SiteQ8/PhishWatch

🛡️ PhishWatch

Real-time Phishing Detection Platform

Monitor, detect, and analyze phishing domains as they appear.
Combines CertStream certificate transparency monitoring with OpenSquat
domain squatting detection for comprehensive, real-time phishing defense.



📸 Screenshots

Dashboard — Live Detection Feed

[Screenshot: PhishWatch Dashboard]

Real-time phishing detection feed with brand impersonation tags, typosquatting detection, risk scoring, and filtered views. Monitors 70+ brands across tech, finance, crypto, e-commerce, and social media.

Live Monitoring with Alerts

[Screenshot: PhishWatch Live]

Active monitoring with toast alerts for critical threats. Stats update in real-time via WebSocket connections.


✨ Features

🔍 Real-time Detection

  • CertStream Integration — Watch Certificate Transparency logs through CertStream, so a phishing domain is seen the moment it is issued a TLS certificate, usually before the site goes live
  • OpenSquat Integration — Detect domain squatting and typosquatting from newly registered domains
  • WebSocket Dashboard — Live updates without page refresh, instant notifications

🧠 Intelligent Analysis

  • Brand Similarity Detection — Identify domains impersonating 70+ known brands (PayPal, Microsoft, Google, Amazon, Chase, Coinbase, MetaMask, FedEx, and more)
  • Typosquatting Detection — Character substitution (g00gle), omission (gogle), and addition (googles) patterns
  • Homograph/IDN Detection — Catch Cyrillic, Greek, and other Unicode lookalike attacks
  • Shannon Entropy Analysis — Detect algorithmically generated domains (DGA)
  • Multi-factor Risk Scoring — 9-factor weighted scoring system (0-100 scale)
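The analysis features above and the detection pipeline further down (brand similarity, typosquatting, homograph/IDN, entropy, weighted scoring) can be shown end to end in a few dozen lines. The following is an added illustration written for this page, not PhishWatch's own Domain Analyzer or Threat Classifier: the brand list, keyword list, risky-TLD list, thresholds and weights are assumptions (the project's real 9-factor weights are not documented here), and the only value taken from the page is the CRITICAL threshold of 90.

```python
"""Simplified domain analysis in the spirit of PhishWatch's Domain Analyzer
and Threat Classifier.  Added illustration, not the project's code: the brand
list, keyword list, TLD list, thresholds and weights below are assumptions."""
import math
import unicodedata
from collections import Counter

BRANDS = ["paypal", "google", "microsoft", "amazon", "coinbase", "metamask"]
KEYWORDS = ["login", "secure", "account", "verify", "wallet", "update"]
RISKY_TLDS = {"tk", "ml", "ga", "cf", "gq", "top", "xyz"}
LEET = str.maketrans("0134578", "oleastb")   # digit-for-letter substitutions
WEIGHTS = {"brand": {0: 40, 1: 30, 2: 20}, "keyword": 10, "keyword_cap": 20,
           "tld": 15, "homograph": 40, "leet": 10, "dga": 25, "hyphens": 10}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking (DGA) labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a: str, b: str) -> int:
    """Edit distance: substitution (g00gle), omission (gogle), addition (googles)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_idn(domain: str) -> str:
    """Turn punycode labels (xn--...) into Unicode so lookalike letters are visible."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        out.append(label)
    return ".".join(out)


def scripts_in(label: str) -> set:
    """Unicode scripts used in a label, taken from character names (LATIN, CYRILLIC, GREEK...)."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def analyze(domain: str) -> dict:
    """Score a domain 0-100 from several weighted factors and classify it."""
    labels = decode_idn(domain).split(".")
    tld = labels[-1]
    names = labels[:-1] or labels
    raw = "-".join(names)
    # ASCII-fold (drops non-ASCII letters), then undo leet-speak for brand matching
    ascii_core = "".join(c for c in unicodedata.normalize("NFKD", raw) if c.isascii())
    folded = ascii_core.translate(LEET)
    tokens = [t for t in folded.split("-") if t]

    brand, best = None, 99
    for b in BRANDS:
        for tok in tokens:
            d = 0 if b in tok else levenshtein(tok, b)
            if d < best:
                brand, best = b, d
    f = {"domain": domain, "decoded": ".".join(labels)}
    f["brand"] = brand if best <= 2 else None
    f["keywords"] = [k for k in KEYWORDS if k in folded]
    f["risky_tld"] = tld in RISKY_TLDS
    f["homograph"] = any(len(scripts_in(n)) > 1 for n in names)  # mixed-script label
    f["leet"] = f["brand"] is not None and any(c.isdigit() for c in ascii_core)
    f["entropy"] = round(shannon_entropy(ascii_core.replace("-", "")), 2)
    # Entropy alone is weak on short strings; only use it when nothing else explains the name
    f["dga_like"] = f["brand"] is None and len(ascii_core) >= 12 and f["entropy"] > 3.8

    score = WEIGHTS["brand"].get(best, 0) if f["brand"] else 0
    score += min(len(f["keywords"]) * WEIGHTS["keyword"], WEIGHTS["keyword_cap"])
    score += WEIGHTS["tld"] * f["risky_tld"] + WEIGHTS["homograph"] * f["homograph"]
    score += WEIGHTS["leet"] * f["leet"] + WEIGHTS["dga"] * f["dga_like"]
    score += WEIGHTS["hyphens"] * (raw.count("-") >= 2)
    f["risk_score"] = min(score, 100)
    f["threat_level"] = ("CRITICAL" if score >= 90 else "HIGH" if score >= 70
                         else "MEDIUM" if score >= 40 else "LOW")
    return f


if __name__ == "__main__":
    homograph = "p\u0430ypal.com".encode("idna").decode("ascii")  # Cyrillic а, as punycode
    for d in ["paypal-login-secure.tk", "g00gle-account-security.top",
              homograph, "q7x9vkp2mzrt4w8j.xyz", "example.com"]:
        r = analyze(d)
        print(f"{d:32} {r['risk_score']:3}/100 {r['threat_level']:8} brand={r['brand']}")
```

Two caveats worth keeping in mind when reading real detections: the mixed-script check catches a Cyrillic letter dropped into a Latin name but not a label written entirely in a confusable script (that needs a confusables table such as Unicode TR39), and entropy is a poor discriminator on short labels, which is why this example only lets it count when no brand match explains the name.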

📊 Professional Dashboard

  • 4 Views — Dashboard, All Detections, Threat Intelligence, Domain Analysis
  • Risk Filtering — Filter by Critical/High/Medium, by source, search
  • Interactive Charts — Risk distribution and detection timeline
  • Manual Analysis — Analyze any domain on-demand via the UI
  • CSV/JSON Export — Export detection data for SIEM integration
  • Toast Alerts — Real-time notifications for high-severity detections

🔧 Platform

  • REST API — Full API for integration with security tools and automation
  • CLI Tool — Command-line interface for scripting and CI/CD
  • Python Package — pip install ready with pyproject.toml
  • Docker Ready — Dockerfile and Docker Compose included
  • CI/CD — GitHub Actions workflow for testing across Python 3.9-3.12
  • 20+ Unit Tests — Comprehensive test coverage

🏭 Advanced: ICS/IoT/OT Module

  • Detects phishing targeting industrial control systems (30+ vendors: Siemens, Schneider, Rockwell, Honeywell, ABB...)
  • Industrial protocol keyword matching (Modbus, DNP3, OPC UA, BACnet, PROFINET...)
  • MITRE ATT&CK for ICS technique mapping
  • Automatic ICS-aware risk multiplier for elevated threat scoring

🚀 Quick Start

Option 1: pip install

git clone https://github.com/SiteQ8/PhishWatch.git
cd PhishWatch
pip install -e .
phishwatch serve

Open http://localhost:5000 and click Start Monitoring.

Option 2: Docker

git clone https://github.com/SiteQ8/PhishWatch.git
cd PhishWatch
docker compose up -d

Option 3: Manual

git clone https://github.com/SiteQ8/PhishWatch.git
cd PhishWatch
pip install -r requirements.txt
python -m phishwatch serve

💻 CLI Usage

Analyze a domain

# Human-readable output
phishwatch analyze paypal-login-secure.tk

# JSON output
phishwatch analyze paypal-login-secure.tk --json

Example output:

============================================================
  PhishWatch Domain Analysis
============================================================
  Domain:       paypal-login-secure.tk
  Risk Score:   94/100
  Threat Level: CRITICAL
  Summary:      CRITICAL (94/100): paypal-login-secure.tk — probable target: paypal

  Recommendations:
    • IMMEDIATE: Block domain across all network segments including OT
    • Add to SIEM and firewall deny-lists
    • Alert SOC and OT security teams
    • Check for similar domains (typosquatting variants)
    • Investigate brand impersonation — consider takedown
============================================================

Start the dashboard

phishwatch serve --port 8080 --debug

--debug is for development only: Flask's debug mode exposes the Werkzeug interactive debugger, which executes arbitrary Python submitted from the browser, so never bind a --debug server to anything but localhost.

📡 API Reference

All endpoints are under /api/v2/.

Method            Endpoint                     Description
GET               /api/v2/status               Platform status and stats
GET               /api/v2/detections           List detections (filterable)
POST              /api/v2/start                Start monitoring
POST              /api/v2/stop                 Stop monitoring
POST              /api/v2/analyze              Analyze a single domain
GET/POST/DELETE   /api/v2/keywords             Manage watchlist keywords
GET               /api/v2/export?format=csv    Export detections (CSV/JSON)

Query Parameters for /api/v2/detections

Param      Values                              Description
risk       all, critical, high, medium, low    Filter by risk level
source     all, certstream, opensquat          Filter by detection source
ics_only   true, false                         Show only ICS/OT-targeted detections
limit      1-1000                              Maximum number of results

Analyze a domain via API

curl -X POST http://localhost:5000/api/v2/analyze \
  -H "Content-Type: application/json" \
  -d '{"domain": "g00gle-account-security.top"}'
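For automation (the REST API and CI/CD use the Features section mentions), the same calls can be scripted from Python. The following is an added example, not a client shipped with the project: it builds requests only for the endpoints and query parameters documented above, the base URL is the default serve address, and the JSON field names in SAMPLE_DETECTIONS (domain, risk_score, source) are an assumption about the response shape, with the records themselves constructed for the demonstration.

```python
"""Scripting the PhishWatch REST API from Python.  Added example, not the
project's own client: it uses only the endpoints and query parameters listed
above; the JSON field names in SAMPLE_DETECTIONS are an assumption and the
records themselves are constructed."""
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:5000"          # default `phishwatch serve` address
RISK_LEVELS = {"all", "critical", "high", "medium", "low"}
SOURCES = {"all", "certstream", "opensquat"}

SAMPLE_DETECTIONS = [                   # constructed, not real detections
    {"domain": "paypal-login-secure.tk", "risk_score": 94, "source": "certstream"},
    {"domain": "g00gle-account-security.top", "risk_score": 88, "source": "opensquat"},
    {"domain": "example-news.com", "risk_score": 12, "source": "certstream"},
    {"domain": "paypal-login-secure.tk", "risk_score": 94, "source": "opensquat"},
]


def detections_url(base=BASE, risk="all", source="all", ics_only=False, limit=100):
    """Build the /api/v2/detections URL, rejecting values the API does not document."""
    if risk not in RISK_LEVELS:
        raise ValueError(f"risk must be one of {sorted(RISK_LEVELS)}")
    if source not in SOURCES:
        raise ValueError(f"source must be one of {sorted(SOURCES)}")
    if not 1 <= int(limit) <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    query = urllib.parse.urlencode({
        "risk": risk, "source": source,
        "ics_only": "true" if ics_only else "false", "limit": int(limit),
    })
    return f"{base.rstrip('/')}/api/v2/detections?{query}"


def analyze_request(domain, base=BASE):
    """POST /api/v2/analyze with the same JSON body as the curl example."""
    body = json.dumps({"domain": domain}).encode("utf-8")
    return urllib.request.Request(
        f"{base.rstrip('/')}/api/v2/analyze", data=body, method="POST",
        headers={"Content-Type": "application/json"})


def call(request, timeout=10):
    """Send a Request (or URL string) and decode the JSON reply; needs a live server."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


def deny_list(detections, min_score=70):
    """Unique domains at or above min_score, sorted, ready for a firewall or DNS blocklist."""
    return sorted({d["domain"] for d in detections if d.get("risk_score", 0) >= min_score})


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # call(detections_url(risk="high")) once `phishwatch serve` is running.
    print(detections_url(risk="critical", source="certstream", limit=50))
    print(analyze_request("g00gle-account-security.top").get_method())
    print("\n".join(deny_list(SAMPLE_DETECTIONS)))
```

Validating the filter values client-side keeps a typo in a cron job from silently returning the unfiltered feed, and deduplicating before export matters because the same domain can be surfaced by both CertStream and OpenSquat.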

🏗️ Architecture

PhishWatch/
├── phishwatch/
│   ├── __init__.py              # Package metadata
│   ├── __main__.py              # python -m phishwatch
│   ├── app.py                   # Flask + SocketIO application
│   ├── cli.py                   # CLI entry point
│   ├── config.py                # Configuration & brand watchlists
│   ├── core/
│   │   ├── domain_analyzer.py   # Domain analysis (similarity, entropy, homograph)
│   │   ├── threat_classifier.py # Multi-factor risk scoring
│   │   ├── ics_iot_detector.py  # ICS/IoT/OT detection module (advanced)
│   │   ├── certstream_monitor.py # Real-time certificate monitoring
│   │   └── opensquat_integration.py # Domain squatting detection
│   ├── templates/
│   │   └── dashboard.html       # Web dashboard
│   └── static/
│       ├── css/dashboard.css
│       └── js/dashboard.js
├── tests/                       # Test suite (20+ tests)
├── docs/index.html              # GitHub Pages live demo
├── screenshots/                 # Dashboard screenshots
├── Dockerfile                   # Production container
├── docker-compose.yml
├── pyproject.toml               # Python packaging
└── README.md

Detection Pipeline

CertStream (WSS) ──┐
                    ├─▶ Domain Analyzer ─▶ Threat Classifier ─▶ Dashboard
OpenSquat (NRD) ───┘    · Brand similarity    · 9-factor scoring   · WebSocket
                        · Typosquatting        · ICS/OT multiplier  · Real-time
                        · Homograph detect     · Classification     · Alerts
                        · Entropy / DGA        · Recommendations    · Export

🧪 Testing

pip install -e ".[dev]"
pytest tests/ -v --cov=phishwatch

🐳 Docker Deployment

docker compose up -d
# Or manually:
docker build -t phishwatch .
docker run -p 5000:5000 -e SECRET_KEY=your-secret phishwatch

⚙️ Configuration

Environment variables or .env file:

Variable                  Default                         Description
SECRET_KEY                change-me                       Flask secret key (signs session cookies)
LOG_LEVEL                 INFO                            Logging level
CERTSTREAM_URL            wss://certstream.calidog.io/    CertStream endpoint
OPENSQUAT_SCAN_INTERVAL   1800                            Seconds between OpenSquat scans
MAX_DETECTIONS            5000                            Maximum number of detections retained
CRITICAL_THRESHOLD        90                              Risk score at or above which a detection is CRITICAL

Set SECRET_KEY to a long random value before exposing the service: Flask signs session cookies with it, and the default change-me is public. No authentication setting is listed, so keep the dashboard and API on localhost or behind an authenticating reverse proxy; with Docker, publish the port on the loopback interface only (-p 127.0.0.1:5000:5000 instead of -p 5000:5000).

🗺️ Roadmap

  • STIX/TAXII export for threat intelligence sharing
  • VirusTotal & URLScan.io integration
  • Machine learning classifier for phishing confidence
  • Email/Slack alerting for critical detections
  • SQLite/PostgreSQL persistence
  • Grafana dashboard integration
  • YARA rule generation from detections
  • Shodan integration for infrastructure analysis

🤝 Contributing

Contributions welcome! See CONTRIBUTING.md.


📝 License

MIT License — see LICENSE.


👤 Author

Ali AlEnezi (@SiteQ8)


PhishWatch — Catching phishing domains before they catch you.

About

Phishing detection tool that integrates CertStream and OpenSquat to monitor and detect phishing websites in real-time. The tool features a modern web dashboard with live updates, threat classification, and detailed domain analysis.
