NEW The Analyst Copilot now drives the whole investigation: scan, pivot, export, from one chat. See it work →
CoreSight
How it works Product Compare Watch the tour Log in Join the waitlist

See the whole network behind a suspicious domain.

CoreSight turns one scan into a forensic profile: tech stack, infrastructure, archives, threat intel, and an LLM-verified "was this built by AI?" verdict.

Then it clusters every related domain into a labeled campaign on a live investigation graph.

https:// Scan a domain →
Watch the 2-minute tour
2,847,193domains profiled · 14,203 campaigns mapped · last scan: 4s ago
Works even when the site is down, blocked, or hiding behind a captcha · No headless-browser babysitting · STIX 2.1 / MISP export built in
SCROLL TO INVESTIGATE
// WHY NOW

Fake sites used to take days to build. Now they take minutes.

AI site-builders collapsed the cost of a convincing storefront, brokerage, or bank clone to a single prompt. Operators no longer run a scam site. They run fleets of them, rotated faster than takedowns can keep up. Detecting one site is table stakes. The value is mapping the fleet, and CoreSight was built for exactly that.

Minutes, not days

The time it takes to clone a brand with an AI builder. CoreSight detects the builder's fingerprints in the DOM.

Fleets, not sites

One operator, dozens of domains sharing certs, trackers, and backends. CoreSight pivots on all of them.

One tool, not five

Enrichment, graphing, typosquat discovery, and export live in the same case. No swivel-chair between feeds and canvas.

// PHASE 01 · SCAN

One scan in. A campaign out.

01 Scan.

Paste a domain. CoreSight fetches the live page (or recovers it from webtrace.io and the ChronoVault archive if the origin is down or blocking bots) and builds a full profile: tech matrix, DNS/RDAP, TLS certs, cookies, favicon hashes, trackers, threat intel, IP reputation, archive history.

02 Pivot.

Every scan emits infrastructure fingerprints: cert SANs, tracker IDs, Nimbase/Appcore projects, AI-builder markers, TI campaign tags. The Pivot Index correlates them across your case; find more reaches outward to certledger, webtrace, and ThreatMesh to surface domains you haven't scanned yet.

03 Map & report.

The Investigation Graph auto-clusters domains that share discriminating infrastructure into labeled campaigns with glass-box confidence on every edge. Export the story as STIX 2.1, MISP, GraphML, or a pre-filled abuse report to the registrar.

Start your first case, free →
suspicious-broker.example SCAN COMPLETE
Tech matrix
Atomik Nimbase ShieldWall TRK-8XK21
Platform SiteForge · deterministic DOM fingerprint
AI Genesis
87
LLM-verified
Threat intel ThreatMesh pulse: FleetPhish-2026 · MalTrace: clean · VT: 3/94
Certificates certledger · 14 certs · 9 SANs
Archive ChronoVault: first capture 41 days ago · 6 snapshots
IP intel AbuseTrack 62% · NoiseFloor: unknown · 3 open ports
13 collectors · 1 synchronous request · no job queue
pivot index · case CS-0173 4 FINGERPRINTS
Cert SAN
sha256:9f2c41ab…e77d · via certledger
12 domains find more →
Tracker ID
TRK-8XK21 · via webtrace.io
7 domains find more →
Backend project
nimbase:xyzkq · via script URLs
5 domains find more →
Visual fingerprint
favicon:-1190759676 · murmur3
9 domains find more →
reverse pivots → certledger · webtrace.io · ThreatMesh · 18 ghost domains surfaced
investigation graph 1 CAMPAIGN · 12 DOMAINS
CAMPAIGN: nimbase xyzkq · favicon -1190759676 suspicious-broker
confirmed suspected possible
STIX 2.1 MISP abuse draft →
// CAPABILITIES

Everything an investigation needs, natively.

AI Genesis Scanner

An LLM-verified verdict on whether a site was generated by an AI builder, grounded in deterministic evidence: platform fingerprints, image metadata, code patterns, and the page itself. Never a black-box score: the reasoning ships with the number.

Investigation Graph

Domains, IPs, certs, pivots, and TI tags on a force-directed canvas. Auto-labeled campaign clusters, propagated risk scoring with a "why" breakdown, path tracing between any two nodes.

Pivot Search

A terse, composable query language over everything you've scanned. Client-side, instant.

asn:shieldwall and aiscore>=70

Analyst Copilot

A tool-calling AI agent on every tab. It can query your session, scan new leads, run reverse pivots, and draft exports. Every action is approval-gated, RBAC-checked, and written to an immutable audit log.

Resilient by design

Blocked by ShieldWall? Site already taken down? The scan recovers via webtrace.io's rendered DOM, ChronoVault archives, RDAP, and certledger. "The site is down" still yields a rich profile.

Court-ready output

Cases, chain-of-custody audit logging, STIX 2.1 bundles, MISP events, GraphML for LinkCanvas/NodeView, and one-click abuse drafts addressed to the right registrar.

// POSITIONING

The middle nobody else occupies.

Data houses give you great feeds and no canvas. Graph tools give you a great canvas and no data. The two vendors that do both are six-figure, enterprise-only contracts. CoreSight ships scam-tuned enrichment and native, confidence-scored campaign clustering in one product, at an altitude and price built for the long tail of brand, fraud, and SMB security teams.

Data feeds
the big feed houses
Graph tools
the canvas tools
Enterprise TI
the six-figure suites
CoreSight
Scam-tuned enrichment
Native investigation graph
Auto-labeled campaign clustering
Partial
AI-builder detection
Price fits SMB / brand teams
Varies
Varies
Feature comparison based on public product documentation, June 2026.
Built for Fraud teams · Brand protection · CTI analysts · Domain investors

Your next takedown starts with one scan.

