About OpenPhish

Where do you get the URLs from?

We leverage cutting-edge technology to analyze millions of URLs from various sources around the world. Our advanced detection engine is designed to identify active phishing URLs and extract valuable threat intelligence, including network and geographical locations, phishing kits and phishing targets. To provide comprehensive data to our clients, we are continuously expanding our global visibility and exploring new data sources.

Are you an aggregator?

We specialize in phishing detection and do not function as an aggregator. Our primary focus is on providing comprehensive threat intelligence to our users.

How do you detect phishing URLs?

We have developed autonomous systems that use a custom knowledge framework to determine the likelihood of a URL being a phishing page. The advantage of these autonomous systems lies in their ability to operate seamlessly and efficiently without any human intervention. This not only saves valuable time and resources but also ensures a rapid response to new phishing threats.

Through extensive datasets and continuous evaluation, we fine-tune the knowledge framework to maintain a high level of accuracy in distinguishing between legitimate and phishing URLs.

How do you prevent false positives?

We have implemented a thorough vetting process for every URL that is identified as a phishing attempt before it is added to our phishing feeds. Our vetting process includes various methods and uses information such as: an internally curated list of trusted domains, DNS, ASN, SSL information, and trusted data from SOC teams. While our system is designed to reduce false positives, it is still possible for occasional ones to occur.

What is your unique value proposition?

Timely. As soon as we detect new phishing URLs, we publish it within 5 minutes. This means you get immediate access to all the intelligence and information about threat actors and compromised data

Accurate. We take a careful and conservative approach to intelligence. We prioritize accuracy and strive to avoid providing incorrect or misleading information. For instance, if we are uncertain about something, we leave that data point blank rather than making an educated guess. Additionally, we use a multi-stage vetting process to minimize the risk of false positives.

Relevant. We understand that sifting through vast amounts of data can be time-consuming and costly. That's why we focus solely on live and active phishing URLs that pose an immediate threat to your customers and users. With our data, you can be confident that you're taking the necessary steps to protect your business without wasting valuable time and resources.

Fully Automated. We have an automated system that does not require human input, verification, or validation. This allows us to rapidly scale up (process more data), deliver data efficiently, and provide global coverage.

Why are certain phishing URLs not included in your feed?

Our focus is on delivering the most relevant and timely information regarding phishing threats. To ensure the highest quality and accuracy in our products, we adhere to the following practices.

Reporting New and Active Phishing URLs: Our products cover newly discovered and currently active phishing URLs. By prioritizing these URLs, we provide valuable insights into the latest tactics employed by cybercriminals. This proactive approach enables organizations and individuals to stay one step ahead in safeguarding against phishing attacks.

Unique URL Reporting: We maintain an in-house tracking system to avoid redundancy and optimize the usefulness of our offerings. Within any given 14-day period, we do not duplicate the reporting of any URL.

Exclusion of Inactive Phishing URLs: As part of our commitment to providing actionable information, we do not report dead or inactive phishing URLs. These URLs no longer pose an immediate threat as they have been identified, taken down, or rendered ineffective. By excluding them from our reports, we streamline the information to concentrate on URLs that actively require attention.

By implementing these practices, we ensure that our reports deliver the most relevant, up-to-date, and actionable intelligence on new and active phishing URLs.

What brands do you support?

Our phishing detection engine is built to identify and capture phishing content, regardless of the impersonated brand. Our brand identification feature serves as an additional layer on top of this engine, allowing us to automatically associate the phishing URL with its targeted brand when possible for more accurate reporting and analysis. As part of our ongoing efforts in brand identification, our system continually improves its ability to recognize a wider range of brands. We provide a monthly list of the brands we have successfully identified, which can be found here.

Products and Offerings

What are your offerings?

Phishing Feed: Designed for immediate action against emerging phishing threats

  • Three tiers: Premium, Premium Plus, and Platinum
  • URLs come with more than 15 attributes, providing you with information to enhance your threat intelligence
  • Refreshed every 5 minutes to include any new URLs detected within the last 15 minutes
  • Includes a 24 hours feed and a 30-day archive
  • Optimized for real-time consumption to maximize its benefits
  • Delivered in JSON, CSV or TXT file

OpenPhish Database: Designed for those that want easy query capabilities and batch analysis

  • Three tiers: Lite, Extended and Pro
  • Delivered as SQLite database: run unlimited queries with ease offline
  • Open-sourced Python API library to cover the most common use-cases
  • Refreshed as frequently as 15 minutes
  • Access to 30, 90, or 180 days of historical data

We also offer custom data sets. Please contact us with your requirements.

What is your pricing structure?

The feed and database tiers are priced on an annual subscription basis with a flat fee structure.

Which offering fits my use case?

We've put together a list of common use cases and recommended which of our offerings would be the best fit for each one. If you don't see your specific use case listed, just reach out to us with a brief description, and we'll be happy to make a recommendation for you.

Inquire about the OpenPhish Database, if you're looking to:

  • Improve your SOC capabilities
  • Identify URLs targeting your brand or similar brands/industry

Inquire about the Phishing Feed, if you're looking to:

  • Validate or test your existing models
  • Test your proprietary software or detection engine
  • Provide protection to your customers
  • Check if your users were compromised
  • Get a list of active phishing URLs

Inquire about either offering, if you're looking to:

  • Build machine learning or AI models
  • Expand your existing datasets
  • Discover trends, do threat hunting or any similar research

Do you have an API?

We don't offer an API to determine if a URL is phishing, but we've developed an open-source Python module that acts as an offline API. With this module, you can query our database locally and check your own URLs (e.g., from SMS or firewall logs) without any restrictions or privacy concerns.

Do you offer a trial?

Yes, we offer a 14-day free trial.

How does your feed compare with others?

We do not have a direct comparison to other providers. However, since the number of active phishing URLs is finite, you will likely encounter URLs from our phishing feed in other data providers and vice-versa. You can refer to the Interisle study from 2022 discussing the coverage gap problem and why organizations need more than one source of information. Disclosure: we are one of the providers of data to Interisle.

Do you support 3rd party integrations?

Our main objective is to offer the necessary data to you and make it available in standard formats that can seamlessly integrate with other software and services.

Which product is best for email protection?

If you're struggling with phishing emails that slip through your current defenses, our Premium feed might be just what you need. We suggest taking a closer look at the types of emails that are getting through, since many of them tend to be spam, scam, or malware. If none of the missed emails contain phishing URLs, then our feed may not be the right fit for your needs.


How can I report phishing URLs?

We offer multiple convenient methods for sharing URLs with us. You can choose from the following three options:

  • Email: Simply send the URLs to a report@openphish.com
  • API Integration: You can utilize our REST API to transmit the URLs directly to our systems. Please note that this method requires a static IP for authentication.
  • Endpoint Access: You can provide us with access to an endpoint that you control. We will retrieve the URLs from your endpoint periodically. This approach offers flexibility while maintaining control over the data you share.

To explore any of these options and learn more about sharing URLs with us, please get in touch with our team at contact@openphish.com

Do you report false positives?

Although False Positives are extremely rare, we take them very seriously. We conduct regular scans on our feed to identify any abnormalities, and study reports from customers, security operation centers (SOCs), and brand owners.

Once confirmed as a false positive, we remove the URL from all of our products, submit a verdict flip to VirusTotal and publish the URL to our false positive feed.

How can I report a false positive?

Email us at support@openphish.com with the URL in the email. Please ensure that you escape the URL to prevent it from getting blocked. Additionally, we kindly request that you provide us with any relevant contextual details.

Note that confirmed phishing URLs at the time of discovery are not removed.