DFIR Platform vs PhishTool
PhishTool is a dedicated analyst UI for phishing triage — upload an .eml, get a rich breakdown, manage the case. DFIR Platform's /phishing-check API provides programmatic email header and IOC analysis for pipelines and one-shot checks. Different categories, often used together.
- PhishTool is stronger for human-in-the-loop analyst workflow: .eml inspection UI, case management, team collaboration, MITRE ATT&CK tagging.
- DFIR Platform is stronger for programmatic automation: API-first phishing-check on a unified credit pool with multi-source IOC enrichment.
- Many SOCs pair them — PhishTool for manual forensic review, DFIR Platform for SOAR / n8n automation and bulk IOC enrichment of extracted indicators.
Feature-by-feature
(Comparison table not reproduced here. Each row is a single capability; ties and partials are marked as such, no spin.)
What each one does best
Picking a tool isn't about which one wins overall — it's about which one fits your workload. Here's an unvarnished look at each side's actual strengths.
What PhishTool does well
- Purpose-built analyst UI
PhishTool is designed for the human triage flow. Analysts upload an .eml, get a rich header/body breakdown, extracted indicators, attachments, and rendering — all in a dedicated interface. No API glue required to read the output.
- Case management & investigation workflow
Investigations are first-class objects: assign cases, track status, attach notes, tie indicators to verdicts. For a SOC team doing phishing triage end-to-end in one tool, this is exactly the shape you want.
- MITRE ATT&CK tagging built in
PhishTool lets analysts tag techniques directly on the investigation (phishing, spearphishing link, attachment, etc.). That metadata flows into reporting and metrics — useful for SOC maturity tracking without bolt-on tooling.
- Established community trust
PhishTool has a long-running free Community edition and a well-known following among SOC analysts and blue teamers. That means shared knowledge, playbooks, and a familiar workflow when onboarding new team members.
Where DFIR Platform differs
- API-first /phishing-check
A single POST with raw headers or a full .eml returns parsed fields, SPF/DKIM/DMARC verdicts, and extracted IOCs — ready for SOAR, n8n, or scripted pipelines. No UI click-through, no session cookies, curl-friendly.
- Multi-source IOC enrichment on the same key
Indicators extracted from a phishing message (IPs, domains, URLs, hashes) can be enriched immediately against up to 11 sources via /enrich or /enrich/batch on the same credit pool — turning triage output into actionable blocks and hunts.
- Unified credit pool across the suite
One API key covers /phishing-check, /enrich, /exposure-scanner, /domain-lookup, and AI triage. Credits are shared: 5 per single IOC, 3 per IOC in a batch (max 50). No separate subscription per product.
- Public free tool for one-off checks
The /phishing-check tool is free at dfir-lab.ch/phishing-check with no account — useful for quick analyst sanity-checks, user-reported phish triage on shift, or sharing with non-SOC colleagues who just need a verdict.
When to reach for each one
Concrete signals from real workflows. If two or more bullets in a column describe your team, that's the right tool to start with.
Use PhishTool when
- Your SOC needs a dedicated UI where analysts investigate phishing cases end-to-end.
- You want case management, assignments, notes, and MITRE ATT&CK tagging in one place.
- You're training junior analysts and want a guided inspection view over .eml files.
- You need a shared team workspace for phishing triage with collaboration features.
Use DFIR Platform when
- You're building a SOAR or n8n playbook that programmatically triages reported phish.
- You need one API that analyses emails AND enriches extracted IOCs across 11 sources.
- You want transparent self-serve pricing ($0 / $29 / $99) without a sales call.
- You need to drop a public, shareable phishing-check link for users without accounts.
- You want phishing analysis, IOC enrichment, exposure scanning, and AI triage on one plan.
SOC analyst triaging a user-reported phishing email
A finance team member forwards a suspicious invoice email to the SOC mailbox. The .eml contains two URLs, one sender IP, three intermediate relay IPs, and an attached PDF. The analyst needs a verdict, a documented investigation, and all indicators enriched and blocked within the SLA.
In PhishTool, the analyst uploads the .eml and gets the full header chain, body rendering, attachment metadata, and extracted IOCs in the investigation UI. They tag the MITRE technique (spearphishing link), add notes, flag the case, and close it. The forensic breakdown is the strength here — it's a human-readable inspection view built for exactly this task.
An n8n workflow watches the SOC mailbox. On arrival, it POSTs the raw email to /phishing-check and receives parsed headers, SPF/DKIM/DMARC results, and the extracted IOCs. The workflow then fires /enrich/batch with all 4 IPs and 2 URLs in one request (6 IOCs × 3 credits = 18 credits). The aggregated verdicts trigger an auto-block in the firewall; a Slack summary goes to the SOC channel.
Takeaway: PhishTool gives the analyst a proper forensic UI; DFIR Platform runs the same checks in 2 API calls with multi-source enrichment built in. Most mature SOCs want both: automation for volume, a dedicated UI for the cases that need a human.
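The credit arithmetic in the n8n scenario above, as an added example that is not code from the original page or from DFIR Platform: it de-duplicates the IOCs pulled from a /phishing-check result, splits them into /enrich/batch payloads that respect the 50-IOC cap, and checks the cost against the remaining monthly credits. The response field names (ips, domains, urls, hashes) are assumptions, not the real API schema; the sample indicators are constructed.

```python
# Credit planner for a /phishing-check -> /enrich/batch pipeline (constructed
# example). Credit numbers come from the page: 3 per batched IOC, 5 per single
# IOC, max 50 per batch, 100 free credits/month. Field names are assumed.
SINGLE_COST = 5          # credits per IOC via /enrich
BATCH_COST = 3           # credits per IOC via /enrich/batch
BATCH_MAX = 50           # max IOCs per /enrich/batch request
FREE_TIER_MONTHLY = 100  # Free tier allowance

# Constructed stand-in for parsed /phishing-check output: the scenario's
# 4 IPs (one relay repeated) and 2 URLs (one repeated). Field names assumed.
SAMPLE_RESULT = {
    "ips": ["203.0.113.10", "198.51.100.7", "198.51.100.7",
            "192.0.2.44", "192.0.2.45"],
    "urls": ["http://invoice-update.example/login",
             "http://invoice-update.example/login",
             "http://cdn.example.net/invoice.pdf"],
    "hashes": [],
}

def extract_iocs(result):
    """Flatten and de-duplicate indicators in first-seen order, so a relay
    IP that appears in several Received: hops is only paid for once."""
    seen, out = set(), []
    for key in ("ips", "domains", "urls", "hashes"):
        for ioc in result.get(key, []):
            if ioc not in seen:
                seen.add(ioc)
                out.append(ioc)
    return out

def plan_batches(iocs):
    """Split into /enrich/batch payloads that respect the 50-IOC cap."""
    return [iocs[i:i + BATCH_MAX] for i in range(0, len(iocs), BATCH_MAX)]

def credit_cost(count, batched=True):
    return count * (BATCH_COST if batched else SINGLE_COST)

def plan_enrichment(result, remaining):
    """Cost the run and check it fits the remaining monthly credits."""
    iocs = extract_iocs(result)
    cost = credit_cost(len(iocs))
    return {"iocs": len(iocs), "batches": len(plan_batches(iocs)),
            "credits": cost, "single_credits": credit_cost(len(iocs), False),
            "affordable": cost <= remaining}

if __name__ == "__main__":
    print(plan_enrichment(SAMPLE_RESULT, FREE_TIER_MONTHLY))
```

For the scenario's 6 indicators this yields one batch at 18 credits (versus 30 via single /enrich calls); a 120-indicator dump would be split into three batches at 360 credits, which a Free tier account cannot cover.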
Side-by-side tier comparison
Both vendors quoted publicly where available. Where pricing requires a sales call, that's noted explicitly — no estimated numbers.
DFIR Platform
Publicly priced — self-serve:
- Free ($0): 100 credits/mo, no credit card
- Starter ($29/mo): 500 credits, solo analyst / small team
- Professional ($99/mo): 2,500 credits, MSSP / automation pipelines
- Enterprise (custom pricing): unlimited credits, on-prem option
PhishTool
Community free; Professional / Enterprise via contact-sales:
- Community ($0): individual analyst UI, capped monthly analyses
- Professional (contact sales): single user, PhishTool API, alerts, in-tray
- Enterprise (contact sales): team, Outlook add-in, SAML SSO, MSSP multi-tenant
Using both together
PhishTool for the human-in-the-loop: an analyst opens a user-reported phish, works through the .eml breakdown, tags MITRE techniques, and closes the case with notes. DFIR Platform for the automation layer: an n8n workflow catches new phish reports, fires /phishing-check for a first-pass verdict, batch-enriches every extracted IOC via /enrich/batch, and only escalates uncertain cases to PhishTool for manual review. The two products sit at different points in the triage pipeline and genuinely complement each other.
Frequently asked questions
Is DFIR Platform a direct replacement for PhishTool?
No — they're in different product categories. PhishTool is a workflow UI for analysts doing hands-on phishing triage and case management. DFIR Platform's /phishing-check is an API for programmatic email analysis and IOC extraction. If your team wants a dedicated UI, PhishTool remains the better fit; if you want automation, DFIR Platform is the stronger choice.
Does PhishTool have an API?
Yes — PhishTool API access starts at the Professional tier (single user) and continues through Enterprise (team + mailbox integrations + Outlook add-in). The free Community tier is UI-only. Pricing for Professional and Enterprise is contact-sales. DFIR Platform's /phishing-check is API-first on the Free tier — 100 credits/month, no credit card — useful if you need programmatic access without a sales call.
Can I use both PhishTool and DFIR Platform?
Yes — and it's a natural fit. A common pattern: DFIR Platform's /phishing-check runs first-pass automation on every reported phish via a SOAR or n8n flow, batch-enriches IOCs across 11 sources, and only escalates uncertain cases to PhishTool for manual analyst review with full case-management.
Does DFIR Platform have MITRE ATT&CK tagging?
Not natively inside /phishing-check responses. PhishTool has that baked into its investigation UI. If ATT&CK tagging on the case record is important to your reporting, PhishTool is the better choice for that specific capability.
Is there a free way to try DFIR Platform's phishing analysis?
Yes. /phishing-check is available as a free public tool at dfir-lab.ch/phishing-check with no signup, useful for one-off analyst sanity-checks. For programmatic access, the Free tier grants 100 credits/month with no credit card required.
How does DFIR Platform extend beyond email analysis?
Every extracted indicator can be enriched on the same API key via /enrich (up to 11 sources for IPs, 8 for domains/URLs, 6 for hashes) and /enrich/batch (up to 50 IOCs per request at 3 credits each). The same pool also powers /exposure-scanner, /domain-lookup, and AI triage — one subscription across the suite.
See how DFIR Platform handles your real IOCs
Try the free /ioc-check first — no signup, 10 lookups per hour. Or create a Free account for the full API and 100 credits per month.