WatchPhish
A phishing intelligence and simulation platform that aggregates live threat feeds, enriches domain data, and delivers interactive phishing awareness training.
React, TypeScript, Node.js, Express, PostgreSQL, Drizzle ORM, Tailwind CSS, VirusTotal API
Problem
Security teams and awareness trainers need a unified view of live phishing threats alongside hands-on simulation tools. Manually aggregating data from disparate threat feeds—while also running awareness exercises—is fragmented and slow.
Approach
WatchPhish combines a live threat intelligence dashboard with an attack simulation library in a single full-stack application. It:
- Ingests phishing URLs from OpenPhish, URLhaus, PhishTank, and ThreatFox in real time.
- Enriches each indicator with VirusTotal detection scores and RDAP domain-age analysis to surface newly registered phishing domains.
- Supports sector-based filtering across Finance, Tech, Government, and Healthcare with a real-time distribution chart.
- Monitors brand impersonation by scanning Certificate Transparency logs (crt.sh) for typosquatting and lookalike domains—with a watchlist for up to 10 brands.
- Provides eight interactive phishing simulation scenarios (Microsoft Login Phish, PayPal Email, Browser-in-the-Browser, SMS Scam, and more) for security awareness training.
Stack
- Frontend: React 19, Vite, TypeScript, Tailwind CSS v4
- UI: Radix UI, Framer Motion, Recharts
- Backend: Express 5, Node.js, TypeScript
- Database: PostgreSQL + Drizzle ORM
What I Learned
- Multi-feed aggregation: Normalising inconsistent schemas across four threat intelligence APIs into a single unified model.
- Domain enrichment pipeline: Combining VirusTotal detection ratios with RDAP registration dates to score newly registered phishing domains.
- CT log monitoring: Leveraging certificate transparency feeds to catch brand impersonation before domains go live in threat feeds.
- Simulation UX: Building convincing but safe phishing replicas that teach recognition cues without real risk.
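
The scoring step from the "Domain enrichment pipeline" item, as an added example that is not WatchPhish's own code. The RDAP `events` and VirusTotal `last_analysis_stats` field names follow those APIs; the 70/30 weights, the 30-day window, and every function name are assumptions.

```typescript
// Added example. Weights and the "new domain" window are assumptions.
interface RdapEvent { eventAction: string; eventDate: string }
interface RdapDomain { events?: RdapEvent[] }           // subset of an RDAP domain object (RFC 9083)
interface VtStats {                                      // subset of VirusTotal v3 last_analysis_stats
  malicious: number; suspicious: number; harmless: number; undetected: number;
}

const NEW_DOMAIN_DAYS = 30;   // assumed cutoff for "newly registered"
const MS_PER_DAY = 86400000;

// Age in whole days from the RDAP "registration" event; null if absent or unparseable.
function domainAgeDays(rdap: RdapDomain, now: Date): number | null {
  const reg = rdap.events?.find((e) => e.eventAction === "registration");
  if (!reg) return null;
  const t = Date.parse(reg.eventDate);
  if (Number.isNaN(t)) return null;
  return Math.max(0, Math.floor((now.getTime() - t) / MS_PER_DAY));
}

// Share of counted engines that flagged the indicator.
function detectionRatio(s: VtStats): number {
  const total = s.malicious + s.suspicious + s.harmless + s.undetected;
  return total === 0 ? 0 : (s.malicious + s.suspicious) / total;
}

// 0-100 score: 70% detection ratio, 30% recency (linear decay over the window).
// Missing RDAP data (redacted or unsupported TLD) gets half the recency weight
// rather than being silently treated as an old domain.
function riskScore(rdap: RdapDomain, stats: VtStats, now: Date): number {
  const age = domainAgeDays(rdap, now);
  const recency = age === null ? 0.5 : Math.max(0, 1 - age / NEW_DOMAIN_DAYS);
  return Math.round(100 * (0.7 * detectionRatio(stats) + 0.3 * recency));
}

// Constructed sample data (not real indicators).
const NOW = new Date("2025-01-31T00:00:00Z");
const freshRdap: RdapDomain = { events: [{ eventAction: "registration", eventDate: "2025-01-28T00:00:00Z" }] };
const oldRdap: RdapDomain = { events: [{ eventAction: "registration", eventDate: "2015-06-01T00:00:00Z" }] };
const flagged: VtStats = { malicious: 12, suspicious: 3, harmless: 40, undetected: 35 };
const clean: VtStats = { malicious: 0, suspicious: 0, harmless: 60, undetected: 30 };

// Fresh + flagged, fresh + not yet detected, old + clean, no RDAP data + clean.
const sampleScores: number[] = [
  riskScore(freshRdap, flagged, NOW), riskScore(freshRdap, clean, NOW),
  riskScore(oldRdap, clean, NOW), riskScore({}, clean, NOW),
];
```

A three-day-old domain with no detections still scores above an old clean one, which is the case where registration age adds signal before scanners catch up.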