
What is CertStream and How to Use It for Phishing Detection

By Tetik.NET Threat Labs · May 18, 2026

The SSL Certificate Problem

In the past, the presence of a padlock (HTTPS) meant a website was secure and verified. Today, thanks to automated authorities like Let's Encrypt, anyone can get an SSL certificate in seconds—including attackers. In fact, over 95% of phishing websites now use HTTPS.

But there is a silver lining. Every time an SSL certificate is issued, it is publicly logged in Certificate Transparency (CT) logs. If an attacker registers paypa1-secure-login.com and requests an SSL certificate, a public record is created instantly.

Enter CertStream

CertStream is an intelligence network that aggregates these global CT logs into a single real-time WebSocket feed. By connecting to this firehose, security analysts can monitor every single SSL certificate being issued worldwide (often hundreds per second).

How to Filter the Firehose

Listening to CertStream generates massive amounts of data. The key to phishing detection is applying regular expressions and Levenshtein distance algorithms to the incoming domain names.

import certstream

TARGET_BRAND = "paypal"

def print_callback(message, context):
    # Heartbeat messages also arrive; only certificate updates carry domains
    if message['message_type'] == "certificate_update":
        # all_domains holds every name on the certificate (CN plus SANs)
        all_domains = message['data']['leaf_cert']['all_domains']
        for domain in all_domains:
            # Simple keyword matching
            if TARGET_BRAND in domain.lower():
                print(f"[ALERT] Phishing domain detected: {domain}")

# Blocks and invokes print_callback for each message on the feed
certstream.listen_for_events(print_callback, url='wss://certstream.calidog.io/')

The Challenge for SOC Teams

While the script above is a great proof-of-concept, running it in production is a nightmare. The WebSocket connection drops, memory leaks crash the server, and a simple keyword match will trigger thousands of false positives (e.g., catching a benign site like paypal-fan-forum.com).
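The following is an added example, not code from the original post or from Tetik.NET's product: a scoring filter that combines a regular-expression tokenizer with Levenshtein distance, so it catches paypa1-secure-login.com (which the keyword match misses) while ranking paypal-fan-forum.com below the alert threshold. The official-domain list, lure-word list, weights and threshold are assumptions to tune, and the sample domains are constructed.

```python
import re

BRAND = "paypal"
OFFICIAL = ("paypal.com",)   # assumption: domains the brand really owns
LURE_WORDS = {"login", "secure", "verify", "account", "signin", "update"}  # assumed
ALERT_THRESHOLD = 70         # assumed cut-off; tune against your own traffic

def levenshtein(a, b):
    """Edit distance via two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def score_domain(domain):
    """Score one entry of all_domains; returns (score, reasons)."""
    name = domain.lower()
    if name.startswith("*."):            # wildcard SAN entry
        name = name[2:]
    if any(name == d or name.endswith("." + d) for d in OFFICIAL):
        return 0, ["official domain"]
    score, reasons = 0, []
    for token in re.split(r"[.\-_]+", name):
        if BRAND in token:
            score += 40                  # brand named outright: may be benign
            reasons.append(f"brand in '{token}'")
        elif levenshtein(token, BRAND) == 1:
            score += 60                  # one edit away: deliberate lookalike
            reasons.append(f"lookalike '{token}'")
        if token in LURE_WORDS:
            score += 20
            reasons.append(f"lure word '{token}'")
    return score, reasons

def triage(domains):
    """Return the domains whose score reaches the alert threshold."""
    return [d for d in domains if score_domain(d)[0] >= ALERT_THRESHOLD]

# Constructed sample input, standing in for message['data']['leaf_cert']['all_domains']
SAMPLE = ["paypa1-secure-login.com", "paypal-fan-forum.com", "*.paypal.com",
          "paypal.com.account-verify.example", "example.org"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d, *score_domain(d))
```

To use it with the listener, call score_domain(domain) inside print_callback in place of the keyword test and alert only when the score reaches ALERT_THRESHOLD.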

The Tetik.NET Solution

Tetik.NET handles the infrastructure for you. Our proprietary AI Vision Engine connects to CertStream, filters the noise using Machine Learning risk-scoring models, and automatically captures screenshots of suspicious domains. If a domain looks like your brand, Tetik.NET instantly triggers a DMCA takedown.
