Home

phishuntvsOpenPhish

Long-standing free phishing-URL feed with paid premium tiers.

OpenPhish was one of the first publicly available phishing feeds and remains a baseline source many SOCs ingest by default. phishunt is newer, smaller, and optimised for a different angle: per-URL enrichment, brand attribution, and agent-ready integrations.

OpenPhish strengths

  • Long track record (operational since 2014), broad source ingestion.
  • Paid Premium tier offers higher-volume API access and historical data.
  • Established integrations across enterprise SOAR / SIEM platforms.

phishunt strengths

  • Per-URL enrichment included in the free feed: IP, ASN, hosting org, GeoIP country, TLS certificate issuer, plus flags from Google Safe Browsing, OpenPhish, PhishTank, urlscan.io and TweetFeed in one row.
  • Brand attribution — every detection is tagged with the targeted brand slug, with dedicated /suspicious/<brand>/ pages for the 56+ tracked brands.
  • Per-URL screenshots taken at first sight, retained 90 days. Useful for retrospective review without re-fetching potentially-down sites.
  • CC0 1.0 license on every data output (TXT/JSON/CSV/RSS feeds, REST API, MCP server). No registration, no API key, no rate limit on read endpoints.
  • MCP server at mcp.phishunt.io for AI-agent integrations (Claude Desktop, Cursor, etc.).

Side by side

Dimension OpenPhish phishunt
Free tier Yes (with rate limits) Yes — unlimited reads, no API key
Paid tier Premium (volume + history) None — side project, CC0
Per-URL enrichment Brand only IP, ASN, org, country, TLS cert, brand
Screenshots No Yes (90-day retention)
Brand landing pages No 56+ brands, dedicated /suspicious/<brand>/ pages
TLS-intermediate pages No Per-intermediate threat profile (/cert/<X>/)
MCP server / Agent Skills No Yes — mcp.phishunt.io, 6 tools
License Proprietary CC0 1.0 Universal

When to use each

Use OpenPhish when: you need a feed with a long historical track record, paid premium SLAs, or established enterprise SOAR integrations.
Use phishunt when: you want enrichment fields (IP/ASN/cert/brand) bundled with the URL, free without registration, with per-URL screenshots and agent-ready endpoints.
Use both when: you are building a defence-in-depth feed pipeline — ingest both, dedupe by URL, gain coverage that neither alone provides. The OpenPhish flag is already present in every phishunt row.

Frequently asked questions

Is phishunt an OpenPhish alternative?

phishunt covers some of the same use cases (free phishing URL feed) but the angle is different: phishunt adds per-URL enrichment, brand attribution, screenshots and agent-ready endpoints; OpenPhish has a longer track record and paid premium tiers. Most SOCs benefit from running both — the OpenPhish flag is already in every phishunt row.

Does phishunt include OpenPhish data?

Every phishunt row includes a malicious_openphish flag that is true when OpenPhish has independently listed the URL. The two feeds are not the same source — phishunt has its own ingestion pipeline (Certificate Transparency + recently-registered-domain scoring + cross-checks). The OpenPhish flag is a confirmation signal, not the primary detection.

How is phishunt's coverage compared to OpenPhish?

Different angle, not strictly more or less. OpenPhish is a baseline aggregator; phishunt biases toward freshly-detected suspicious sites with full enrichment. The Venn diagram of URL coverage is partial overlap, not subset.

Try the phishunt feed API documentation