PhishGuard Blueprint

Analyze suspicious emails without making users read mail headers.

PhishGuard turns pasted email text, headers, links, and .eml evidence into a risk score, plain-English explanation, and training-friendly report.

Safety boundary: do not automatically open, crawl, screenshot, or detonate links in the MVP. Parse evidence, defang URLs, warn users not to click, and treat scoring as suspicion guidance rather than proof of maliciousness.

Paste, parse, explain, export

Inputs

Email body, raw headers, copied links, and optional .eml upload. Keep all samples local or clearly mark what is stored.

Outputs

Risk score, sender analysis, link analysis, language pressure, authentication findings, and a simple user recommendation.

Reports

Individual analysis report, team training summary, common red flags, and reusable examples for awareness sessions.

Make the score explainable

Sender

Identity mismatch

Display-name spoofing, reply-to mismatch, free-mail impersonation, suspicious TLD, lookalike domain, and domain mismatch.

Links

Destination risk

Shorteners, punycode, IP address URLs, HTTP links, mismatched anchor text, redirect chains, and suspicious login paths.

Content

Pressure language

Urgency, threat wording, credential request, fake invoice, financial pressure, attachment request, unusual tone, and grammar anomalies.

Headers

Authentication clues

SPF, DKIM, DMARC, return-path mismatch, received-chain surprises, and mail provider warnings.

Keep the MVP safe and useful

Do first: Static analysis

Parse text, headers, and URLs; defang links; show evidence cards; export a report.
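
The static checks described above, as an added example that is not PhishGuard's own code: it parses a pasted message, defangs every URL, and returns evidence cards for sender, header, and link signals without fetching or resolving anything. The function names, the card tuple layout, the shortener list, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed starter list
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def defang(url):
    """Rewrite a URL so it cannot be clicked when shown in a report."""
    url = re.sub(r"^http", "hxxp", url, flags=re.I)
    return url.replace("://", "[://]", 1).replace(".", "[.]")

def domain_of(header_value):
    """Domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    """Static checks only: nothing is fetched, resolved, or opened."""
    msg = message_from_string(raw)
    cards = []  # evidence cards: (category, signal, matched evidence)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply and reply != sender:
        cards.append(("Sender", "reply-to mismatch", f"{sender} vs {reply}"))
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            cards.append(("Headers", f"{mech} not passing", m.group(0)))
    for url in URL_RE.findall(msg.get_payload()):  # assumes single-part text
        host, shown = urlsplit(url).hostname or "", defang(url)
        checks = {
            "HTTP link": url.lower().startswith("http://"),
            "shortener": host in SHORTENERS,
            "IP address URL": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)),
            "punycode": any(p.startswith("xn--") for p in host.split(".")),
        }
        cards += [("Links", name, shown) for name, hit in checks.items() if hit]
    return cards

# Constructed sample message using reserved example domains and addresses.
SAMPLE = """\
From: "IT Helpdesk" <it-support@example.com>
Reply-To: helpdesk@example.net
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

Sign in at http://192.0.2.10/login or https://xn--exmple-cua.example/reset
"""
```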

Do later: Sandbox links

Only add screenshots or detonation with strong isolation, consent, and abuse controls.

Success metric: Explanation quality

A non-technical user can understand why the email is suspicious and what to do next.

Monetization: Teams and training

Paid team dashboard, reporting button, awareness reports, and campaign simulator.

Make the answer useful for a person, not just a score

Executive result

Likely phishing, suspicious, probably safe, or needs review, with a short reason and a recommended action.

Evidence table

Sender, links, language, and authentication clues with matched evidence and confidence notes.

User guidance

Do not click, report to security, verify through another channel, or request helpdesk review.

Training note

Turn the red flags into a reusable awareness example without exposing sensitive mailbox content.