PhishSentinel autonomously analyzes suspicious emails, scores their threat level from 0β100, extracts attack indicators, and presents findings in a live dashboard β in under 10 seconds.
PhishSentinel is an intelligent security tool that detects phishing emails β fake emails designed to trick you into giving up passwords, clicking dangerous links, or sending money to scammers. Think of it as a digital detective that reads every suspicious email and tells you exactly how dangerous it is.
Phishing is the #1 cyber threat of 2026, costing businesses over $3.5 billion every year. Criminals now use artificial intelligence (AI β computer systems that can learn and make decisions) to craft fake emails that are nearly indistinguishable from real ones. These attacks fool even careful, tech-savvy employees. Every company, from small startups to Fortune 500 giants, desperately needs better tools to catch these threats before they cause damage.
What makes PhishSentinel different from basic spam filters is that it uses an AI agent β a program that reasons step-by-step like a human security analyst β instead of simple keyword matching. While traditional tools look for words like "urgent" or "click here," PhishSentinel understands context, analyzes email headers (the behind-the-scenes routing information), detects visual tricks like lookalike domain names, and weighs 12 different risk factors to produce a reliable threat score.
πΌ For Managers: PhishSentinel demonstrates production-level skills in AI agent design, cybersecurity tooling, and full-stack Python development. It is the kind of tool real SOC (Security Operations Center) teams request but rarely have. The architecture mirrors enterprise threat intelligence platforms costing tens of thousands of dollars per year.
| Feature | What It Does (Plain English) |
|---|---|
| SPF Check | SPF (Sender Policy Framework) β checks whether the email was sent from an authorized server for that domain, detecting spoofed sender addresses |
| DKIM Check | DKIM (DomainKeys Identified Mail) β verifies a digital signature embedded in the email to prove it wasn't tampered with during transit |
| DMARC Check | DMARC (Domain-based Message Authentication, Reporting, and Conformance) β tells receiving servers what to do with emails that fail SPF or DKIM checks |
| Homoglyph Detection | Detects lookalike Unicode characters in domain names (like using "Π°mazon.com" with a Cyrillic 'Π°' instead of Latin 'a') that trick the human eye |
| Urgency Analysis | AI scans the email body for pressure tactics like "Act now!" or "Your account will be suspended" that rush victims into mistakes |
| IOC Extraction | IOC (Indicators of Compromise) β automatically pulls out malicious URLs, suspicious IP addresses, and questionable domains as evidence |
| Threat Scoring | Converts 12 individual indicator results into a single 0β100 threat score using weighted algorithms |
| Radar Chart | Plotly visualization showing all 12 indicator scores at once, making attack patterns instantly visible |
| Gauge Chart | Color-coded speedometer-style display showing the overall threat level (Safe, Suspicious, Likely Phishing, or Critical) |
| IOC Export | Download extracted threat indicators as CSV files for use in other security tools |
| Analysis History | SQLite database storing previous analyses with timestamps, so you can track threats over time |
| .EML File Upload | Import raw email files directly from Outlook, Thunderbird, or other email clients |
| Structured LLM Output | Uses Pydantic (a Python library for data validation) to ensure AI responses follow a predictable format |
When you paste an email into PhishSentinel, it passes through 7 specialized AI agents arranged in a pipeline called a graph. Each agent has one job: the first reads and decodes the email, the second checks authentication headers, the third scans the message body for suspicious language, the fourth extracts dangerous links, and so on. These agents pass information forward like an assembly line, with conditional branches that skip unnecessary steps for safe emails. Finally, a scoring agent weighs all findings and a report generator writes a human-readable summary. The entire process completes in seconds, and results are saved to a local database.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PhishSentinel β
β LangGraph Agent Flow β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π§ Raw Email Input
β
βΌ
βββββββββββββββββββββ
β 1. Email Parser β β Extracts headers, body, attachments
ββββββββββ¬βββββββββββ
β
βΌ
βββββββββββββββββββββ
β 2. Header Agent β β Checks SPF, DKIM, DMARC, IP hops
ββββββββββ¬βββββββββββ
β
ββββββ΄βββββ
β All β
β auth β β Conditional branch (LangGraph edge)
β pass? β
ββββββ¬βββββ
NO β YES
β ββββββββββββββββββββββββ
βΌ βΌ
ββββββββββββββββ ββββββββββββββββββββββββ
