DFIRLab

Security research, threat intelligence, and free DFIR tools.


© 2026 DFIR Lab. All rights reserved.

PERSONA: SOC Analyst
CATEGORY: SOC Operations
ENDPOINTS: 4 used
UPDATED: April 2026
USE CASE · SOC ANALYST

Automated phishing triage for SOC teams

Tier 1 SOC analysts drown in user-reported phishing. DFIR Platform turns a 10-minute manual review into a 30-second API call — header parsing, SPF/DKIM/DMARC verdict, AI explanation, and multi-source enrichment of every extracted IOC, all in one workflow.
KEY TAKEAWAYS
  1. Reply to user-reported phish in seconds with a deterministic verdict your analysts can trust.
  2. Every IP, domain, and URL in the email is enriched against up to 11 threat intel sources in one call.
  3. Free tier covers a small team; Starter and Professional plans handle an MSSP-grade pipeline.
01 · CONTEXT

Phishing triage is a Tier 1 time sink

Most SOC teams see a flood of user-reported suspicious emails every week. Each one is read, the headers are inspected by hand, links and domains are copy-pasted into five different tabs (VirusTotal, AbuseIPDB, urlscan, whois, GSB), and the verdict is finally written into a ticket. It is mechanical, repetitive work — exactly the kind of work that burns out good analysts and keeps Tier 2 from the real investigations.
PAIN POINTS
  1. 10–15 minutes of manual steps per user-reported email, multiplied across 20–80 reports per day.
  2. Tabs open across VirusTotal, AbuseIPDB, urlscan, and internal tools — no consolidated verdict.
  3. SPF / DKIM / DMARC alignment checks done eyeball-first against raw headers.
  4. IOCs extracted by hand into the ticket, one at a time, rate-limited by free tiers that forbid commercial use.
02 · CAPABILITIES

The endpoints that solve it

DFIR Platform exposes the exact building blocks a SOC needs to automate user-reported phishing triage end-to-end. Drop the raw .eml into one endpoint, get a structured verdict; drop the IOCs into another, get multi-source reputation. The normalized response slots straight into your SOAR, n8n workflow, or custom ticket automation.

Phishing email analyzer

1 credit
POST /v1/phishing/analyze

Parses raw .eml or RFC 822 headers. Returns SPF/DKIM/DMARC alignment, authentication results, extracted IOCs (URLs, domains, IPs, hashes, sender), and a deterministic risk score. Safe default for high-volume auto-triage.

AI-assisted phishing verdict

10 credits
POST /v1/phishing/analyze/ai

Takes the same email and adds a Claude-generated explanation: why it looks legitimate or malicious, which indicator is most suspicious, and a recommended action. Use on the subset of emails where a human analyst would want the rationale in plain English.

Batch IOC enrichment

3 credits / IOC
POST /v1/enrichment/lookup

Accepts an indicators[] array of IPs, domains, URLs, and hashes extracted from the email. Each indicator returns a normalized verdict aggregated across up to 11 integrated sources (VirusTotal, AbuseIPDB, GreyNoise, Shodan, urlscan, OTX, Pulsedive, and more).

AI triage summary

10 credits
POST /v1/ai/triage

Optional final step: feed the combined email + enrichment JSON into the triage endpoint to get a single-paragraph handoff summary that slots directly into the ticket's first analyst comment.

03 · WORKFLOW

The canonical SOC workflow

A typical automation triggers on a user-reported phishing mailbox, streams the .eml into the analyze endpoint, fans out the extracted IOCs into the enrichment endpoint, and writes the combined verdict back to the ticket. Below is the minimal shape in curl — swap in your SOAR's HTTP block and the logic is identical.
$ dfir-lab run soc-phishing-triage
# 1. Analyze the raw email (deterministic — 1 credit)
#    base64 output is stripped of newlines so the encoded .eml stays a single
#    JSON string (GNU base64 wraps at 76 columns; "base64 -i" is macOS-only)
curl https://api.dfir-lab.ch/v1/phishing/analyze \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"raw_email": "'"$(base64 < suspicious.eml | tr -d '\n')"'"}'

# Response includes: auth_results, indicators[], risk_score, summary

# 2. Enrich every indicator extracted above (3 credits each)
curl https://api.dfir-lab.ch/v1/enrichment/lookup \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "indicators": [
      { "type": "url",    "value": "https://phish.example/login" },
      { "type": "ip",     "value": "45.155.205.x" },
      { "type": "domain", "value": "paypa1-secure.tld" }
    ]
  }'

# 3. (Optional) Ask the AI triage endpoint for a one-paragraph
#    handoff summary to paste straight into the ticket.
Three calls, ~30 seconds of latency, one normalized response per IOC.
  1. Trigger
     User forwards suspicious email to phishing@yourdomain — your mailbox ingestor (n8n / Logic Apps / a Python cron) picks it up within seconds.

  2. Analyze
     POST the raw .eml to /v1/phishing/analyze — you get auth_results, extracted indicators, and a risk_score back.

  3. Enrich
     Fan the indicators[] array into /v1/enrichment/lookup. Multi-source verdict per IOC, one response, one ticket comment.

  4. (Optional) AI rationale
     For the borderline subset, add /v1/phishing/analyze/ai — a human-readable explanation the analyst can paste into the close-out note.

  5. Ticket + respond
     Write verdict back to the ticket; auto-reply to the reporter with the resolution. Tier 1 only opens the ticket when risk_score crosses your threshold.
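The five steps above, wired together as one script. This is an added example and not DFIR Platform's own client code: it takes the raw .eml bytes, base64-encodes them for the raw_email field, calls the analyze endpoint, de-duplicates and fans the returned indicators[] into the enrichment endpoint (skipping the call when nothing was extracted), and applies the risk_score threshold that decides whether Tier 1 opens a ticket. The field names auth_results, indicators[], risk_score, summary and verdict come from this page; the exact nesting of the responses, the "results" key in the enrichment reply and the function names are assumptions to check against the API docs. The HTTP layer is injectable, so the block runs offline against constructed canned responses while live_transport shows the real POST with the bearer header from the curl examples.

```python
"""Added example (not DFIR Platform's own code): the analyze -> enrich -> ticket
pipeline from this page, with an injectable transport so it runs offline.
Response shapes below are assumed from the field names the page mentions."""
import base64
import json
import urllib.request
from typing import Callable, List

API_BASE = "https://api.dfir-lab.ch"  # base URL from the page's curl examples

# A transport takes (path, json_payload) and returns the parsed JSON response.
Transport = Callable[[str, dict], dict]


def live_transport(api_key: str) -> Transport:
    """Real HTTP POST with the Authorization: Bearer header used in the curl calls."""
    def post(path: str, payload: dict) -> dict:
        req = urllib.request.Request(
            API_BASE + path,
            data=json.dumps(payload).encode("utf-8"),
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def encode_eml(raw_eml: bytes) -> str:
    """base64 the raw RFC 822 message without line wrapping, as raw_email expects."""
    return base64.b64encode(raw_eml).decode("ascii")


def dedupe_indicators(indicators: List[dict]) -> List[dict]:
    """Collapse repeated (type, value) pairs so each IOC is enriched (and billed) once."""
    seen = set()
    unique = []
    for ioc in indicators:
        key = (ioc["type"], ioc["value"].lower())
        if key not in seen:
            seen.add(key)
            unique.append({"type": ioc["type"], "value": ioc["value"]})
    return unique


def triage(post: Transport, raw_eml: bytes, risk_threshold: int = 70) -> dict:
    """Steps 2, 3 and 5 of the workflow: analyze, enrich, decide on the ticket."""
    analysis = post("/v1/phishing/analyze", {"raw_email": encode_eml(raw_eml)})
    iocs = dedupe_indicators(analysis.get("indicators", []))
    # Skip the enrichment call entirely when the parser extracted nothing.
    results = post("/v1/enrichment/lookup", {"indicators": iocs})["results"] if iocs else []
    malicious = [r["value"] for r in results if r.get("verdict") == "malicious"]
    open_ticket = analysis["risk_score"] >= risk_threshold or bool(malicious)
    auth = analysis["auth_results"]
    comment = (f"risk_score={analysis['risk_score']} "
               f"spf={auth.get('spf')} dkim={auth.get('dkim')} dmarc={auth.get('dmarc')}; "
               f"{len(malicious)} of {len(iocs)} IOCs malicious")
    return {"risk_score": analysis["risk_score"], "open_ticket": open_ticket,
            "malicious_iocs": malicious, "ticket_comment": comment}


# ---- constructed sample data standing in for the live API (not real responses) ----
SAMPLE_EML = b"""From: "Account Team" <alerts@paypa1-secure.tld>
To: user@yourdomain
Subject: Action required
Authentication-Results: mx.yourdomain; spf=fail dkim=none dmarc=fail

Please sign in at https://phish.example/login to keep your account active.
"""

CANNED = {
    "/v1/phishing/analyze": {
        "auth_results": {"spf": "fail", "dkim": "none", "dmarc": "fail"},
        "indicators": [
            {"type": "url", "value": "https://phish.example/login"},
            {"type": "domain", "value": "paypa1-secure.tld"},
            {"type": "domain", "value": "PAYPA1-SECURE.TLD"},  # same IOC, different case
        ],
        "risk_score": 85,
        "summary": "Sender fails SPF/DMARC; body links to a lookalike login page.",
    },
    "/v1/enrichment/lookup": {
        "results": [
            {"type": "url", "value": "https://phish.example/login", "verdict": "malicious"},
            {"type": "domain", "value": "paypa1-secure.tld", "verdict": "suspicious"},
        ]
    },
}

CALLS: List[dict] = []  # records what the offline transport was asked to send


def offline_transport(path: str, payload: dict) -> dict:
    """Returns the canned response for a path and logs the request for inspection."""
    CALLS.append({"path": path, "payload": payload})
    return CANNED[path]


def run_sample() -> dict:
    CALLS.clear()
    return triage(offline_transport, SAMPLE_EML)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Swap offline_transport for live_transport(os.environ["DFIR_API_KEY"]) to run against the API; the same triage function then drives a real mailbox ingestor. Keeping the threshold and the "any malicious verdict" rule in one place makes the ticket-opening decision auditable, and the de-duplication step avoids paying 3 credits twice for an IOC the parser reported in two spellings.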

04 · PRICING

Pricing that tracks your workload

A small SOC handling 10–20 user-reports a week fits comfortably in Starter. Larger shops with 50+ reports per week or heavy AI rationale usage should expect to scale to Professional. The free tier is enough for evaluation and occasional manual triage.
Recommended tier
Starter
500 credits / month
Entry price
$29/mo
  1. Small team — 15 reports/week, base analyze only
     15 × 4 × 1 credit = 60 credits + ~30 IOCs/wk × 4 × 3 = 360 credits → ~420 credits/month
     Free (100 credits) is enough to evaluate the verdict quality; Starter ($29, 500 credits) is the right tier for the actual monthly workload.

  2. Mid-size SOC — 20 reports/week, half enriched with AI
     (20 × 4 × 1) + (10 × 4 × 10) + (80 × 4 × 3) = 80 + 400 + 960 = 1,440 credits/month
     Fits Professional ($99, 2,500 credits) comfortably, with room for exposure scans and threat-actor profiling.

  3. Busy MSSP pipeline — 80 reports/week, all AI-analyzed
     80 × 4 × 10 + (240 × 4 × 3) = 3,200 + 2,880 = 6,080 credits/month
     Professional (2,500) + a 5,000-credit top-up, or Enterprise for unlimited usage.
05 · GET STARTED

Three ways to evaluate

Pick the path that matches your stage. No sales call, no credit card required.

Create a free account (100 credits/mo)

Full API access, dashboard, and your own credits. Includes everything the free tier offers.


Try /phishing-check — no signup

Paste raw headers or upload an .eml in the browser. Same analyzer under the hood, rate-limited to 10 checks/hour — useful for evaluating the verdict quality before wiring the API into your SOAR.


API reference

Full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.

06 · FAQ

Frequently asked

Q / 01
Does this replace my SEG (Secure Email Gateway)?
No — DFIR Platform sits downstream of the gateway. Your SEG still does inline blocking; the platform handles the post-delivery triage of the user-reported emails the SEG's AI scored as 'likely phish but not blocked'. The two are complementary.
Q / 02
What format does /v1/phishing/analyze expect?
Raw RFC 822 — either pasted as text in the raw_email field or base64-encoded from an .eml file. No attachments are required; the endpoint only inspects headers and the body. Attachments are hashed and the hashes surface in the indicators[] array for separate analysis via the file endpoints.
Q / 03
How fast is the API in practice?
The base /v1/phishing/analyze call returns in well under a second. The /v1/enrichment/lookup endpoint fans out to up to 11 sources per IOC and completes within ~5 seconds on typical workloads. For a 5-IOC email, end-to-end triage settles around 6–8 seconds.
Q / 04
Can I self-host or run this on-prem?
Self-serve tiers are SaaS only. On-premise deployment is available on the Enterprise plan — get in touch if you have an air-gap or data-residency requirement.
Q / 05
Is there an n8n or Tines node?
Both are HTTP-first — any SOAR or automation platform with a generic HTTP block works. n8n and Tines users typically wrap the three calls in a single sub-workflow / subflow and reuse it across multiple triage playbooks. See the separate n8n use case for a step-by-step.
Q / 06
What about PII — are the .eml bodies stored?
Analyzed emails are processed in-memory for the duration of the request. By default, only the derived artifacts (verdict, indicator list, summary) are persisted under your org for audit / history. Full raw-email retention is an opt-in setting on paid plans.
RELATED · INDEX

Other teams solving adjacent problems

  1. Email Security Automation via API (Email Security Engineer)
  2. Security Automation with n8n (SecOps Automation)
  3. IOC Enrichment for Incident Response (IR Consultant)
Ready when you are

Stop triaging by hand.

Create a free account — 100 credits per month, no credit card. Or keep browsing to find the use case that matches your workflow.
