Architecture explainer

How OpenBait actually works

The homepage shows three pillars; this page explains how each one runs in production, plus four typical user journeys turned into step-by-step playbooks.

Offense · Find

Offense — find them before they fire

OpenBait doesn't wait for reports. It pulls Certificate Transparency logs, NRD feeds, and dnstwist permutations 24/7, and the moment an attacker registers a new lookalike domain it lands in the queue.

Mechanism

  • CT logs ingested every minute — every new SSL cert with a brand-similar host gets pulled in
  • NRD feed crossed with dnstwist mutations (homoglyph / TLD swap / character substitution) so coverage is layered, not single-source
  • AI classifier marks each candidate page for login-form / credential-theft signal so analysts triage what matters first

Outcome

  • New lookalike domains surfaced within 24 hours of registration
  • 1,000+ candidates analysed every 30 days in production
  • Severity, LIVE state, and action priority pre-sorted in the queue
Defense · Trap

Defense — catch the clone the moment it's built

Embed a Canary token in your real site and it fires the moment an attacker scrapes or clones it. A JavaScript SDK on top warns real users who arrive on the clone via phishing email — your last-mile defensive layer.

Mechanism

  • Six token types — beacon / DNS / QR / email / pixel / clone-detection — pick the one that fits the attacker's TTPs
  • Every trigger fires console + webhook + email; per-token notification routes mean critical tokens go to PagerDuty while low-priority hit a digest
  • User-side JS SDK detects phishing referrers and shows a warning — installation is one line on your real site, not on the attacker's

Outcome

  • Earliest possible warning — fires the second the attacker scrapes, before the campaign goes live
  • Last-mile user protection — even a successful phishing email gets warned in the browser
  • Memcyco-class deception layer at mid-market price, run in-house
Support · Take down

Support — six takedown channels in parallel

Once you have a confirmed phishing site, OpenBait fans the takedown out across Phish.Report, Google Web Risk, Microsoft SmartScreen, Safe Browsing, VirusTotal, and abuse.ch — one case page, synced status across all six.

Mechanism

  • One case ID submits to six channels in parallel; each lane's status syncs back automatically
  • Registrar and hosting abuse contacts auto-resolved from RDAP + Abusix (Cloudflare and similar proxies are detected and bypassed)
  • Public no-signup endpoint at /report/takedown lets anyone file a takedown by URL paste — useful for incident-response moments where account creation isn't the first move

Outcome

  • Takedown velocity 2-3x single-channel because all six channels run in parallel
  • No more hand-resolving registrar abuse contacts per case
  • Shareable case page with full timeline for handing off to CSIRT or auditors
User journeys

Four mental states, four shortest paths

Whatever brought you here today, you're probably in one of four mental states. Here's the fastest action path for each.

Acute

I have a phishing URL — file a takedown now

  1. 1Open /report/takedown, paste URL, drop your email, hit submit. Phish.Report begins the multi-channel fan-out within seconds.
  2. 2Case ID and tracking URL arrive by email — share the URL with your team or auditor for status visibility.
  3. 3If the attack repeats, file again the same way. If it's continuous, upgrade to a workspace for monitoring + canary defense.
Submit a takedown now
Proactive

Find clones of my brand before they hit anyone

  1. 1Drop your brand domain into /report. Within 30 seconds you see lookalike candidates with severity and LIVE status.
  2. 2File takedowns one by one for the urgent ones, or create a free workspace to convert the scan into continuous monitoring.
  3. 3Monitoring fires email + Slack + webhook the moment a new lookalike is registered.
Run a free scan
Defense

Know the moment my site gets cloned

  1. 1Create a Canary token in the console (beacon recommended), paste a single line of HTML on your real site.
  2. 2Attacker scrapes or clones the page — token fires immediately. Console + email + webhook notification.
  3. 3Click through to the case, then escalate via the support line to all six takedown channels.
See Canary plans
User shield

Warn real users on the phishing page

  1. 1Create an SDK token in the console, paste one line of JS on your real site (npm or CDN, your choice).
  2. 2Visitors arriving on your real site via phishing referrers see a warning in their browser — last-mile defense.
  3. 3Trigger events are recorded in the SDK event log so you can map attacker campaigns and decide next-step playbook moves.
SDK install guide
Next step

Start small, layer defenses as you go

Free tier first; turn on each line as it becomes relevant. No credit card, no commitment, pause anytime.

How OpenBait works — Offense × Defense × Support architecture