Brand Protection
Datazag Brand Protection detects brand impersonation in stages: before DNS exists, when DNS and infrastructure appear, when a website becomes visible, and when the customer confirms or de-escalates the finding.
Datazag is not a takedown service. We provide staged alerts, the evidence pack, abuse contacts and incident updates so your organisation or authorised partner can manage blocking, abuse reporting, legal review, takedown requests and de-escalation.
Example incident
Brand impersonation detected before DNS. Polling active. The alert will update when DNS and website evidence appears.
Incident contains
What gets delivered
Brand protection is not a separate report. Datazag opens and updates an alert incident as the infrastructure matures, evidence appears and the customer confirms whether the finding is malicious, legitimate or irrelevant.
Trigger
Suspicious brand match, DGA-style pattern or high-entropy naming signal before DNS records exist.
Delivered
An early alert opens an incident with the observed domain, matched brand or watchlist, naming signals, classification and polling status.
Status: New / polling
Trigger
DNS records appear after polling, or DNS changes expose hosting, mail, nameserver, IP, ASN or provider context.
Delivered
The incident is rescored using DNS and infrastructure context to rule the finding in or out, update severity and attach reason codes.
Status: Monitoring / investigating / block notice
Trigger
A website appears, redirects activate or page content becomes available for capture and review.
Delivered
The alert is updated with screenshot evidence, computer-vision page analysis, brand-logo checks and T&Cs or privacy-policy capture where present.
Status: Evidence pack
Trigger
The customer recognises the finding as legitimate, authorised, duplicate, irrelevant or known-good.
Delivered
The incident can be de-escalated at any point. The reason is retained so partner sites and approved campaigns reduce future noise.
Status: De-escalated
Service boundary
Datazag identifies brand impersonation, maintains the incident record and supplies the evidence pack and abuse contacts. The organisation or its authorised partner remains in control of provider contact, legal decisions, takedown requests and customer communications.
Detection, staged alerts, polling, incident updates, reason codes, evidence pack, abuse contacts and lifecycle updates.
Blocking decisions, abuse desk contact, registrar/provider requests, legal review, takedown requests and customer communication.
MSSPs, ESPs and agencies can use Datazag alerts and evidence inside their own managed response or customer-facing service model.
Incident anatomy
The exact evidence depends on the maturity of the finding. A pre-DNS incident may contain naming evidence only; a mature incident may contain DNS, infrastructure, website, logo and policy-page evidence.
A persistent identifier for the finding, evidence and status history.
Brand impersonation, platform impersonation, keyword or related-infrastructure incident class.
New, polling, monitoring, investigating, evidence pack, action requested, resolved or de-escalated.
The protected brand, subsidiary, client, product, executive, supplier or platform context.
Domain, subdomain, IP, certificate, hosting provider, ASN and related infrastructure where available.
The signals that explain why the incident escalated, including naming, DNS, infrastructure, website and visual evidence.
DNS, certificate, hosting, website, screenshot, brand-logo check, redirect, abuse-contact and relationship context.
Monitor, investigate, block, prepare evidence, use supplied abuse contacts, or de-escalate if legitimate.
De-escalation
The de-escalate button is important. It lets the customer mark legitimate partner sites, approved campaigns and known-good infrastructure before or after DNS, website and evidence updates appear.
Incident control
When a finding is an authorised partner, campaign or supplier site, the customer can de-escalate it instead of treating it as malicious. The reason is retained in the incident history and can reduce future noise.
A supplier, agency, reseller, franchisee or fulfilment partner is authorised to use the brand or campaign domain.
The domain is part of an approved marketing, support, onboarding, payment or customer-success workflow.
The asset belongs to the organisation, a trusted provider or a previously approved platform footprint.
The finding duplicates an existing incident or matches a term that is not relevant to the protected brand.
Alert deliverables
The same underlying detection can produce an operational incident, an evidence pack, lifecycle updates and a de-escalation trail.
A structured alert record with current status, protected entity, observed asset, severity, classification, reason codes and next action.
A response-ready bundle of DNS, certificate, hosting, website, screenshot, logo-check, abuse-contact and relationship evidence where available.
Alert updates when DNS records appear, infrastructure activates, content appears, provider context changes or related assets are found.
A clear route to mark legitimate partner sites, authorised campaigns, duplicates or known-good infrastructure so future noise is reduced.
Incident states
A customer should be able to tell whether an incident is pre-DNS, being polled, ready for action, under review, resolved or de-escalated as legitimate.
First detected before or after DNS exists and awaiting routing or review.
No DNS records or no website yet. Datazag keeps checking for DNS, hosting, website and content changes.
Low-confidence or early-stage infrastructure being watched for activation, DNS, hosting or content changes.
Analyst, customer or partner review is needed before action.
High-confidence infrastructure is suitable for block-list, SIEM, SOAR or customer-warning workflows.
Evidence and abuse contacts are being packaged so the organisation can manage its own provider, registrar or legal response.
The customer, authorised partner, abuse desk, registrar or provider has been asked to take action by the organisation managing the case.
The infrastructure is no longer active, has been remediated or has reached the agreed closure condition.
The finding is accepted as a legitimate partner site, known-good campaign, irrelevant match, duplicate or below action threshold.
Delivery routes
Brand protection can be consumed as portal alerts, webhook/API events, evidence-pack exports or partner-branded alert services.
A live incident list with status, evidence, timeline, de-escalation controls and customer-specific context.
Structured alert events and incident updates for customer portals, ticketing, SIEM, SOAR and partner platforms.
A shareable bundle of evidence and abuse contacts for the organisation to use in provider, registrar, legal or internal response.
MSSPs, ESPs and agencies can package staged alerts, evidence updates and de-escalation workflows under their own customer experience.
Use cases
The incident model makes brand protection alerts useful for internal teams, MSSPs, ESPs, agencies and portfolio owners.
Track protected brands, products, executives, subsidiaries and customer-facing domains as updateable alert incidents.
Deliver client-facing staged alerts, evidence packs, abuse-contact support and response coordination as a recurring service.
Offer customers brand and platform impersonation alerting as a premium trust and deliverability service.
Monitor brand, domain and supplier exposure across subsidiaries, acquired assets, parked domains and legacy properties.
Next step
Start with the brands, domains, platforms and suppliers you want monitored, then define which alert states, evidence packs, de-escalation rules and delivery routes fit your response model.