What kind of data does PhishStats provide?

PhishStats provides real-time threat intelligence data, including feeds for phishing URLs, IP addresses, and domain names associated with active phishing campaigns.

Who is PhishStats best for?

It is best for security researchers, threat intelligence platforms, phishing detection systems, and Security Operations Centers (SOCs) looking to integrate current phishing data into their operations.

Is there a free tier available for PhishStats?

Yes, PhishStats offers a free API access tier with a rate limit of 50 requests per hour, suitable for testing and initial integration.

Does PhishStats offer SDKs for different programming languages?

No, PhishStats does not provide official SDKs. Developers are expected to build their own HTTP clients using the documented RESTful API.

How often is the phishing data updated?

PhishStats aims to provide real-time data, meaning its feeds are continuously updated as new phishing threats are identified and processed.

What is the primary output format of the PhishStats API?

The PhishStats API primarily returns data in JSON format, making it compatible with most programming languages and systems.

Can I use PhishStats data for commercial products?

The terms of use for commercial applications depend on your subscription plan. Users should review the PhishStats API terms for specific usage rights.

PhishStats — Real-time Phishing Threat Intelligence API

Overview

PhishStats is a threat intelligence service specializing in the collection and dissemination of real-time phishing data. The platform provides an API that allows developers and security professionals to integrate current information about phishing URLs, IP addresses, and domains directly into their security systems. Since its founding in 2017, PhishStats has focused on delivering data that aids in the proactive identification and mitigation of phishing threats.

The service is designed for use by security researchers who analyze attack trends, threat intelligence platforms that aggregate and process security data, and phishing detection systems that need up-to-the-minute indicators of compromise. Security Operations Centers (SOCs) can also utilize the PhishStats API to enrich their incident response processes, automate alert triage, and enhance their defensive postures against social engineering attacks. By providing access to frequently updated feeds, PhishStats aims to reduce the window of opportunity for attackers.

PhishStats addresses the challenge of rapidly evolving phishing campaigns by maintaining a continually updated database of malicious indicators. Its core products include a real-time phishing URL feed, a phishing IP feed, and a phishing domain feed. These data streams can be consumed programmatically, allowing for automated lookups and integration into custom applications or existing security tools. The API is straightforward, returning data in JSON format, which facilitates parsing and integration into various programming environments. While official SDKs are not provided, the API's RESTful nature and clear documentation for endpoints and parameters simplify the process of building custom HTTP clients.

The utility of such a service extends to various use cases, including email gateway protection, web filtering, and endpoint security. By cross-referencing incoming traffic or user activity against PhishStats data, organizations can identify and block access to known phishing sites, thereby protecting users from credential theft, malware infections, and other malicious activities. The effectiveness of threat intelligence, including phishing data, is often measured by its timeliness and accuracy, which are critical factors in countering fast-moving threats. For example, organizations like AbuseIPDB also offer similar services focusing on malicious IP addresses, highlighting the shared industry focus on actionable threat data.

Key features

Real-time Phishing URL Feed: Provides access to a frequently updated list of URLs identified as being part of active phishing campaigns. This feed enables systems to detect and block access to malicious links as soon as they are identified.
Phishing IP Feed: Offers a list of IP addresses associated with phishing infrastructure, including C2 servers and hosting locations for phishing sites. This data assists in network-level blocking and forensic analysis.
Phishing Domain Feed: Delivers a feed of domain names used in phishing attacks, facilitating the identification and blocking of suspicious domains at DNS or proxy levels.
JSON API Responses: All API endpoints return data in JSON format, which is a widely supported data interchange format, simplifying parsing and integration into web and backend applications.
Rate-limited Free Tier: A free tier is available, offering API access with a limit of 50 requests per hour, allowing developers to test and integrate the service before committing to a paid plan.
Developer-focused Documentation: Concise API documentation outlines endpoints, parameters, and response structures, aiding developers in quickly understanding and implementing the API.

