D3 All features
Risk, Reputation & Brand Monitoring

Know who is targeting your brand
before they cause damage

D3 combines active typosquatting detection in domain scans with continuous brand monitoring via ICANN zone files — and cross-references every finding against global reputation and blocklist feeds.

Typosquatting Detection

Every D3 scan generates all plausible lookalike domain variants using 12 mutation techniques, DNS-verifies each one, and cross-references registered variants against WHOIS data to distinguish defensive registrations (same owner) from external threats.

The 12 mutation techniques

Character omissiondroping.com

One character removed from the SLD.

Character transpositiondmoain.com

Two adjacent characters swapped.

Character substitutiond0main.com

ASCII homoglyphs: o→0, i→1, s→5.

Character insertiondomaain.com

Extra character inserted at any position.

Double characterdoomaan.com

Any character repeated consecutively.

Adjacent key typosxomain.com

QWERTY keyboard neighbour substituted.

Hyphenationdo-main.com

Hyphen inserted at any position.

TLD variationdomain.net

Same SLD, different TLD.

Combosquattingdomain-login.com

Brand name combined with common keywords.

IDN/Unicode homoglyphsdοmain.com

Cyrillic or Greek lookalike characters (xn-- Punycode). Visually identical — highest phishing risk.

RN/M confusionrnodern.com

The character pair 'rn' is visually identical to 'm' in many fonts.

Vowel swapdamain.com

Each vowel replaced with every other vowel.

Risk scoring per variant

Critical

IDN/Unicode homoglyph — visually indistinguishable from the original. Active website or MX records present.

High

Homoglyph or substitution variant. Domain actively resolves — likely in use for phishing or BEC.

Medium

Registered variant with DNS activity. Adjacent key, transposition or omission technique.

Low

Registered but no active DNS. Likely defensively registered or parked.

WHOIS owner comparison: For every registered variant, D3 queries RDAP to compare nameservers, registrant organisation and registrar against the original domain. Variants with the same owner are marked as defensively registered — reducing false positives and focusing attention on genuine threats.

Brand Monitoring

Typosquatting detection runs when you trigger a scan. Brand Monitoring runs continuously — processing ICANN zone files overnight so you are alerted the moment a new lookalike domain is registered, before the attacker can activate it.

1
Brand fingerprinting
You define a brand keyword (e.g. your company name or product). D3 generates all plausible domain variants using the same 12 mutation techniques used in typosquatting scans.
2
Daily zone-file processing
D3 connects to ICANN's Centralized Zone Data Service (CZDS) and processes zone files for hundreds of gTLDs overnight. Every newly registered domain across .com, .net, .org and hundreds of others is checked against your keywords.
3
Mutation matching
Incoming zone-file domains are matched against your brand keyword variants. Exact matches, substitution variants and homoglyph variants are all caught.
4
DNS enrichment
Every match is DNS-resolved to check whether the domain is actively used — A/AAAA records (live website), MX records (email-capable, higher BEC risk), NS records (delegated).
5
Risk classification & alerting
Matches are risk-scored and you receive an alert. High-risk matches (active website, MX records, IDN homoglyphs) are flagged separately from passive registrations.

Coverage note: Brand Monitoring via CZDS covers gTLDs that participate in ICANN's zone file access programme (.com, .net, .org and hundreds of others). ccTLDs (.nl, .de, .be etc.) are not covered by CZDS. Real-time domain scan detection covers all 1081 TLDs.

Reputation & Blocklist Checks

Every D3 scan checks the domain and its resolved IP addresses against four authoritative threat intelligence feeds. A listed domain or IP is a strong indicator of phishing, spam infrastructure or malware distribution — relevant both for evaluating a target domain and for verifying the reputation of your own.

Spamhaus SBL

Spamhaus Block List — IP addresses that have sent spam or are under the control of spam operators.

Spamhaus XBL

Exploits Block List — IP addresses of hijacked PCs, proxy servers and third-party exploits.

Spamhaus DBL

Domain Block List — domains found in spam messages, operated by spammers or listed for other policy reasons.

Google Web Risk

Google's threat intelligence feed for phishing pages, malware distribution sites and unwanted software.

Run a scan on your brand now

Free account. 3 trial credits. No credit card required.

Create free account All features
Products
ValuationDue DiligenceSecurity AuditAvailability/defensePricing
Features
Features overviewRisk, Reputation & Brand MonitoringTechnical & Security AnalysisAudit-grade Reporting
Developers
API & MCP DocumentationAPI Reference (PDF)MCP Integration GuideOpenAPI Spec (JSON)
Company
About D3Data SourcesD3 Certified ReportContactPress informationPrivacy PolicyTerms & Conditions
© 2026 Veniatis · D3 Domain Due DiligenceSiriusstraat 4, 7622 VZ Borne · The NetherlandsAudit-ready. Evidence-based. Exportable.Built by AgenticDevelopment