Home

phishuntvsPhishTank

Community-curated phishing URL database operated by Cisco Talos.

PhishTank is a community-driven phishing URL database where submissions are verified by user votes before being published. It is run by Cisco Talos as a free public resource. phishunt overlaps in scope (free phishing URL feed) but the detection model and enrichment depth are quite different.

PhishTank strengths

  • Community verification: humans vote each submission as phish or not-phish before publication, reducing false positives at the cost of latency.
  • Backed by Cisco Talos — institutional continuity and a long historical archive.
  • API access free with registration.

phishunt strengths

  • Detection in minutes, not hours. phishunt's pipeline runs every hour and lists new sites as they pass scoring, without waiting for community votes.
  • Per-URL enrichment bundled in the feed: IP, ASN, hosting org, GeoIP country, TLS certificate issuer, plus cross-source flags (GSB / OpenPhish / PhishTank / urlscan.io / TweetFeed).
  • Per-URL screenshots retained 90 days — useful for retrospective review when the original site is down or has rotated.
  • Brand attribution with dedicated /suspicious/<brand>/ pages for 56+ tracked brands.
  • No registration or API key required. CC0 1.0 license on all data outputs.

Side by side

Dimension PhishTank phishunt
Free tier Yes (registration required) Yes — unlimited reads, no registration
Verification model Community voting (delayed) Automated scoring + cross-source flags
Detection latency Hours to days Minutes to one hour
Per-URL enrichment Minimal IP, ASN, org, country, TLS cert, brand
Screenshots No Yes (90-day retention)
MCP server / Agent Skills No Yes — mcp.phishunt.io, 6 tools
License Custom (free to use, attribution) CC0 1.0 Universal

When to use each

Use PhishTank when: you need community-verified URLs (lower false-positive rate at the cost of detection latency) or want Cisco Talos institutional backing.
Use phishunt when: you need detection speed (hourly pipeline), bundled enrichment (IP/ASN/cert/brand), screenshots, or an agent-ready feed without registration.
Use both when: building a multi-source feed pipeline. The PhishTank flag is already present in every phishunt row, so you can use phishunt as the primary feed and PhishTank as a second-opinion signal.

Frequently asked questions

Is phishunt a PhishTank alternative?

phishunt and PhishTank serve overlapping use cases but with different trade-offs: PhishTank's community-verified model has lower false-positive rates but higher detection latency; phishunt's automated pipeline detects faster but lists are pre-verification. Most teams benefit from running both.

Does phishunt include PhishTank data?

Every phishunt row includes a malicious_phishtank flag that is true when PhishTank has independently listed the URL. The flag acts as a confirmation signal — it does not mean PhishTank is the original source.

Which is more accurate, phishunt or PhishTank?

Different accuracy profiles. PhishTank has lower false-positive rates (community verification) but misses fresh phishing during the verification window. phishunt has higher false-positive risk on individual rows but cross-references five sources (GSB, OpenPhish, PhishTank, urlscan.io, TweetFeed) so multi-source-flagged rows are very high confidence. Use multi-flag filters on phishunt and you approach PhishTank's accuracy with much lower latency.

Try the phishunt feed API documentation