Certificate Transparency Log Monitoring: Catch Rogue SSL Issuance

A typical phishing campaign follows a predictable timeline. Attackers register a lookalike domain (say, support-microsoftonline.com), obtain a Let's Encrypt certificate within minutes, and start sending phishing email within hours. Every public TLS certificate gets logged to Certificate Transparency within seconds of issuance. Brand-protection teams with CT monitors in place see the issuance before the first phishing email goes out, giving them a head start on the takedown.

Every public TLS certificate issued by a publicly trusted CA is logged to Certificate Transparency within seconds of issuance. CT was designed exactly so that a domain owner can detect when an unauthorized certificate is issued against their name, whether by a compromised internal process, a third-party CA mistake, or a malicious actor registering a lookalike domain. The data is public, free, and indexed by search interfaces like crt.sh and Censys. But the search interfaces do not push notifications. You have to come and ask, and by the time most security teams find out about a rogue certificate, the phishing campaign or unauthorized service is already operational.

This guide covers how CT logs work, the patterns worth watching for, and how to set up a continuous monitor that surfaces new certificate issuance against any domain within minutes.

Why Monitor CT Logs

CT log monitoring is the highest-signal way to detect domain-impersonation attempts and unauthorized internal issuance. It is also one of the cheapest sources of asset inventory data.

Phishing Infrastructure Detection

Attackers who register lookalike domains routinely obtain a Let's Encrypt or Sectigo certificate within minutes of registration, because a valid TLS certificate is essentially mandatory for credible phishing. CT alerts can fire before the first phishing email is sent, giving brand-protection and SOC teams a real window to begin takedown.

Rogue Internal Issuance

A team spinning up a service with a TLS certificate without going through your standard provisioning process is detectable in CT before the service is even live. For organizations with formal certificate-management processes (HashiCorp Vault, AWS ACM, internal CA), CT monitoring of your owned domains acts as a continuous shadow-IT detector.

CA Mistakes and Misissuance

Misissued certificates by intermediate CAs are visible in CT and have triggered industry-wide trust changes in the past. Subscribers who notice misissuance against their domains can file reports that protect the broader ecosystem.

Subdomain Discovery for Asset Inventory

New subdomains your organization spins up are visible in CT, which is a useful asset-inventory complement. CT is often more complete than any internal asset register, especially in larger organizations.

How CT Logs Are Queried

CT log search interfaces aggregate logs from all major CAs. The most-used public interfaces:

https://crt.sh/?q={domain}
https://crt.sh/?q=%25.{domain}
https://search.censys.io/certificates?q={domain}

The crt.sh URL with %25. (URL-encoded wildcard) captures every subdomain of a given domain. The Censys URL provides a similar interface with additional metadata. Both return tables of every certificate that includes the given pattern, with each new issuance appearing as a new row.

For very large domain footprints (hundreds of domains), the CT log APIs themselves are accessible directly, but for most organizations the search interfaces are easier to monitor and provide sufficient coverage.

Comparing Monitoring Approaches

| Approach | Cost | Latency | Coverage | Best For |
|---|---|---|---|---|
| Manual crt.sh refresh | Free | Hours to days | Per-domain effort | One-off investigations |
| Cert Spotter (SSLMate) | Free tier to paid | Minutes | Comprehensive | Single-organization use |
| Recorded Future / DomainTools | $50K+/year | Minutes | Comprehensive plus enrichment | Mature brand-protection programs |
| Custom CT log subscriber | Free + engineering | Real-time | Full log coverage | Teams with engineering capacity |
| PageCrawl on crt.sh | Free tier to $80/year | 5-15 minutes | Configurable per domain | SOC teams, brand protection, asset inventory |

SSLMate's Cert Spotter is the dedicated free CT monitor and is the right tool for many single-organization use cases. PageCrawl complements it by giving you the same alert into the same channel as your other security monitors (KEV, package releases, status pages), so the SOC sees one consistent stream.

Setting Up CT Monitoring in PageCrawl

Step 1: Build the crt.sh URL for each domain you own

Use the pattern https://crt.sh/?q=%25.example.com (the %25 is a URL-encoded % wildcard) to capture every subdomain. For multi-domain organizations, build one monitor per owned domain.

Step 2: Add lookalike-domain monitors

For brand protection, build monitors for common lookalikes: typos (exampls.com), punycode variants, homoglyph substitutions (exampie.com, where an i stands in for the l), and common second-level alternates. Each gets its own monitor.

Step 3: Set frequent checks

CT logs typically reflect issuance within minutes. A 15-minute check schedule catches new certificates before phishing infrastructure becomes operational. On the Free plan with 60-minute checks, you will catch most issuance within the hour, which is still meaningfully ahead of email-based campaign detection.

Step 4: Configure webhooks into your SOC tooling

Webhook payloads from PageCrawl can fire a Slack message, create a ticket, or trigger SOAR playbooks that begin domain-takedown workflows automatically. For mature SOCs, this is where the workflow value compounds.

Step 5: Use AI summaries to filter noise

PageCrawl's AI change summaries describe the new certificate in plain language: "Let's Encrypt issued cert for vpn-secure.example.com; new subdomain not seen previously." This dramatically improves signal-to-noise compared to raw row diffs.

Step 6: Group by purpose in folders

Use folders to organize: owned-domains, lookalikes, partner-domains. Per-folder alerts route to different channels (asset-inventory updates to a non-urgent channel, lookalike issuance to the SOC pager channel).

Worked Example: A Brand-Protection Monitor for a Large Org

Take a security team at a Fortune 500 company with 8 owned domains and 25 known lookalike patterns. The setup:

  1. Build 8 owned-domain crt.sh URLs with the %25. wildcard.
  2. Build 25 lookalike-pattern URLs.
  3. Bulk import into PageCrawl, tagged owned or lookalike.
  4. Set 15-minute checks on lookalikes, hourly on owned.
  5. Route lookalike alerts to a #brand-protection Slack channel with webhook into the SOAR.
  6. Route owned-domain alerts to a #asset-inventory channel for the platform team.
  7. Configure the SOAR to automatically open a takedown ticket for any lookalike issuance.

Total cost: Standard plan at $80/year covers the 33 monitors with 15-minute checks. For a brand-protection function, the cost recovers itself the first time a phishing campaign is caught at issuance instead of after the first reported click.

Patterns Worth Watching For

Subdomains you do not recognize. Could be shadow IT, could be a phishing kit using a similar pattern. Either way, worth investigating.

Issuance from CAs you do not use. If your standard is DigiCert and a Let's Encrypt cert appears against an owned domain, investigate. Same for the inverse.

Wildcard certificates. Wildcards on your domains should always be expected and authorized. An unexpected wildcard is a high-priority signal.

Punycode and IDN domains. Lookalike domains using non-ASCII characters often appear in CT before they go live. Punycode-based lookalikes are particularly common for phishing.

Issuance bursts on lookalike patterns. Multiple lookalikes registered and issued within a short window often signal a coordinated phishing campaign.

Subject Alternative Name (SAN) anomalies. A certificate that lists unexpected additional names alongside your domain may signal a compromised CA process or a deliberate impersonation attempt.
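The triage rules above (unrecognized subdomains, unexpected CAs, wildcards, punycode labels, foreign SANs), the pre-certificate deduplication noted in the FAQ, and renewal-versus-new-issuance filtering can all be applied to the rows a crt.sh query returns. The following is an added example, not PageCrawl's or crt.sh's code; it assumes records in the shape crt.sh returns when `output=json` is appended to the query URL (serial_number, issuer_name, and a newline-separated name_value), and the sample rows, domain names and CA strings are constructed.

```python
"""Triage new rows from a crt.sh JSON query against an owned domain (added example)."""

def rec(serial, issuer, names):
    """Build a record in the shape crt.sh returns with output=json (constructed sample)."""
    return {"serial_number": serial, "issuer_name": issuer, "name_value": "\n".join(names)}

DIGICERT = "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
LETSENCRYPT = "C=US, O=Let's Encrypt, CN=R3"

# Constructed sample rows; serial a1 appears twice (pre-certificate and final cert).
SAMPLE = [
    rec("a1", DIGICERT, ["www.example.com", "example.com"]),
    rec("a1", DIGICERT, ["www.example.com", "example.com"]),
    rec("b2", LETSENCRYPT, ["vpn-secure.example.com"]),
    rec("c3", DIGICERT, ["*.example.com"]),
    rec("d4", DIGICERT, ["api.example.com", "login.exampie.com"]),
]

def triage(records, owned, expected_ca, known_names, seen_serials):
    """Return (serial, severity, reasons) for every record not seen before.

    severity: 'info'   = renewal of known names from the expected CA,
              'medium' = only an unrecognized subdomain of `owned`,
              'high'   = unexpected CA, unexpected wildcard, punycode label,
                         or a SAN outside `owned` (possible impersonation).
    """
    alerts = []
    for r in records:
        serial = r["serial_number"]
        if serial in seen_serials:   # pre-cert and final cert share a serial: alert once
            continue
        seen_serials.add(serial)
        high, medium = [], []
        if expected_ca not in r["issuer_name"]:
            high.append("issuer is not the expected CA")
        for n in sorted(set(r["name_value"].split("\n"))):
            bare = n[2:] if n.startswith("*.") else n
            if bare != owned and not bare.endswith("." + owned):
                high.append(f"SAN outside {owned}: {n}")
            elif n.startswith("*.") and n not in known_names:
                high.append(f"unexpected wildcard {n}")
            elif "xn--" in n:
                high.append(f"punycode label in {n}")
            elif n not in known_names:
                medium.append(f"unrecognized subdomain {n}")
        severity = "high" if high else "medium" if medium else "info"
        alerts.append((serial, severity, high + medium or ["renewal of known names"]))
    return alerts

if __name__ == "__main__":
    known = {"example.com", "www.example.com", "api.example.com"}
    for serial, sev, why in triage(SAMPLE, "example.com", "DigiCert", known, set()):
        print(serial, sev, "; ".join(why))
```

Persist `seen_serials` between runs so each check only reports rows added since the last one.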

Combining CT Monitoring With Other Signals

The full value of CT monitoring shows up when you pair it with other public security data.

Combine with the KEV catalog. Pair CT monitoring with our CISA KEV monitoring guide. A new subdomain appearing in CT that matches a vulnerable VPN or identity product surfaces compound risk.

Combine with package release monitoring. Use our PyPI and npm release monitor for supply-chain visibility. Phishing campaigns sometimes coincide with supply-chain compromise activity.

Combine with bug bounty scope. Pair with our bug bounty scope monitor. Scope expansions on a target program often produce a surge of certificates against new subdomains that are now in-scope for testing.

Combine with cloud status pages. Use our cloud status page monitor. Certificate misissuance is occasionally tied to provider incidents.

Use Cases

SOC and incident response. Real-time CT alerts feed phishing detection and domain-takedown workflows. For SOCs measuring mean-time-to-detect for phishing infrastructure, CT monitoring drops it from days to minutes.

Brand protection teams. Lookalike-domain issuance is one of the earliest signals of a coordinated phishing campaign. Same-day awareness lets brand protection initiate takedowns before significant victim activity.

Asset inventory and platform teams. CT monitoring of your own domains keeps your internal asset list synchronized with reality. For organizations with sprawling subdomain footprints, this is often the most accurate asset source available.

CA compliance and audit. Documented monitoring of CT logs for your domains supports SOC 2 and ISO 27001 evidence. Auditors increasingly ask about shadow-IT detection capabilities; CT monitoring is the standard answer.

M&A integration teams. Newly acquired companies often have unknown subdomain inventories. CT monitoring of the acquired entity's domain produces a complete picture inside a few weeks.

Security researchers. Patterns in CT issuance across an industry segment can reveal phishing-campaign infrastructure or coordinated CA mistakes.

Frequently Asked Questions

How quickly does a new certificate appear in CT? Browsers only trust publicly issued certificates that carry proof of CT logging, so public CAs submit certificates to CT logs at issuance time. In practice, certificates appear in CT logs within seconds of issuance.

Does crt.sh cover all CT logs? Yes, crt.sh ingests from all the major CT logs. Censys provides a similar level of coverage. For very high-assurance use cases, monitoring multiple search interfaces or subscribing to the log APIs directly provides redundancy.

What about pre-certificates? CT logs include both pre-certificates and final certificates. Monitoring at the search-interface layer typically deduplicates these so you do not get double alerts.

Can I filter to specific CAs? crt.sh search supports CA filtering via URL parameters. Build the URL once with the appropriate filter and monitor that URL.

Do I need a paid plan? The Free plan supports 6 monitors at hourly checks, enough for a small set of owned domains and a few lookalikes. Standard at $80/year covers 100 monitors, enough for most brand-protection programs.

Will I get noise from routine certificate renewals? Yes, renewals appear as new certificates in CT. AI summaries can help distinguish renewals (same FQDN, same CA, similar metadata) from genuinely new issuance. For absolute precision, filter alerts in your SOAR by SAN comparison.

Choosing your PageCrawl plan

PageCrawl's Free plan lets you monitor 6 pages with 220 checks per month, which is enough to validate the approach on your most critical pages. Most teams graduate to a paid plan once they see the value.

| Plan | Price | Pages | Checks / month | Frequency |
|---|---|---|---|---|
| Free | $0 | 6 | 220 | every 60 min |
| Standard | $8/mo or $80/yr | 100 | 15,000 | every 15 min |
| Enterprise | $30/mo or $300/yr | 500 | 100,000 | every 5 min |
| Ultimate | $99/mo or $990/yr | 1,000 | 100,000 | every 2 min |

Annual billing saves two months across every paid tier. Enterprise and Ultimate scale up to 100x if you need thousands of pages or multi-team access.

At an engineering hourly rate, Standard at $80/year pays for itself the first time you catch a breaking API change, a deprecated endpoint, or a silent config change before it takes down production. 100 monitored pages is enough to cover the changelogs and docs of every third-party API your stack depends on. Enterprise at $300/year adds higher check frequency, 500 pages, and full API access. All plans include the PageCrawl MCP Server, which plugs directly into Claude, Cursor, and other MCP-compatible tools. Developers can ask "what changed in the Stripe API docs this month?" and get a summary pulled from your own monitoring history. Paid plans unlock write access so AI tools can create monitors and trigger checks through conversation, turning your tracked pages into a living knowledge base instead of a pile of alert emails.

Getting Started

Build a crt.sh URL for each domain you own (use the %25. wildcard prefix), add them to PageCrawl on a 15-minute schedule, and route webhooks into your SOC. Create a free account and the next certificate issued against your brand will trigger an alert in minutes.

Once owned-domain coverage is in place, expand to a curated list of lookalike patterns and pair with KEV and package-release monitors for a complete brand-protection picture. The Standard plan at $80/year covers a mature setup with room for sibling monitors on related security feeds. For SOCs and brand-protection teams that treat CT issuance as a first-class signal, the cost is rounding error against the cost of a single successful phishing campaign.

Last updated: 19 May, 2026
