A defaced website is a curious problem. It's loud — anyone visiting the page can see something is wrong. But it's also quiet from a server's perspective: HTTP returns 200, your uptime monitor is happy, your TLS cert hasn't moved, and the CMS logs show a "successful" content update from a legitimate-looking session. The signal is on the rendered page , not in the metrics. I run a site at hi3ris.blueshield.tg and surveil a couple of dozen others for various reasons. After my third "you've been hacked, by the way" message from a friend, I got tired of trusting external uptime services that don't know what my homepage is supposed to look like. So I built WatchTower — an async-first defacement monitor that combines four detection layers, captures evidence, and alerts on multiple channels. This post is a tour of how it actually works under the hood.…