β Deep Header β β Skip deep inspection β
β Inspection β β (fast path) β
ββββββββ¬ββββββββ ββββββββββββ¬βββββββββββββ
β β
βββββββββββββ¬βββββββββββββ
βΌ
βββββββββββββββββββ
β 3. Body Agent β β LLM scans for urgency, brand
ββββββββββ¬βββββββββ impersonation, homoglyph domains
β
βΌ
βββββββββββββββββββ
β 4. IOC Extract β β Pulls IPs, URLs, domains as
ββββββββββ¬βββββββββ Indicators of Compromise
β
βΌ
βββββββββββββββββββ
β 5. Scoring β β Weights 12 indicators β 0β100
ββββββββββ¬βββββββββ threat score
β
βΌ
βββββββββββββββββββ
β 6. Report Gen β β GPT-4o writes analyst narrative
ββββββββββ¬βββββββββ
β
βΌ
βββββββββββββββββββ
β 7. SQLite Save β β Stores analysis for history tab
ββββββββββ¬βββββββββ
β
βΌ
π Streamlit Dashboard
| Layer | Technology | Why We Chose It |
|---|---|---|
| AI Agent Framework | LangGraph | LangGraph (a LangChain extension for building stateful, multi-actor applications) lets us define complex agent workflows as graphs with conditional edges, making the pipeline modular and easy to extend |
| Language Model | OpenAI GPT-4o | GPT-4o provides excellent reasoning for security analysis tasks while supporting structured output via function calling, ensuring consistent data formats |
| Web Dashboard | Streamlit | Streamlit (a Python library for creating data apps) allows rapid UI development without writing HTML/JavaScript, perfect for data-heavy security tools |
| Charts | Plotly | Plotly creates interactive, publication-quality visualizations that render beautifully in browsers and export cleanly to images |
| Email Parsing | Python email stdlib |
Python's built-in email library handles MIME (Multipurpose Internet Mail Extensions) encoding, attachments, and header parsing without external dependencies |
| Data Storage | SQLite | SQLite (a serverless, self-contained database engine) requires zero setup, stores data in a single file, and handles thousands of analyses without configuration |
| Config/Secrets | python-dotenv + st.secrets | python-dotenv loads API keys from .env files locally; st.secrets manages them securely in Streamlit Cloud β keeping credentials out of code |
| Language | Python 3.11+ | Python 3.11 offers better error messages, faster performance, and modern typing features that make complex agent code more maintainable |
| # | Indicator | Category | Max Score | Plain English Explanation |
|---|---|---|---|---|
| 1 | SPF Check | Header | 10 | SPF (Sender Policy Framework) β verifies the email came from an authorized mail server for the sender's domain; failure suggests spoofing |
| 2 | DKIM Check | Header | 10 | DKIM (DomainKeys Identified Mail) β validates a cryptographic signature proving the email wasn't modified after being sent |
| 3 | DMARC Check | Header | 10 | DMARC tells email providers what to do with messages that fail authentication; absence means no enforcement policy |
| 4 | Reply-To Mismatch | Header | 10 | When the "Reply-To" address differs from the "From" address, scammers may be redirecting responses to a different account |
| 5 | Return-Path Mismatch | Header | 10 | The Return-Path (where bounced emails go) should match the sender; mismatches indicate potential spoofing |
| 6 | Suspicious IP Chain | Header | 10 | Traces the path through mail servers (IP hops); blacklisted IPs or unexpected geographic routes raise flags |
| 7 | Message-ID Anomaly | Header | 10 | Legitimate emails have properly formatted Message-IDs; suspicious patterns may indicate mass spam tools |
| 8 | Urgency Signals | Body (AI) | 10 | Phrases creating artificial pressure like "Immediate action required" or "24 hours only" β classic manipulation tactics |
| 9 | Credential Harvesting Cues | Body (AI) | 10 | Requests for passwords, credit card numbers, or account verification β legitimate services rarely ask for these via email |
| 10 | Brand Impersonation | Body (AI) | 10 | Emails claiming to be from banks, tech companies, or government agencies that use unofficial domains or slight name variations |
| 11 | Suspicious Link Analysis | Body (AI) | 10 | URLs that redirect through trackers, use URL shorteners to hide destinations, or contain typos of real domains |
| 12 | Homoglyph Domain Detection | Body (AI) | 10 | Internationalized domain names using visually similar Unicode characters (Cyrillic 'Π°' vs Latin 'a') to impersonate trusted brands |
THREAT SCORE LEGEND
βββββββββββββββββββββββββββββββββββββββββ
0 β 20 β β
Safe β No significant indicators found
21 β 45 β β οΈ Suspicious β Minor anomalies, exercise caution
46 β 74 β π¨ Likely Phishing β Multiple strong indicators present
75 β 100 β β οΈ Critical β High-confidence phishing attack
βββββββββββββββββββββββββββββββββββββββββ
The main dashboard showing a Plotly gauge chart with threat score 87/100 (Critical), four metric cards, and a radar chart plotting all 12 indicator scores.
