API-first DFIR platform

Incident Response.
Automated.

The API toolkit built for modern security teams. Analyze phishing emails, enrich IOCs, triage alerts, and generate forensic reports — all through a single platform.

Free tier · No credit card · 50 credits/month

Phishing Email Analysis · AI-Powered Verdicts · Exposure Scanner · IOC Enrichment · MITRE ATT&CK Mapping · Forensic Report Generation · Investigation Timelines · URL & Domain Reputation · Threat Actor Profiling · Detection Rule Generation · Batch IOC Processing · REST API with JSON

Services

API-First Security Toolkit

Every capability exposed as a clean REST endpoint. Integrate forensics, threat intelligence, and incident response into your workflows with a single API key.

Phishing Email Checker

AI-powered phishing analysis. Scans headers, URLs, and attachments. Returns verdict with confidence score, MITRE mapping, and IOC extraction.

Email → Analysis → Verdict

Exposure Scanner

Scans for exposed credentials, data leaks, and dark web mentions tied to your organization.

IOC Enrichment

Enrich IPs, domains, hashes, and URLs with threat intel from multiple sources. Batch-friendly.

AI Triage & Analysis

Alert triage, deep analysis, threat actor profiling, and detection rule generation -- all AI-powered.

Investigation Management

Create and manage investigations, build timelines, and track evidence chains across cases.

Report Generation

Auto-generate forensic reports from your investigations with export to PDF and STIX.

Up and Running in Minutes

01

Create Account

Sign up, get 50 free credits instantly.

02

Generate API Key

Create keys with granular permissions per service.

03

Integrate & Automate

Call our APIs from your SIEM, SOAR, or scripts.

terminal
$ curl -X POST https://dfir-lab.ch/api/v1/phishing/analyze \
  -H "Authorization: Bearer dfir_sk_..." \
  -H "Content-Type: application/json" \
  -d '{"email_raw": "base64_encoded_eml..."}'

See It in Action

Production-ready APIs with sub-second response times. Integrate threat intelligence into your workflow in minutes.

Protocol: REST · Format: JSON · Encrypted: TLS

Request
curl -X POST https://dfir-lab.ch/api/v1/phishing/analyze \
  -H "Authorization: Bearer sk_dfir_live_8f3a...b2c1" \
  -H "Content-Type: application/json" \
  -d '{
    "input_type": "eml",
    "content": "Received: from mail.example.com ...\nFrom: security@paypa1.com\nTo: user@company.com\nSubject: Action Required: Verify Now\nAuthentication-Results: spf=fail; dkim=fail; dmarc=fail\n\n<html><body><a href=\"https://paypa1-secure.xyz/login\">Click here</a></body></html>",
    "options": {
      "include_iocs": true,
      "include_body_analysis": true,
      "include_homoglyph_check": true,
      "include_link_analysis": true,
      "include_attachment_analysis": true
    }
  }'
Response — 200 OK
{
  "data": {
    "verdict": {
      "level": "highly_malicious",
      "score": 87,
      "summary": "Phishing email impersonating PayPal with failed authentication and credential harvesting link."
    },
    "key_findings": [
      "All authentication mechanisms (SPF, DKIM, DMARC) failed",
      "Homoglyph domain detected: paypa1.com → paypal.com",
      "Credential harvesting URL with invalid SSL"
    ],
    "recommended_actions": [
      "Block sender domain paypa1.com",
      "Add URL to blocklist",
      "Alert affected recipients"
    ],
    "authentication_results": {
      "spf": { "result": "fail", "domain": "paypa1.com" },
      "dkim": { "result": "fail", "domain": "paypa1.com" },
      "dmarc": { "result": "fail", "domain": "paypa1.com" }
    },
    "suspicious_indicators": [
      {
        "category": "auth_failure",
        "description": "SPF, DKIM, and DMARC all failed",
        "severity": "danger"
      },
      {
        "category": "spoofing",
        "description": "Homoglyph domain paypa1.com impersonating paypal.com",
        "severity": "danger"
      }
    ],
    "email_metadata": {
      "from": "security@paypa1.com",
      "to": ["user@company.com"],
      "subject": "Action Required: Verify Now"
    },
    "extracted_iocs": [
      { "type": "domain", "value": "paypa1.com", "location": "header" },
      { "type": "url", "value": "https://paypa1-secure.xyz/login", "location": "body" },
      { "type": "domain", "value": "paypa1-secure.xyz", "location": "body" }
    ]
  },
  "meta": {
    "credits_used": 1,
    "credits_remaining": 49,
    "processing_time_ms": 843
  }
}
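
Consuming this response in a SOAR playbook or script, as an added example that is not the platform's own code: it blocks only when the score is corroborated by a concrete finding, and it never blocklists protected domains. The threshold, the NEVER_BLOCK list and the function names are assumptions; only fields visible in the response above are read.

```python
import json
from urllib.parse import urlsplit

# Constructed input: the response shown above, trimmed to the fields read here.
SAMPLE = json.loads(r"""
{"data": {
   "verdict": {"level": "highly_malicious", "score": 87},
   "authentication_results": {
     "spf": {"result": "fail"}, "dkim": {"result": "fail"}, "dmarc": {"result": "fail"}},
   "suspicious_indicators": [
     {"category": "auth_failure", "severity": "danger"},
     {"category": "spoofing", "severity": "danger"}],
   "extracted_iocs": [
     {"type": "domain", "value": "paypa1.com", "location": "header"},
     {"type": "url", "value": "https://paypa1-secure.xyz/login", "location": "body"},
     {"type": "domain", "value": "paypa1-secure.xyz", "location": "body"}]},
 "meta": {"credits_used": 1, "credits_remaining": 49}}
""")

# Assumptions (local policy, not defined by the API): score threshold and
# domains that must never be auto-blocked.
BLOCK_SCORE = 80
NEVER_BLOCK = {"company.com", "paypal.com"}

def host_of(ioc):
    """Hostname for a URL IOC; the raw value for every other IOC type."""
    value = ioc["value"]
    host = urlsplit(value).hostname if ioc["type"] == "url" else value
    return (host or "").lower().rstrip(".")

def protected(host):
    """True for a protected domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in NEVER_BLOCK)

def triage(response):
    data = response.get("data", {})
    score = data.get("verdict", {}).get("score", 0)
    auth = data.get("authentication_results", {})
    auth_failed = bool(auth) and all(r.get("result") == "fail" for r in auth.values())
    danger = [i["category"] for i in data.get("suspicious_indicators", [])
              if i.get("severity") == "danger"]
    # Block only when the score is corroborated by a concrete finding.
    block = score >= BLOCK_SCORE and (auth_failed or bool(danger))
    blocklist, skipped = {}, []
    for ioc in data.get("extracted_iocs", []) if block else []:
        if protected(host_of(ioc)):
            skipped.append(ioc["value"])  # leave for an analyst to review
        elif ioc["value"] not in blocklist.setdefault(ioc["type"], []):
            blocklist[ioc["type"]].append(ioc["value"])
    return {"action": "block" if block else "review", "blocklist": blocklist,
            "skipped": skipped, "danger": danger}
```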

Simple, Transparent Pricing

Pay for what you use with our credit-based model. Start free and scale as your security operations grow.

Free

$0/month

50 credits/month

  • 50 API credits/month
  • Phishing Email Checker
  • 1 API key
  • No team members

Starter

$29/month

500 credits/month

  • 500 API credits/month
  • Phishing Email Checker + AI
  • Exposure Scanner
  • 5 API keys
  • 10 team members
  • Priority support
Most Popular

Professional

$99/month

2,500 credits/month

  • 2,500 API credits/month
  • Phishing Email Checker + AI
  • Exposure Scanner
  • Unlimited API keys
  • Unlimited team members
  • Priority support

Enterprise

Custom

Tailored to your organization

  • Unlimited credits
  • Phishing Email Checker + AI
  • Exposure Scanner
  • Unlimited API keys
  • Unlimited team members
  • Dedicated support
  • Custom SLA
  • On-premise option

Need more credits?

Top up anytime with credit packages -- no subscription change needed.

  • 100 credits: $9
  • 250 credits: $19
  • 500 credits: $35
  • 1,000 credits: $59

Ready to Automate Your Incident Response?

Get started in minutes with 50 free credits. No credit card required — plug our APIs into your existing stack and let automation handle the heavy lifting.