Early warning

Certificate Transparency for phishing discovery

Certificate Transparency can reveal phishing infrastructure before broad distribution, especially when combined with brand terms, homoglyphs, suspicious TLDs and registration behaviour.

Direct answer

Can CT detect phishing before launch? Sometimes. CT can reveal newly issued certificates before the phishing page is broadly distributed.

What CT reveals

New certificates expose domains and SAN entries. Attackers often use free certificates, brand strings, typosquats, wildcard patterns or repeated naming conventions.

Why CT alone is not enough

A suspicious certificate is context, not proof. It becomes more valuable when linked to URLScan, DNS, liveness, screenshots, redirects, kit fingerprints or Belgian brand relevance.
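The two sections above, as an added example that is not PhishNet's code: a triage pass over SAN names from newly logged certificates that tags brand strings, homoglyph look-alikes, wildcards and risky TLDs, suppresses the brand's own domains, and returns leads for corroboration instead of verdicts. The watchlist, TLD list, look-alike map and sample SAN names are all constructed assumptions, and the check is narrowed to substring and homoglyph matching (no edit-distance typosquat detection).

```python
import unicodedata

# Constructed values; every name and list here is an assumption for the example.
BRANDS = ("examplebank",)
OWN_DOMAINS = ("examplebank.be",)   # the brand's own names, suppressed as false positives
RISKY_TLDS = {"top", "xyz", "click"}
# Digits and Cyrillic letters that imitate Latin ones.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i"})

def skeleton(label):
    """Decode a punycode label, fold look-alike characters, drop hyphens."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw label
    return unicodedata.normalize("NFKC", label).translate(LOOKALIKES).replace("-", "")

def triage(san_names):
    """Map each SAN worth corroborating to its reasons; a lead, not a verdict."""
    leads = {}
    for name in san_names:
        host, reasons = name.lower().rstrip("."), []
        if host.startswith("*."):
            host = host[2:]
            reasons.append("wildcard")
        if any(host == d or host.endswith("." + d) for d in OWN_DOMAINS):
            continue
        *labels, tld = host.split(".")
        folded = [skeleton(label) for label in labels]
        for brand in BRANDS:
            if any(brand in label for label in labels):
                reasons.append("brand:" + brand)
            elif any(brand in label for label in folded):
                reasons.append("lookalike:" + brand)
        if not any(r.startswith(("brand:", "lookalike:")) for r in reasons):
            continue  # no brand relevance, nothing to corroborate
        if tld in RISKY_TLDS:
            reasons.append("risky_tld")
        leads[name] = reasons
    return leads

# Constructed SAN entries, as they might appear in newly logged certificates.
PUNY_SAN = "ex\u0430mplebank".encode("idna").decode("ascii") + ".com"
SAMPLE_SANS = ["login.examplebank.be", "examplebank-secure.top",
               "*.examp1ebank-login.xyz", PUNY_SAN, "weather-report.xyz"]

if __name__ == "__main__":
    for san, why in triage(SAMPLE_SANS).items():
        print(san, why)
```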

Operational use

PhishNet uses CT as an early-warning and context source, then promotes only through corroboration, evidence or analyst decision.

How PhishNet uses this

Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.

Selected sources and research

These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.

Common questions

Can CT detect phishing before launch?

Sometimes. CT can reveal newly issued certificates before the phishing page is broadly distributed.

Is every suspicious certificate malicious?

No. CT is an early-warning signal that requires corroboration and false-positive suppression.
