasted in a ticket.

A DNS change detection alert tool the SOC can route

Subscribe a webhook to a domain or a whole group and every material change arrives as signed JSON: the plane, the value before, the value after, when it was observed. Set the significance floor per subscription so noise never pages the on-call.

Typosquat domain monitoring: bring your candidate list

DomainDrift watches the list you bring. Generate lookalike candidates with your own tooling, paste the output into a group, and from that moment each candidate is under continuous watch. When one starts resolving, gains mail records, or changes registration, that is a signed drift event. DomainDrift does not generate the candidates; it is the watch that makes your list mean something.

Per-plane signed events

DNS, registration, certificates, reachability: each plane is observed and signed separately, and receipts chain scan to scan. When an event matters, the evidence is already in the shape an incident writeup needs: what was observed, when, under which published key.

Re-check from your own browser

On any domain page the probe panel reruns the checks client side: your resolver over DNS over HTTPS, the registry over RDAP, your own route to the host. Corroborate the signed record from a second vantage point before you act on it, and verify any receipt at /verify.

Check the record yourself

Every observation is Ed25519 signed the moment it is made and chained to the previous scan, against published keys. The verifier checks any receipt in your browser, and on any domain page the probe panel reruns the live checks from your own network: your resolver, the registry, your own route to the site. A signature proves who observed something and that the record has not been altered since. DomainDrift puts its name on every observation, permanently.

Start free

A free account puts 5 of your own domains under watch in a group, with signed webhook alerts on change and the complete signed record open. Paid plans raise the dials; pricing is on its own page.

Watching something we have not built for yet? Tell us what you would watch.