Pricing

PhishStats offers a free tier for initial development and testing, with paid plans available for increased API request volumes. Pricing is structured based on the number of requests per hour.

Plan	Requests per Hour	Monthly Cost
Free	50	$0
Starter	2000	$20
Pro	10000	$50
Enterprise	Custom	Contact for Quote

Pricing as of 2026-05-28. For detailed and up-to-date pricing information, please refer to the PhishStats API pricing page.

Common integrations

PhishStats is designed for integration into various security tools and platforms:

SIEM Systems: Integrate phishing feeds into Security Information and Event Management (SIEM) systems (e.g., Splunk, Elastic SIEM) to correlate with other security logs and enhance threat detection.
Firewalls and Proxies: Use phishing IP and domain feeds to configure dynamic blocking rules on network firewalls and web proxies.
Email Security Gateways: Incorporate phishing URL and domain data to improve the filtering capabilities of email security solutions.
Threat Intelligence Platforms (TIPs): Feed PhishStats data into TIPs (e.g., MISP, Anomali ThreatStream) to enrich existing threat intelligence and provide a more comprehensive view of the threat landscape.
Incident Response Playbooks: Automate lookups against PhishStats data within incident response workflows to quickly identify and prioritize phishing-related alerts.
Custom Security Applications: Develop bespoke applications for phishing detection, analysis, or reporting by consuming the PhishStats API directly.

Alternatives

URLScan.io: A service that analyzes and monitors websites, providing detailed reports on potential threats, including phishing indicators.
AbuseIPDB: A database for reporting and checking malicious IP addresses, offering an API for threat intelligence lookups.
OpenPhish: Provides a real-time feed of phishing URLs, similar to PhishStats, focused on proactive detection.

Getting started

To get started with the PhishStats API, you typically need to obtain an API key from your account and then make HTTP requests to the specified endpoints. Here's a basic example using Python to retrieve the latest phishing URLs:

import requests

# Replace with your actual API key
API_KEY = "YOUR_PHISHSTATS_API_KEY"
BASE_URL = "https://phishstats.com/api"

headers = {
    "User-Agent": "PhishStats-Python-Client/1.0",
    "Authorization": f"Bearer {API_KEY}"
}

def get_latest_phishing_urls():
    endpoint = f"{BASE_URL}/phishing-urls"
    try:
        response = requests.get(endpoint, headers=headers)
        response.raise_for_status() # Raise an exception for HTTP errors
        data = response.json()
        if data and "urls" in data:
            print("Latest Phishing URLs:")
            for url_entry in data["urls"][:5]: # Print first 5 for brevity
                print(f"  - URL: {url_entry['url']}")
                print(f"    Added: {url_entry['added']}")
                print(f"    Source: {url_entry['source']}")
        else:
            print("No URLs found or unexpected response format.")
    except requests.exceptions.HTTPError as http_err:
        print(f"HTTP error occurred: {http_err}")
    except requests.exceptions.ConnectionError as conn_err:
        print(f"Connection error occurred: {conn_err}")
    except requests.exceptions.Timeout as timeout_err:
        print(f"Timeout error occurred: {timeout_err}")
    except requests.exceptions.RequestException as req_err:
        print(f"An error occurred: {req_err}")

if __name__ == "__main__":
    get_latest_phishing_urls()

This Python script demonstrates how to make an authenticated GET request to the /phishing-urls endpoint. It includes basic error handling for common HTTP and network issues. You would replace "YOUR_PHISHSTATS_API_KEY" with the actual API key obtained from your PhishStats account. Remember to consult the PhishStats API documentation for specific endpoint details, available parameters, and response structures.

PhishStats

Overview

Key features

Pricing

Common integrations

Alternatives

Getting started

# frequently asked questions

## reviews

## comments

Overview

Key features

Pricing

Common integrations

Alternatives

Getting started

# frequently asked questions

# see also

## reviews

## comments