Know When Attackers Target Your Brand
Every phishing site, every lookalike domain, every brand impersonation attempt requires an SSL certificate. CertStreamPRO monitors every Certificate Transparency log in real time — alerting your team the moment a threat is registered.
No contract. Cancel monthly subscriptions anytime. 31-day access also available.
- 5M+ certificates monitored daily
- 40+ CT logs tracked
- <5s average detection latency
- 99.9% service uptime
The Threat Landscape
Attackers register lookalike domains every day. Are you watching?
Phishing campaigns don't start when the first malicious email is sent — they start when the attacker registers a domain and obtains an SSL certificate. That certificate must be publicly logged under the Certificate Transparency standard enforced by all major browsers.
This creates a unique, real-time window of opportunity. By monitoring CT logs as they are written, your team can detect a threat in its preparation phase — before any emails are sent, before any customers are targeted.
CertStreamPRO aggregates every public CT log and delivers the data to you via a simple WebSocket stream — ready to feed into your SIEM, SOAR, or custom tooling.
Phishing sites go live in minutes
Once a certificate is issued, attackers can deploy a convincing site within hours — long before traditional threat feeds detect it.
Brand impersonation is rising
Typosquatting, homograph attacks, and subdomain abuse are increasingly common. Every variant of your domain is a potential attack vector.
CT logs are public — you should be reading them
All SSL certificates are publicly logged by law. CertStreamPRO turns this open-standard data into an actionable threat intelligence feed.
Use Cases
How security teams use CertStreamPRO
From SOC analysts to threat intelligence teams, our feed powers detection across the security stack.
Phishing Detection
Monitor for domains impersonating your brand the moment a certificate is issued — hours before phishing campaigns launch. Filter by keyword, fuzzy match, or exact domain pattern to surface only relevant threats.
Attack Surface Management
Continuously discover new subdomains and services being deployed across your organisation. Identify shadow IT, forgotten assets, and new infrastructure before attackers do. Every new certificate is a signal.
Threat Intelligence Enrichment
Feed real-time certificate data directly into your SIEM, SOAR, or threat intelligence platform. Correlate newly issued certificates with known malicious infrastructure, C2 patterns, and indicators of compromise.
Brand Protection
Protect your customers and your reputation by detecting impersonation attempts before they do damage. Alert your legal or takedown team the moment a fraudulent domain is registered, giving you maximum time to respond.
How It Works
Up and running in minutes
No infrastructure to manage. No complex setup. A single WebSocket connection delivers the data you need.
Subscribe to a Plan
Choose the data tier that fits your use case. Monthly or 31-day access. Your API key is provisioned instantly.
Connect via WebSocket
Open a persistent connection to our stream endpoint. Pass your API key in the X-API-Key header. Works with any language.
Build Your Detection Logic
Filter by keyword, domain pattern, or issuer. Route alerts to Slack, your SIEM, or a takedown workflow. The data is yours to use.
import json
import websocket  # provided by the websocket-client package

# Detect phishing domains targeting your brand
WATCH = ["yourcompany", "your-company", "yourcompany-login"]

def alert(text):
    # Placeholder sink: replace with Slack, your SIEM, or a takedown workflow
    print(text)

def on_message(ws, message):
    data = json.loads(message)
    # "data" holds the SAN domain names from a single certificate
    for domain in data.get("data", []):
        if any(kw in domain.lower() for kw in WATCH):
            alert(f"⚠ Suspicious domain: {domain}")

websocket.WebSocketApp(
    "wss://certstream.jssecurityinsights.co.uk/domains-only",
    header={"X-API-Key": "your-key"},
    on_message=on_message,
).run_forever()
Live Data
See exactly what you receive
Each WebSocket message is a JSON object. Choose your tier based on how much certificate detail your tooling needs.
Lowest bandwidth. Each message contains the domain names from a single certificate's SAN field — ideal for keyword matching at scale.
{
  "data": [
    "bluweea.shopforje.com",
    "www.bluweea.shopforje.com"
  ],
  "message_type": "dns_entries"
}
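An added example (not CertStreamPRO's own code) that takes the keyword filter one step further, covering the fuzzy-match and homograph cases mentioned under Phishing Detection, and runs offline over `dns_entries` messages in the format shown above. The brand label, owned-domain list, 0.85 similarity threshold, confusables map and every `.example` domain are constructed assumptions.

```python
import json
import unicodedata
from difflib import SequenceMatcher

BRAND = "yourcompany"          # assumption: the brand label to protect
OWNED = ("yourcompany.com",)   # assumption: domains you legitimately control
# Small constructed confusables map (Cyrillic letters, then digits); not exhaustive.
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u04450135", "aeopcyxoles")

def skeleton(label):
    """Decode a punycode label, then fold lookalike characters to plain ASCII."""
    if label.startswith("xn--"):
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except ValueError:     # malformed punycode: compare the raw label instead
            pass
    folded = unicodedata.normalize("NFKD", label.translate(CONFUSABLES))
    return "".join(c for c in folded if not unicodedata.combining(c))

def classify(domain):
    """Return 'keyword', 'lookalike', 'fuzzy' or None for one SAN entry."""
    name = domain.lower().rstrip(".").lstrip("*.")   # drop wildcard prefix and root dot
    if any(name == o or name.endswith("." + o) for o in OWNED):
        return None                                  # our own certificate
    for label in name.split("."):
        if BRAND in label:
            return "keyword"
        skel = skeleton(label)
        if BRAND in skel:
            return "lookalike"                       # matches only after folding
        if SequenceMatcher(None, BRAND, skel).ratio() >= 0.85:
            return "fuzzy"                           # typo-style near miss
    return None

def triage(message):
    """Map each suspicious domain in one dns_entries message to the reason it matched."""
    msg = json.loads(message)
    if msg.get("message_type") != "dns_entries":
        return {}
    hits = {d: classify(d) for d in msg.get("data", [])}
    return {d: why for d, why in hits.items() if why}

# First message is the page's sample; the second is constructed for illustration.
IDN = "xn--" + "yourc\u043empany".encode("punycode").decode("ascii") + ".example"
SAMPLES = [json.dumps({"message_type": "dns_entries", "data": d}) for d in (
    ["bluweea.shopforje.com", "www.bluweea.shopforje.com"],
    ["login.yourcompany.com", "yourcompany-login.example",
     "y0urcompany.example", "yourcompnay.example", IDN],
)]
```

Calling `triage()` on each entry of `SAMPLES` returns an empty dict for the page's sample and four reasoned hits for the constructed one; the owned `login.yourcompany.com` is suppressed.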
Pricing
Billed monthly. Cancel anytime.
Domains Only
Domain names from every new certificate. Ideal for brand monitoring and phishing detection at scale.
- All SAN domains from every certificate
- Real-time WebSocket delivery
- Lowest bandwidth — easiest to process
- Certificate details (not included)
- Certificate chain (not included)
Lite Feed
Full leaf certificate details including issuer, fingerprints, and validity dates. No chain data.
- All SAN domains from every certificate
- Real-time WebSocket delivery
- Issuer, fingerprints, validity dates
- Subject & issuer metadata
- Full certificate chain (not included)
Full Feed
Complete certificate data including the full chain. For deep forensic analysis and advanced threat correlation.
- All SAN domains from every certificate
- Real-time WebSocket delivery
- Issuer, fingerprints, validity dates
- Subject & issuer metadata
- Full certificate chain (DER encoded)
All prices in GBP. Stripe handles local currency conversion at checkout.
Start protecting your organisation today
Connect to the stream in minutes. Your API key is provisioned the moment your payment is confirmed.