Free to start. No credit card. Your data stays in your case.

Scan a domain → Talk to us
Join the waitlist.

Access opens in waves. Reserve a seat and get the field notes while you wait: new pivot techniques, campaign write-ups, product updates. No fluff, easy out.

Join the waitlist
✓ You're on the list. We'll be in touch when your wave opens.
CoreSight

CoreSight. See the whole network.

Product Profiler Investigation Graph Analyst Copilot
Solutions Fraud investigation Brand protection Threat intel teams
Company About Contact Privacy Terms
© 2026 CoreSight · last scan: 4h ago
CoreSight · the 2-minute tour
CASE FILE · OPERATION LOCKBOX Close
Join the waitlist 02:00 · sound on
CoreSight · solutions
Close
// SOLUTIONS · FRAUD & SCAM INVESTIGATION

Map the fleet. Name the operator. File the takedown.

You know the site is fake in the first ten seconds. The next six hours are the problem. CoreSight compresses them into one case.

The grind you know
  Scam sites rotate faster than manual pivoting can follow.
  Evidence scattered across five tools doesn't survive scrutiny.
  Takedown letters take an hour each to draft and address.
How CoreSight fits

One scan fingerprints the site. The Pivot Index and reverse pivots surface the sisters. The graph clusters them into a labeled campaign with confidence on every edge. Export ships as STIX and MISP plus a pre-addressed abuse draft, while cases and the immutable audit log keep your chain of custody intact from first scan to courtroom.

INVESTIGATION GRAPH REVERSE PIVOTS ABUSE DRAFTS AUDIT LOG
Join the waitlist ← Back to CoreSight
// SOLUTIONS · BRAND PROTECTION

Find the clones before your customers do.

Your brand is the lure. Every fake storefront wearing your logo is fishing with your reputation, and you shouldn't learn about it from a phishing report.

The grind you know
  Typosquats register in bulk, faster than you can watch for them.
  AI builders make pixel-perfect fakes in minutes.
  You find out from a customer, after the damage is done.
How CoreSight fits

Typosquat discovery generates the candidates an operator would register against your brand: homoglyphs, omissions, TLD swaps, each one click to scan. The brand-bank favicon match flags visual impersonation the moment it appears. Watchlists rescan daily and badge exactly what changed, so the first clone you see is the first clone that exists.

TYPOSQUAT DISCOVERY FAVICON BRAND MATCH DAILY WATCHLISTS AI-BUILDER DETECTION
Join the waitlist ← Back to CoreSight
// SOLUTIONS · THREAT INTELLIGENCE TEAMS

Enrichment and the graph, finally in the same tool.

You already have feeds. You already have a canvas. What you don't have is the hour back you spend carrying indicators between them.

The grind you know
  Feeds without a canvas: great data, nowhere to think.
  Graph transforms you have to babysit run by run.
  Enterprise TI platforms priced for someone else's budget.
How CoreSight fits

MalTrace, OmniScan, ThreatMesh, AbuseTrack, and NoiseFloor enrich every scan. TI campaign tags become pivot primitives that cluster domains automatically. Everything exports to STIX 2.1 and MISP, and GraphML opens in the canvas you already run. The pivot query language works everywhere, including inside the Copilot:

asn:shieldwall and aiscore>=70 not verdict=clean
STIX 2.1 MISP GRAPHML PIVOT QUERY LANGUAGE
Join the waitlist ← Back to CoreSight
CoreSight · about
Close
// ABOUT

The middle was empty. So we built it.

Every fraud investigator knows the two-tool shuffle: a stack of enrichment feeds on one screen, a graph canvas on the other, and a copy-paste bridge made of coffee and patience in between. The vendors who solved both ends charge six figures and sell to enterprises, while AI site-builders hand scam operators fleet-scale infrastructure for the price of a prompt.

CoreSight is our answer: a scam-tuned enrichment engine and a native, confidence-scored campaign graph in one product, honest about its evidence at every step. Scores explain themselves. Clusters name their pivots. Missing data says missing, never pretends. And when an AI agent acts on your case, it asks first and signs the log.

We think the analysts defending the long tail deserve the same altitude of tooling as the Fortune 500: the brand teams, the SMB security folks, the solo fraud hunters. That's the product. That's the roadmap. That's the point.

Join the waitlist ← Back to CoreSight
CoreSight · privacy & data handling
Close
// PRIVACY POLICY

Your data stays in your case.

Last updated June 2026

Data residency

Cases, watchlists, and session state live in your deployment and your browser. Export and import them as portable, schema-validated JSON whenever you want. Nothing is shared across tenants, because there are no shared tenants.

Your keys, server-side

Provider API keys live in your deployment's environment and never reach the browser. Missing a key shows a setup nudge; nothing breaks, and nothing is faked to fill the gap.

Scanning safety

An SSRF guard sits on every scan path. Submissions to third-party enrichment providers are never made public — existing public records are reused first, new submissions are private or unlisted, and you can forbid outbound submissions entirely.

Access control

Role-based access control (admin / analyst / viewer) is enforced client- and server-side, including on every Copilot tool call. Sessions are signed and short-lived. Passwords are hashed with a modern, slow key-derivation function — never stored in the clear.

Chain of custody

An append-only, immutable audit log records every consequential action: who, what, when, and whether an AI agent did it. Secrets are redacted at write time.

AI guardrails

Every mutating or cost-incurring agent action requires inline human approval. Scraped and captured content is treated as untrusted input. Tool calls per turn are capped.

Contact

Questions about this policy or a data request: reach us via the waitlist form and mark it "privacy" — we respond directly, not through a ticket queue.

← Back to CoreSight