
Persona: Email Security Engineer · Category: Integration · Endpoints: 6 used · Updated: April 2026
USE CASE · EMAIL SECURITY ENGINEER

Programmable email security behind your gateway

You own the email pipeline — the gateway, the reporting button, the forward-to-IT mailbox, the BEC response playbook. Vendor auto-triage is opaque, brittle, and priced per seat. DFIR Platform gives you deterministic JSON per email and per inbox, so your rules stay your rules.
KEY TAKEAWAYS
  1. Drop a raw .eml in, get structured JSON out — verdict, auth results, extracted IOCs. Same response every time.
  2. AI verdict available on the harder cases; deterministic verdict available on the hot path — you pick the trade-off per message.
  3. BEC-specific endpoints for forwarding-rule audits and activity timelines — the two artefacts every BEC investigation needs.
01 · CONTEXT

Gateway auto-triage is a black box you cannot patch

Most email-security engineers live with the same frustration: the gateway's ML model silently re-scores traffic, confidence buckets shift after a vendor update, and the 'why' behind a verdict sits in a support portal you cannot script against. When a user reports a missed phish or a BEC attempt lands, the engineer needs to reconstruct the email's path with primitives — authentication results, IOC reputation, forwarding-rule history — not plead with a vendor for a log export.
PAIN POINTS
  1. Gateway vendors change ML weights without notice; last week's rule works, today's does not.
  2. BEC response requires forwarding-rule and sign-in timeline data that M365/Workspace expose inconsistently across tenants.
  3. SOAR integrations to gateways are vendor-locked; swap vendors and your playbooks break.
  4. Per-seat pricing on 'advanced phishing' features punishes you for having a large mailbox footprint.
02 · CAPABILITIES

The endpoints that solve it

DFIR Platform exposes the exact endpoints an email-security pipeline needs — no proprietary UI, no opaque scoring model. The base analyzer is cheap and deterministic for the hot path. The AI analyzer sits one call away for the harder verdicts. BEC endpoints cover the investigation side when automation is not enough. Build your pipeline in your automation tool of choice — it is just HTTP.

Deterministic phishing analyzer (1 credit)
POST /v1/phishing/analyze

The hot-path call. Parses raw RFC 822, returns SPF/DKIM/DMARC alignment, authentication verdict, extracted indicators[], and a deterministic risk score. Same email in, same JSON out — safe to cache, safe to retry.
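To make concrete what "SPF/DKIM/DMARC alignment" means in that response, here is an added example, written for this page and not DFIR Lab's analyzer code, that reads a constructed .eml and computes alignment the way an engineer would sanity-check a verdict. The message, its Authentication-Results header and the domains are all constructed; relaxed alignment is approximated with the last two DNS labels rather than a public-suffix lookup.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass at the receiving MTA, but neither
# authenticated domain aligns with the header From, so DMARC fails.  The DKIM
# d= is a lookalike of the From domain (examp1e vs example).
SAMPLE_EML = b"""\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@bulk-sender.example.net;
 dkim=pass header.d=examp1e.com;
 dmarc=fail
From: Finance <cfo@example.com>
To: ap@example.net
Subject: Urgent wire
Message-ID: <constructed-1@example.com>

Please process the attached invoice today.
"""


def parse_auth_results(header: str) -> dict:
    """Return {method: (result, authenticated_domain)} from an
    Authentication-Results header; clause 0 is the authserv-id and is skipped."""
    out = {}
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause, re.I | re.S)
        if not m:
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        d = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)", rest, re.I)
        out[method] = (result, d.group(1).lower() if d else None)
    return out


def org_domain(domain: str) -> str:
    """Simplification: the last two labels stand in for the organizational
    domain.  A real implementation consults the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain: str, relaxed: bool = True) -> bool:
    """DMARC alignment: the authenticated domain must match RFC5322.From,
    exactly (strict) or by organizational domain (relaxed)."""
    if not auth_domain:
        return False
    if relaxed:
        return org_domain(auth_domain) == org_domain(from_domain)
    return auth_domain.lower() == from_domain.lower()


def alignment_report(raw: bytes) -> dict:
    """Each mechanism must both pass and align with the header From for
    DMARC to be satisfied; a pass on an unrelated domain counts for nothing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf_res, spf_dom = ar.get("spf", ("none", None))
    dkim_res, dkim_dom = ar.get("dkim", ("none", None))
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_domain)
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom, from_domain)
    return {
        "from_domain": from_domain,
        "spf": {"result": spf_res, "domain": spf_dom, "aligned": spf_ok},
        "dkim": {"result": dkim_res, "domain": dkim_dom, "aligned": dkim_ok},
        "dmarc_aligned": spf_ok or dkim_ok,
        "authserv_dmarc": ar.get("dmarc", ("none", None))[0],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(alignment_report(SAMPLE_EML), indent=2))
```

The point the sample makes: both mechanisms report `pass`, yet the message is unaligned, which is exactly the case a gateway's confidence bucket tends to hide and a structured auth-results field makes visible.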

AI phishing adjudication (10 credits)
POST /v1/phishing/analyze/ai

For the subset of messages where the deterministic score lands in the ambiguous band. Returns the same structure plus a natural-language explanation and recommended action — exactly what an engineer wants to pipe into an on-call notification.

Phishing enrichment (header add-ons) (2 credits)
POST /v1/phishing/enrich

Lightweight enrichment on the indicators already extracted by the analyzer: DNS, blacklist, GSB, URL expansion. Useful when you want extra context without paying for the full multi-source lookup.

Batch IOC enrichment (3 credits / IOC)
POST /v1/enrichment/lookup

When a message's risk score crosses threshold, fan its indicators into the full multi-source enrichment (up to 11 sources per IP, 8 per domain/URL, 6 per hash). One response per IOC, ready to slot into an investigation ticket.

BEC forwarding-rule audit (5 credits)
POST /v1/bec/forwarding-audit

Given tenant credentials (or delegated access), enumerates inbox and transport forwarding rules — the #1 persistence mechanism attackers use after a successful BEC. Returns a flat JSON list you can diff across time.
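"Diff across time" is where the value of a flat list sits, so here is an added example of that diff, written for this page rather than taken from DFIR Lab. The rule schema (`mailbox`, `rule_id`, `name`, `forward_to`, `enabled`) and the two snapshots are constructed assumptions; the endpoint's real field names are in the API reference. The review step flags what an investigator would open a ticket for: new or newly added external forwarding, removed rules, and rules with an empty or punctuation-only name.

```python
INTERNAL_DOMAINS = {"example.com"}  # constructed: the tenant's own domains

# Constructed snapshots of the flat rule list, yesterday (T0) and today (T1).
# The field names are an assumed schema, not the endpoint's documented one.
SNAPSHOT_T0 = [
    {"mailbox": "cfo@example.com", "rule_id": "r-1", "name": "Invoices to AP",
     "forward_to": ["ap@example.com"], "enabled": True},
    {"mailbox": "ap@example.com", "rule_id": "r-2", "name": "Archive",
     "forward_to": ["archive@example.com"], "enabled": True},
]
SNAPSHOT_T1 = [
    {"mailbox": "cfo@example.com", "rule_id": "r-1", "name": "Invoices to AP",
     "forward_to": ["ap@example.com"], "enabled": True},
    # existing rule gained an external recipient overnight
    {"mailbox": "ap@example.com", "rule_id": "r-2", "name": "Archive",
     "forward_to": ["archive@example.com", "ap.backup@mail-example.net"], "enabled": True},
    # brand-new rule with a name chosen to be overlooked in the rules UI
    {"mailbox": "cfo@example.com", "rule_id": "r-3", "name": ".",
     "forward_to": ["c.f.o.finance@example-mail.org"], "enabled": True},
]


def is_external(address: str) -> bool:
    """True when the recipient domain is not one of the tenant's own."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def diff_rules(before: list, after: list) -> dict:
    """Key rules by (mailbox, rule_id) so the same rule is compared across snapshots."""
    b = {(r["mailbox"], r["rule_id"]): r for r in before}
    a = {(r["mailbox"], r["rule_id"]): r for r in after}
    return {
        "added": [a[k] for k in sorted(a.keys() - b.keys())],
        "removed": [b[k] for k in sorted(b.keys() - a.keys())],
        "changed": [(b[k], a[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]],
    }


def review(diff: dict) -> list:
    """Turn a diff into findings worth a ticket."""
    findings = []

    def flag(rule, reason, to):
        findings.append({"mailbox": rule["mailbox"], "rule_id": rule["rule_id"],
                         "reason": reason, "to": to})

    for rule in diff["added"]:
        ext = [x for x in rule["forward_to"] if is_external(x)]
        if ext:
            flag(rule, "new rule forwards externally", ext)
        if not rule["name"].strip(" ."):
            flag(rule, "rule name is empty or punctuation-only", [])
    for old, new in diff["changed"]:
        ext = [x for x in new["forward_to"] if is_external(x) and x not in old["forward_to"]]
        if ext:
            flag(new, "existing rule gained an external recipient", ext)
    for rule in diff["removed"]:
        flag(rule, "rule removed (confirm this was intended)", [])
    return findings


if __name__ == "__main__":
    for f in review(diff_rules(SNAPSHOT_T0, SNAPSHOT_T1)):
        print(f"{f['mailbox']} {f['rule_id']}: {f['reason']} {f['to']}")
```

Run it against two saved responses (one per day) and the output is the delta an IR ticket actually needs; unchanged rules never appear.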

BEC activity timeline (10 credits)
POST /v1/bec/timeline

Reconstructs a per-mailbox timeline of sign-ins, rule changes, and anomalous sends around a suspected compromise window. Outputs the artefact every IR writeup ultimately wants to paste into the report.

03 · WORKFLOW

A two-lane pipeline: hot path + escalation

The pipeline most engineers settle on looks like this: the hot path runs /v1/phishing/analyze on every user-reported or gateway-bounced email; anything crossing a risk threshold falls into an escalation lane that adds AI adjudication and full IOC enrichment. BEC endpoints live in a separate playbook triggered by suspicious sign-in signals from your IdP.
```python
import base64
import os

import requests

API = "https://api.dfir-lab.ch"
H = {"Authorization": f"Bearer {os.environ['DFIR_API_KEY']}"}
ESCALATE_AT = 70  # risk_score threshold for the escalation lane


def triage(raw_eml_bytes: bytes) -> dict:
    body = {"raw_email": base64.b64encode(raw_eml_bytes).decode()}

    # Hot path: 1 credit, sub-second latency, deterministic (safe to retry)
    r = requests.post(f"{API}/v1/phishing/analyze", headers=H, json=body, timeout=10)
    r.raise_for_status()
    verdict = r.json()
    if verdict["risk_score"] < ESCALATE_AT:
        return verdict  # done: log and move on

    # Escalation lane: AI adjudication (10 credits) + full IOC enrichment (3 credits / IOC)
    r = requests.post(f"{API}/v1/phishing/analyze/ai", headers=H, json=body, timeout=30)
    r.raise_for_status()
    ai = r.json()

    iocs = verdict["indicators"]  # already extracted by the deterministic analyzer
    r = requests.post(f"{API}/v1/enrichment/lookup", headers=H, json={"indicators": iocs}, timeout=30)
    r.raise_for_status()
    enrichment = r.json()

    return {"verdict": verdict, "ai": ai, "enrichment": enrichment}
```
Hot path is 1 credit per email. Escalation lane costs ~1 + 10 + (N × 3) credits — only paid on the subset that needs it.
Step 01 · Ingest
Gateway quarantine, user-report mailbox, or transport rule BCC. Any source of raw .eml works — no vendor-specific connector required.

Step 02 · Hot path
POST /v1/phishing/analyze for every message. Deterministic, cheap, safe to run in-line with your own queue.

Step 03 · Threshold + escalate
Risk score above your threshold? Fan out to /v1/phishing/analyze/ai and /v1/enrichment/lookup. Everything else just gets logged.

Step 04 · BEC playbook
When your IdP flags anomalous sign-ins, call /v1/bec/forwarding-audit and /v1/bec/timeline for the affected mailbox. Attach both JSONs to the incident ticket.

Step 05 · Own the output
All responses are plain JSON — no UI to depend on. Index into Splunk, post to Slack, push to Jira, diff across days. Your pipeline, your rules.
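The five steps above, as an added example that is not the page's own snippet: a router that makes the properties the page attributes to the deterministic endpoint (cacheable, retry-safe) explicit, and that accounts credits per lane so the pricing arithmetic later on the page can be reproduced from a run. The response fields `risk_score` and `indicators`, the request body and the per-call credit prices come from the page; the ambiguous band (40 to 69), the escalation threshold (70), the retry policy and the fake transport's payloads are constructed assumptions so the block runs offline.

```python
import base64
import hashlib
import json
import time
import urllib.error
import urllib.request
from typing import Callable

API = "https://api.dfir-lab.ch"
# Credit prices per call as listed on the page; enrichment is priced per IOC.
CREDITS = {"/v1/phishing/analyze": 1, "/v1/phishing/analyze/ai": 10}
IOC_CREDITS = 3

Transport = Callable[[str, dict], dict]  # (path, JSON body) -> parsed JSON response


def http_transport(api_key: str, retries: int = 3) -> Transport:
    """Real transport.  Transport failures are retried with backoff, which is
    safe because the same bytes yield the same JSON; an HTTP error response
    is surfaced immediately so a bad request is never re-billed."""
    def post(path: str, body: dict) -> dict:
        req = urllib.request.Request(
            API + path, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json"})
        for attempt in range(retries):
            try:
                with urllib.request.urlopen(req, timeout=30) as resp:
                    return json.load(resp)
            except urllib.error.HTTPError:
                raise
            except (urllib.error.URLError, TimeoutError):
                if attempt == retries - 1:
                    raise
                time.sleep(2 ** attempt)
    return post


def fake_transport(path: str, body: dict) -> dict:
    """Constructed stand-in for the API so the example runs offline.
    Scores and indicators are made up to exercise all three lanes."""
    if path == "/v1/phishing/analyze":
        raw = base64.b64decode(body["raw_email"])
        if b"lookalike.example" in raw:
            return {"risk_score": 85, "indicators": ["lookalike.example", "198.51.100.7"]}
        if b"weekly-digest" in raw:
            return {"risk_score": 10, "indicators": []}
        return {"risk_score": 55, "indicators": ["shortener.example/abc"]}
    if path == "/v1/phishing/analyze/ai":
        return {"risk_score": 88, "explanation": "constructed", "recommended_action": "quarantine"}
    if path == "/v1/enrichment/lookup":
        return {"results": [{"indicator": i, "malicious": True} for i in body["indicators"]]}
    raise ValueError(path)


class Pipeline:
    """Hot path on every message; AI adjudication in the ambiguous band;
    AI plus full IOC enrichment at or above the escalation threshold."""

    def __init__(self, transport: Transport, ambiguous_from: int = 40, escalate_at: int = 70):
        self.post = transport
        self.ambiguous_from = ambiguous_from
        self.escalate_at = escalate_at
        self.cache = {}    # sha256(raw .eml) -> deterministic verdict
        self.credits = 0   # running spend, for the pricing estimate
        self.calls = []    # paths actually sent over the wire

    def _call(self, path: str, body: dict, units: int = 1) -> dict:
        self.calls.append(path)
        self.credits += CREDITS.get(path, IOC_CREDITS * units)
        return self.post(path, body)

    def triage(self, raw_eml: bytes) -> dict:
        key = hashlib.sha256(raw_eml).hexdigest()
        if key not in self.cache:  # same bytes, same JSON: never re-spend the credit
            self.cache[key] = self._call(
                "/v1/phishing/analyze", {"raw_email": base64.b64encode(raw_eml).decode()})
        verdict = self.cache[key]
        score = verdict["risk_score"]
        result = {"lane": "hot", "verdict": verdict, "cache_key": key}
        if score < self.ambiguous_from:
            return result  # log and move on
        result["lane"] = "ambiguous"
        result["ai"] = self._call(
            "/v1/phishing/analyze/ai", {"raw_email": base64.b64encode(raw_eml).decode()})
        if score < self.escalate_at:
            return result
        result["lane"] = "escalate"
        iocs = verdict["indicators"]
        if iocs:
            result["enrichment"] = self._call("/v1/enrichment/lookup",
                                              {"indicators": iocs}, units=len(iocs))
        return result


if __name__ == "__main__":
    p = Pipeline(fake_transport)  # real use: Pipeline(http_transport(os.environ["DFIR_API_KEY"]))
    for sample in (b"Subject: weekly-digest\n\nhi", b"Subject: Invoice\n\nhttp://lookalike.example/pay"):
        out = p.triage(sample)
        print(out["lane"], "credits so far:", p.credits)
```

The cache key is the SHA-256 of the raw bytes, which is the cheapest way to express "same email in, same JSON out" in code: a user who reports the same message twice costs one credit, and a retried queue item never double-bills.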

04 · PRICING

Pricing that tracks your workload

A mid-size org (1k–10k mailboxes) with a real engineer owning the pipeline lands on Professional — the hot path is cheap and the escalation lane is the budget driver. Very small teams fit Starter. Large enterprises, MSSP-grade volume, or heavy BEC investigation caseloads should plan for Enterprise.
Recommended tier: Professional (2,500 credits / month), entry price $99/mo.
Scenario 01 · Small team — 200 emails/week hot path, 10% escalate
(200 × 4 × 1) + (20 × 4 × 10) + (100 × 4 × 3) = 800 + 800 + 1,200 = 2,800 credits/month
Fits Professional ($99/mo, 2,500 credits) plus a small 500-credit top-up ($35), or Starter + 3,000-credit top-ups if volume is bursty.

Scenario 02 · Mid-size org — 1,000 emails/week hot path, 15% escalate, 2 BEC cases/mo
(1,000 × 4 × 1) + (150 × 4 × 10) + (600 × 4 × 3) + (2 × (5 + 10)) = 4,000 + 6,000 + 7,200 + 30 = 17,230 credits/month
Exceeds Professional on credits. Either stack credit top-ups or move to Enterprise for unlimited usage and a committed SLA.

Scenario 03 · Small dev-team pilot — 50 emails/week all deterministic, no AI
50 × 4 × 1 = 200 credits/month
Fits Free ($0, 100 credits) for the first half of the month; Starter ($29/mo, 500 credits) covers the full month with room for ad-hoc IOC enrichment.
05 · GET STARTED

Three ways to evaluate

Pick the path that matches your stage. No sales call, no credit card required.

Create a free account (100 credits/mo)
Full API access, dashboard, and your own credits. Includes everything the free tier offers.

Try /phishing-check — no signup
Paste raw headers or upload an .eml in the browser. Same deterministic analyzer as /v1/phishing/analyze, rate-limited to 10 checks/hour — use it to validate verdict quality before wiring the API into your pipeline.

API reference
Full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.
06 · FAQ

Frequently asked

Q / 01
How is this different from the SOC phishing triage use case?
Same endpoints, different audience. The SOC page is written for the analyst using a finished pipeline. This page is for the engineer building and owning that pipeline — so it covers determinism, idempotency, BEC automation, and how the pieces compose into a larger email-security system.
Q / 02
Can I replace my gateway with this?
No — and you should not want to. Gateways do inline SMTP-layer blocking; the DFIR Platform is a post-delivery programmable layer. They are complementary. If anything, a good programmable layer lets you keep a cheaper gateway.
Q / 03
What does 'deterministic' actually mean here?
The /v1/phishing/analyze endpoint is rule-based: same raw email in, same JSON out. The risk score does not drift because a model retrained overnight. The AI endpoints are explicitly separate so you can cache, retry, and audit the deterministic layer with confidence.
Q / 04
Do the BEC endpoints require tenant admin access?
Yes — forwarding-rule and sign-in timeline data only exist inside your identity provider (M365, Google Workspace). You authorize access once under your tenant; the endpoints then expose the data in a normalized JSON shape consistent across IdPs.
Q / 05
Can I run this inside my SOAR (Tines, n8n, Cortex XSOAR, Splunk SOAR)?
Yes — every endpoint is HTTP + JSON with bearer auth. Any SOAR with a generic HTTP block works. Most teams wrap the hot-path + escalation pattern into a single sub-workflow and call it from their gateway and mailbox playbooks.
Q / 06
What about data residency?
SaaS defaults to EU processing. Enterprise customers with hard data-residency requirements can deploy on-premise; ask for an Enterprise quote.