Curated watchlist of suspect / unactivated .gov names and stealth corporate subdomains. For each domain we poll certificate transparency logs (crt.sh) and DNS (Cloudflare DoH) on a 6-hour cadence. New CT entries — especially where the certificate's common name matches the bare domain — signal that a site is about to go live.
What we track
Certificate transparency — every cert ever issued for the domain, sourced via crt.sh.
DNS A and NS records — Cloudflare DoH, status code (NOERROR vs NXDOMAIN), record values.