Imposter Detection with Watchman
Matthew Wollenweber
ShmooCon XX (Final) · Day 3 · Build It
In this ShmooCon presentation, Matthew Wollenweber introduces Watchman, an open-source tool designed to provide rapid and cost-effective detection of imposter domains. The talk addresses a critical gap in the cybersecurity landscape: the slow and prohibitively expensive nature of commercial brand monitoring services that often fail to alert organizations to malicious domain registrations until long after they've been weaponized. Wollenweber, drawing from his extensive experience in security operations and incident response, developed Watchman as a personal project to overcome these frustrations, particularly in the context of combating sophisticated phishing and Business Email Compromise (BEC) attacks.
AI review
Wollenweber's "Imposter Detection with Watchman" delivers a brutally honest critique of the abysmal state of commercial domain monitoring services, then proceeds to demonstrate a superior, open-source alternative. Watchman leverages efficient diffing of raw ICANN zone files to achieve near real-time detection of newly registered imposter domains, far outpacing the often weeks-long delays of its expensive counterparts. This talk is a welcome dose of reality, providing a genuinely actionable defensive innovation for anyone serious about combating BEC and phishing.
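The zone-file diffing idea described above, as an added example that is not Watchman's code or anything from the talk: it diffs two daily zone snapshots and flags newly delegated names that resemble a brand. Assumptions: the `.test` zone data is constructed, and the lookalike rules (character folding, brand substring, edit distance of at most 1) and all function names are illustrative choices, since the page only states that zone files are diffed.

```python
# Constructed snapshots of a made-up ".test" TLD zone (owner, TTL, class, type, rdata).
YESTERDAY = """\
; constructed sample data
acmebank.test.         172800 in ns ns1.dns.test.
bakery-supplies.test.  172800 in ns ns1.dns.test.
ns1.dns.test.          172800 in a  192.0.2.53
"""
TODAY = YESTERDAY + """\
acrnebank.test.        172800 in ns ns1.dns.test.
ACMEBNAK.test.         172800 in ns ns1.dns.test.
acmebank-login.test.   172800 in ns ns1.dns.test.
acm3bank.test.         172800 in ns ns1.dns.test.
bakery.test.           172800 in ns ns1.dns.test.
"""

# Assumed folding table: digits that imitate letters; hyphens are dropped.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def delegated(zone_text):
    """Set of delegated names (owners of NS records) in one snapshot."""
    names = set()
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 5 and not line.startswith(";") and f[3].lower() == "ns":
            names.add(f[0].lower().rstrip("."))
    return names

def osa(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def imposters(old_zone, new_zone, brand, max_dist=1):
    """Names present only in the newer snapshot that resemble the brand."""
    hits = []
    for name in sorted(delegated(new_zone) - delegated(old_zone)):
        skel = name.split(".")[0].translate(CONFUSABLE).replace("rn", "m")
        if brand in skel or osa(skel, brand) <= max_dist:
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(imposters(YESTERDAY, TODAY, "acmebank"))
```

In-memory sets keep the example short; a full TLD zone is large enough that a production diff would stream sorted snapshots instead.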