AI Verdict
AI-enhanced phishing analysis powered by Claude Sonnet 4.5. Accepts pre-processed email analysis data (authentication results, IOCs, heuristic scores) and returns a detailed AI risk assessment with persuasion analysis, manipulation scoring, and visual impersonation detection.
POST /api/v1/phishing/analyze/ai
Authentication
API key with phishing:ai permission
Credits
10 credits per request
Plans
Starter, Professional, Enterprise
Credits Charged Before AI Call
Credits are deducted before the Claude API call to prevent cost leakage. If the AI model is temporarily unavailable or times out, the response returns ai_verdict: null with the heuristic analysis echo, but 10 credits are still charged. Your integration should always check whether ai_verdict is present before accessing its fields.
Request Body
This endpoint accepts pre-processed email analysis data — not raw email content. All fields are required unless marked optional. Recipient emails are stripped and all domains, IPs, and URLs are defanged before being sent to Claude for PII protection.
| Field | Type | Required | Description |
|---|---|---|---|
| senderEmail | string | Yes | The sender's email address (e.g., suspicious@example.com). |
| senderDomain | string | Yes | The sender's domain (e.g., example.com). |
| subject | string | Yes | The email subject line. |
| authResults | object | Yes | Email authentication results. Must contain spf, dkim, and dmarc objects, each with result (string) and domain (string). |
| suspiciousIndicators | array | Yes | Array of suspicious indicators. Each item has category (string), description (string), and severity ("low" | "medium" | "high"). |
| extractedIOCs | array | Yes | Array of extracted IOCs. Each item has type (string), value (string), and optionally enrichmentVerdict (string) and enrichmentScore (number). |
| hopCount | number | Yes | Number of email hops (Received headers). |
| heuristicScore | number | Yes | Heuristic phishing score from 0 to 100. |
| heuristicVerdict | string | Yes | Heuristic verdict string (e.g., clean, suspicious, malicious). |
| recipientEmails | string[] | No | Optional. Recipient email addresses. Stripped before sending to the AI model for PII protection. |
| htmlStructureInfo | string | No | Optional. HTML structure metadata for visual/structural analysis by the AI. |
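Because the 10 credits are deducted before the AI call, a request that is rejected for a malformed body is cheaper to catch locally. The following is an added example, not the project's own code: a client-side check of the request schema documented in the table above (required fields, the three authResults mechanisms, the severity enum, IOC fields and the 0 to 100 heuristic score). The page does not document the API's own validation errors, so the error messages here are this example's own; `EXAMPLE_REQUEST` is constructed from the documented example body.

```python
"""Validate an AI Verdict request body before spending credits.

Added example, not the project's own code: the page does not document the
API's own validation errors, so this checks the documented request schema
locally before a request that will be charged 10 credits is sent.
"""
from typing import Any

SEVERITIES = {"low", "medium", "high"}
AUTH_MECHANISMS = ("spf", "dkim", "dmarc")
NUMBER = (int, float)
REQUIRED = {
    "senderEmail": str, "senderDomain": str, "subject": str,
    "authResults": dict, "suspiciousIndicators": list, "extractedIOCs": list,
    "hopCount": NUMBER, "heuristicScore": NUMBER, "heuristicVerdict": str,
}
OPTIONAL = {"recipientEmails": list, "htmlStructureInfo": str}


def _is(value: Any, typ: Any) -> bool:
    """isinstance that does not let a bool pass as a number."""
    return isinstance(value, typ) and not isinstance(value, bool)


def validate_request(body: dict[str, Any]) -> list[str]:
    """Return every schema problem found; an empty list means the body matches the table."""
    errors: list[str] = []
    for field, typ in REQUIRED.items():
        if field not in body:
            errors.append(f"missing required field {field}")
        elif not _is(body[field], typ):
            errors.append(f"{field} has the wrong type")
    for field, typ in OPTIONAL.items():
        if field in body and not _is(body[field], typ):
            errors.append(f"{field} has the wrong type")

    # authResults must carry spf, dkim and dmarc, each with string result and domain
    auth = body.get("authResults")
    if isinstance(auth, dict):
        for mech in AUTH_MECHANISMS:
            entry = auth.get(mech)
            if not isinstance(entry, dict):
                errors.append(f"authResults.{mech} missing")
            elif not (_is(entry.get("result"), str) and _is(entry.get("domain"), str)):
                errors.append(f"authResults.{mech} needs string result and domain")

    if isinstance(body.get("suspiciousIndicators"), list):
        for i, ind in enumerate(body["suspiciousIndicators"]):
            if (not isinstance(ind, dict) or not _is(ind.get("category"), str)
                    or not _is(ind.get("description"), str)):
                errors.append(f"suspiciousIndicators[{i}] needs string category and description")
            elif ind.get("severity") not in SEVERITIES:
                errors.append(f"suspiciousIndicators[{i}] severity must be low, medium or high")

    if isinstance(body.get("extractedIOCs"), list):
        for i, ioc in enumerate(body["extractedIOCs"]):
            if not isinstance(ioc, dict) or not _is(ioc.get("type"), str) or not _is(ioc.get("value"), str):
                errors.append(f"extractedIOCs[{i}] needs string type and value")
                continue
            # enrichment fields are optional but typed when present
            if "enrichmentVerdict" in ioc and not _is(ioc["enrichmentVerdict"], str):
                errors.append(f"extractedIOCs[{i}] enrichmentVerdict must be a string")
            if "enrichmentScore" in ioc and not _is(ioc["enrichmentScore"], NUMBER):
                errors.append(f"extractedIOCs[{i}] enrichmentScore must be a number")

    if _is(body.get("hopCount"), NUMBER) and body["hopCount"] < 0:
        errors.append("hopCount must not be negative")
    if _is(body.get("heuristicScore"), NUMBER) and not 0 <= body["heuristicScore"] <= 100:
        errors.append("heuristicScore must be between 0 and 100")
    recipients = body.get("recipientEmails")
    if isinstance(recipients, list) and not all(_is(r, str) for r in recipients):
        errors.append("recipientEmails must be a list of strings")
    return errors


# Constructed sample, following the documented example request body.
EXAMPLE_REQUEST: dict[str, Any] = {
    "senderEmail": "suspicious@example.com",
    "senderDomain": "example.com",
    "subject": "Urgent: Verify Your Account",
    "authResults": {
        "spf": {"result": "fail", "domain": "example.com"},
        "dkim": {"result": "fail", "domain": "example.com"},
        "dmarc": {"result": "fail", "domain": "example.com"},
    },
    "suspiciousIndicators": [
        {"category": "auth_failure", "description": "SPF check failed", "severity": "high"},
    ],
    "extractedIOCs": [
        {"type": "domain", "value": "evil-login.com", "enrichmentVerdict": "malicious", "enrichmentScore": 85},
    ],
    "hopCount": 4,
    "heuristicScore": 72,
    "heuristicVerdict": "malicious",
}

if __name__ == "__main__":
    print(validate_request(EXAMPLE_REQUEST) or "request body is valid")
```

Run `validate_request` on the payload immediately before the POST and abort on a non-empty list; the bool guard matters because `True` would otherwise pass as a valid `hopCount` through a plain `isinstance` check.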
Example Request Body

```json
{
  "senderEmail": "suspicious@example.com",
  "senderDomain": "example.com",
  "subject": "Urgent: Verify Your Account",
  "authResults": {
    "spf": { "result": "fail", "domain": "example.com" },
    "dkim": { "result": "fail", "domain": "example.com" },
    "dmarc": { "result": "fail", "domain": "example.com" }
  },
  "suspiciousIndicators": [
    { "category": "auth_failure", "description": "SPF check failed", "severity": "high" },
    { "category": "urgency", "description": "Subject contains urgency language", "severity": "medium" }
  ],
  "extractedIOCs": [
    { "type": "domain", "value": "evil-login.com", "enrichmentVerdict": "malicious", "enrichmentScore": 85 },
    { "type": "ip", "value": "93.184.216.34", "enrichmentVerdict": "suspicious", "enrichmentScore": 42 }
  ],
  "hopCount": 4,
  "heuristicScore": 72,
  "heuristicVerdict": "malicious"
}
```

Response
The response contains an analysis object (echo of the sanitized input data) and an ai_verdict object with the AI-generated assessment. The ai_verdict can be null if the Claude call fails (credits are still charged). Response metadata is in the meta object.
| Field | Type | Description |
|---|---|---|
| ai_verdict.risk_level | string | Overall risk assessment: safe, suspicious, malicious, or highly_malicious |
| ai_verdict.confidence_score | number | Confidence in the assessment, integer from 0 to 100. |
| ai_verdict.executive_summary | string | 2-3 sentence summary suitable for non-technical stakeholders. |
| ai_verdict.key_findings | string[] | Natural language explanations of each risk signal detected. |
| ai_verdict.recommended_actions | string[] | Suggested remediation steps for the security team. |
| ai_verdict.model | string | The Claude model used for analysis (currently "claude-sonnet-4-5-20250929"). |
| ai_verdict.persuasion_analysis | object \| null | Analysis against Cialdini's six persuasion principles. Contains principles (reciprocity, commitment, socialProof, authority, liking, scarcity — each 0-10), dominantPrinciple, manipulationScore (0-100), and a tactics array. |
| ai_verdict.manipulation_scoring | object \| null | Manipulation dimension scoring. Contains dimensions (urgency, fear, reward, authority, curiosity, trust — each 0-10), overallRisk ("low" \| "medium" \| "high" \| "critical"), and a patterns array. |
| ai_verdict.visual_analysis | object \| null | Brand impersonation assessment. Contains brandImpersonation (boolean), impersonatedBrand (string or null), visualTechniques (string[]), and confidence (0-100). |
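The table above and the credits note earlier leave the integration with two things to get right: `ai_verdict` may be null even though the request was charged, and each of the three analysis sub-objects may independently be null. The following is an added example, not the project's own code, showing a triage routine that handles both. It assumes only the documented field names; the close / review / escalate thresholds, the mapping from the echoed heuristic verdict onto the AI risk scale, and the two sample responses (including the request id `req_def456`) are this example's own constructions.

```python
"""Triage an AI Verdict response, including the ai_verdict: null case.

Added example, not the project's own code. It assumes the response shape
documented in the table above and only the field names shown there; the
disposition thresholds are this example's own policy, not the API's.
"""
from typing import Any

# Documented risk levels, lowest to highest.
RISK_ORDER = ["safe", "suspicious", "malicious", "highly_malicious"]
# Assumption: how the echoed heuristic verdict maps onto the same scale when
# the AI verdict is missing.
HEURISTIC_TO_RISK = {"clean": "safe", "suspicious": "suspicious", "malicious": "malicious"}


def triage(response: dict[str, Any], min_confidence: int = 70) -> dict[str, Any]:
    """Return a disposition (close / review / escalate) with the reasons behind it."""
    data = response.get("data") or {}
    meta = response.get("meta") or {}
    analysis = data.get("analysis") or {}
    ai = data.get("ai_verdict")
    decision: dict[str, Any] = {
        "request_id": meta.get("request_id"),
        "credits_used": meta.get("credits_used"),  # charged even when ai_verdict is null
        "reasons": [],
        "actions": [],
    }

    if ai is None:
        # The AI call failed or timed out: fall back to the echoed heuristic verdict
        # and never auto-escalate on it, since no AI assessment was produced.
        risk = HEURISTIC_TO_RISK.get(analysis.get("heuristic_verdict"), "suspicious")
        decision.update(source="heuristic", risk_level=risk, confidence=None)
        decision["reasons"].append("ai_verdict was null; heuristic verdict used instead")
        decision["disposition"] = "close" if risk == "safe" else "review"
        return decision

    risk = ai.get("risk_level") if ai.get("risk_level") in RISK_ORDER else "suspicious"
    confidence = int(ai.get("confidence_score") or 0)
    decision.update(source="ai", risk_level=risk, confidence=confidence)
    decision["actions"] = list(ai.get("recommended_actions") or [])

    # Each analysis sub-object may independently be null; use only what is present.
    ms = ai.get("manipulation_scoring")
    if ms and ms.get("overallRisk") in ("high", "critical"):
        decision["reasons"].append(f"manipulation risk rated {ms['overallRisk']}")
    va = ai.get("visual_analysis")
    if va and va.get("brandImpersonation"):
        decision["reasons"].append(f"brand impersonation of {va.get('impersonatedBrand')}")
    pa = ai.get("persuasion_analysis")
    if pa:
        decision["reasons"].append(
            f"dominant persuasion principle {pa.get('dominantPrinciple')} "
            f"(manipulation score {pa.get('manipulationScore')}/100)"
        )

    rank = RISK_ORDER.index(risk)
    confident = confidence >= min_confidence
    if rank >= RISK_ORDER.index("malicious") and confident:
        decision["disposition"] = "escalate"
    elif rank == 0 and confident:
        decision["disposition"] = "close"
    else:
        # suspicious, or any verdict the model is not confident about
        decision["disposition"] = "review"
    return decision


# Constructed sample responses, shaped like the documented example response.
SAMPLE_AI_RESPONSE = {
    "success": True,
    "data": {
        "analysis": {"heuristic_score": 72, "heuristic_verdict": "malicious"},
        "ai_verdict": {
            "risk_level": "malicious",
            "confidence_score": 89,
            "executive_summary": "Multiple high-confidence phishing indicators.",
            "key_findings": ["SPF, DKIM and DMARC all failed."],
            "recommended_actions": ["Block the sender domain at the gateway."],
            "model": "claude-sonnet-4-5-20250929",
            "persuasion_analysis": {"dominantPrinciple": "scarcity", "manipulationScore": 65},
            "manipulation_scoring": {"overallRisk": "high"},
            "visual_analysis": None,
        },
    },
    "meta": {"request_id": "req_abc123", "credits_used": 10, "credits_remaining": 490},
}
# Constructed: the same request after a failed AI call (request id is made up).
SAMPLE_NULL_RESPONSE = {
    "success": True,
    "data": {"analysis": {"heuristic_score": 72, "heuristic_verdict": "malicious"}, "ai_verdict": None},
    "meta": {"request_id": "req_def456", "credits_used": 10, "credits_remaining": 480},
}

if __name__ == "__main__":
    for sample in (SAMPLE_AI_RESPONSE, SAMPLE_NULL_RESPONSE):
        print(triage(sample))
```

The null path deliberately never returns "escalate": the heuristic verdict was already known before the request, so a failed AI call should land in a review queue (and be visible in credit accounting) rather than trigger automated blocking.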
Example Response

```json
{
  "success": true,
  "data": {
    "analysis": {
      "sender_email": "suspicious@example.com",
      "sender_domain": "example.com",
      "subject": "Urgent: Verify Your Account",
      "auth_results": {
        "spf": { "result": "fail", "domain": "example.com" },
        "dkim": { "result": "fail", "domain": "example.com" },
        "dmarc": { "result": "fail", "domain": "example.com" }
      },
      "suspicious_indicators": [
        { "category": "auth_failure", "description": "SPF check failed", "severity": "high" }
      ],
      "extracted_iocs": [
        { "type": "domain", "value": "evil-login.com", "enrichmentVerdict": "malicious", "enrichmentScore": 85 }
      ],
      "hop_count": 4,
      "heuristic_score": 72,
      "heuristic_verdict": "malicious"
    },
    "ai_verdict": {
      "risk_level": "malicious",
      "confidence_score": 89,
      "executive_summary": "This email exhibits multiple high-confidence phishing indicators including complete email authentication failure (SPF, DKIM, DMARC), a malicious domain confirmed by threat intelligence, and urgency-based social engineering in the subject line.",
      "key_findings": [
        "All three email authentication mechanisms (SPF, DKIM, DMARC) failed, confirming the sender is not authorized to send on behalf of example.com.",
        "The extracted domain evil-login.com has been flagged as malicious by threat intelligence providers with a score of 85/100.",
        "The subject line uses urgency language ('Urgent: Verify Your Account') — a common social engineering tactic to bypass rational decision-making."
      ],
      "recommended_actions": [
        "Block sender domain at the email gateway and add evil-login.com to URL blocklist.",
        "Alert all recipients and advise them not to click any links or provide credentials.",
        "Submit the phishing indicators to your threat intelligence sharing platform."
      ],
      "model": "claude-sonnet-4-5-20250929",
      "persuasion_analysis": {
        "principles": {
          "reciprocity": 0,
          "commitment": 2,
          "socialProof": 0,
          "authority": 7,
          "liking": 0,
          "scarcity": 8
        },
        "dominantPrinciple": "scarcity",
        "manipulationScore": 65,
        "tactics": [
          "Urgency framing to pressure immediate action",
          "Authority impersonation via official-sounding account verification request"
        ]
      },
      "manipulation_scoring": {
        "dimensions": {
          "urgency": 8,
          "fear": 6,
          "reward": 0,
          "authority": 7,
          "curiosity": 2,
          "trust": 4
        },
        "overallRisk": "high",
        "patterns": [
          "Time pressure via 'Urgent' prefix",
          "Account suspension threat to invoke fear of loss"
        ]
      },
      "visual_analysis": {
        "brandImpersonation": false,
        "impersonatedBrand": null,
        "visualTechniques": [],
        "confidence": 30
      }
    }
  },
  "meta": {
    "request_id": "req_abc123",
    "credits_used": 10,
    "credits_remaining": 490,
    "processing_time_ms": 3456
  }
}
```

Code Examples
cURL

```bash
curl -X POST https://api.dfir-lab.ch/v1/phishing/analyze/ai \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "senderEmail": "suspicious@example.com",
    "senderDomain": "example.com",
    "subject": "Urgent: Verify Your Account",
    "authResults": {
      "spf": { "result": "fail", "domain": "example.com" },
      "dkim": { "result": "fail", "domain": "example.com" },
      "dmarc": { "result": "fail", "domain": "example.com" }
    },
    "suspiciousIndicators": [
      { "category": "auth_failure", "description": "SPF check failed", "severity": "high" }
    ],
    "extractedIOCs": [
      { "type": "domain", "value": "evil-login.com", "enrichmentVerdict": "malicious", "enrichmentScore": 85 }
    ],
    "hopCount": 4,
    "heuristicScore": 72,
    "heuristicVerdict": "malicious"
  }'
```

Python
```python
import requests

url = "https://api.dfir-lab.ch/v1/phishing/analyze/ai"
headers = {
    "Authorization": "Bearer sk-dfir-your-key-here",
    "Content-Type": "application/json",
}
payload = {
    "senderEmail": "suspicious@example.com",
    "senderDomain": "example.com",
    "subject": "Urgent: Verify Your Account",
    "authResults": {
        "spf": {"result": "fail", "domain": "example.com"},
        "dkim": {"result": "fail", "domain": "example.com"},
        "dmarc": {"result": "fail", "domain": "example.com"},
    },
    "suspiciousIndicators": [
        {"category": "auth_failure", "description": "SPF check failed", "severity": "high"}
    ],
    "extractedIOCs": [
        {"type": "domain", "value": "evil-login.com", "enrichmentVerdict": "malicious", "enrichmentScore": 85}
    ],
    "hopCount": 4,
    "heuristicScore": 72,
    "heuristicVerdict": "malicious",
}

response = requests.post(url, json=payload, headers=headers)
response.raise_for_status()  # surface HTTP-level failures (auth, plan, quota) before parsing
data = response.json()

# AI verdict may be null if Claude is unavailable; the 10 credits are still charged
ai = data["data"]["ai_verdict"]
if ai:
    print(f"Risk Level: {ai['risk_level']}")
    print(f"Confidence: {ai['confidence_score']}%")
    print(f"Summary: {ai['executive_summary']}")
    print(f"Model: {ai['model']}")
    print("\nKey Findings:")
    for finding in ai["key_findings"]:
        print(f" - {finding}")
    print("\nRecommended Actions:")
    for action in ai["recommended_actions"]:
        print(f" - {action}")
    # Persuasion analysis is itself nullable, so guard it separately
    if ai.get("persuasion_analysis"):
        pa = ai["persuasion_analysis"]
        print(f"\nDominant Persuasion Principle: {pa['dominantPrinciple']}")
        print(f"Manipulation Score: {pa['manipulationScore']}/100")
else:
    print("AI analysis unavailable — credits were still charged")

print(f"\nCredits used: {data['meta']['credits_used']}")
print(f"Credits remaining: {data['meta']['credits_remaining']}")
```

TypeScript
```typescript
interface PersuasionAnalysis {
  principles: {
    reciprocity: number;
    commitment: number;
    socialProof: number;
    authority: number;
    liking: number;
    scarcity: number;
  };
  dominantPrinciple: string;
  manipulationScore: number;
  tactics: string[];
}

interface ManipulationScoring {
  dimensions: {
    urgency: number;
    fear: number;
    reward: number;
    authority: number;
    curiosity: number;
    trust: number;
  };
  overallRisk: "low" | "medium" | "high" | "critical";
  patterns: string[];
}

interface VisualAnalysis {
  brandImpersonation: boolean;
  impersonatedBrand: string | null;
  visualTechniques: string[];
  confidence: number;
}

interface AIVerdict {
  risk_level: "safe" | "suspicious" | "malicious" | "highly_malicious";
  confidence_score: number;
  executive_summary: string;
  key_findings: string[];
  recommended_actions: string[];
  model: string;
  // Each sub-analysis is independently nullable
  persuasion_analysis: PersuasionAnalysis | null;
  manipulation_scoring: ManipulationScoring | null;
  visual_analysis: VisualAnalysis | null;
}

const response = await fetch("https://api.dfir-lab.ch/v1/phishing/analyze/ai", {
  method: "POST",
  headers: {
    Authorization: "Bearer sk-dfir-your-key-here",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    senderEmail: "suspicious@example.com",
    senderDomain: "example.com",
    subject: "Urgent: Verify Your Account",
    authResults: {
      spf: { result: "fail", domain: "example.com" },
      dkim: { result: "fail", domain: "example.com" },
      dmarc: { result: "fail", domain: "example.com" },
    },
    suspiciousIndicators: [
      { category: "auth_failure", description: "SPF check failed", severity: "high" },
    ],
    extractedIOCs: [
      { type: "domain", value: "evil-login.com", enrichmentVerdict: "malicious", enrichmentScore: 85 },
    ],
    hopCount: 4,
    heuristicScore: 72,
    heuristicVerdict: "malicious",
  }),
});

// Surface HTTP-level failures (auth, plan, quota) before reading the body
if (!response.ok) {
  throw new Error(`AI Verdict request failed: HTTP ${response.status}`);
}

const result = await response.json();
const { data, meta } = result;
console.log(`Credits used: ${meta.credits_used}, remaining: ${meta.credits_remaining}`);

// ai_verdict is null when the Claude call failed; credits are still charged
const ai: AIVerdict | null = data.ai_verdict;
if (ai) {
  console.log(`Risk: ${ai.risk_level} (confidence: ${ai.confidence_score}%)`);
  console.log(`Summary: ${ai.executive_summary}`);
  ai.key_findings.forEach((f: string) => console.log(`  Finding: ${f}`));
  ai.recommended_actions.forEach((a: string) => console.log(`  Action: ${a}`));
  if (ai.persuasion_analysis) {
    console.log(`Dominant principle: ${ai.persuasion_analysis.dominantPrinciple}`);
    console.log(`Manipulation score: ${ai.persuasion_analysis.manipulationScore}/100`);
  }
} else {
  console.log("AI analysis unavailable — credits were still charged");
}
```