Brand Protection Snapshot Report
Redacted preview of a Brand Protection Snapshot we deliver within 48 business hours of brand submission. Identifying details replaced with fictional names (company: Acme SaaS, brand: Acme, domain: acmesaas.io). Findings, severity ratings, and remediation guidance reflect the actual scan output. Sensitive details are marked [REDACTED].
2 vectors, founder-reviewed, free. Typosquatting and lookalike domains, plus leaked credentials tied to your corporate email domain. Full 4-vector monthly coverage (adds fake mobile apps and phishing infrastructure) is bundled with the Security Retainer.
Why this is HTML, not a downloadable PDF: You generate the PDF from this page using your browser's Save as PDF. No file download from us, no embedded JavaScript, no tracking pixels. Inspect the source if you want. Everything is served from cybersecify.com.
Acme SaaS Pvt. Ltd.
Sample report demonstrating Brand Protection Snapshot delivery format.
CONFIDENTIAL. This document contains information that is confidential and proprietary. Neither this document nor the information herein may be reproduced, used, or disclosed to or for the benefit of any third party without the prior written consent of Cybersecify Consulting (OPC) Private Limited.
Document Details
| Client | Acme SaaS Pvt. Ltd. (fictional) |
|---|---|
| Brand Monitored | Acme |
| Corporate Email Domain | acmesaas.io |
| Scan Period | 2026-05-22 to 2026-05-24 |
| Report Delivered | 2026-05-24 |
| Report Version | v1.0 (Brand Protection Snapshot: Free) |
| Prepared By | Cybersecify |
| Reviewed By | Ashok S Kamat (Co-founder) |
| Vectors Covered | 2 of 4 (free tier). Full 4-vector monthly bundled with Security Retainer. |
Executive Summary
This Brand Protection Snapshot scanned the Acme brand across two vectors: typosquatting and lookalike domain registrations, and leaked credentials in public breach corpuses tied to the acmesaas.io corporate email domain. The scan ran across the 48-hour window 2026-05-22 to 2026-05-24. A founder reviewed all findings before delivery.
Key Statistics
| Vector | Items Found | Critical / High | Medium / Low |
|---|---|---|---|
| Typosquatting + Lookalike Domains | 4 | 2 | 2 |
| Leaked Credentials (acmesaas.io domain) | 5 | 1 | 4 |
| Total | 9 | 3 | 6 |
Top 3 Priority Findings
- Active typosquat with MX records pointed at SendGrid (BP-001). Domain acmesass.io registered 2026-04-18 via Namecheap, currently resolves to a parked page but has active MX records on SendGrid relay infrastructure. This means the registrant can send mail from support@acmesass.io targeting your customers. Severity: Critical.
- Recent breach exposure for executive account (BP-005). Leaked credential pair for ceo@acmesaas.io surfaced in the 2026-03 Phantom Solutions breach dump (verified via HaveIBeenPwned + DeHashed). Password is the bcrypt hash variant; if reused on Acme infrastructure, account takeover risk. Severity: Critical.
- Lookalike domain spelling variant registered 11 days ago (BP-002). Domain acme-saas.io registered 2026-05-13 via Porkbun, currently no MX or A records but registration pattern matches active typosquatter campaigns we have tracked against other SaaS brands in the past 90 days. Severity: High.
Strategic Recommendation
Two of the four findings require action within 7 calendar days. The BP-001 typosquat with active mail infrastructure should be reported to the SendGrid abuse desk and the domain registrar (Namecheap) within 48 hours. The BP-005 leaked CEO credential should trigger immediate password rotation and 2FA enforcement on all accounts using that email address. For ongoing visibility into the full 4-vector spectrum (this snapshot covers 2 of 4: fake mobile apps and phishing infrastructure are excluded), the Security Retainer (INR 24,999/month) provides monthly scans plus 10 hours of founder-led security consulting.
Scope and Methodology
Vectors Covered (Free Snapshot)
The free Brand Protection Snapshot covers two vectors out of our four-vector Brand Protection program. The full 4-vector monthly coverage is bundled with the Security Retainer.
| Vector | What We Scan | Tier |
|---|---|---|
| Typosquatting + Lookalike Domains | Permutation-based domain generation (substitution, addition, omission, transposition, homoglyph, bitsquatting), live registration check via WHOIS, DNS resolution, MX presence, A/AAAA records, hosting platform fingerprinting. | Free Snapshot + Retainer |
| Leaked Credentials | Public breach corpus search for any email address ending in @acmesaas.io. Sources: HaveIBeenPwned API, DeHashed, IntelX (limited free tier). Severity scoring based on breach recency, password format (plaintext vs hash vs salted hash), and account role. | Free Snapshot + Retainer |
| Fake Mobile Apps | Google Play + Apple App Store + third-party Android stores (APKMirror, APKPure, Aptoide) search for apps using your brand name, logo, or developer identity. | Retainer-only (full BP) |
| Phishing Infrastructure | Active phishing kit detection (PhishTank, OpenPhish), SSL certificate transparency log monitoring for new domains using your brand, brand abuse on social platforms (LinkedIn, X, Telegram). | Retainer-only (full BP) |
Risk Rating Definitions
| Severity | Definition |
|---|---|
| Critical | Active infrastructure (MX records, hosting, phishing kit installed) that can be weaponised within 24 hours. Immediate action required. |
| High | Recently registered or recently dumped, no active infrastructure yet but registration pattern matches active campaigns. Action recommended within 7 calendar days. |
| Medium | Older registration with no active threat signal, but worth monitoring. Periodic re-check via monthly Retainer scans. |
| Low | Informational. Pattern-similar domain but unlikely to be targeted at your customers. Awareness only. |
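The permutation step from the methodology table and the severity scale above, combined in an added example (not Cybersecify's scanner; all function names are hypothetical). Assumptions: a 30-day cutoff for "recently registered", MX presence as the only infrastructure signal, and observations constructed from the four sample findings in this report.

```python
from datetime import date

RECENT_DAYS = 30  # assumption: the report gives no numeric cutoff for "recently registered"

def permutations(label: str) -> set[str]:
    """Single-edit lookalikes of a domain label (a subset of the listed techniques)."""
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                                # omission
        out.update(label[:i] + c + label[i + 1:] for c in alphabet)       # substitution
        if i < len(label) - 1:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        if i > 0:
            out.add(label[:i] + "-" + label[i:])                          # hyphen insertion
    for i in range(len(label) + 1):
        out.update(label[:i] + c + label[i:] for c in alphabet)           # addition
    out.add(label.replace("m", "rn"))                                     # homoglyph pair named in the report
    out.discard(label)                                                    # the brand itself is not a lookalike
    return out

def triage(registered: date, has_mx: bool, scan_date: date) -> str:
    """Map one observation to the severity scale (simplified: MX is the only signal)."""
    if has_mx:
        return "Critical"   # active mail infrastructure
    if (scan_date - registered).days <= RECENT_DAYS:
        return "High"       # recently registered, nothing live yet
    return "Medium"         # older registration, no active signal

# Constructed observations mirroring the sample findings: label -> (registered, has_mx)
SCAN = date(2026, 5, 24)
OBSERVED = {
    "acmesass": (date(2026, 4, 18), True),
    "acme-saas": (date(2026, 5, 13), False),
    "acmesaa": (date(2024, 9, 8), False),
    "acrnesaas": (date(2025, 11, 22), False),
}

def report(label: str = "acmesaas") -> dict[str, str]:
    """Triage every observed registration that is a generated lookalike of `label`."""
    candidates = permutations(label)
    return {f"{name}.io": triage(reg, mx, SCAN)
            for name, (reg, mx) in OBSERVED.items() if name in candidates}

if __name__ == "__main__":
    for domain, severity in report().items():
        print(domain, severity)
```

A real scan would replace `OBSERVED` with WHOIS and DNS lookups for each generated candidate; the analyst-reviewed ratings in a delivered report can differ from this mechanical mapping.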
Limitations of the Free Snapshot
- This snapshot is a point-in-time scan, not continuous monitoring. New typosquats registered after 2026-05-24 will not appear in this report.
- Leaked credential search covers public breach corpuses only. Private dumps and dark web marketplaces are not covered in the free snapshot. The Retainer adds dark web monitoring.
- The free snapshot is limited to 2 of 4 vectors as listed above. Fake mobile apps and phishing infrastructure (which are typically where the highest-impact attacks land) are not scanned in the free tier.
- Takedown assistance (registrar abuse reports, platform takedown filings, legal counsel coordination) is not included in the free snapshot. The Retainer includes guidance on takedown for findings flagged Critical or High.
Vector 1: Typosquatting + Lookalike Domains
acmesass.io: Active typosquat with mail infrastructure
| Domain | acmesass.io |
|---|---|
| Permutation Type | Character addition (double "s") |
| Registrar | Namecheap, Inc. |
| Registered | 2026-04-18 (35 days before scan) |
| Current State | Parked page resolving to Namecheap landing |
| MX Records | Active. MX 10 mx1.sendgrid.net |
| A Records | Resolves to Namecheap parking IPs (192.64.119.21) |
| SSL Cert | Let's Encrypt cert issued 2026-04-20 for acmesass.io + www.acmesass.io |
| WHOIS Privacy | WhoisGuard protected: registrant identity hidden |
Why this matters. The combination of recent registration, parked landing page, active MX records on a transactional mail provider (SendGrid), and a valid SSL cert is the standard pre-attack staging pattern for a credential phishing or BEC (business email compromise) campaign. The attacker can send mail from any address @acmesass.io, which will appear visually similar to your domain in mobile inbox previews (Gmail mobile truncates long domains, which makes the lookalike more convincing).
Recommended action.
- Within 24 hours: Report to SendGrid abuse (abuse@sendgrid.com) with this finding attached. SendGrid's terms prohibit typosquatting setup and they typically suspend within 24-48 hours.
- Within 48 hours: File abuse report with Namecheap (abuse@namecheap.com). Namecheap typically requires trademark registration proof; if you have a Trademark registration for "Acme" in any class covering software services, attach it.
- Within 7 days: Consider defensive registration of acmesass.com, acmesass.net, and other common TLD variants of this permutation if budget allows.
- If your team uses DMARC, ensure your DMARC reject policy is enforced. This will not stop attackers spoofing from the typosquat domain (they own it), but it limits domain-of-record abuse.
acme-saas.io: Recently registered hyphen variant
| Domain | acme-saas.io |
|---|---|
| Permutation Type | Hyphen insertion |
| Registrar | Porkbun LLC |
| Registered | 2026-05-13 (11 days before scan) |
| Current State | No website, no DNS records configured yet |
| MX Records | None |
| Pattern Match | Hyphen-variant registrations targeting SaaS brands in May 2026 are correlated with the threat actor we internally track as TA-2026-HypensQuad, who registers in clusters of 12-25 domains and weaponises 30-90 days post-registration. |
Why this matters. The domain is not actively weaponised today, but the registration pattern is consistent with attacker pre-staging. By the time MX records are added and a phishing kit is installed, you have 24-72 hours of attack runway. Catching this now means the takedown clock starts before the campaign launches.
Recommended action. Add this domain to your monitoring list with weekly re-checks. If MX records or hosting appear, escalate to Critical and file abuse reports per BP-001 process. The Security Retainer's monthly Brand Protection scan would surface this change automatically.
acmesaa.io: Character omission variant
| Domain | acmesaa.io |
|---|---|
| Permutation Type | Character omission (final "s") |
| Registrar | GoDaddy |
| Registered | 2024-09-08 (around 20 months ago) |
| Current State | Resolves to a GoDaddy domain-for-sale landing page |
| MX Records | None |
| Asking Price | USD 850 listed on GoDaddy |
Why this matters. Domain is registered but parked for resale. Lower urgency than active staging, but if you can acquire it for under USD 1000, defensive registration is cheap insurance. If not acquired, monitor monthly for ownership change or activation.
acrnesaas.io: Homoglyph (rn for m)
| Domain | acrnesaas.io |
|---|---|
| Permutation Type | Homoglyph substitution ("rn" visually resembles "m" in some fonts) |
| Registrar | Dynadot, LLC |
| Registered | 2025-11-22 |
| Current State | No DNS records, no website |
Why this matters. Homoglyph attacks are common but typically lower-impact because they require the target to visually misread in a specific font. Monitor monthly. No immediate action needed unless MX records appear or hosting changes.
Vector 2: Leaked Credentials (acmesaas.io)
Search across public breach corpuses returned 5 unique email addresses ending in @acmesaas.io with associated credential or PII exposure. Sources: HaveIBeenPwned API, DeHashed (free tier), IntelX (free tier). Hash formats and breach dates verified where the source disclosed them. Account roles inferred from email prefix; actual roles should be confirmed with the account owners.
ceo@acmesaas.io: Executive account in 2026-03 Phantom Solutions breach
| ceo@acmesaas.io | |
|---|---|
| Breach Source | Phantom Solutions (data analytics SaaS) breach disclosed 2026-03-14 |
| Data Exposed | Email, bcrypt password hash, full name, phone number, last login timestamp |
| Password Format | bcrypt with prefix $2b$10$ (cost factor 10): moderate computational cost to brute-force, but rainbow-table resistant |
| Reuse Risk | If the CEO uses the same password on other accounts (Gmail, Slack, AWS Console, GitHub), those are also compromised. |
Recommended action within 24 hours.
- Contact the account owner directly. Confirm password rotation across all systems where this email is used.
- Enforce 2FA / hardware key (YubiKey, Titan) on all CEO accounts.
- Audit recent login history on Google Workspace, Microsoft 365, AWS Console, GitHub, Slack, and the company's primary SaaS stack for anomalies.
- If the CEO uses a password manager, confirm the master password is unique and 2FA is enforced.
support@acmesaas.io: Shared inbox in 2024-08 Wibblewell SaaS breach
| support@acmesaas.io | |
|---|---|
| Breach Source | Wibblewell SaaS (customer support helpdesk vendor) breach disclosed 2024-08-22 |
| Data Exposed | Email, plaintext password (older breach before they migrated to argon2) |
| Password Format | Plaintext: high reuse risk if not rotated already |
| Account Role | Likely shared inbox for customer support tickets. Multiple team members may have used this password. |
Recommended action. Rotate the password immediately if not done since 2024-08. Confirm with the support team that no one is still using the old credential. Move from shared password to individual logins with role-based access if feasible.
finance@acmesaas.io: Generic alias in 2025-02 ThorpeMint breach
| finance@acmesaas.io | |
|---|---|
| Breach Source | ThorpeMint (accounting SaaS for SMBs) breach disclosed 2025-02-09 |
| Data Exposed | Email, SHA-256 password hash, billing address |
| Password Format | SHA-256: fast to brute-force with GPU rigs. Treat as effectively compromised. |
Recommended action. Rotate the password. If this is a shared alias, confirm with the team owner that all users have rotated their stored credentials in password managers.
jane.doe@acmesaas.io: Individual account in 2026-01 BackdoorBox breach
| jane.doe@acmesaas.io | |
|---|---|
| Breach Source | BackdoorBox (self-hosted file sharing platform) breach disclosed 2026-01-30 |
| Data Exposed | Email only (no password). Email-only exposures are lower risk but increase phishing targeting. |
| Password Format | N/A: email-only exposure |
Recommended action. Inform the account owner. Heighten phishing awareness for this individual. No password rotation needed since no password was exposed.
noreply@acmesaas.io: Transactional alias in 2023-11 OldStackSaaS breach
| noreply@acmesaas.io | |
|---|---|
| Breach Source | OldStackSaaS marketing platform breach disclosed 2023-11-04 |
| Data Exposed | Email + plaintext password from a long-since-deprecated marketing tool |
| Account Role | Transactional alias used as a sender address for automated notifications. Typically does not have inbox access. |
Recommended action. Verify the account is decommissioned at OldStackSaaS. If your team still uses any account at OldStackSaaS, rotate. Otherwise informational.
Summary Recommendations
Within 24 to 48 hours
- File SendGrid abuse report on BP-001 (active typosquat with MX records).
- File Namecheap abuse report on BP-001.
- Rotate password and enforce 2FA on the CEO account exposed in BP-005.
- Confirm BP-006 password rotation occurred since the 2024-08 Wibblewell breach.
Within 7 calendar days
- Decide on defensive registration of BP-001 (acmesass.com, acmesass.net) and BP-003 (acmesaa.io available for USD 850).
- Rotate passwords on BP-007 (finance alias, SHA-256 breach).
- Add BP-002 (recently registered hyphen variant) to weekly re-check list.
- Confirm DMARC reject policy is enforced on acmesaas.io.
Within 30 calendar days
- Subscribe to the Security Retainer (INR 24,999/month) for monthly recurring 4-vector Brand Protection scans (adds fake mobile apps and phishing infrastructure to the 2 vectors covered here).
- Document a brand abuse takedown playbook so that when the next finding lands, response time is under 24 hours.
- Audit DMARC, SPF, and DKIM configuration on acmesaas.io to ensure spoofing protection is enforced at the receiving end.
Limitations and Disclaimers
All findings in this sample report are fictional. Any resemblance to real domains, real breach sources, real individuals, or real organisations is coincidental. Real reports replace these fictional details with your actual findings.
Free Snapshot scope. This is a point-in-time scan covering 2 of 4 Brand Protection vectors. The full 4-vector monthly coverage (adds fake mobile apps and phishing infrastructure) is bundled with the Security Retainer (INR 24,999/month).
Takedown assistance. Free Snapshot reports include guidance on takedown steps but do not include direct takedown filing or legal coordination. The Security Retainer includes founder-led takedown coordination for findings rated Critical or High.
Founder review caveat. The founder review removes false positives where verifiable and prioritises findings. It is not a substitute for the client's own context. We do not have access to your customer data, internal architecture decisions, or threat model. Apply judgement when prioritising fixes.