Threat Analysis Tab
The IOC (Indicator of Compromise) report tab showing extracted malicious URLs, sender IPs, and suspicious domains in a sortable table with CSV export.
IOC Report Tab
The history tab showing the last 20 email analyses stored in SQLite, with timestamps, threat scores, and clickable rows to reload past results.
Analysis History Tab
Before you begin, ensure you have:
- Python 3.11 or higher β Download from python.org
- pip β Python's package installer (included with Python 3.4+)
- OpenAI API Key β Get yours at OpenAI (requires account creation and billing setup)
# Step 1: Clone the repository
git clone https://github.com/AnandSundar/phishsentinel.git
cd phishsentinel
# Step 2: Create a virtual environment
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Step 3: Install dependencies
pip install -r requirements.txt
# Step 4: Set your OpenAI API key
cp .env.example .env
# Edit .env and add: OPENAI_API_KEY=your_key_here
# Step 5: Run the app
streamlit run app.pyThe app will open at http://localhost:8501 in your browser.
π‘ Pro Tip: Test the app immediately using the included sample email:
samples/sample_phish.eml
phishsentinel/
β
βββ π app.py # Streamlit UI entry point β run this to start the app
β
βββ π€ agent/
β βββ __init__.py
β βββ graph.py # LangGraph StateGraph β defines the AI agent pipeline
β βββ nodes.py # 7 agent node functions (the "workers" in the pipeline)
β βββ state.py # Shared data structure passed between agents
β βββ schemas.py # Data models for structured AI output (Pydantic)
β
βββ π οΈ utils/
β βββ email_parser.py # Reads and extracts raw email components
β βββ homoglyph.py # Detects lookalike Unicode characters in domains
β βββ scoring.py # Converts indicator results into 0β100 threat score
β βββ db.py # SQLite database read/write helpers
β
βββ π data/
β βββ phishsentinel.db # Auto-created SQLite database (analysis history)
β
βββ π§ samples/
β βββ sample_phish.eml # Demo phishing email β use this to test the app instantly
β
βββ πΈ docs/screenshots/ # Dashboard screenshots for this README
β
βββ .env.example # Template for your API key config
βββ requirements.txt # Python package dependencies
βββ README.md # You are here
PhishSentinel is designed with privacy as a core principle:
Emails are analyzed in memory and never stored. Only the analysis results (threat scores, extracted IOCs, summary text) are saved to the local SQLite database. The original email content is discarded after processing completes. This means sensitive email content stays ephemeral β there is no growing archive of private communications on your server.
Your OpenAI API key is protected through multiple layers:
- Local development: Stored in
.envfile (which is gitignored by default) - Production deployment: Managed via
st.secretsin Streamlit Cloud - Never in code: The application reads from environment variables, keeping credentials out of version control
PhishSentinel runs entirely on your own machine or private server. Emails are sent to only two places:
- Your local SQLite database β for history storage
- OpenAI's API β for AI analysis (via encrypted HTTPS connection)
No third-party analytics, no external logging services, no data brokers.
According to OpenAI's API data usage policy, data sent through the API:
- Is NOT used to train OpenAI's models
- Is retained temporarily only for abuse monitoring (up to 30 days for enterprise, shorter for standard)
- Can be zero retention for eligible enterprise customers
β οΈ Important: Do not analyze emails containing sensitive personal data (SSNs, medical records, passwords) unless you have reviewed OpenAI's data usage policy and your organization's data handling requirements.
