Hi HN folks, I’m building BrandRetina (brandretina.ai), an API-first service to catch high-fidelity spear-phishing that looks like your real internal portals..

Most scanners are great at "bad code" (malware/reputation), but lots of modern phishing is just a clean site that visually impersonates Okta/SSO/Workday/customer portals. SOC teams often end up doing the manual step: open urlscan screenshot -> eyeball it -> decide.

What BrandRetina does:

- You onboard a "Golden Registry" (verified screenshots of your real portals) - When a suspicious link comes in, your SOAR detonates it (e.g., urlscan.io) and gets a screenshot UUID - BrandRetina compares the screenshot against the Golden Registry (visual embeddings / similarity) and returns:

1) verdict (CLEAN/SUSPICIOUS/MALICIOUS) 2) similarity score 3) target portal + evidence flags (logo/layout/color/form signals)

Why it’s useful:

- Flags lookalikes even when the HTML/code is completely different - Removes the repetitive screenshot-review step - Fits existing workflows (SOAR/SIEM) instead of replacing them

I'd love feedback from SOC/IR/SecOps folks:

- Are screenshot-based verdicts something you’d trust in an automated playbook? - What evidence signals would make this actionable for you? - What sources besides urlscan would you want supported?

Docs: https://brandretina.ai/docs API base: https://api.brandretina.ai

Comments URL: https://news.ycombinator.com/item?id=46389187

Points: 1

# Comments: 0