Inspiration

Every day, 3.4 billion phishing emails are sent worldwide. Most people can't tell a fake URL from a real one — and the tools that security professionals use are too technical for everyday users. We built PhishGuard to close that gap: a tool that gives anyone instant access to professional-grade threat intelligence, explained in language you don't need a security degree to understand.

What It Does

PhishGuard analyzes any URL and delivers a comprehensive threat report in under 10 seconds:

  • Threat Score (0–100) — A weighted composite score across 5 signal categories
  • AI Analyst Verdict — Groq AI (Llama 3.3 70B) synthesizes all findings into a plain-English paragraph, like having a security analyst on call
  • 90+ Vendor Scan — Cross-references VirusTotal's entire vendor database simultaneously
  • Domain Intelligence — RDAP/WHOIS lookup reveals domain age (a brand-new domain is a huge red flag), registrar, and country
  • URL Structure Analysis — Detects homoglyph attacks (paypa1.com vs paypal.com), suspicious TLDs, brand impersonation in subdomains, entropy scoring, and 12+ other structural signals
  • IP & Server Intel — Geolocates the hosting server, identifies the ISP, and flags datacenter IPs often used for anonymous phishing infrastructure
  • Google Safe Browsing + URLhaus — Real-time checks against Google's and abuse.ch's threat databases
  • Phishing Education Hub — Interactive quiz and visual breakdown of 6 common phishing tactics

Verdict classifications: 🟢 SAFE · 🔵 LOW RISK · 🟡 SUSPICIOUS · 🟠 LIKELY PHISHING · 🔴 CONFIRMED THREAT

How We Built It

The architecture has two main layers:

Analysis Engine (urlAnalysis.js + apiService.js): All threat checks run in a sequential pipeline via a custom useScanner hook. URL structure analysis runs locally (no API needed), then domain/IP lookups, then external threat feeds in parallel, and finally the Groq AI call, which receives a structured JSON summary of all findings and returns a narrative verdict.
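
The local URL-structure stage can be illustrated with a few of the signals listed earlier (look-alikes such as paypa1.com, brand names in subdomains, suspicious TLDs, entropy scoring). This is an added example, not PhishGuard's urlAnalysis.js: the brand list, TLD list, look-alike map, thresholds and function names are assumptions, and the punycode check goes beyond the signals the page names.

```javascript
// Added example: local URL-structure checks. All lists and thresholds are illustrative assumptions.
const BRANDS = ["paypal", "google", "microsoft", "apple", "amazon"]; // assumed watch list
const RISKY_TLDS = new Set(["zip", "top", "xyz", "tk"]);               // assumed list
const LOOKALIKES = { "0": "o", "1": "l", "3": "e", "5": "s" };         // digit -> letter it imitates

// Shannon entropy in bits per character; machine-generated labels score high.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Map digit look-alikes back to letters: "paypa1" -> "paypal".
function deconfuse(label) {
  return [...label].map((ch) => LOOKALIKES[ch] || ch).join("");
}

// Returns a list of signal names for one URL (throws on an unparsable URL).
function analyzeUrlStructure(rawUrl) {
  const host = new URL(rawUrl).hostname.toLowerCase();
  const labels = host.split(".");
  const tld = labels[labels.length - 1];
  // Naive registrable-domain guess; a real tool would use the Public Suffix List (co.uk etc.).
  const registrable = labels[labels.length - 2] || "";
  const subdomains = labels.slice(0, -2);
  const signals = [];

  // The URL parser encodes non-ASCII hostnames as punycode, which covers Unicode look-alikes.
  if (labels.some((l) => l.startsWith("xn--"))) signals.push("punycode");

  const plain = deconfuse(registrable);
  if (plain !== registrable && BRANDS.includes(plain)) signals.push(`homoglyph:${plain}`);

  for (const brand of BRANDS) {
    if (registrable !== brand && subdomains.some((l) => l.includes(brand))) {
      signals.push(`brand-in-subdomain:${brand}`);
    }
  }
  if (RISKY_TLDS.has(tld)) signals.push("suspicious-tld");
  if (registrable.length >= 10 && shannonEntropy(registrable) > 3.5) signals.push("high-entropy");
  return signals;
}
```

Each signal would then feed the weighted score; a legitimate internationalized domain also trips the punycode check, so it should carry a low weight on its own.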

Frontend (React + Tailwind CSS): Built with a custom dark design system — deep navy backgrounds, electric cyan accents, and verdict-specific glow colors. Key UI moments: an animated radar scanning progress screen, a radial SVG threat gauge that fills on load, and a tabbed report layout (Overview, Threat Feeds, Domain & IP, URL Structure). A particle network canvas runs in the background.

Groq Integration: After all signals are collected, we send a structured summary to Groq's Llama 3.3 70B model with a system prompt instructing it to act as a senior cybersecurity analyst. The response arrives in under 1 second — fast enough to feel like a live analysis.

Challenges We Faced

  • CORS restrictions — Most threat intelligence APIs don't allow direct browser calls. We handled this with a combination of CORS-friendly endpoints (URLhaus, ip-api.com, RDAP) and carefully structured VirusTotal requests.
  • No false confidence — Designing the scoring algorithm to avoid both false positives (legitimate sites flagged) and false negatives (phishing sites missed) required careful weight tuning across 5 signal categories.
  • Making it understandable — The hardest UX challenge wasn't the data — it was presenting raw threat signals in a way that a non-technical user immediately understands. The Groq AI narrative layer was the key breakthrough here.

What We Learned

  • Domain age is one of the strongest single phishing indicators — most phishing domains are under 30 days old
  • Groq's inference speed (sub-second responses) makes real-time AI analysis genuinely viable in a web app
  • The gap between "technically flagged" and "human-understandable" is enormous — and closing it is where the real security value lives

What's Next

  • Browser extension for inline URL warnings while browsing
  • Email header analyzer (SPF/DKIM/DMARC validation)
  • Bulk URL scanning for security teams
  • API endpoint for developers to integrate PhishGuard into their own tools
