A Python CLI tool that replicates the decision-making workflow of a real SOC analyst — scanning emails, scoring threats, and exporting structured incident reports.
The Phishing Detection Simulator is a modular CLI application that walks through the same triage steps a SOC analyst performs when a suspicious email lands in a queue.
It reads raw email content, passes it through four independent detection engines, aggregates weighted signals into a numeric risk score, classifies the threat level, and produces machine-readable reports — all without leaving the terminal.
Every email receives a score from 0 to 100. The scoring engine maps this to one of three triage tiers:
<div class="bg-dark-800/60 border border-orange-700/30 rounded-xl p-6 hover:border-orange-500/50 transition-colors">
<div class="flex items-center space-x-3 mb-4">
<div class="w-10 h-10 rounded-lg bg-orange-500/20 flex items-center justify-center text-xl">🔑</div>
<h3 class="text-lg font-bold text-orange-400">Keyword Scanner</h3>
</div>
<p class="text-gray-300 text-sm mb-4">Scans the email body for known phishing vocabulary — urgency phrases, credential-harvesting language, and social engineering cues that manipulate recipients into taking action.</p>
<div class="flex flex-wrap gap-2">
<span class="bg-gray-700 text-gray-300 px-2 py-1 rounded text-xs">"Verify your account"</span>
<span class="bg-gray-700 text-gray-300 px-2 py-1 rounded text-xs">"Immediate action required"</span>
<span class="bg-gray-700 text-gray-300 px-2 py-1 rounded text-xs">"Click here to confirm"</span>
</div>
</div>
<div class="bg-dark-800/60 border border-red-700/30 rounded-xl p-6 hover:border-red-500/50 transition-colors">
<div class="flex items-center space-x-3 mb-4">
<div class="w-10 h-10 rounded-lg bg-red-500/20 flex items-center justify-center text-xl">🌐</div>
<h3 class="text-lg font-bold text-red-400">Domain Analyzer</h3>
</div>
<p class="text-gray-300 text-sm mb-4">Inspects sender addresses and embedded URLs for typosquatting, suspicious TLDs, IP-based links, and sender/reply-to spoofing patterns that indicate fraudulent origin.</p>
<div class="flex flex-wrap gap-2">
<span class="bg-gray-700 text-gray-300 px-2 py-1 rounded text-xs">Typosquatting</span>
<span class="bg-gray-700 text-gray-300 px-2 py-1 rounded text-xs">IP-based URLs</span>
<span class="bg-gray-700 text-gray-300 px-2 py-1 rounded text-xs">Sender spoofing</span>
</div>
</div>
<div class="bg-dark-800/60 border border-yellow-700/30 rounded-xl p-6 hover:border-yellow-500/50 transition-colors">
<div class="flex items-center space-x-3 mb-4">
<div class="w-10 h-10 rounded-lg bg-yellow-500/20 flex items-center justify-center text-xl">📎</div>
<h3 class="text-lg font-bold text-yellow-400">Attachment Scanner</h3>
</div>
<p class="text-gray-300 text-sm mb-4">Classifies all file attachments across four risk tiers — from critical (executables, macros) to low-risk (standard documents) — giving analysts a rapid surface-area assessment.</p>
<div class="flex flex-wrap gap-2">
<span class="bg-red-900/40 text-red-400 border border-red-700/30 px-2 py-1 rounded text-xs">Critical: .exe .bat .ps1</span>
<span class="bg-yellow-900/40 text-yellow-400 border border-yellow-700/30 px-2 py-1 rounded text-xs">High: .docm .xlsm</span>
<span class="bg-green-900/40 text-green-400 border border-green-700/30 px-2 py-1 rounded text-xs">Low: .pdf .txt</span>
</div>
</div>
<div class="bg-dark-800/60 border border-blue-700/30 rounded-xl p-6 hover:border-blue-500/50 transition-colors">
<div class="flex items-center space-x-3 mb-4">
<div class="w-10 h-10 rounded-lg bg-blue-500/20 flex items-center justify-center text-xl">📋</div>
<h3 class="text-lg font-bold text-blue-400">Risk Scoring Engine</h3>
</div>
<p class="text-gray-300 text-sm mb-4">Aggregates weighted signals from all detection modules into a single 0–100 risk score. Each module contributes a calibrated point value based on indicator severity and confidence level.</p>
<div class="flex flex-wrap gap-2">
<span class="bg-gray-700 text-gray-300 px-2 py-1 rounded text-xs">Weighted aggregation</span>
<span class="bg-gray-700 text-gray-300 px-2 py-1 rounded text-xs">Configurable thresholds</span>
<span class="bg-gray-700 text-gray-300 px-2 py-1 rounded text-xs">LOW / MEDIUM / HIGH</span>
</div>
</div>
</div>
{
"email_id": "phish_0042",
"timestamp": "2025-01-15T14:32:00Z",
"risk_score": 82,
"verdict": "HIGH",
"modules": {
"keyword_score": 35,
"domain_score": 40,
"attachment_score": 20,
"header_score": 5
},
"flags": [
"typosquat_domain",
"high_risk_attachment",
"urgency_language"
]
}
email_id,timestamp,score,verdict,flags
phish_0042,2025-01-15T14:32:00Z,82,HIGH,typosquat_domain|high_risk...

module,score,indicators
keyword,35,urgency_language|…
domain,40,typosquat_domain|…
attachment,20,invoice.exe
header,5,sender_spoof
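A compact Python reconstruction of the four-module triage pipeline and report shape described above, added here as an illustration and not the project's own code: the phrases, attachment tiers and report fields come from the page, while the point values, per-module caps, the trusted-domain list, the default for unknown extensions and the LOW/MEDIUM/HIGH thresholds are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed tables: phrases and tiers are from the page; point values, caps and thresholds are assumptions.
PHRASES = {"verify your account": 15, "immediate action required": 15, "click here to confirm": 10}
TRUSTED = {"paypal.com", "microsoft.com"}   # assumed allow-list used for lookalike detection
ATTACH = {".exe": 20, ".bat": 20, ".ps1": 20, ".docm": 12, ".xlsm": 12, ".pdf": 0, ".txt": 0}
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
CAPS = {"keyword": 35, "domain": 40, "attachment": 20, "header": 5}
SAMPLE = {  # constructed suspicious email, not a real message
    "id": "phish_0042", "from": "billing@paypa1.com", "reply_to": "ops@mailbox.example",
    "body": "Immediate action required: verify your account at the link.",
    "urls": ["http://203.0.113.7/login"], "attachments": ["invoice.exe"]}

def keyword_module(body):
    hits = [p for p in PHRASES if p in body.lower()]
    return sum(PHRASES[p] for p in hits), (["urgency_language"] if hits else [])

def looks_like(host, trusted):
    # one-character substitution against a trusted domain, e.g. paypa1.com vs paypal.com
    return host != trusted and len(host) == len(trusted) and sum(a != b for a, b in zip(host, trusted)) == 1

def domain_module(sender, urls):
    hosts = [sender.rsplit("@", 1)[-1]] + [urlparse(u).hostname or "" for u in urls]
    score, flags = 0, []
    if any(looks_like(h, t) for h in hosts for t in TRUSTED):
        score, flags = score + 30, flags + ["typosquat_domain"]
    if any(IP_URL.match(u) for u in urls):
        score, flags = score + 10, flags + ["ip_based_url"]
    return score, flags

def attachment_module(names):
    # the worst attachment decides the tier; unknown extensions get an assumed default of 5
    worst = max((ATTACH.get("." + n.rsplit(".", 1)[-1].lower(), 5) for n in names), default=0)
    return worst, (["high_risk_attachment"] if worst >= 12 else [])

def header_module(sender, reply_to):
    spoof = bool(reply_to) and reply_to.rsplit("@", 1)[-1] != sender.rsplit("@", 1)[-1]
    return (5 if spoof else 0), (["sender_spoof"] if spoof else [])

def triage(email):
    """Run the four modules, cap each, sum to a 0-100 score and build the report dict."""
    raw = {"keyword": keyword_module(email["body"]),
           "domain": domain_module(email["from"], email.get("urls", [])),
           "attachment": attachment_module(email.get("attachments", [])),
           "header": header_module(email["from"], email.get("reply_to", ""))}
    modules = {f"{m}_score": min(CAPS[m], s) for m, (s, _) in raw.items()}
    score = sum(modules.values())
    verdict = "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW"  # assumed tiers
    return {"email_id": email["id"], "risk_score": score, "verdict": verdict,
            "modules": modules, "flags": [f for _, fl in raw.values() for f in fl]}
```

Calling `triage(SAMPLE)` yields a HIGH verdict with every flag set; a benign message with a trusted sender, no URLs and a .pdf attachment scores 0 and lands in LOW.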