discover_brand_domains
ActiveTool of com.blackveilsecurity/dns
Discover all domains that belong to a brand's portfolio by aggregating certificate, DNS, redirect, and mail-policy signals. Use when asked what domains are part of a brand portfolio, or to find all domains related to a brand. Pass the EXACT seed domain verbatim — do NOT normalize or substitute a canonical domain.
Parameters schema
{
"type": "object",
"required": [
"domain",
"discovery_mode"
],
"properties": {
"depth": {
"enum": [
"standard",
"deep"
],
"type": "string",
"description": "Discovery depth. standard is default; deep expands candidate seeding and enrichment fanout."
},
"domain": {
"type": "string",
"maxLength": 253,
"minLength": 1,
"description": "The exact seed domain to expand, scanned verbatim (e.g., example.com). Do NOT normalize, resolve, or substitute a brand's canonical/main domain — pass the literal domain the user named (e.g. pass `clau.de`, not `anthropic.com`). Use `brand_aliases` for related brand labels."
},
"format": {
"enum": [
"full",
"compact"
],
"type": "string",
"description": "Output verbosity. Auto-detected if omitted."
},
"signals": {
"type": "array",
"items": {
"enum": [
"san",
"san_recursive",
"ns",
"dmarc_rua",
"dkim_key_reuse",
"http_redirect",
"mx_overlap",
"txt_verification",
"mx_platform",
"spf_include",
"spf_include_seed",
"cname_alignment"
],
"type": "string"
},
"maxItems": 12,
"minItems": 1,
"description": "Signal modules to invoke. Defaults to all 12 discovery/enrichment signals."
},
"planner_mode": {
"enum": [
"off",
"observe",
"enforce"
],
"type": "string",
"description": "Planner mode for staged discovery fanout. observe emits metrics; enforce applies candidate-backed signal caps."
},
"brand_aliases": {
"type": "array",
"items": {
"type": "string",
"maxLength": 64,
"minLength": 2
},
"maxItems": 20,
"description": "Optional public brand aliases to seed, such as product or legal-entity labels."
},
"force_refresh": {
"type": "boolean",
"description": "Bypass cache and run a fresh check. Useful after DNS changes."
},
"discovery_mode": {
"enum": [
"classic",
"tiered"
],
"type": "string",
"default": "classic",
"description": "Discovery mode. \"classic\" (default, BSL-licensed) runs the public signal-sweep pipeline. \"tiered\" layers Tier 0 (tenant-declared portfolio), Tier 1 (infrastructure-graph), and Tier 2 (declared-evidence) lookups in front of the legacy sweep, falling back to Tier 3 (the existing sweep) only on cache miss / very_stale fingerprint / uncovered caller candidates. Tiered mode requires private BlackVeil service bindings — BSL self-hosts should leave this on \"classic\"."
},
"dkim_selectors": {
"type": "array",
"items": {
"type": "string",
"maxLength": 63,
"minLength": 1
},
"maxItems": 50,
"description": "Optional DKIM selectors to probe. Defaults to a built-in common-selector list."
},
"min_confidence": {
"type": "number",
"maximum": 1,
"minimum": 0,
"description": "Drop candidates whose combined confidence falls below this threshold (0-1, default 0.5)."
},
"candidate_domains": {
"type": "array",
"items": {
"type": "string",
"maxLength": 253,
"minLength": 1
},
"maxItems": 250,
"description": "Optional candidate domains supplied by the caller for corroboration."
},
"ownership_verified": {
"type": "boolean",
"description": "Caller attests that the seed domain is owned or authorized for scanning. Required when discovery_mode is \"tiered\" and the caller is not an enterprise/owner/partner principal. Prevents unauthorized mass reconnaissance via deep tier lookups."
}
}
}No endpoints wrapped at confidence ≥ 0.70.
Parent server
com.blackveilsecurity/dns
https://github.com/MadaBurns/bv-mcp
2/7 registries