catchPhi.sh
Certificate Transparency Monitoring

Catch phishing domains minutes after the certificate is issued.

CatchPhi.sh keeps eyes on the global CT log firehose so you don’t have to. Define domains, regex patterns, and homoglyph rules, then deliver alerts by webhook or inbox—no infrastructure, no brittle scripts.

Start your 14-day trial See how it works →

12M+

Certificates reviewed per day

60s

Average webhook lead time

Daily recap preview

  • login-brand-secure.com

    Matched regex /brand.*login/ · Issued 12 minutes ago

  • support-bränd-payments.io

    Detected via homoglyph variant · WHOIS country: NL

  • app-brand-helpdesk.cloud

    Edit distance match ≤2 · Risk score: elevated

Why teams choose CatchPhi.sh

Everything you need to watch CT logs without the toil

Built for security engineers, founders, and researchers who want actionable visibility, not another dashboard to babysit.

Regex, domains, and homoglyphs in one place

Track exact domains, partial matches, regex patterns, and Unicode lookalikes without juggling separate tools. CatchPhi.sh automatically generates risky variants and keeps them up to date.

Alerts where your team already works

Send daily recaps to email for leadership, real-time webhooks to automation, or both. Pipe matches into Slack, SIEM, or your own scoring pipeline in minutes.

Purpose-built for lean security teams

No infrastructure or software to maintain and keep running. Just ship a list of patterns and get actionable intel before phishing kits go live. Restrict alerts to new domains to limit noise.

How it works

Ship rules in minutes. Let us watch the firehose.

From first pattern to first alert, the entire setup takes less than the time it takes to provision a server.

Step 1

Define the rules that matter

Add domains, keywords, regex patterns, and typo variants that map to your brand or clients. Toggle homoglyph detection and edit distance thresholds per rule.

Step 2

Stream or summarize notifications

Choose real-time webhooks for automation or daily email recaps for easy review. Every payload includes enrichment data so you can triage in seconds.

Step 3

Respond before phishing lands

CatchPhi.sh flags suspicious certificates minutes after issuance, giving you time to takedown or warn customers before campaigns ramp up.

Pricing

Predictable pricing that scales with your monitoring needs

Try CatchPhi.sh free for 14 days. Upgrade when you are ready to automate takedowns and alerts.

Starter

$9/mo

Hobbyists, indie hackers, and small startups.

  • Up to 5 monitoring rules
  • Up to 100 matches/alerts per month
  • Daily email summary
  • Homoglyph and typo-squat detection
Start 14-day trial

Growth

$19/mo

SMEs and security-conscious companies.

  • Up to 20 monitoring rules
  • Up to 1,000 matches/alerts per month
  • Daily email + webhook delivery
  • Priority processing
Monitor your brand

Team

$29/mo

Security teams and agencies.

  • Up to 50 monitoring rules
  • Up to 5,000 matches/alerts per month
  • Daily email + webhook delivery
  • Priority processing
Talk with us

Pro

$99/mo

MSSPs and agencies needing higher capacity.

  • Expanded limits for rules and matches
  • White-label options
  • Dedicated support
  • Custom integrations
Contact sales

Loved by lean teams

Testimonials from people shipping fast security wins

“We replaced a pile of bash scripts with CatchPhi.sh. Our webhook feed drives a Slack bot that lets engineers flag phishing domains before marketing even sees them.”

Security engineers

Seed-stage SaaS company

“Regex + homoglyph matching means we can pivot on brand clusters and see campaigns unfold in real time without maintaining CertStream infrastructure.”

Threat researchers

Independent research lab

“We onboard new clients in under an hour and resell CatchPhi.sh monitoring as part of our phishing resilience package.”

MSSP teams

Boutique security agency

FAQ

Answers to the questions teams ask before switching

Need something else? Email contact@catchphi.sh and we’ll help you get started.

We rely on our own Certificate Transparency scanning, indexing and searching service and normalize certificate data so you only see leaf certificates relevant to your rules. No need to run your own ingestion stack.

Real-time webhooks fire within minutes of CT log publication. Daily recaps summarize everything that matched in the last 24 hours so leadership can review without noise.

Yes. Every rule supports Unicode homoglyph detection and configurable edit distance. CatchPhi.sh generates risky variants and checks them alongside your literal domain or regex patterns.

Webhook payloads and emails include WHOIS snapshots, DNS answers, and AI-backed risk scores when available so you can quickly prioritize takedowns.

Webhook delivery is the primary integration path today. CSV and REST exports are on the roadmap—reach out if you need early access.

Ready to catch phishing certificates before they go live?

Join developers, security engineers, and researchers using CatchPhi.sh to keep an eye on the CT firehose.

Create your account Talk with a human →