DEV.co
Open-Source Security · atenreiro

opensquat

openSquat is an open-source Python tool that detects domain look-alikes and cyber squatting threats by monitoring newly registered domains for typosquats, phishing domains, homograph attacks, and similar brand impersonation tactics. It operates in three modes: free community (local detection on public feeds), premium feed (larger paid feed with local detection), and premium API (server-side detection via hosted service).

Source: GitHub — github.com/atenreiro/opensquat
975
GitHub stars
161
Forks
Python
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryatenreiro/opensquat
Owneratenreiro
Primary languagePython
LicenseGPL-3.0 — OSI-approved
Stars975
Forks161
Open issues0
Latest releaseUnknown
Last updated2026-04-27
Sourcehttps://github.com/atenreiro/opensquat

What opensquat is

Written in Python 3.10+, openSquat uses Levenshtein distance algorithms for similarity detection and can integrate with VirusTotal, Quad9 DNS, and Certificate Transparency logs for validation. The tool supports multiple output formats (JSON, CSV, TXT) and confidence level tuning. Premium modes require API authentication and consume quota on per-keyword API calls.

Quickstart

Get the opensquat source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/atenreiro/opensquat.gitcd opensquat# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Brand Protection & Threat Hunting

Monitor newly registered domains daily for typosquats, phishing, and homograph attacks targeting your organization's brand. Automate daily scans and configure alerts on detected threats.

Incident Response & Forensics

Quickly identify malicious domain variants registered during or after a phishing campaign or security incident. Cross-reference with VirusTotal and Certificate Transparency for reputation validation.

Threat Intelligence & OSINT

Build domain squatting datasets for threat research, competitive intelligence, or supply-chain monitoring. Integrate results into SOAR platforms or threat feeds for downstream analysis.

Implementation considerations

  • Decide upfront: Community feed (~100k domains/day, free) vs. Premium Feed (larger, paid) vs. Premium API (server-side, quota-based). Same API key works for both Premium modes.
  • Python 3.10+ and dependency management (confusable_homoglyphs, homoglyphs, requests, dnspython, beautifulsoup4) required; use pip or clone + requirements.txt.
  • Tune confidence levels (0–4) to balance result volume and false-positive rate; higher levels return more candidates but with lower precision.
  • For DNS, VirusTotal, or Certificate Transparency validation, configure external API keys or quotas separately (not included with openSquat).
  • Automation via cron or orchestration tools; schedule daily scans on free feed or continuous polling on Premium API within quota limits.

When to avoid it — and what to weigh

  • Real-time Detection at Scale — Community mode downloads ~100k domains daily; real-time per-domain detection is not the design intent. Premium API exists for larger scale but incurs quota costs.
  • No Budget for Commercial Features — Core detection is free, but Premium Feed and Premium API modes require paid subscription. Larger monitoring requirements will exhaust community feed volume quickly.
  • Proprietary/Closed Source Requirement — GPL-3.0 requires any derivative work to remain open source and compatible with the license. Commercial closed-source derivatives are not permitted.
  • Integrated Enterprise SIEM/SOC Platform — openSquat is a standalone tool without native integrations into commercial SIEM or SOAR platforms. Expect custom scripting for ingestion and alerting.

License & commercial use

GPL-3.0 (GNU General Public License v3.0). Any derivative work, modification, or distribution must remain open source and compatible with GPL-3.0. Closed-source proprietary use is not permitted.

openSquat itself is free and may be used commercially for internal threat detection and brand monitoring. However, GPL-3.0 requires that any modifications or derivative tools remain open source. The Premium Feed and Premium API features are commercial services requiring a paid subscription; integration into your product requires careful review of whether your modifications trigger GPL obligations. Consult legal counsel before embedding in proprietary software.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

openSquat queries external services (VirusTotal, Quad9, Certificate Transparency, and newly registered domain feeds). Ensure API keys are not exposed in CLI flags; prefer environment variables or key files. Community and Premium Feed modes download and process untrusted domain data locally; validate filtering logic before production. Premium API mode sends keywords to remote service; review data residency and privacy policies. No explicit security audit or vulnerability disclosure process documented.

Alternatives to consider

Phishtank / PhishLabs APIs

Commercial phishing domain databases with real-time reporting and commercial SLA; less flexibility for custom keyword matching and algorithm tuning.

Snusbase / SecurityTrails

Managed threat intelligence platforms with passive DNS, domain monitoring, and enterprise integrations; higher cost but consolidated OSINT interface.

DomainTools / Whois Lookup

Established domain intelligence APIs with historical data and bulk scanning; requires separate integration work to replicate typosquat detection logic.

Software development agency

Build on opensquat with DEV.co software developers

openSquat automates detection of domain look-alikes and typosquats targeting your brand. Start with the free community feed or scale with Premium Feed/API to monitor at enterprise volume. Contact Devco to embed openSquat into your threat detection pipeline.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

opensquat FAQ

Is openSquat truly free to use?
Community mode (default) is free and uses public newly registered domain feeds. Premium Feed and Premium API modes require a paid subscription with per-keyword or per-domain quota costs.
Can I use openSquat in a commercial product or SaaS?
You may use openSquat internally for threat detection. If you modify the code or embed it in a proprietary product, you must open-source your modifications under GPL-3.0. Review with legal counsel before distribution.
What is the difference between Premium Feed and Premium API?
Premium Feed downloads a larger paid NRD feed and runs local Levenshtein detection (same algorithm as Community). Premium API skips local feed download and queries a hosted REST API per keyword, returning server-side matches. Both use the same API key.
How often is the community feed updated?
The README states 'Daily NRD feeds' (~100k domains/day). Premium Feed is described as 'much larger' but update frequency is not explicitly stated.

Software development & web development with DEV.co

Adopting opensquat is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Integrate Brand Monitoring Into Your Security Workflow

openSquat automates detection of domain look-alikes and typosquats targeting your brand. Start with the free community feed or scale with Premium Feed/API to monitor at enterprise volume. Contact Devco to embed openSquat into your threat detection pipeline.