SpoofVane — AI Brand-Impersonation Defense

Created by Team SpoofVane on May 30, 2026
Security & Compliance

SpoofVane catches brand-impersonation infrastructure the day it goes live by fingerprinting the page itself, not just the domain name.

The problem: phishing kits clone a brand's login and payment pages, hide behind Cloudflare, geo-target the victim country, and actively block security scanners. Domain-only tools miss them.

How it works:

1. Discovery — 8 sources surface suspect URLs per brand sweep: Google SERP + paid ads, certificate-transparency logs, newly-registered-domain deltas, app stores and APK sideloads, GitHub kit leaks, Telegram kit marketplaces, and social-platform impersonation.
2. Inspection — Bright Data's Scraping Browser, Web Unlocker, and geo-pinned residential proxies render each suspect page in real Chrome from the victim's country, reaching adversarial pages ordinary scanners can't. Multi-region rendering detects geo-cloaking.
3. Scoring — perceptual image hashing, DOM-tree similarity, logo detection, and favicon matching, plus phishing-kit family fingerprinting (16Shop, EvilProxy, Tycoon-2FA and more).
4. AI verdict — Claude reasons over the screenshot, DOM, and metadata to return a structured phish / suspicious / benign verdict with evidence and a drafted takedown notice.
5. Triage copilot — an agentic, read-only Claude tool-use loop an analyst works in natural language; it queries the alert store autonomously and cites alert IDs, but never sends a takedown — a human owns that gate.
6. Delivery — multi-tenant SOC console, evidence-pack PDFs, SIEM/SOAR webhooks (ServiceNow, Sentinel, Splunk, PagerDuty, STIX/TAXII, Slack), and an MCP server so analysts can query SpoofVane from inside Claude.

Why Bright Data is essential: of any Track 3 entry, SpoofVane has the most load-bearing dependency. Without the adversarial-access stack it literally cannot reach the pages it exists to find.

7/7 Bright Data products integrated; 601 tests green; 76 backend modules.
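The Scoring step names DOM-tree similarity without saying how it is computed. The sketch below is an added example, not SpoofVane's code: it assumes one simple metric (multiset Jaccard over root-to-node tag paths) and runs it on constructed sample pages to show why a clone with changed text and a changed form target still scores high.

```python
from collections import Counter
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # elements with no end tag

class _PathCollector(HTMLParser):
    """Record the root-to-node tag path of every element; text and attributes are ignored."""
    def __init__(self):
        super().__init__()
        self.stack, self.paths = [], []

    def handle_starttag(self, tag, attrs):
        self.paths.append("/".join(self.stack + [tag]))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:  # tolerate sloppy kit markup: unwind to the matching open tag
            while self.stack.pop() != tag:
                pass

def dom_paths(html):
    parser = _PathCollector()
    parser.feed(html)
    parser.close()
    return Counter(parser.paths)

def dom_similarity(a, b):
    """Multiset Jaccard over tag paths: 1.0 is identical structure, 0.0 shares nothing."""
    ca, cb = dom_paths(a), dom_paths(b)
    union = sum((ca | cb).values())
    return sum((ca & cb).values()) / union if union else 0.0

# Constructed sample pages (not real brand or kit markup).
BRAND = """<html><head><title>Example Bank</title></head><body>
<div><img src="logo.png"><form action="/login" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button>
</form></div><footer><a href="/help">Help</a></footer></body></html>"""
SUSPECT = BRAND.replace("Example Bank", "Examp1e Bank").replace(
    'action="/login"', 'action="https://suspect.invalid/post"').replace(
    "</body>", '<script src="x.js"></script></body>')
UNRELATED = """<html><head><title>Blog</title></head><body>
<nav><ul><li><a href="/">Home</a></li><li><a href="/about">About</a></li></ul></nav>
<article><h1>Post</h1><p>Text</p><p>More</p></article></body></html>"""

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT), ("unrelated", UNRELATED)):
        print(f"{name}: {dom_similarity(BRAND, page):.3f}")
```

Because the metric ignores text and attribute values, it is blind to the changed form action; that signal has to come from the other scoring inputs the list names.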
