Datazag

Brand Protection

Detect brand impersonation and update the alert as evidence appears.

Datazag Brand Protection detects brand impersonation in stages: before DNS exists, when DNS and infrastructure appear, when a website becomes visible, and when the customer confirms or de-escalates the finding.

Datazag is not a takedown service. We provide staged alerts, the evidence pack, abuse contacts and incident updates so your organisation or authorised partner can manage blocking, abuse reporting, legal review, takedown requests and de-escalation.

Example incident

INC-1782384515-13ec9b

Brand impersonation detected before DNS. Polling active. The alert will update when DNS and website evidence appears.

Polling DNS + website
De-escalate any time

Incident contains

Status
Timeline
DGA / entropy
DNS score
Infra score
Screenshot
Abuse contacts
De-escalation

What gets delivered

Four alert updates from one brand-protection incident.

Brand protection is not a separate report. Datazag opens and updates an alert incident as the infrastructure matures, evidence appears and the customer confirms whether the finding is malicious, legitimate or irrelevant.

1

Pre-DNS alert

Trigger

Suspicious brand match, DGA-style pattern or high-entropy naming signal before DNS records exist.

Delivered

An early alert opens an incident with the observed domain, matched brand or watchlist, naming signals, classification and polling status.

Status: New / polling

2

DNS and infrastructure alert update

Trigger

DNS records appear after polling, or DNS changes expose hosting, mail, nameserver, IP, ASN or provider context.

Delivered

The incident is rescored using DNS and infrastructure context to rule the finding in or out, update severity and attach reason codes.

Status: Monitoring / investigating / block notice

3

Website and evidence-pack alert update

Trigger

A website appears, redirects activate or page content becomes available for capture and review.

Delivered

The alert is updated with screenshot evidence, computer-vision page analysis, brand-logo checks and T&Cs or privacy-policy capture where present.

Status: Evidence pack

4

Customer de-escalation update

Trigger

The customer recognises the finding as legitimate, authorised, duplicate, irrelevant or known-good.

Delivered

The incident can be de-escalated at any point. The reason is retained so partner sites and approved campaigns reduce future noise.

Status: De-escalated

Service boundary

Detection and evidence, not outsourced takedown.

Datazag identifies brand impersonation, maintains the incident record and supplies the evidence pack and abuse contacts. The organisation or its authorised partner remains in control of provider contact, legal decisions, takedown requests and customer communications.

Datazag provides

Detection, staged alerts, polling, incident updates, reason codes, evidence pack, abuse contacts and lifecycle updates.

Customer manages

Blocking decisions, abuse desk contact, registrar/provider requests, legal review, takedown requests and customer communication.

Partners can package

MSSPs, ESPs and agencies can use Datazag alerts and evidence inside their own managed response or customer-facing service model.

Incident anatomy

What each alert incident can contain.

The exact evidence depends on the maturity of the finding. A pre-DNS incident may contain naming evidence only; a mature incident may contain DNS, infrastructure, website, logo and policy-page evidence.

Incident ID

A persistent identifier for the finding, evidence and status history.

Classification

Brand impersonation, platform impersonation, keyword or related-infrastructure incident class.

Current status

New, polling, monitoring, investigating, evidence pack, action requested, resolved or de-escalated.

Customer / brand

The protected brand, subsidiary, client, product, executive, supplier or platform context.

Observed asset

Domain, subdomain, IP, certificate, hosting provider, ASN and related infrastructure where available.

Reason codes

The signals that explain why the incident escalated, including naming, DNS, infrastructure, website and visual evidence.

Evidence

DNS, certificate, hosting, website, screenshot, brand-logo check, redirect, abuse-contact and relationship context.

Recommended action

Monitor, investigate, block, prepare evidence, use supplied abuse contacts, or de-escalate if legitimate.

De-escalation

The customer can de-escalate at any point.

The de-escalate button is important. It lets the customer mark legitimate partner sites, approved campaigns and known-good infrastructure before or after DNS, website and evidence updates appear.

