Module 8 · Lesson 5
Strategies for Effective Brand Protection
⏱ 13 min
A tiered framework for domain registration and monitoring that doesn't require buying 1,200 domains. What to own, what to watch, when to send a C&D, when to file UDRP, and when to just buy the domain directly.
There is no strategy that eliminates brand abuse in the domain namespace. There is a strategy that makes abuse expensive to execute, fast to detect, and cheap to remediate. That's the target.
The framework I use has three tiers for registration and a separate track for monitoring and enforcement. It's not original, it's what the best-run brand protection programs I've seen actually do, distilled into something applicable at different budget levels.
The Three-Tier Registration Framework
Tier 1: Must Have
These domains you own, period. No monitoring required because you control them.
- Your primary brand in .com
- Your primary brand in your country ccTLD (or top 2-3 market ccTLDs if you operate internationally)
- Your primary brand in any TLD you use or plan to use operationally (.app, .io, .tech: whatever your product actually lives on)
- Any domain you're actively redirecting customer traffic to or from
If you don't own these, stop reading and go register them. Everything else in this lesson is secondary.
Tier 2: Should Have
These reduce your risk meaningfully without requiring an enormous portfolio.
- Common typos of your brand name in .com (transpositions, dropped letters, common misspellings)
- Your brand in .net and .org if your brand is well-known enough to attract squatters
- Your brand in the ccTLDs of your 5-10 highest-revenue markets
- Any TLD with direct industry relevance to your business where brand-similar registrations would be plausible to your customers (.shop for e-commerce, .bank for financial services, .health for healthcare)
- TLDs from previous phishing incidents, if any: if someone hit you in .online last year, own your brand in .online now
The Tier 2 list for most mid-sized companies is 20-60 domains. At $15-20/year average, that's $300-1,200/year. Manageable.
Tier 3: Monitor and Enforce Reactively
Everything else goes into monitoring. You don't pre-register; you watch. When something appears, you evaluate and respond.
This is where 95% of the gTLD namespace lives for most brands. You're not registering defensively in .photography, .plumbing, or .guru unless there's a specific incident that changes the risk calculation.
Reactive enforcement works when you have:
- Automated monitoring that surfaces new registrations containing your brand string
- A defined triage process for evaluating severity
- A clear escalation path (C&D → negotiated purchase → UDRP)
Without monitoring infrastructure, reactive enforcement isn't a strategy; it's hoping someone tells you.
What to Monitor
The minimum monitoring stack should cover:
New registration alerts: Zone file monitoring for new domains containing your brand string. This catches the Tier 3 cases the moment they appear, not six months later. Tools: CZDS-based monitoring through Markmonitor, CSC, BrandShield, or X-RAY at EBRAND.
Active phishing/content alerts: Domains that resolve and serve content. A registered-but-parked domain is low urgency. A domain serving a fake login page for your service is high urgency and needs same-day response. Tools: Brand-aware content monitoring, certificate transparency log watching (which catches phishing sites even before they're in zone files).
Passive DNS changes: Sudden changes in resolution patterns for known suspicious domains. A domain that's been parked for a year and suddenly starts resolving to a new IP is worth investigating. Tools: DNSDB, DomainTools.
Your own domains: It sounds obvious, but some brands don't monitor whether their own domains are being used as phishing sources by email spoofing or subdomain takeover. DMARC reporting catches the email angle; monitoring for subdomain takeover is a separate check.
Enforcement Triage
When monitoring surfaces a suspicious domain, you need a triage process. These are the three responses, roughly in order of cost:
Cease-and-desist letter: Cheapest option, sometimes effective for low-sophistication squatters who registered speculatively and don't want legal trouble. IP counsel drafts one letter; it costs $200-500. Most legitimate businesses that accidentally registered near your trademark respond to a C&D. Cybersquatters sometimes do too, if they think the litigation risk is real.
Direct purchase: Frequently overlooked. If the domain is parked and the squatter will negotiate, buying it directly is often cheaper and faster than UDRP. A UDRP filing costs $1,500-2,000 and takes 6-8 weeks. If the squatter will sell for $500, buy it. You can always file UDRP later and cite the purchase request in your bad-faith evidence, but often it's just cheaper to pay.
UDRP/URS filing: When the domain is actively being used for harm, when the registrant is sophisticated enough to ignore C&Ds, or when negotiated purchase is being used as leverage for an unreasonable price, file UDRP. At ~88% success rate for clear cases, it's a reliable tool for legitimate trademark holders. Just don't file weak cases: a UDRP loss creates precedent and a public record that can be used against you in future proceedings.
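To make the Tier 2 typo list, the Tier 3 monitoring match, and the triage path above concrete, here is an added example (not part of this lesson or any vendor's tooling) that builds the typo candidates for a constructed brand name, matches a constructed feed of new-registration and content-monitoring alerts against them, and assigns each hit the lesson's severity and first response. The brand "acmepay", the `Alert` rows and the flag names are assumptions; a real feed would come from a CZDS or CT-log watcher.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
BRAND = "acmepay"  # constructed example brand, not one named in the lesson

def typo_variants(brand: str) -> set:
    """Tier 2 candidates: transpositions, dropped/doubled letters, common substitutions."""
    out = set()
    for i in range(len(brand) - 1):
        out.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])  # adjacent transposition
    for i in range(len(brand)):
        out.add(brand[:i] + brand[i + 1:])                  # dropped letter
        out.add(brand[: i + 1] + brand[i] + brand[i + 1:])  # doubled letter
    for src, dst in (("a", "e"), ("e", "a"), ("o", "0"), ("i", "1"), ("l", "1")):
        if src in brand:
            out.add(brand.replace(src, dst, 1))             # common misspelling / look-alike
    out.discard(brand)
    return out

@dataclass
class Alert:  # one row from a constructed zone-file / CT-log monitoring feed
    domain: str
    resolves: bool
    fake_login_page: bool  # flag from brand-aware content monitoring

def triage(alert: Alert, brand: str, variants: set) -> Optional[Tuple[str, str, str]]:
    """(match, severity, first response) along the lesson's C&D -> purchase -> UDRP path."""
    label = alert.domain.lower().split(".")[0]
    if label == brand:
        match = "exact"
    elif label in variants:
        match = "typo"
    elif brand in label:
        match = "contains"
    else:
        return None  # unrelated registration: ignore
    if alert.fake_login_page:
        return (match, "high", "same-day: UDRP/URS filing")
    if alert.resolves:
        return (match, "medium", "C&D letter")
    return (match, "low", "C&D letter, then negotiated purchase if it stays parked")

FEED = [  # constructed sample alerts; in practice they come from a CZDS or CT-log watcher
    Alert("acmepay-login.online", resolves=True, fake_login_page=True),
    Alert("acmeapy.com", resolves=False, fake_login_page=False),
    Alert("acmepay.photography", resolves=True, fake_login_page=False),
    Alert("acornpay.com", resolves=True, fake_login_page=False),
]
def run(feed, brand=BRAND) -> dict:
    """Map each brand-relevant alert to its triage decision; unrelated alerts are dropped."""
    variants = typo_variants(brand)
    return {a.domain: t for a in feed if (t := triage(a, brand, variants)) is not None}
```

The variant set doubles as the Tier 2 registration shortlist in .com; anything in it that you don't own but that shows up in the feed is a typo hit.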
Building the Right Monitoring Stack for Your Budget
For a mid-sized company with a focused brand portfolio (1-5 brands, 10-20 core markets):
- Basic zone file monitoring through a commercial service: $200-500/month
- TMCH enrollment: $150/year per mark
- DNSDB access for investigation: $1,000-3,000/year
- IP counsel on retainer for C&D and UDRP: variable, but budget for 2-4 matters/year
Total: roughly $5,000-15,000/year. Compare that to blanket defensive registration across 500 TLDs at $7,500/year just for registrations, plus ongoing management overhead. The monitoring-first approach often wins on both cost and effectiveness.
For larger portfolios (multinational, multiple product lines, high phishing risk sector), the math shifts toward fuller monitoring platforms and larger defensive registration portfolios. But even at that scale, the framework is the same: own the high-value TLDs, monitor the rest, enforce reactively.
Key Takeaways
- Tier 1 (must own): primary brand in .com + your market ccTLDs + any TLD you use operationally. No exceptions.
- Tier 2 (should own): common typos in .com, brand in .net/.org for well-known brands, key market ccTLDs, industry-relevant TLDs. Typically 20-60 domains.
- Tier 3 (monitor and enforce): everything else. Reactive enforcement often more cost-effective than pre-registration.
- Monitoring must cover new registrations, active phishing content, and passive DNS changes. Without monitoring, reactive enforcement is wishful thinking.
- Enforcement triage: C&D first (cheap), direct purchase second (often underused), UDRP when necessary. Don't file weak UDRP cases.
Further Reading
- ICANN CZDS for zone file access: czds.icann.org
- Certificate Transparency log monitoring (for early phishing detection): crt.sh
- DomainTools Brand Monitor: domaintools.com
Up Next
Lesson 06: Case studies. A UDRP win, a defensive registration failure, a company that built an efficient tiered strategy, and the Sunrise period abuse that I've seen happen more than once.