Brand Protection Snapshot Report

Redacted preview of a Brand Protection Snapshot we deliver within 48 business hours of brand submission. Identifying details replaced with fictional names (company: Acme SaaS, brand: Acme, domain: acmesaas.io). Findings, severity ratings, and remediation guidance reflect the actual scan output. Sensitive details are marked [REDACTED].

2 vectors, founder-reviewed, free. Typosquatting and lookalike domains, plus leaked credentials tied to your corporate email domain. Full 4-vector monthly coverage (adds fake mobile apps and phishing infrastructure) is bundled with the Security Retainer.


Why this is HTML, not a downloadable PDF: You generate the PDF from this page using your browser's Save as PDF. No file download from us, no embedded JavaScript, no tracking pixels. Inspect the source if you want. Everything is served from cybersecify.com.

CYBERSECIFY Secure Your Digital Future

Acme SaaS Pvt. Ltd.

Sample report demonstrating Brand Protection Snapshot delivery format.

Brand Monitored: Acme
Corporate Domain: acmesaas.io
Scan Period: 2026-05-22 to 2026-05-24
Report Version: v1.0

CONFIDENTIAL. This document contains information that is confidential and proprietary. Neither this document nor the information herein may be reproduced, used, or disclosed to or for the benefit of any third party without the prior written consent of Cybersecify Consulting (OPC) Private Limited.

Document Details

Client: Acme SaaS Pvt. Ltd. (fictional)
Brand Monitored: Acme
Corporate Email Domain: acmesaas.io
Scan Period: 2026-05-22 to 2026-05-24
Report Delivered: 2026-05-24
Report Version: v1.0 (Brand Protection Snapshot: Free)
Prepared By: Cybersecify
Reviewed By: Ashok S Kamat (Co-founder)
Vectors Covered: 2 of 4 (free tier). Full 4-vector monthly bundled with Security Retainer.

Executive Summary

This Brand Protection Snapshot scanned the Acme brand across two vectors: typosquatting and lookalike domain registrations, and leaked credentials in public breach corpuses tied to the acmesaas.io corporate email domain. The scan ran across the 48-hour window 2026-05-22 to 2026-05-24. A founder reviewed all findings before delivery.

Key Statistics

Vector | Items Found | Critical / High | Medium / Low
Typosquatting + Lookalike Domains | 4 | 2 | 2
Leaked Credentials (acmesaas.io domain) | 5 | 1 | 4
Total | 9 | 3 | 6

Top 3 Priority Findings

  1. Active typosquat with MX records pointed at SendGrid (BP-001). Domain acmesass.io registered 2026-04-18 via Namecheap, currently resolves to a parked page but has active MX records on SendGrid relay infrastructure. This means the registrant can send mail from support@acmesass.io targeting your customers. Severity: Critical.
  2. Recent breach exposure for executive account (BP-005). Leaked credential pair for ceo@acmesaas.io surfaced in the 2026-03 Phantom Solutions breach dump (verified via HaveIBeenPwned + DeHashed). The password is exposed as a bcrypt hash; if it is reused on Acme infrastructure, there is an account takeover risk. Severity: Critical.
  3. Lookalike domain spelling variant registered 11 days ago (BP-002). Domain acme-saas.io registered 2026-05-13 via Porkbun, currently no MX or A records, but the registration pattern matches active typosquatter campaigns we have tracked against other SaaS brands in the past 90 days. Severity: High.

Strategic Recommendation

Two of the four findings require action within 7 calendar days. The BP-001 typosquat with active mail infrastructure should be reported to the SendGrid abuse desk and the domain registrar (Namecheap) within 48 hours. The BP-005 leaked CEO credential should trigger immediate password rotation and 2FA enforcement on all accounts using that email address. For ongoing visibility into the full 4-vector spectrum (this snapshot covers 2 of 4: fake mobile apps and phishing infrastructure are excluded), the Security Retainer (INR 24,999/month) provides monthly scans plus 10 hours of founder-led security consulting.

Scope and Methodology

Vectors Covered (Free Snapshot)

The free Brand Protection Snapshot covers two vectors out of our four-vector Brand Protection program. The full 4-vector monthly coverage is bundled with the Security Retainer.

Vector | What We Scan | Tier
Typosquatting + Lookalike Domains | Permutation-based domain generation (substitution, addition, omission, transposition, homoglyph, bitsquatting), live registration check via WHOIS, DNS resolution, MX presence, A/AAAA records, hosting platform fingerprinting. | Free Snapshot + Retainer
Leaked Credentials | Public breach corpus search for any email address ending in @acmesaas.io. Sources: HaveIBeenPwned API, DeHashed, IntelX (limited free tier). Severity scoring based on breach recency, password format (plaintext vs hash vs salted hash), and account role. | Free Snapshot + Retainer
Fake Mobile Apps | Google Play + Apple App Store + third-party Android stores (APKMirror, APKPure, Aptoide) search for apps using your brand name, logo, or developer identity. | Retainer-only (full BP)
Phishing Infrastructure | Active phishing kit detection (PhishTank, OpenPhish), SSL certificate transparency log monitoring for new domains using your brand, brand abuse on social platforms (LinkedIn, X, Telegram). | Retainer-only (full BP)

Risk Rating Definitions

Severity | Definition
Critical | Active infrastructure (MX records, hosting, phishing kit installed) that can be weaponised within 24 hours. Immediate action required.
High | Recently registered or recently dumped, no active infrastructure yet but registration pattern matches active campaigns. Action recommended within 7 calendar days.
Medium | Older registration with no active threat signal, but worth monitoring. Periodic re-check via monthly Retainer scans.
Low | Informational. Pattern-similar domain but unlikely to be targeted at your customers. Awareness only.

Limitations of the Free Snapshot

  • This snapshot is a point-in-time scan, not continuous monitoring. New typosquats registered after 2026-05-24 will not appear in this report.
  • Leaked credential search covers public breach corpuses only. Private dumps and dark web marketplaces are not covered in the free snapshot. The Retainer adds dark web monitoring.
  • The free snapshot is limited to 2 of 4 vectors as listed above. Fake mobile apps and phishing infrastructure (which are typically where the highest-impact attacks land) are not scanned in the free tier.
  • Takedown assistance (registrar abuse reports, platform takedown filings, legal counsel coordination) is not included in the free snapshot. The Retainer includes guidance on takedown for findings flagged Critical or High.

Vector 1: Typosquatting + Lookalike Domains

BP-001 Critical

acmesass.io: Active typosquat with mail infrastructure

Domain: acmesass.io
Permutation Type: Character addition (double "s")
Registrar: Namecheap, Inc.
Registered: 2026-04-18 (35 days before scan)
Current State: Parked page resolving to Namecheap landing
MX Records: Active. MX 10 mx1.sendgrid.net
A Records: Resolves to Namecheap parking IPs (192.64.119.21)
SSL Cert: Let's Encrypt cert issued 2026-04-20 for acmesass.io + www.acmesass.io
WHOIS Privacy: WhoisGuard protected: registrant identity hidden

Why this matters. The combination of recent registration, parked landing page, active MX records on a transactional mail provider (SendGrid), and a valid SSL cert is the standard pre-attack staging pattern for a credential phishing or BEC (business email compromise) campaign. The attacker can send mail from any address @acmesass.io, which will appear visually similar to your domain in mobile inbox previews (Gmail mobile truncates long domains, which makes the lookalike more convincing).

Recommended action.

  1. Within 24 hours: Report to SendGrid abuse (abuse@sendgrid.com) with this finding attached. SendGrid's terms prohibit typosquatting setup and they typically suspend within 24-48 hours.
  2. Within 48 hours: File abuse report with Namecheap (abuse@namecheap.com). Namecheap typically requires trademark registration proof; if you have a Trademark registration for "Acme" in any class covering software services, attach it.
  3. Within 7 days: Consider defensive registration of acmesass.com, acmesass.net, and other common TLD variants of this permutation if budget allows.
  4. If your team uses DMARC, ensure your DMARC reject policy is enforced. This will not stop attackers sending from the typosquat domain (they own it), but it limits spoofing of your own domain of record.

BP-002 High

acme-saas.io: Recently registered hyphen variant

Domain: acme-saas.io
Permutation Type: Hyphen insertion
Registrar: Porkbun LLC
Registered: 2026-05-13 (11 days before scan)
Current State: No website, no DNS records configured yet
MX Records: None
Pattern Match: Hyphen-variant registrations targeting SaaS brands in May 2026 are correlated with the threat actor we internally track as TA-2026-HypensQuad, who registers in clusters of 12-25 domains and weaponises 30-90 days post-registration.

Why this matters. The domain is not actively weaponised today, but the registration pattern is consistent with attacker pre-staging. By the time MX records are added and a phishing kit is installed, you have 24-72 hours of attack runway. Catching this now means the takedown clock starts before the campaign launches.

Recommended action. Add this domain to your monitoring list with weekly re-checks. If MX records or hosting appear, escalate to Critical and file abuse reports per BP-001 process. The Security Retainer's monthly Brand Protection scan would surface this change automatically.

BP-003 Medium

acmesaa.io: Character omission variant

Domain: acmesaa.io
Permutation Type: Character omission (final "s")
Registrar: GoDaddy
Registered: 2024-09-08 (around 20 months ago)
Current State: Resolves to a GoDaddy domain-for-sale landing page
MX Records: None
Asking Price: USD 850 listed on GoDaddy

Why this matters. Domain is registered but parked for resale. Lower urgency than active staging, but if you can acquire it for under USD 1000, defensive registration is cheap insurance. If not acquired, monitor monthly for ownership change or activation.

BP-004 Low

acrnesaas.io: Homoglyph (rn for m)

Domain: acrnesaas.io
Permutation Type: Homoglyph substitution ("rn" visually resembles "m" in some fonts)
Registrar: Dynadot, LLC
Registered: 2025-11-22
Current State: No DNS records, no website

Why this matters. Homoglyph attacks are common but typically lower-impact because they require the target to visually misread in a specific font. Monitor monthly. No immediate action needed unless MX records appear or hosting changes.
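
The re-check rule that BP-002, BP-003 and BP-004 all rely on (escalate when MX records or hosting appear, note ownership changes) can be written as a comparison of two scans. This is an added example, not part of the delivered report or Cybersecify's tooling: the "previous" values are the ones recorded above, the "current" values are constructed, and the hosting labels and the use of a registrar change as a proxy for ownership change are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    domain: str
    registrar: str
    mx: tuple = ()          # MX hostnames seen in DNS
    hosting: str = "none"   # assumed labels: "none", "parked", "live"

def recheck(severity, prev, curr):
    """Compare two scans of one watched domain; return (new_severity, reasons)."""
    reasons, escalate = [], False
    new_mx = sorted(set(curr.mx) - set(prev.mx))
    if new_mx:
        reasons.append("MX added: " + ", ".join(new_mx))
        escalate = True
    if curr.hosting != prev.hosting:
        reasons.append(f"hosting {prev.hosting} -> {curr.hosting}")
        escalate = escalate or curr.hosting == "live"
    if curr.registrar != prev.registrar:
        # Registrar transfer used here as a proxy for ownership change (assumption).
        reasons.append(f"registrar {prev.registrar} -> {curr.registrar}")
    return ("Critical" if escalate else severity), reasons

# Previous state: as recorded in this report. Current state: constructed for the example.
WATCHED = {
    "acme-saas.io": ("High", Snapshot("acme-saas.io", "Porkbun LLC")),
    "acmesaa.io": ("Medium", Snapshot("acmesaa.io", "GoDaddy", hosting="parked")),
    "acrnesaas.io": ("Low", Snapshot("acrnesaas.io", "Dynadot, LLC")),
}
CURRENT = {
    "acme-saas.io": Snapshot("acme-saas.io", "Porkbun LLC", mx=("mx.mail.example",)),
    "acmesaa.io": Snapshot("acmesaa.io", "Registrar B (constructed)", hosting="parked"),
    "acrnesaas.io": Snapshot("acrnesaas.io", "Dynadot, LLC"),
}

def run_recheck():
    return {d: recheck(sev, prev, CURRENT[d]) for d, (sev, prev) in WATCHED.items()}

if __name__ == "__main__":
    for domain, (sev, why) in run_recheck().items():
        print(f"{domain}: {sev} ({'; '.join(why) or 'no change'})")
```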

Vector 2: Leaked Credentials (acmesaas.io)

Search across public breach corpuses returned 5 unique email addresses ending in @acmesaas.io with associated credential or PII exposure. Sources: HaveIBeenPwned API, DeHashed (free tier), IntelX (free tier). Hash formats and breach dates verified where the source disclosed them. Account roles inferred from email prefix; actual roles should be confirmed with the account owners.

BP-005 Critical

ceo@acmesaas.io: Executive account in 2026-03 Phantom Solutions breach

Email: ceo@acmesaas.io
Breach Source: Phantom Solutions (data analytics SaaS) breach disclosed 2026-03-14
Data Exposed: Email, bcrypt password hash, full name, phone number, last login timestamp
Password Format: bcrypt ($2b$10$ prefix, i.e. cost factor 10): moderate computational cost to brute-force, but rainbow-table resistant
Reuse Risk: If the CEO uses the same password on other accounts (Gmail, Slack, AWS Console, GitHub), those are also compromised.

Recommended action within 24 hours.

  1. Contact the account owner directly. Confirm password rotation across all systems where this email is used.
  2. Enforce 2FA / hardware key (YubiKey, Titan) on all CEO accounts.
  3. Audit recent login history on Google Workspace, Microsoft 365, AWS Console, GitHub, Slack, and the company's primary SaaS stack for anomalies.
  4. If the CEO uses a password manager, confirm the master password is unique and 2FA is enforced.

BP-006 Medium

support@acmesaas.io: Shared inbox in 2024-08 Wibblewell SaaS breach

Email: support@acmesaas.io
Breach Source: Wibblewell SaaS (customer support helpdesk vendor) breach disclosed 2024-08-22
Data Exposed: Email, plaintext password (older breach before they migrated to argon2)
Password Format: Plaintext: high reuse risk if not rotated already
Account Role: Likely shared inbox for customer support tickets. Multiple team members may have used this password.

Recommended action. Rotate the password immediately if not done since 2024-08. Confirm with the support team that no one is still using the old credential. Move from shared password to individual logins with role-based access if feasible.

BP-007 Medium

finance@acmesaas.io: Generic alias in 2025-02 ThorpeMint breach

Email: finance@acmesaas.io
Breach Source: ThorpeMint (accounting SaaS for SMBs) breach disclosed 2025-02-09
Data Exposed: Email, SHA-256 password hash, billing address
Password Format: SHA-256: fast to brute-force with GPU rigs. Treat as effectively compromised.

Recommended action. Rotate the password. If this is a shared alias, confirm with the team owner that all users have rotated their stored credentials in password managers.

BP-008 Low

jane.doe@acmesaas.io: Individual account in 2026-01 BackdoorBox breach

Email: jane.doe@acmesaas.io
Breach Source: BackdoorBox (self-hosted file sharing platform) breach disclosed 2026-01-30
Data Exposed: Email only (no password). Email-only exposures are lower risk but increase phishing targeting.
Password Format: N/A: email-only exposure

Recommended action. Inform the account owner. Heighten phishing awareness for this individual. No password rotation needed since no password was exposed.

BP-009 Low

noreply@acmesaas.io: Transactional alias in 2023-11 OldStackSaaS breach

Email: noreply@acmesaas.io
Breach Source: OldStackSaaS marketing platform breach disclosed 2023-11-04
Data Exposed: Email + plaintext password from a long-since-deprecated marketing tool
Account Role: Transactional alias used as a sender address for automated notifications. Typically does not have inbox access.

Recommended action. Verify the account is decommissioned at OldStackSaaS. If your team still uses any account at OldStackSaaS, rotate. Otherwise informational.

Summary Recommendations

Within 24 to 48 hours

  • File SendGrid abuse report on BP-001 (active typosquat with MX records).
  • File Namecheap abuse report on BP-001.
  • Rotate password and enforce 2FA on the CEO account exposed in BP-005.
  • Confirm BP-006 password rotation occurred since the 2024-08 Wibblewell breach.

Within 7 calendar days

  • Decide on defensive registration of BP-001 (acmesass.com, acmesass.net) and BP-003 (acmesaa.io available for USD 850).
  • Rotate passwords on BP-007 (finance alias, SHA-256 breach).
  • Add BP-002 (recently registered hyphen variant) to weekly re-check list.
  • Confirm DMARC reject policy is enforced on acmesaas.io.

Within 30 calendar days

  • Subscribe to the Security Retainer (INR 24,999/month) for monthly recurring 4-vector Brand Protection scans (adds fake mobile apps and phishing infrastructure to the 2 vectors covered here).
  • Document a brand abuse takedown playbook so that when the next finding lands, response time is under 24 hours.
  • Audit DMARC, SPF, and DKIM configuration on acmesaas.io to ensure spoofing protection is enforced at the receiving end.
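
The DMARC checks recommended under BP-001 and in the 7-day and 30-day lists come down to reading the TXT record published at _dmarc.acmesaas.io and confirming it enforces reject. The following is an added example, not part of the delivered report: the sample records and the reporting mailbox are constructed, and the record text is passed in as a string rather than fetched from DNS.

```python
def parse_tags(record):
    """Split a DMARC TXT record into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_gaps(record):
    """Return the reasons a record falls short of an enforced reject policy."""
    if not record:
        return ["no DMARC record published"]
    # The version tag must come first and match DMARC1 exactly.
    if record.split(";")[0].replace(" ", "") != "v=DMARC1":
        return ["record does not start with v=DMARC1"]
    tags, gaps = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        gaps.append(f"p={policy or 'missing'}, not reject")
    # sp defaults to p when absent, so only an explicit weaker value is a gap.
    sub = tags.get("sp", "").lower()
    if sub and sub != "reject":
        gaps.append(f"sp={sub} leaves subdomains unenforced")
    # pct defaults to 100; anything lower exempts a share of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        gaps.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        gaps.append("no rua address, so no aggregate reports")
    return gaps

# Constructed TXT values for _dmarc.acmesaas.io; the mailbox is a placeholder.
SAMPLES = {
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@acmesaas.io",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@acmesaas.io",
    "partial": "v=DMARC1; p=reject; sp=none; pct=50",
    "missing": None,
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name}: {dmarc_gaps(record) or 'reject policy enforced'}")
```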

Limitations and Disclaimers

All findings in this sample report are fictional. Any resemblance to real domains, real breach sources, real individuals, or real organisations is coincidental. Real reports replace these fictional details with your actual findings.

Free Snapshot scope. This is a point-in-time scan covering 2 of 4 Brand Protection vectors. The full 4-vector monthly coverage (adds fake mobile apps and phishing infrastructure) is bundled with the Security Retainer (INR 24,999/month).

Takedown assistance. Free Snapshot reports include guidance on takedown steps but do not include direct takedown filing or legal coordination. The Security Retainer includes founder-led takedown coordination for findings rated Critical or High.

Founder review caveat. The founder review removes false positives where verifiable and prioritises findings. It is not a substitute for the client's own context. We do not have access to your customer data, internal architecture decisions, or threat model. Apply judgement when prioritising fixes.
