Most scanners are great at "bad code" (malware/reputation), but lots of modern phishing is just a clean site that visually impersonates Okta/SSO/Workday/customer portals. SOC teams often end up doing the manual step: open urlscan screenshot -> eyeball it -> decide.
What BrandRetina does:
- You onboard a "Golden Registry" (verified screenshots of your real portals)
- When a suspicious link comes in, your SOAR detonates it (e.g., urlscan.io) and gets a screenshot UUID
- BrandRetina compares the screenshot against the Golden Registry (visual embeddings / similarity) and returns:
  1) verdict (CLEAN/SUSPICIOUS/MALICIOUS)
  2) similarity score
  3) target portal + evidence flags (logo/layout/color/form signals)
Why it’s useful:
- Flags lookalikes even when the HTML/code is completely different
- Removes the repetitive screenshot-review step
- Fits existing workflows (SOAR/SIEM) instead of replacing them
I'd love feedback from SOC/IR/SecOps folks:
- Are screenshot-based verdicts something you’d trust in an automated playbook?
- What evidence signals would make this actionable for you?
- What sources besides urlscan would you want supported?
Docs: https://brandretina.ai/docs
API base: https://api.brandretina.ai
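As an added illustration of the comparison step described in the post (not BrandRetina's code or API), the sketch below scores a screenshot embedding against a small registry and maps the result to the three verdicts. The registry entries, the 4-dimensional toy embeddings, the thresholds and the rule that a registered hostname is treated as the real portal are all assumptions made for the example.

```python
import math
from urllib.parse import urlsplit

# Constructed Golden Registry: portal -> (legitimate hosts, reference embedding).
# Toy 4-d vectors stand in for embeddings from a real image model.
GOLDEN_REGISTRY = {
    "okta-sso": ({"login.example.com"}, [0.9, 0.1, 0.3, 0.2]),
    "workday": ({"hr.example.com"}, [0.1, 0.8, 0.2, 0.5]),
}
SUSPICIOUS_AT, MALICIOUS_AT = 0.80, 0.92  # assumed thresholds, tune on your own data

def cosine(a, b):
    """Cosine similarity; 0.0 for a zero vector (e.g. a blank screenshot)."""
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0

def classify(url, embedding):
    """Return verdict, similarity and target portal for one detonated URL."""
    host = (urlsplit(url).hostname or "").lower()
    # Closest registered portal by visual similarity.
    portal, score = max(
        ((name, cosine(embedding, ref)) for name, (_, ref) in GOLDEN_REGISTRY.items()),
        key=lambda item: item[1],
    )
    if host in GOLDEN_REGISTRY[portal][0]:
        verdict = "CLEAN"  # the real portal is expected to look like itself
    elif score >= MALICIOUS_AT:
        verdict = "MALICIOUS"
    elif score >= SUSPICIOUS_AT:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"
    return {"verdict": verdict, "similarity": round(score, 3),
            "target_portal": None if verdict == "CLEAN" else portal}

if __name__ == "__main__":
    # Constructed samples: (url, screenshot embedding).
    samples = [
        ("https://login-example.invalid/signin", [0.88, 0.12, 0.31, 0.18]),
        ("https://login.example.com/", [0.88, 0.12, 0.31, 0.18]),
        ("https://portal.invalid/", [0.6, 0.5, 0.3, 0.3]),
    ]
    for url, emb in samples:
        print(url, classify(url, emb))
```

The hostname check is what keeps the genuine portal from flagging itself; without it, every legitimate login page would score as a near-perfect match.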