
Introducing PhishMind: a phishing triage API for SOC and IT teams

PhishMind Team

Editor’s note (April 2026): PhishMind merged with a parallel team in April 2026 and the product is now positioned as a B2B phishing triage API for SOC, IR, and IT security teams. The language below has been updated to match; the original hackathon framing focused on consumer-style explanations and self-serve pricing, neither of which is part of the current MVP. See /docs for the live API and the architecture doc for the design.

Introducing PhishMind

PhishMind is a phishing triage API. You POST a reported email; we extract every URL and attachment, detonate each in an isolated sandbox, and an agent reviews the captured artifacts and returns a verdict, confidence, indicators, and a written summary your analysts can ship.

The problem

Every security team triages phishing reports. Analysts open the email, copy the URL, paste it into a sandbox tool, screenshot the result, check the headers, write up findings, and close the ticket. The process takes 15 to 20 minutes per report and doesn’t scale with volume.

Existing options each handle one slice. URL-only scanners give you a verdict on a link but skip attachments and email context. Manual triage is thorough but expensive. Enterprise platforms solve the problem at six-figure ACVs after a quarter of integration work.

There’s a gap in the middle for an API-first pipeline that does the full triage in seconds.

What PhishMind does

  1. You POST a .eml to /v1/cases with type=user_report. Channel adapters normalize the input: email is the MVP, and WhatsApp, SMS, and Slack adapters will ship behind the same surface.
  2. The engine extracts and detonates. URLs are unwrapped out of SafeLinks and Proofpoint URL Defense rewrites so the real target is what gets detonated, then loaded in fingerprint-chromium (an anti-fingerprint Chromium fork) running headful under Xvfb, with egress through tinyproxy. Attachments and documents render in an E2B Desktop microVM. Screenshots, video, HAR, DOM, and rendered pages are persisted in object storage.
  3. An agent reviews and returns a verdict. An OpenAI Agents SDK loop calls tools (analyze_url, analyze_attachment_deep, inspect_artifact, heuristic_verdict, find_related_messages) over the captured artifacts. Verdict, confidence, indicators, and a written summary land on the case, and the full event trace is persisted.
  4. Cases auto-cluster into campaigns. Cases that share a final domain, sender domain, or attachment hash are linked automatically — one pivot from a single report to every related case in your org.
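The intake and clustering steps above (parse the reported .eml, unwrap rewritten URLs, hash attachments, link cases that share an indicator) are small enough to show end to end. The block below is an added illustration written for this post, not PhishMind's own code. It decodes SafeLinks and Proofpoint URL Defense v2 rewrites as pure string operations (nothing is fetched, so it never touches the redirector or the target; v3 urldefense.com links are not handled), and it uses the unwrapped URL's host as a stand-in for the "final domain" a real pipeline would take from the sandbox landing page. The four reports, the sender domains, the URLs and the attachment bytes are all constructed for the example.

```python
"""Intake slice of a triage pipeline: parse .eml reports, unwrap URL rewrites offline, hash attachments, cluster."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def unwrap_once(url: str) -> str:
    """Decode one layer of Microsoft SafeLinks or Proofpoint URL Defense v2; no network access."""
    p = urlparse(url)
    host, qs = p.netloc.lower(), parse_qs(p.query)
    if host.endswith(".safelinks.protection.outlook.com") and "url" in qs:
        return qs["url"][0]
    if host == "urldefense.proofpoint.com" and p.path.startswith("/v2/url") and "u" in qs:
        # v2 stores the target with '/' written as '_' and '%' written as '-', then percent-encoded.
        return unquote(qs["u"][0].replace("_", "/").replace("-", "%"))
    return url  # not a rewrite we recognise (v3 urldefense.com links are not handled here)


def unwrap(url: str, max_depth: int = 5) -> str:
    """Peel nested rewrites (e.g. SafeLinks wrapping Proofpoint) up to a fixed depth."""
    for _ in range(max_depth):
        nxt = unwrap_once(url)
        if nxt == url:
            break
        url = nxt
    return url


def extract_case(case_id: str, raw: bytes) -> dict:
    """Pull the indicators the clustering step keys on out of one reported .eml.
    Assumption: the unwrapped URL's host stands in for the post-detonation 'final domain'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = [unwrap(u.rstrip(".,);")) for u in URL_RE.findall(text)]
    hashes = {hashlib.sha256(p.get_payload(decode=True)).hexdigest() for p in msg.iter_attachments()}
    return {"id": case_id,
            "sender_domain": sender.rpartition("@")[2].lower(),
            "final_domains": {urlparse(u).netloc.lower() for u in urls},
            "attachment_hashes": hashes, "urls": urls}


def cluster_cases(cases: list) -> list:
    """Union-find over shared indicators: cases sharing a final domain, sender domain
    or attachment hash land in the same campaign. Returns sets of case ids."""
    parent = {c["id"]: c["id"] for c in cases}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (indicator kind, value) -> first case that carried it
    for c in cases:
        keys = ([("sender", c["sender_domain"])] + [("domain", d) for d in c["final_domains"]]
                + [("sha256", h) for h in c["attachment_hashes"]])
        for key in (k for k in keys if k[1]):  # skip empty indicators (e.g. missing From)
            if key in first_seen:
                parent[find(c["id"])] = find(first_seen[key])
            else:
                first_seen[key] = c["id"]
    groups = {}
    for cid in parent:
        groups.setdefault(find(cid), set()).add(cid)
    return sorted(groups.values(), key=lambda g: sorted(g))


def make_report(sender: str, text: str, attachment: bytes = b"") -> bytes:
    """Build a constructed .eml for the demo (a stand-in for a user-reported message)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, "FW: reported message"
    m.set_content(text)
    if attachment:
        m.add_attachment(attachment, maintype="application", subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()


ATTACHMENT = b"%PDF-1.4\n"  # constructed stand-in attachment bytes
SAMPLE_REPORTS = {  # constructed sample reports; none of these domains are real
    "case-1": make_report('"IT Helpdesk" <helpdesk@contoso-support.example>',
        "Reset here: https://nam02.safelinks.protection.outlook.com/?url="
        "https%3A%2F%2Flogin-verify.example%2Fauth&data=05%7C01%7C&reserved=0", ATTACHMENT),
    "case-2": make_report("payroll@hr-update.example", "Payslip: https://urldefense."
        "proofpoint.com/v2/url?u=https-3A__login-2Dverify.example_reset&d=DwMFaQ"),
    "case-3": make_report("accounts@invoice-portal.example", "Invoice attached.", ATTACHMENT),
    "case-4": make_report("news@benign-news.example", "Story: https://benign-news.example/story"),
}


def run_samples():
    """Extract indicators from every sample report and cluster them into campaigns."""
    cases = [extract_case(cid, raw) for cid, raw in SAMPLE_REPORTS.items()]
    return cases, cluster_cases(cases)
```

Running run_samples() links case-1 and case-2 through the shared final domain login-verify.example (reached through two different rewriters) and case-3 through the attachment hash it shares with case-1, leaving case-4 as a singleton: one pivot from any of the three reports reaches the whole campaign. The unwrapping is deliberately offline; following a SafeLinks or URL Defense redirect with a real HTTP client would both tip off the sender's click tracking and bypass the sandbox the detonation step exists for.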

Try it

curl -X POST https://api.phishmind.com/v1/cases \
  -H "Authorization: Bearer pm_live_..." \
  -F "type=user_report" \
  -F "channel=email" \
  -F "payload=@message.eml"

We’re onboarding design partners — SOC, IR, and IT security teams — to PhishMind today. There’s no public signup yet; email hello@phishmind.com if your team triages reported phishing and you’d swap manual review for an API call.

Read the API docs →