Phish.Report vs OpenBait
Phish.Report is a free utility for filing single phishing-URL takedowns to registrars and hosts. OpenBait is a continuous anti-phishing platform that uses Phish.Report as one of several channels and adds the detection, monitoring, and defensive layers around it. If you only need the submit step, Phish.Report alone is enough. If you need detection and orchestration, OpenBait wraps it.
Phish.Report
Free + Trusted Reporter tier
Single-purpose takedown utility. Free API for submitting URLs to registrars and hosting providers. Excellent for one-off submissions when you already know the malicious URL.
OpenBait
$0 / $79 / $299 / $999+ per month
Anti-phishing SaaS. Calls Phish.Report's API as our primary registrar/host channel and adds CT log monitoring, canary tokens, user-side SDK, and orchestration across browser blocklists. Self-serve, JP-localized.
Where they overlap, where they don't
We use Phish.Report internally — this isn't a takedown of their product. The table below distinguishes "single-step takedown" from "continuous brand-protection workflow", which is the actual axis between the two tools.
| Phish.Report | OpenBait |
| --- | --- |
| Free tier, the core thing it does | Wraps Phish.Report API + adds Web Risk, SmartScreen, Safe Browsing, ThreatFox, VirusTotal channels |
| You bring URLs to it — no detection layer | CT logs + NRD feeds + dnstwist run continuously |
| Per-submission case page, no org workspace | Multi-channel cases, evidence package, takedown lifecycle states |
| Single-channel by design | Phish.Report + Web Risk + Safe Browsing + SmartScreen + ThreatFox + VirusTotal in one case |
| | Fires when attacker clones the site — earliest possible warning |
| | Detects and warns users arriving from known phishing referrers |
| Stops once the takedown is filed | Polls reachability, reopens cases when the kit comes back |
| | Owner / admin / member roles, 28 RBAC permissions |
| Free, with paid Trusted Reporter tier | Free / $79 / $299 / $999+ per month |
| EN only | Native JP + annual contracts + bank transfer + invoice payment |
Stick with Phish.Report alone if...
- You already have a feed of malicious URLs from another source
- You only need the takedown-submission step, not detection or orchestration
- A single user is filing reports occasionally — no team or audit-trail need
- You operate in English-only and don't need invoice / bank-transfer billing
Pick OpenBait if...
- You need to find phishing sites — not just submit URLs you already have
- You want one case page that fans out to Phish.Report + browser blocklists + threat feeds
- You want canary tokens on your real site and a user-side SDK warning real visitors — Phish.Report doesn't ship these
- You need org workspaces, RBAC, and an audit trail for security review
- You need Japanese UI + annual contracts + bank transfer / invoice payment
FAQ
- Is Phish.Report a competitor to OpenBait?
- Phish.Report is a free utility for filing single phishing-URL takedowns to registrars and hosting providers, plus a Trusted Reporter tier. OpenBait uses the Phish.Report API as one of several takedown channels and wraps it with continuous monitoring (CT logs, NRD feeds, dnstwist), per-org case workspaces, canary tokens, a user-side JavaScript SDK, and orchestration across browser blocklists. They overlap on the takedown-submission step — if that's the only thing you need, Phish.Report alone is enough.
- What does Phish.Report do well that I should keep using it for?
- Phish.Report is excellent for one-off takedown submissions when you already have the malicious URL, want minimal infrastructure, and don't need a workflow around it. The API is clean, the response is fast, and the Trusted Reporter tier gives you priority handling. OpenBait actually relies on Phish.Report for that exact step — we re-export every successful submission's case ID back into our timeline.
- What does OpenBait add on top of Phish.Report?
- Three layers. (1) Detection: Phish.Report doesn't tell you that a phishing site exists — you have to find it yourself. OpenBait monitors CT logs, NRD feeds, and dnstwist permutations continuously and surfaces lookalike candidates in your workspace. (2) Multi-channel orchestration: a single OpenBait case ships to Phish.Report and Google Web Risk and Microsoft SmartScreen and ThreatFox and VirusTotal, with per-channel status sync. (3) Defensive layer: canary tokens fire when attackers clone your site, and our SDK warns real users arriving from phishing pages. Phish.Report does none of this.
- When is Phish.Report alone enough?
- When you (a) already have a list of phishing URLs from another source, (b) only need the takedown step, (c) don't need org workspaces or audit history, and (d) operate in English. If any of those is false — especially if you need to detect phishing in the first place or to coordinate response across browser blocklists — you'll outgrow Phish.Report alone within the first month.
- Can I use both?
- Yes — and we encourage it. OpenBait already calls Phish.Report's API as our primary registrar/host takedown channel. If you're a Phish.Report power user with a Trusted Reporter key, you can plug it into OpenBait so all our submissions inherit your reputation. Nothing about adding OpenBait makes Phish.Report less useful.
Try the OpenBait detection layer for free
Paste a brand domain and we'll show you the lookalike candidates Phish.Report can't — for free, with no signup. If anything looks worth filing, OpenBait already wires Phish.Report into the takedown step.