Early Warning for Your Domain's Trust

Coming soon · beta access

Catch a rogue cert before your customers do.

Continuous Certificate Transparency monitoring at the edge. Detect rogue certificates, mis-issuances, and domain hijacking in real time — before they impact your brand.

CT Sidekick

Problem & Solution

Built for what actually goes wrong

Pain point

Rogue Certificate Authorities issuing certificates for your domain without your knowledge or authorization.

Value pillar

Real-time polling of Google and Apple's global CT log lists to catch new issuances within minutes.

Pain point

Exceeding API limits or compute budgets when attempting to ingest millions of log entries daily.

Value pillar

Edge-native budget caps and tiered polling cadences (1m, 5m, 60m) designed for Cloudflare Free Tier efficiency.

Deep technical features

What ships in the box

Log Tile Streaming

Efficiently polls CT logs using a tile-based approach, mapping log segments to deterministic D1 storage ticks to stay under 100k daily write limits.

Multi-Tier Cadence

Enforces polling priorities across High-Value (Tier 1), Standard (Tier 2), and Archive (Tier 3) logs, ensuring critical infrastructure is audited with zero latency.

Retention-Optimized Store

Automated 14-day purging of audit matches ensures your D1 database remains lean, with opt-in pinning for persistent investigation evidence.

Security & Compliance

Built on enterprise-grade infrastructure

No raw DER certificates are stored — only the metadata your watchlist matches against. 14-day retention by default with opt-in pinning for investigations. Single-tenant by design today; Clerk-backed multi-tenant org support arrives in Phase 2.

Metadata-only storage · 14-day default retention · Cloudflare Workers + cron · Hard quota safeguards

Network

Cloudflare global edge — innate DDoS protection, zero cold-starts.

Identity

Clerk (SOC 2 Type II, GDPR) for multi-tenant fleets; PBKDF2 for single-tenant apps.

Subprocessors

Cloudflare & Resend (SOC 2 Type II) · Stripe (PCI-DSS Level 1).

Product roadmap

From foundation to fleet scale

  1. Phase 0 · Shipped

    Foundation — Watchlist & Log Registry

    • Watchlist CRUD with crt.sh on-demand sweep and CSV export.
    • CT log registry plus Chromium list refresh on a 24-hour cadence.
    • Hard quota safeguards (40k D1 writes/day, throttle at 80%, freeze at 95%).
  2. Phase 1 · In progress

    Tile Poller — Real Names Walk

    • Sunlight tile poller with deterministic tick mapping.
    • Regex-based domain matching engine with alert prioritization.
    • Webhook notification delivery for high-risk matches.
  3. Phase 2 · Next

    Multi-Tenant & Anomaly Detection

    • Multi-Worker sharding for horizontal log processing.
    • Advanced anomaly detection (spikes in issuance for related TLDs).
    • Integration with URL Sidekick for automated scanning of newly discovered cert hosts.

Ready to bring CT Sidekick into your stack?

Talk to our team about deployment, custom SLAs, and integration with your existing identity and observability stack.