Phishing is the #1 cyber threat facing businesses today. According to the FBI's Internet Crime Complaint Center, phishing attacks cost organizations over $3.5 billion annually. In 2026, AI-generated phishing emails have become nearly impossible to distinguish from legitimate communications β even security professionals fall for sophisticated attacks.
Yet most companies still rely on basic spam filters that use simple keyword matching. They need intelligent tools that understand context, detect nuanced deception, and provide actionable intelligence β exactly what PhishSentinel delivers.
Building PhishSentinel required mastery of eight critical engineering skills:
- π€ AI Agent Architecture β Designed a multi-node agent system using LangGraph with conditional branching and state management
- π LLM Integration β Integrated OpenAI GPT-4o with structured output schemas for reliable, parseable results
- π Cybersecurity Domain Knowledge β Implemented SPF/DKIM/DMARC authentication checks and IOC extraction patterns used by enterprise SOC teams
- π Data Visualization β Created interactive Plotly charts (gauge, radar) that communicate threat data intuitively
- ποΈ Database Design β Built a SQLite-backed history system with proper schema design and query optimization
- π§ͺ Input Validation β Handled raw email parsing, file uploads, and edge cases in user-provided data
- π Full-Stack Development β Delivered a complete application from backend AI agents to frontend dashboard
- π Technical Documentation β Produced clear README and inline documentation for maintainability
PhishSentinel mirrors the architectural patterns found in commercial threat intelligence platforms costing $50,000+ per year:
- Agent Graphs β Modular AI components that can be extended or replaced independently
- Structured LLM Output β Using Pydantic schemas to ensure AI responses are machine-parseable
- IOC Extraction β Automated threat indicator harvesting for integration with SIEM (Security Information and Event Management) tools
- Scoring Algorithms β Weighted multi-factor analysis rather than binary yes/no decisions
π― Bottom line: PhishSentinel is not a tutorial project. It is a working security tool built with the same architectural patterns (agent graphs, structured LLM output, IOC extraction) used in enterprise threat intelligence platforms costing tens of thousands of dollars per year.
| Feature | Status | Target |
|---|---|---|
| Core 12-indicator analysis | β Complete | v1.0 |
| Streamlit dashboard | β Complete | v1.0 |
| SQLite history | β Complete | v1.0 |
| VirusTotal API integration (URL scanning) | π In Progress | v1.1 |
| Bulk .eml folder analysis | π Planned | v1.1 |
| Slack/Teams alert webhook | π Planned | v1.2 |
| PDF report export | π Planned | v1.2 |
| Multi-language phishing detection | π‘ Idea | v2.0 |
| Outlook add-in integration | π‘ Idea | v2.0 |
Status Key:
- β Complete β Ready to use
- π In Progress β Currently being developed
- π Planned β Scheduled for upcoming release
- π‘ Idea β Under consideration
We welcome contributions from the security and AI community!
- Fork the Repository: Click the "Fork" button on GitHub
- Create a Branch:
git checkout -b feature/your-feature-name - Make Changes: Write code, add tests, update docs
- Commit:
git commit -m "Add: your feature description" - Push:
git push origin feature/your-feature-name - Pull Request: Open a PR with a clear description of changes
- Formatting: Use Black (
black .) - Type Hints: All functions must have type annotations
- Docstrings: Google-style docstrings for all public functions
- Tests: Include tests for new indicators or features
Want to make PhishSentinel smarter? Here's how to add a new detection indicator:
- Define the Logic: Create a function in
utils/(e.g.,utils/new_detector.py) - Add to Pipeline: Import and call your function in
agent/nodes.py(in the appropriate agent node) - Update State: Add the new indicator to
agent/state.py(inPhishingAnalysisState) - Update Scoring: Add weight to
utils/scoring.py(INDICATOR_WEIGHTS) - Update Schema: Add to
agent/schemas.py(inIndicatorResultor similar) - Update UI: Add visualization in
app.py
Follow the node pattern: Each agent node receives the current state, performs analysis, and returns an updated state. The graph handles passing data between nodes.
This project is licensed under the MIT License β see the LICENSE file for details.
- β Commercial use allowed
- β Modification allowed
- β Distribution allowed
- β Private use allowed
β οΈ No warranty provided
- GitHub: @AnandSundar
- LinkedIn: Anand Sundar
- Email: anandsundar96@gmail.com
Built with β and too much threat intelligence
π΅οΈ Stay suspicious. Stay safe.