How to protect your brand with domain monitoring

Learn how to get automatic alerts when someone registers a domain similar to your brand name. Real-time RDAP monitoring explained.

Monitoring new domain registrations for names similar to your brand is possible today through automated tools, and it takes minutes to set up. The problem is simple but serious: a competitor or malicious actor can register acme-shop.com, acme.co, or acmeshop.net in under five minutes. Without an alert system, you might discover it weeks or months later, by which point the damage is done. This article covers which domains to watch, how alerts work technically, and what to do when one fires.

Why manual checks fall short

A brand in 2026 realistically needs to watch dozens of domain combinations: multiple TLDs, common typos, hyphenated versions, prefixes like "get" or "try", and homoglyph variants. Running a daily WHOIS lookup on each of these by hand is not practical at any scale.

Beyond the workload problem, traditional WHOIS is increasingly useless as a data source.

The limits of classic WHOIS

Since GDPR came into effect, most registrars mask registrant data behind privacy proxy services. A WHOIS lookup on a freshly registered .com today returns something like:

Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Whois Privacy Service
Registrant Email: contact@privacyprotect.org

The registration date is there, but identifying whether the registrant is a threat or a coincidence requires more context. You also cannot query WHOIS in bulk without hitting rate limits and IP bans.

What RDAP brings instead

RDAP (Registration Data Access Protocol, defined in RFC 7480 and 7483) is the modern replacement for WHOIS. It returns structured JSON that machines can parse reliably, includes event timestamps (registration, expiration, last changed), and exposes the registrar's name in a consistent format. A typical RDAP response looks like this:

{
  "objectClassName": "domain",
  "handle": "2138514_DOMAIN_COM-VRSN",
  "ldhName": "acme-shop.com",
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "2026-07-15T08:23:11Z"
    },
    {
      "eventAction": "expiration",
      "eventDate": "2027-07-15T08:23:11Z"
    }
  ],
  "entities": [
    {
      "roles": ["registrar"],
      "vcardArray": ["vcard", [["fn", {}, "text", "NameCheap, Inc."]]]
    }
  ]
}

This is queryable programmatically, parseable without custom parsers per registrar, and far more automation-friendly than WHOIS.

Which domains to monitor for your brand

The scope of what to watch can be broken into four categories:

Typosquatting variants are domains formed by common keyboard errors: one letter inserted, removed, substituted, or transposed. If your brand is "Acme", watch acmme.com, acne.com, acmee.com, amce.com.

Alternative TLDs are the same second-level domain under a different extension: acme.net, acme.co, acme.io, acme.app. The .co extension deserves particular attention because it is visually close to .com and has been used in high-profile phishing campaigns.

Prefix and suffix patterns are the most dangerous in practice because they can deceive even careful users: getacme.com, acme-app.com, tryacme.com, acme-login.com, acme-official.com.

Homoglyphs use Unicode characters that look identical to standard ASCII letters. The Cyrillic "а" (U+0430) is visually indistinguishable from the Latin "a" (U+0061) in most fonts.

Prioritizing TLDs by risk level

| TLD | Risk level | Reason |
|---|---|---|
| .com | Critical | Default assumption; 70%+ of direct type-in traffic |
| .co | High | Visually close to .com; used in phishing campaigns |
| .net | Medium | Broadly recognized; occasional brand confusion |
| .io | Medium | Standard in tech; confusion with .com growing |
| .app | Medium | Common for mobile and SaaS products |
| .xyz, .top, .tk | Lower | Frequent in phishing but less likely to deceive |

ccTLDs for your primary markets (.fr, .de, .co.uk) should also be included if you operate regionally.
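As an added illustration (not Domain Sentinel's code), the sketch below expands one brand label into a watchlist covering the four categories above. The affix lists, the homoglyph map, and the assumption that the brand's own domain is under .com are choices made for this example.

```python
import string

TLDS = ["co", "net", "io", "app"]   # alternative TLDs from this page's risk table
PREFIXES, SUFFIXES = ["get", "try"], ["-app", "-login", "-official", "-shop"]
HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e"}  # Latin -> Cyrillic

def typo_variants(name):
    """All labels one keyboard slip away: insert, substitute, delete, transpose."""
    out = set()
    for i in range(len(name) + 1):
        for ch in string.ascii_lowercase:
            out.add(name[:i] + ch + name[i:])                 # insertion
            if i < len(name):
                out.add(name[:i] + ch + name[i + 1:])         # substitution
        if i < len(name):
            out.add(name[:i] + name[i + 1:])                  # deletion
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    return out - {name, ""}

def homoglyph_variants(name):
    """Swap one Latin letter for its Cyrillic look-alike and return the
    punycode (xn--) form, the ASCII form that RDAP's ldhName carries."""
    out = set()
    for i, ch in enumerate(name):
        if ch in HOMOGLYPHS:
            mixed = name[:i] + HOMOGLYPHS[ch] + name[i + 1:]
            out.add(mixed.encode("idna").decode("ascii"))
    return out

def build_watchlist(brand, home_tld="com"):
    """Map every candidate domain to the category that produced it."""
    watch = {f"{brand}.{tld}": "alt-tld" for tld in TLDS}
    for label in typo_variants(brand):
        watch.setdefault(f"{label}.{home_tld}", "typo")
    for p in PREFIXES:
        watch.setdefault(f"{p}{brand}.{home_tld}", "affix")
    for s in SUFFIXES:
        watch.setdefault(f"{brand}{s}.{home_tld}", "affix")
    for label in homoglyph_variants(brand):
        watch.setdefault(f"{label}.{home_tld}", "homoglyph")
    return watch
```

Storing the category next to each candidate lets a later alert say why the domain was on the list, which speeds up triage.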

How new-registration alerts work

The alert pipeline in Domain Sentinel has four steps:

  1. A new domain matching a watched pattern appears in an RDAP registry endpoint.
  2. Domain Sentinel queries that endpoint on a regular schedule.
  3. The new registration is compared against your watchlist patterns.
  4. An alert is sent through your configured channel (email or webhook).

RDAP endpoints are publicly available for all major registries. The ICANN RDAP lookup service at rdap.org aggregates most gTLDs and delegates to the appropriate registry for ccTLDs.

What a useful alert contains

A high-quality alert includes: the detected domain name, the registration date, the registrar, a similarity score indicating how close the new domain is to your brand name, and a direct link to the full RDAP record. An alert that just says "acmme.com was registered" forces you to go look up the details manually. The similarity score and registrar data are what let you triage in seconds.
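To make the alert fields concrete, this added example (not Domain Sentinel's code) parses the RDAP response shown earlier and assembles the fields listed above. The scoring rule and the `https://rdap.org/domain/<name>` link form are assumptions of this sketch.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the RDAP response shown earlier on this page, trimmed.
SAMPLE_RDAP = json.loads("""
{"objectClassName": "domain", "ldhName": "acme-shop.com",
 "events": [{"eventAction": "registration", "eventDate": "2026-07-15T08:23:11Z"},
            {"eventAction": "expiration", "eventDate": "2027-07-15T08:23:11Z"}],
 "entities": [{"roles": ["registrar"],
               "vcardArray": ["vcard", [["fn", {}, "text", "NameCheap, Inc."]]]}]}
""")

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(brand, domain):
    """Hypothetical score in [0, 1]: 1.0 if the brand appears intact in the
    first label, otherwise 1 minus the normalized edit distance."""
    label = domain.lower().split(".")[0]
    if brand in label:
        return 1.0
    return round(1 - levenshtein(brand, label) / max(len(brand), len(label)), 2)

def parse_rdap(record):
    """Pull the fields an alert needs out of an RDAP domain object."""
    events = {e.get("eventAction"): e.get("eventDate") for e in record.get("events", [])}
    registrar = None
    for entity in record.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in (entity.get("vcardArray") or [None, []])[1]:
                if prop[0] == "fn":      # jCard property: [name, params, type, value]
                    registrar = prop[3]
    return {"domain": record["ldhName"].lower(),
            "registered": events.get("registration"), "registrar": registrar}

def build_alert(record, brand, now):
    """Combine RDAP fields, score and record link into one triage-ready alert."""
    alert = parse_rdap(record)
    alert["similarity"] = similarity(brand, alert["domain"])
    alert["rdap_link"] = "https://rdap.org/domain/" + alert["domain"]  # assumed URL form
    alert["age_hours"] = None
    if alert["registered"]:  # a registry may omit the event; keep the alert usable
        reg = datetime.fromisoformat(alert["registered"].replace("Z", "+00:00"))
        alert["age_hours"] = round((now - reg).total_seconds() / 3600, 1)
    return alert
```

Plain edit distance counts a transposition such as amce as two edits, so it scores lower than a single substitution like acne. A production scorer may weight transpositions and homoglyphs separately.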

Setting up monitoring with Domain Sentinel

The setup process is straightforward:

  1. Add your brand name or primary domain to a watchlist in Domain Sentinel.
  2. Configure the patterns you want to monitor: typo variants, TLD alternatives, homoglyphs, and structural patterns (prefixes/suffixes).
  3. Choose your alert channel: email works for most teams; webhook integrations work if you want alerts in Slack or PagerDuty.
  4. Review the first batch of results. Some detections will be irrelevant (a legitimate business with a similar name in an unrelated sector). Mark these as "harmless" to clean up future alert noise.

The dashboard keeps a full history of detections, so you can track whether a suspicious domain has become more active over time.

What to do when an alert fires

Not every detected domain is a threat. Triage into three categories:

Harmless registration: a business in an unrelated sector with a similar name, or a personal site. Archive the alert and move on.

Probable cybersquatting: the domain is inactive or redirecting to a competitor, and the registrant appears to hold other brand-similar domains. Document everything now: RDAP data, registration date, your trademark records. Consider contacting the registrar and, if the pattern is clear, initiating a UDRP procedure.

Active phishing: the domain hosts a page that imitates your brand to harvest credentials or payments. Report immediately to the registrar's abuse contact (available in RDAP data), submit the URL to Google Safe Browsing (safebrowsing.google.com/safebrowsing/report_phish) and Microsoft SmartScreen, and notify your users if you have reason to believe they have already been targeted.


Configuring a watchlist takes under five minutes in Domain Sentinel. Reactive monitoring does not replace defensive registration of your most critical variants, but no one can register every possible variant in advance. The difference between being alerted in three hours versus three months is the difference between a manageable incident and a reputational crisis.
