discover_brand_domains
Discover all domains belonging to a brand by analyzing certificate, DNS, redirect, and mail-policy signals. Provide an exact seed domain to expand the portfolio.
Instructions
Discover all domains that belong to a brand's portfolio by aggregating certificate, DNS, redirect, and mail-policy signals. Use when asked what domains are part of a brand portfolio, or to find all domains related to a brand. Pass the EXACT seed domain verbatim — do NOT normalize or substitute a canonical domain.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| depth | No | Discovery depth. `standard` is the default; `deep` expands candidate seeding and enrichment fanout. | |
| domain | Yes | The exact seed domain to expand, scanned verbatim (e.g., example.com). Do NOT normalize, resolve, or substitute a brand's canonical/main domain — pass the literal domain the user named (e.g. pass `clau.de`, not `anthropic.com`). Use `brand_aliases` for related brand labels. | |
| format | No | Output verbosity. Auto-detected if omitted. | |
| signals | No | Signal modules to invoke. Defaults to all 12 discovery/enrichment signals. | |
| planner_mode | No | Planner mode for staged discovery fanout. `observe` emits metrics; `enforce` applies candidate-backed signal caps. | |
| brand_aliases | No | Optional public brand aliases to seed, such as product or legal-entity labels. | |
| force_refresh | No | Bypass cache and run a fresh check. Useful after DNS changes. | |
| discovery_mode | Yes | Discovery mode. "classic" (default, BSL-licensed) runs the public signal-sweep pipeline. "tiered" layers Tier 0 (tenant-declared portfolio), Tier 1 (infrastructure-graph), and Tier 2 (declared-evidence) lookups in front of the legacy sweep, falling back to Tier 3 (the existing sweep) only on cache miss / very_stale fingerprint / uncovered caller candidates. Tiered mode requires private BlackVeil service bindings — BSL self-hosts should leave this on "classic". | classic |
| dkim_selectors | No | Optional DKIM selectors to probe. Defaults to a built-in common-selector list. | |
| min_confidence | No | Drop candidates whose combined confidence falls below this threshold (0-1, default 0.5). | |
| candidate_domains | No | Optional candidate domains supplied by the caller for corroboration. | |
| ownership_verified | No | Caller attests that the seed domain is owned or authorized for scanning. Required when discovery_mode is "tiered" and the caller is not an enterprise/owner/partner principal. Prevents unauthorized mass reconnaissance via deep tier lookups. | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| score | Yes | | |
| passed | Yes | | |
| category | Yes | | |
| findings | Yes | | |