Incident control

De-escalate legitimate site

When a finding is an authorised partner, campaign or supplier site, the customer can de-escalate it instead of treating it as malicious. The reason is retained in the incident history and can reduce future noise.

Legitimate partner site

A supplier, agency, reseller, franchisee or fulfilment partner is authorised to use the brand or campaign domain.

Approved campaign

The domain is part of an approved marketing, support, onboarding, payment or customer-success workflow.

Known-good infrastructure

The asset belongs to the organisation, a trusted provider or a previously approved platform footprint.

Duplicate or irrelevant

The finding duplicates an existing incident or matches a term that is not relevant to the protected brand.

Alert deliverables

Four outputs from one alert workflow.

The same underlying detection can produce an operational incident, an evidence pack, lifecycle updates and a de-escalation trail.

Incident record

A structured alert record with current status, protected entity, observed asset, severity, classification, reason codes and next action.

StatusSeverityReason codesNext action

Evidence pack

A response-ready bundle of DNS, certificate, hosting, website, screenshot, logo-check, abuse-contact and relationship evidence where available.

DNSCertificateScreenshotAbuse contacts

Lifecycle updates

Alert updates when DNS records appear, infrastructure activates, content appears, provider context changes or related assets are found.

DNSInfrastructureContentResolved

De-escalation control

A clear route to mark legitimate partner sites, authorised campaigns, duplicates or known-good infrastructure so future noise is reduced.

LegitimatePartner siteKnown-goodSuppress

Incident states

Status makes the alert journey understandable.

A customer should be able to tell whether an incident is pre-DNS, being polled, ready for action, under review, resolved or de-escalated as legitimate.

New

First detected before or after DNS exists and awaiting routing or review.

Polling

No DNS records or no website yet. Datazag keeps checking for DNS, hosting, website and content changes.

Monitoring

Low-confidence or early-stage infrastructure being watched for activation, DNS, hosting or content changes.

Investigating

Analyst, customer or partner review is needed before action.

Block notice

High-confidence infrastructure is suitable for block-list, SIEM, SOAR or customer-warning workflows.

Evidence pack

Evidence and abuse contacts are being packaged so the organisation can manage its own provider, registrar or legal response.

Action requested

The customer, authorised partner, abuse desk, registrar or provider has been asked to take action by the organisation managing the case.

Resolved

The infrastructure is no longer active, has been remediated or has reached the agreed closure condition.

De-escalated

The finding is accepted as a legitimate partner site, known-good campaign, irrelevant match, duplicate or below action threshold.

Delivery routes

Send alerts where the response happens.

Brand protection can be consumed as portal alerts, webhook/API events, evidence-pack exports or partner-branded alert services.

Portal alerts

A live incident list with status, evidence, timeline, de-escalation controls and customer-specific context.

Webhook / API alerts

Structured alert events and incident updates for customer portals, ticketing, SIEM, SOAR and partner platforms.

Evidence pack export

A shareable bundle of evidence and abuse contacts for the organisation to use in provider, registrar, legal or internal response.

Partner-branded alert service

MSSPs, ESPs and agencies can package staged alerts, evidence updates and de-escalation workflows under their own customer experience.

Use cases

Designed for teams that need response, not just discovery.

The incident model makes brand protection alerts useful for internal teams, MSSPs, ESPs, agencies and portfolio owners.

Corporate brand protection

Track protected brands, products, executives, subsidiaries and customer-facing domains as updateable alert incidents.

MSSP managed service

Deliver client-facing staged alerts, evidence packs, abuse-contact support and response coordination as a recurring service.

ESP customer protection

Offer customers brand and platform impersonation alerting as a premium trust and deliverability service.

Portfolio and M&A review

Monitor brand, domain and supplier exposure across subsidiaries, acquired assets, parked domains and legacy properties.

Next step

Define the alert workflow around your brand estate.

Start with the brands, domains, platforms and suppliers you want monitored, then define which alert states, evidence packs, de-escalation rules and delivery routes fit your response model.