Inspiration

When the world entered the computer and internet era, fraud became easier and more scalable. That shift gave rise to an entire field dedicated to protecting digital systems — cybersecurity.

Now we are stepping into another transformation: the era of Artificial Intelligence. AI can generate emails, build websites, write code, and even mimic human tone convincingly. While this progress is impressive, it also introduces a serious problem. Phishing and online fraud are becoming more sophisticated and harder to detect.

Traditional spam filters depend heavily on obvious keywords and static blacklists. But AI-generated scams are different. They are polished, grammatically correct, and psychologically persuasive. They don’t look suspicious at first glance.

This shift inspired us to build Threat Scope — a system designed to detect AI-driven fraud patterns instead of relying only on outdated spam signals.

We wanted something practical, explainable, and privacy-focused — not just another API wrapper.

What it does

Threat Scope is a browser extension backed by a detection engine that analyzes:

  • Suspicious websites
  • Phishing emails
  • Malicious scripts and obfuscated code
  • Potentially dangerous downloads
  • High-risk image links

It assigns a risk score (0–100), categorizes the threat type (phishing, piracy, malware, safe), and provides clear explanations for why something was flagged.

Instead of just saying “unsafe,” it shows what triggered the alert — such as brand impersonation, urgency patterns, encoded scripts, or suspicious domains.

The rule-based engine runs locally, so core detection keeps working offline and the extension does not transmit sensitive user data to external services; the one exception is the semantic layer, which sends page or message text to an outside AI API, and its absence does not stop the rule-based engine from returning a verdict.

How we built it

We built Threat Scope as a modular system combining a browser extension with a backend analysis engine.

The browser extension is responsible for collecting relevant information from webpages and emails, such as the URL, visible text, page title, and embedded scripts. Instead of performing heavy analysis inside the browser, the extension sends structured data to a backend server built using Node.js and Express.
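As an added example (not Threat Scope's own extension code), the following content-script functions show one way to build that structured record and post it to the backend while collecting nothing beyond page-derived fields. The field names, the size caps, the backend URL and the route are assumptions; the collector takes document and location objects as parameters so it can be exercised outside a browser.

```javascript
// Added example (not Threat Scope's own code): what a content script might
// collect and post to the backend. Record fields, size caps, backend URL and
// route are assumptions; document/location are parameters so the collector
// can also run outside a browser.
const MAX_TEXT = 8000;      // cap visible text so a huge page cannot flood the backend
const MAX_SCRIPT = 20000;   // cap each inline script body
const MAX_LINKS = 200;

function collectPageRecord(doc, loc) {
  // Only page-derived fields are collected: no cookies, no storage and no form
  // field values, so a password the user typed never leaves the tab.
  const scripts = Array.from(doc.querySelectorAll('script:not([src])'))
    .map(s => (s.textContent || '').slice(0, MAX_SCRIPT))
    .filter(Boolean);
  const links = Array.from(doc.querySelectorAll('a[href]'))
    .map(a => {
      // Resolve relative hrefs against the page URL; drop anything that is not http(s).
      try { return new URL(a.getAttribute('href') || '', loc.href).href; } catch { return ''; }
    })
    .filter(h => /^https?:/i.test(h))
    .slice(0, MAX_LINKS);
  return {
    url: loc.href,
    title: (doc.title || '').slice(0, 300),
    text: ((doc.body && doc.body.innerText) || '').slice(0, MAX_TEXT),
    scripts,
    links,
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
  };
}

async function sendForAnalysis(record, endpoint = 'http://127.0.0.1:3000/analyze') {
  // Backend origin and route are assumed; the extension must list the origin
  // in its host permissions for the fetch to be allowed.
  const res = await fetch(endpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(record),
    credentials: 'omit',   // never attach cookies to the analysis request
  });
  if (!res.ok) throw new Error(`analysis backend returned HTTP ${res.status}`);
  return res.json();       // expected: { score, category, confidence, explanations }
}

// In the extension this would run from the content script on page load, e.g.
// sendForAnalysis(collectPageRecord(document, location)).then(showVerdict);
```

Input values are never read, cookies are omitted from the request, and both text and scripts are truncated, which keeps the request close to the minimum the rule checks need and makes the privacy claim above something that can be verified by reading one function.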

The backend acts as the core detection engine. We implemented a hybrid approach that combines rule-based heuristics with AI-powered semantic analysis.

First, we built structural detection layers that analyze:

  • URL patterns and suspicious domains
  • Brand impersonation and typosquatting
  • High-risk top-level domains
  • Credential harvesting indicators
  • Malicious JavaScript patterns and obfuscation
  • Suspicious file extensions and downloads

These rule-based checks provide a baseline risk score and ensure the system can detect obvious structural threats.
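As an added example, not Threat Scope's own code, here is a rule-based structural scorer in Node-style JavaScript that implements the six check families listed above and adds a piracy cue so that the page's "piracy" category has a structural source. The input record shape ({url, title, text, scripts, links, passwordFields}), the brand and TLD lists, the regexes, every weight and threshold, and the classification rule are assumptions chosen for illustration.

```javascript
// Added example (not Threat Scope's own code): a rule-based structural scorer
// covering the check families listed above. The record shape, brand/TLD lists,
// regexes, weights and thresholds are all illustrative assumptions.
const BRANDS = ['paypal', 'microsoft', 'google', 'apple', 'amazon', 'netflix'];
const RISKY_TLDS = new Set(['zip', 'xyz', 'top', 'tk', 'click', 'icu']);
const RISKY_EXT = /\.(exe|scr|vbs|hta|bat|cmd|iso|apk|jar)$/i;
const CRED_TEXT = /\b(verify your account|confirm your (?:password|identity)|enter your (?:password|pin|one[- ]time code)|security code)\b/i;
const PIRACY_TEXT = /\b(?:cracked?|keygen|serial key|torrent|warez)\b/i;
const OBFUSCATED_JS = [
  [/\beval\s*\(\s*(?:atob|unescape|String\.fromCharCode)\b/, 'eval() of a decoded payload'],
  [/(?:\\x[0-9a-f]{2}){16,}/i, 'long hex-escaped string'],
  [/['"][A-Za-z0-9+/]{200,}={0,2}['"]/, 'large base64 blob literal'],
  [/document\.write\s*\(\s*unescape\s*\(/, 'document.write(unescape(...))'],
];

// Levenshtein distance; only ever called on short domain labels.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return dp[a.length][b.length];
}

// input: the structured record the extension would post, assumed here as
// { url, title, text, scripts: [string], links: [string], passwordFields: number }
function analyzeStructure(input) {
  const signals = [];
  const add = (family, reason, weight) => signals.push({ family, reason, weight });
  const url = String(input.url || '');

  let host = '';
  try { host = new URL(url).hostname.toLowerCase(); }
  catch { add('url', 'URL does not parse', 25); }
  const labels = host.split('.').filter(Boolean);
  const tld = labels[labels.length - 1] || '';
  const sld = labels[labels.length - 2] || ''; // naive registrable label; ignores co.uk-style suffixes

  // 1. URL patterns
  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(host)) add('url', 'raw IP address as host', 25);
  if (labels.length >= 5) add('url', `deeply nested host (${labels.length} labels)`, 10);
  if (sld.startsWith('xn--')) add('url', 'punycode (IDN) registered domain', 15);
  if (url.includes('@')) add('url', '"@" in URL (userinfo trick)', 20);

  // 2. Brand impersonation and typosquatting (skipped when the registered label IS the brand)
  if (!BRANDS.includes(sld)) {
    for (const brand of BRANDS) {
      if (labels.slice(0, -2).some(l => l.includes(brand)))
        add('brand', `"${brand}" appears only in a subdomain of ${sld}.${tld}`, 30);
      else if (sld.length > 3 && editDistance(sld, brand) === 1)
        add('brand', `"${sld}" is one edit away from "${brand}"`, 30);
    }
  }

  // 3. High-risk TLD
  if (RISKY_TLDS.has(tld)) add('url', `high-risk TLD .${tld}`, 15);

  // 4. Credential harvesting: a password form plus text that pushes for credentials,
  //    on a domain that is not itself the brand (keeps genuine login pages out)
  const text = `${input.title || ''} ${input.text || ''}`;
  const hasPasswordForm = (input.passwordFields || 0) > 0;
  const credPrompt = text.match(CRED_TEXT);
  if (hasPasswordForm && credPrompt && !BRANDS.includes(sld))
    add('credential', `password form with credential prompt "${credPrompt[0]}"`, 25);
  if (hasPasswordForm && signals.some(s => s.family === 'brand'))
    add('credential', 'password form on a brand-impersonating domain', 20);

  // 5. Malicious / obfuscated JavaScript (at most one signal per script)
  for (const src of input.scripts || [])
    for (const [re, reason] of OBFUSCATED_JS)
      if (re.test(src)) { add('script', `inline script: ${reason}`, 20); break; }

  // 6. Suspicious downloads (query string stripped before the extension check)
  for (const link of input.links || [])
    if (RISKY_EXT.test(String(link).split(/[?#]/)[0])) add('download', `link to executable ${link}`, 20);

  // 7. Piracy wording, so the "piracy" category has a structural source
  const piracy = text.match(PIRACY_TEXT);
  if (piracy) add('piracy', `piracy wording "${piracy[0]}"`, 15);

  const score = Math.min(100, signals.reduce((sum, s) => sum + s.weight, 0));
  return { score, category: classify(score, signals), signals, explanations: signals.map(s => s.reason) };
}

// Category follows whichever signal family carried the most weight.
function classify(score, signals) {
  if (score < 30) return 'safe';
  const total = fams => signals.filter(s => fams.includes(s.family)).reduce((a, s) => a + s.weight, 0);
  const malware = total(['script', 'download']);
  const piracy = total(['piracy']);
  const phishing = total(['url', 'brand', 'credential']);
  if (malware >= phishing && malware >= piracy) return 'malware';
  return piracy >= phishing ? 'piracy' : 'phishing';
}
```

Each signal carries its own reason string, so the explanation the user sees is simply the list of reasons that fired; the one-edit typosquat threshold is deliberately tight, since allowing two edits would also flag ordinary words such as "apply" against "apple".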

On top of this, we integrated a free AI API to perform semantic analysis of content. This allows the system to evaluate:

  • AI-generated persuasive language
  • Social engineering tone
  • Urgency-based manipulation
  • Bot-style phishing messages

The AI layer improves detection of sophisticated phishing attempts that do not rely on obvious keywords.

We then combine both layers into a final risk score. The structural analysis ensures reliability, while the AI analysis adds contextual understanding. If the AI service fails or is unavailable, the system can still rely on the rule-based engine to provide a result.
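The combination and fallback rule, written out as an added example rather than the project's own code: the semantic layer is modelled as an injected async function so the example runs without any AI API, and the 60/40 weights, the 25-point agreement band, the 3 s timeout and the confidence labels are assumptions.

```javascript
// Added example (not Threat Scope's own code): merging the structural verdict with
// an optional semantic (AI) score and degrading to rules-only when the AI call
// fails, times out or returns a malformed result. Weights, timeout, agreement
// band and confidence labels are illustrative assumptions.
//
// Assumed shapes:
//   structural       : { score: 0-100, category, explanations: [string] }    (rule layer output)
//   semanticAnalyzer : (text) => Promise<{ score: 0-100, reasons: [string] }> (remote AI call)
const STRUCTURAL_WEIGHT = 0.6;
const SEMANTIC_WEIGHT = 0.4;
const AGREEMENT_BAND = 25;   // scores within this many points count as agreeing

function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`semantic layer timed out after ${ms} ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

function combine(structural, semantic) {
  if (!semantic) {
    // Rules only. Keep the structural verdict but never claim high confidence,
    // because the layer that reads tone and intent did not run.
    const decisive = structural.score >= 70 || structural.score < 30;
    return {
      score: structural.score,
      category: structural.category,
      confidence: decisive ? 'medium' : 'low',
      explanations: [...structural.explanations, 'semantic layer unavailable; rules-only verdict'],
      layers: ['structural'],
    };
  }
  const score = Math.round(STRUCTURAL_WEIGHT * structural.score + SEMANTIC_WEIGHT * semantic.score);
  const agree = Math.abs(structural.score - semantic.score) <= AGREEMENT_BAND;
  // If only the semantic layer pushed the page over the line, the evidence is
  // persuasive language rather than code or downloads, so label it phishing.
  let category = structural.category;
  if (score < 30) category = 'safe';
  else if (category === 'safe') category = 'phishing';
  return {
    score,
    category,
    confidence: agree ? 'high' : 'medium',
    explanations: [...structural.explanations, ...semantic.reasons.map(r => `semantic: ${r}`)],
    layers: ['structural', 'semantic'],
  };
}

async function hybridAnalyze(structural, text, semanticAnalyzer, timeoutMs = 3000) {
  let semantic = null;
  try {
    semantic = await withTimeout(semanticAnalyzer(text), timeoutMs);
    const ok = semantic && typeof semantic.score === 'number' &&
      semantic.score >= 0 && semantic.score <= 100 && Array.isArray(semantic.reasons);
    if (!ok) throw new Error('semantic layer returned a malformed result');
  } catch (err) {
    semantic = null;   // any failure degrades to the rule-based verdict
  }
  return combine(structural, semantic);
}
```

The important property is that the AI call can only add evidence and confidence, never block a verdict: a timeout, an HTTP error or an out-of-range score all land in the same rules-only branch, and that branch says so in its explanation list rather than silently reporting a lower-quality result as if both layers had run.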

The system returns:

  • A risk score (0–100)
  • Threat classification
  • Confidence level
  • Human-readable explanation of triggered signals

This hybrid architecture balances intelligence, explainability, and practical deployment constraints.

Challenges we ran into

One major challenge was that AI-generated phishing content is subtle. It doesn’t rely on obvious spam keywords or poor grammar. Instead, it mimics professional tone, structured language, and legitimate communication styles. Detecting these patterns required us to move beyond simple keyword matching and think more about behavioral and contextual signals.

Another challenge was balancing detection sensitivity and false positives. If the system is too strict, legitimate websites and emails get flagged, which reduces user trust. If it is too lenient, real threats can slip through. Finding the right scoring balance between structural checks and AI-based semantic analysis took multiple iterations and testing.

We also faced architectural challenges. Integrating the browser extension with the backend required debugging communication issues, handling port conflicts, and ensuring reliable API responses. Since the system depends on both rule-based logic and AI-based analysis, maintaining smooth interaction between layers was not straightforward.

In addition, making the extension compatible across different browsers was more difficult than expected. Browser extension APIs and permission models differ slightly, which required adjustments in configuration and debugging. So far, we have successfully deployed Threat Scope on two browsers — Firefox and Edge — but ensuring consistent behavior across platforms required careful testing and refinement.

These challenges helped us strengthen both the technical design and the overall reliability of the system.

Accomplishments that we're proud of

One of our biggest accomplishments is building a fully functional browser extension integrated with a backend detection engine. Instead of creating a simple prototype, we developed a working system that performs real-time analysis of websites, emails and scripts.

We are proud of designing a hybrid detection approach that combines structural rule-based analysis with AI-powered semantic understanding. This allows Threat Scope to detect both technical indicators (such as suspicious domains and obfuscated code) and psychological manipulation patterns used in AI-generated phishing.

Another accomplishment is making the system explainable. Instead of showing vague warnings, Threat Scope provides clear risk scores, confidence levels, and specific reasons for why content was flagged. This improves transparency and user trust.

We also successfully deployed the extension on multiple browsers, including Firefox and Edge. Ensuring compatibility across platforms required careful debugging and adaptation.

Most importantly, we built a solution that addresses modern AI-driven fraud in a practical and scalable way, rather than relying solely on traditional spam detection methods.

What we learned

While building Threat Scope, we learned that modern fraud detection is much more complex than traditional spam filtering. AI-generated phishing content often looks professional and grammatically correct, which makes it harder to detect using simple keyword-based methods. This forced us to think beyond obvious spam signals and focus on behavioral patterns and structural indicators.

We also learned that detection systems must carefully balance sensitivity and accuracy. During testing, we noticed that some AI-generated emails — including legitimate ones written by tools like ChatGPT — were sometimes flagged as suspicious because they shared structural similarities with phishing messages, such as formal tone or persuasive language. This taught us that not all AI-generated content is malicious, and detection systems must distinguish between harmful intent and neutral AI-generated text.

Another important lesson was related to browser compatibility. Not every browser handles extensions in the same way. Some are more developer-friendly, while others have stricter permission models and configuration requirements. Ensuring consistent functionality across browsers required careful testing and adjustments.

From a system design perspective, we learned the importance of modular architecture. Separating the extension layer from the backend analysis engine made debugging easier and improved scalability.

Overall, this project taught us that building cybersecurity tools requires not only technical implementation, but also careful calibration, testing, and continuous refinement.

What's next for Threat Scope

The next phase of Threat Scope focuses on expanding both its technical depth and its accessibility.

One immediate goal is to extend compatibility across more browsers. While we have successfully deployed the extension on Firefox and Edge, we plan to integrate it into as many major browsers as possible to ensure wider accessibility and usability.

We also plan to evolve Threat Scope beyond a browser extension into a broader security platform. Future developments may include:

  • A web-based dashboard or standalone application version
  • Deepfake voice detection for identifying AI-generated scam calls
  • An OTP scam prevention module to detect social engineering attempts during authentication flows
  • An advanced email security plugin for enterprise use
  • A credential leak detection system that alerts users if exposed information appears in suspicious contexts
  • A prompt-injection shield designed to protect AI bots and agentic systems from manipulation or data extraction attacks

As AI-driven fraud continues to evolve, our goal is to continuously adapt Threat Scope to defend against emerging threats. We envision it becoming a modular security framework capable of protecting users not just from phishing websites, but from the broader ecosystem of AI-enabled cyber fraud.
