A practical taxonomy of phishing indicators in 2026
Forty-seven concrete signals, ranked by independent predictive value across 12M scans.
Trustoby analyzes URLs, emails, and text using verifiable signals — DNS, TLS, RDAP, SPF/DKIM/DMARC, and language patterns — then shows you the exact evidence behind every score, with calibrated confidence. Never opinions. Only what we can prove.
Capabilities
Trustoby covers the channels attackers actually use — links, email, and copy — with evidence you can audit, not opinions you have to trust.
DNS resolution paths, RDAP registration age, TLS certificate chains, security headers, redirect chains, and phishing-pattern heuristics across hundreds of indicators.
Full SPF, DKIM, and DMARC posture inspection. We tell you whether a sender domain actually authenticates — and what an inbox should believe.
AI-generation likelihood, urgency manipulation, and social-engineering pattern recognition. Confidence is calibrated to the length and quality of the text.
Watch a domain or sender forever. Get notified the moment its posture changes — new certs, new MX, new SPF, suspicious redirects.
A single REST endpoint returns a score, a band, calibrated confidence, and the full evidence array. SDK-friendly. Idempotent. Cached.
Inline trust badges as you browse. One-click deep scan. Zero data leaves the device until you ask for a full analysis.
How it works
A deterministic pipeline. Cached where it can be. Re-verified where it must be.
Paste a URL, an email, or a block of text. Or pipe assets through the API and webhook stream.
We query DNS, RDAP, certificate transparency, sender authentication, and run language analyzers in parallel.
Each signal carries severity, weight, and confidence. We never average opinions — we accumulate facts.
You receive a 0–100 score, a band, calibrated confidence, and the full evidence array. Always auditable.
Principle
Black-box trust scores are how the last generation of safety tools lost credibility. We do the opposite: every contribution to a score is labeled, weighted, and visible. If we don't have enough signal, we say so, and we lower confidence accordingly.
Every evidence item links back to the raw query — DNS records, certs, headers, RDAP responses.
Confidence reflects evidence completeness, not model boldness. Thin signal → low confidence, always.
When signals disagree, we surface both sides instead of hiding them behind an average.
{
  "input": "https://account-secure-verify.com",
  "result": {
    "score": 23,
    "band": "critical",
    "confidence": 0.91
  },
  "evidence": [
    {
      "category": "registration",
      "severity": "critical",
      "label": "Domain age: 3 days",
      "confidence": 0.98
    },
    {
      "category": "tls",
      "severity": "warning",
      "label": "Cert issued <24h ago (Let's Encrypt)",
      "confidence": 0.94
    },
    {
      "category": "language",
      "severity": "critical",
      "label": "Brand impersonation phrase pattern",
      "confidence": 0.86
    }
  ]
}
Why Trustoby
If a score can ruin a customer's day or a quarter's pipeline, you need the evidence behind it.
No black-box scores. Every number traces back to evidence you can verify yourself.
Sub-second median latency. Cached intelligently. Built for inline use, not batch dashboards.
We don't retain analyzed content beyond what you configure. SOC 2 controls, regional data residency on request.
Multi-region. Idempotent endpoints. Webhook retries with backoff. No surprises at 3am.
Problems we solve
Four failure modes we keep seeing across security, support, and trust teams — and what Trustoby does about each.
Newly registered lookalike domains slip past filters in the first 24 hours when they're most dangerous.
LLM-generated outreach is indistinguishable from human writing at a glance, scaled to millions.
Customers lose trust the moment a fake support address reaches them — and you find out from Twitter.
Single-number 'safety' ratings without evidence are unfalsifiable and indefensible to a customer.
Industries
Trustoby is in production across regulated industries and high-volume consumer surfaces.
Protect customers from account-takeover lures and authenticate inbound vendor communications.
Surface seller-impersonation domains before they reach buyers; reduce dispute volume.
Verify sources and inbound tips. Score document chains and originating domains in seconds.
Catch financial-aid and tuition-scam domains targeting students at registration time.
Triage abuse reports faster with attached evidence — no manual whois lookups.
Defend donor trust from donation-page lookalikes during high-volume campaigns.
Use cases
Wire Trustoby into SOAR or your support inbox. Each suspicious URL gets a score, band, and evidence array attached automatically — no analyst toggling tabs.
Before adding a vendor, scan their domain, sender posture, and contact emails. Get a one-page evidence brief instead of a 'looks fine' Slack message.
Run drafts through the language analyzer to catch unintended urgency, coercion, or LLM-style phrasing before campaigns go out.
Watchlist your brand. Get a webhook the moment a lookalike domain is registered or a suspicious cert is issued.
How we compare
Integrations
Native integrations and a generic webhook for everything else.
Security & privacy
TLS 1.3 in transit, AES-256 at rest. Per-tenant key isolation on request.
SSO/SAML, scoped API keys, audit log of every key use and every scan.
Configurable retention. We never train models on customer data. Period.
SOC 2 Type II in progress. GDPR-ready DPAs. Regional residency available.
Pricing
Start free, upgrade only when you actually need more.
For individuals exploring trust signals.
For professionals and small teams.
For teams operating at scale.
Testimonials
"We cut phishing-triage time by 70% in the first month. Analysts stopped tabbing between five tools."
"The evidence array is what sold us. We can defend every action to a customer or a regulator."
"Calibrated confidence sounds boring until you've been burned by a 99% certain false positive."
Customer success
By piping inbound abuse reports through the Trustoby API and attaching the evidence array to every Jira ticket, Mercator's trust team eliminated manual whois and DNS checks, dropped median triage from 14 minutes to 4, and routed only high-confidence critical findings to senior analysts.
Resources
Working notes, technical deep-dives, and incident lessons we wish someone had handed us.
Forty-seven concrete signals, ranked by independent predictive value across 12M scans.
Confidence theatrics versus confidence that survives a postmortem — a working engineer's take.
Newly registered phishing domains now reach 50% of their victim count in under six hours.
FAQ
No. We never label things safe or unsafe — that's an opinion that ages badly. We surface evidence and a calibrated score so you (or your policy) can decide.
Confidence reflects the amount and quality of available evidence, not the model's enthusiasm. Thin or contradictory signals lower confidence; rich, consistent signals raise it.
Because every score ships with evidence, false positives are auditable — and far less expensive operationally. You see exactly which signals pushed the score and can reweight them per workspace.
No. We never train models on customer inputs. Retention is configurable down to zero; regional residency is available on Team plans.
Yes — 50 scans per month with full API access, no credit card required. Pro and Team plans add monitors, higher quotas, and SSO.
Median scan latency is under 400ms with warm caches; cold-path scans (new domains, new senders) typically complete in well under two seconds.
50 scans a month, free forever. API access included. Upgrade only when your evidence pipeline outgrows it.