Frequently Asked Questions
Clear answers about how we detect typosquatting domains, what we scan, and how the reports work.
About The Audit
MOORLI BrandGuardDiagnostic is an outside-in audit that finds lookalike domains targeting your brand and prioritizes the ones that matter most.
You provide your brand domain. We generate lookalike variants, preflight them, and evaluate the included candidates across registration, DNS, web, mail, SSL, similarity, and corroborating reputation signals. Domains are then classified as Active Threat Signals, Defensive Hold, Parked, Inactive, or Available based on observable web, mail, registration, SSL/TLS, similarity, and corroborating reputation evidence.
Typosquatting is when someone registers a domain that closely resembles your brand. Those domains are often used for phishing, credential theft, impersonation, or fraud.
Most companies find these domains late. MOORLI helps you find them earlier, before they become a bigger problem.
Our engine applies a fast preflight across discovered candidates, then evaluates 36 rules across 9 categories for each lookalike candidate included in your report:
- Registration & Ownership (6 rules): RDAP data, registration date, expiry, privacy protection, registration metadata completeness, squat registrar patterns
- DNS Resolution & Hosting (5 rules): Resolution, nameserver, redirect, and hosting signals used to help prioritize review
- Web Presence & Content (6 rules): Live content, login forms, brand mentions, parked-page signals, and other corroborating web indicators
- Mail Infrastructure (7 rules): MX, SPF, DMARC, DKIM selector probes, mail-provider, hosted mail-routing, and email-first pattern signals. Passive mode does not perform SMTP catch-all acceptance testing.
- SSL/TLS Configuration (4 rules): Browser-trusted certificate presence, free CA usage, cert age, brand mention in cert SANs
- Reputation & Corroboration (4 rules): External reputation checks are used as supporting evidence, not as standalone proof
- Similarity & Permutation Type (2 rules): Edit distance, homoglyph/keyboard-adjacent classification
- Composite Signals (1 rule): Combined high-risk indicator patterns
- Risk Classification (1 rule): Final risk classification based on observed signals
When you enter your brand domain, our engine generates a pool of lookalike candidate domains using deterministic permutation logic: typosquats, keyboard-adjacent substitutions, vowel swaps, character doubling/dropping, prefix/suffix additions, hyphenation variations, and TLD variations.
Those candidates are then triaged using similarity and preflight signals so the report focuses on the highest-priority domains included in your selected tier — 10 for Free, 50 for Standard, or 100 for Executive — rather than a long list of theoretical permutations.
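The generate-then-triage flow described above can be sketched for a brand domain you own. This is an added example, not MOORLI's engine: the keyboard map, the `AFFIXES` and `TLDS` lists, and the use of plain edit distance as a stand-in for the "similarity and preflight signals" are all assumptions.

```python
# Added example, not MOORLI's engine; QWERTY map, AFFIXES and TLDS are assumed lists.
QWERTY = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ADJACENT = {c: {r[i + d] for d in (-1, 1) if 0 <= i + d < len(r)}
            for r in QWERTY for i, c in enumerate(r)}
VOWELS = "aeiou"
AFFIXES = ["login", "secure", "support"]
TLDS = ["com", "net", "org", "co", "io"]


def generate_candidates(domain):
    """Return {lookalike_domain: permutation_type} for a two-label domain."""
    label, _, tld = domain.lower().partition(".")
    out = {}

    def add(new_label, kind, new_tld=tld):
        cand = f"{new_label}.{new_tld}"
        # Skip empty labels, leading/trailing hyphens and the brand domain itself.
        if new_label and new_label.strip("-") == new_label and cand != f"{label}.{tld}":
            out.setdefault(cand, kind)  # first permutation type found wins

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "char-drop")
        add(label[:i] + ch + label[i:], "char-double")
        for k in sorted(ADJACENT.get(ch, ())):
            add(label[:i] + k + label[i + 1:], "keyboard-adjacent")
        for v in (VOWELS if ch in VOWELS else ""):
            add(label[:i] + v + label[i + 1:], "vowel-swap")
        if i:
            add(label[:i] + "-" + label[i:], "hyphenation")
    for a in AFFIXES:
        add(a + label, "prefix")
        add(label + "-" + a, "suffix")
    for t in TLDS:
        add(label, "tld-variation", t)
    return out


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain, limit):
    """Return the `limit` closest candidates as (distance, domain, type) tuples."""
    cands = generate_candidates(domain)
    scored = sorted((edit_distance(domain.lower(), c), c, k) for c, k in cands.items())
    return scored[:limit]
```

Calling `triage("example.com", 10)` mirrors the Free tier's candidate limit; the output is only a watch list, and each entry still needs the registration, DNS, web, mail and certificate checks before it says anything about risk.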
Most scans finish within a few minutes, depending on the package and the number of included candidates.
Generally no. The audit relies on publicly available infrastructure signals (DNS records, RDAP/WHOIS data where available, HTTP responses, and SSL certificate metadata). We do not send emails, log into systems, or perform penetration testing. You are still responsible for using the service for a legitimate business purpose and in compliance with applicable laws and policies.
The scan involves standard DNS queries, RDAP lookups, and HTTPS connections. Third-party operators may still log or analyze that traffic, so we do not claim invisibility — only that the audit is non-intrusive and limited to publicly observable data.
No. Scores are informational and reflect observable infrastructure and public signals at scan time, not confirmed malicious intent. A domain classified as low risk today could show active threat signals tomorrow. Please review the Disclaimer for important limitations.
The free tools typically check one lookalike domain at a time and require you to already know what to look for. MOORLI BrandGuardDiagnostic is built for automated discovery at scale:
- Automated Discovery: We generate and test thousands of permutations — you just provide your brand domain.
- Deep Multi-Signal Analysis: 36 rules across 9 categories, not just a DNS lookup.
- Risk Classification: Every domain is classified as Active Threat Signals, Defensive Hold, Parked, Inactive, or Available. Active Threat Signals means active observable indicators, not confirmed malicious intent.
- Reporting Options: Free includes HTML + PDF. Executive adds the PPT deck.
Yes, when you have a legitimate business purpose. MSPs frequently run scans for their clients' brands as part of assessments or recurring reviews. The audit uses publicly observable data, but you remain responsible for how you use the report and any actions you take based on it.
Report Tiers & Features
Free Scan ($0):
- 1 brand domain scanned
- Up to 10 lookalike candidates analyzed
- HTML + PDF reports
- No PPT deck and no rescan
- One free scan per account
Standard ($499):
- 1 brand domain scanned
- Up to 50 lookalike candidates analyzed
- HTML + PDF reports
- No rescan included
Executive ($799):
- 1 brand domain scanned
- Up to 100 lookalike candidates analyzed
- HTML + PDF reports + PPT deck
- One 30-day rescan included
- Broader candidate coverage + executive deliverables
Executive is best when you want broader coverage, a presentation-ready deliverable, and a rescan.
Free Scan: HTML report + PDF report (up to 10 lookalike candidates)
Standard tier: HTML + PDF reports
Executive tier: HTML + PDF reports + PPT deck
The PPT deck is built for leadership updates and client presentations, with summary charts and prioritized findings.
Executive tier includes one complimentary rescan within 30 days of your original audit. This lets you:
- Detect newly registered lookalike domains since your last scan
- Verify that remediation actions were effective
- Show progress/improvement in a follow-up board presentation
The rescan covers the same brand domain and re-discovers lookalike candidates from scratch, so newly registered or newly activated lookalikes can be surfaced if they are observable at scan time.
Free Scan (1 Brand Domain)
Yes. We offer one free scan so you can see the format before you buy. It covers up to 10 lookalike candidates and includes HTML + PDF only.
The Free Scan is a preview for 1 brand domain with up to 10 lookalike candidates. It uses the same core engine and includes HTML + PDF only.
Free reports are marked as "FREE SNAPSHOT" within the report. Limited to one free scan per account.
The Free Scan is intended to be one-time per user/account.
For MSPs/Agencies
Yes. MSPs/Agencies frequently run brand impersonation audits for their clients and present the report as part of a security engagement. Your first agency pack purchase automatically enables white-label branding configuration on your account — you can then customize reports with your own logo, colors, and agency name. Once enabled, white-label stays active even if you purchase additional one-time credits.
No. Agency credits never expire. Use them at your own pace.
White-label branding lets you customize reports with your agency name, logo, brand colors, and contact info — so you can present the reports to clients under your own brand.
How to unlock it: Your first agency pack purchase (any size, any tier) automatically enables white-label configuration on your account. After that, you can configure your branding in the dashboard and all future reports — whether generated from agency credits or one-time credits — will support your custom branding.
No. Pricing is one-time per audit/report. There are no recurring contracts unless explicitly offered in writing.
No refunds once processing begins, except where required by law. If a paid audit fails because of a MOORLI-side delivery issue and no usable report is produced, we may restore the consumed audit credit for a replacement run. This is not a cash refund. Please see our Terms of Service.
The Service is provided “as-is” and is for informational and educational purposes only. Liability is limited as described in our Terms and Disclaimer, including a cap at the amount paid for the audit/report giving rise to the claim (to the extent permitted by law).
All data is processed and stored on Google Cloud (Firebase, Firestore, Cloud Storage) with encryption in transit and at rest. We treat your audit reports and brand data as confidential. See our Privacy Policy for full details.
Report files are stored for 90 days in your dashboard for access and re-download. Download links may refresh periodically and should not be treated as permanent URLs. After the retention window, report files may be automatically deleted. Audit metadata (scores, timestamps) is retained longer for your history unless you request deletion.
Support & Contact
You can reach us at support@moorli.io.