Phishing Analysis Engine

Ephemeral Sentinel

Explainable phishing analysis for every email your users report. Automated. Deterministic. No analyst required.

Example phishing email as it appears in Outlook before being reported

Most phishing reports disappear.

Organizations invest in phishing reporting tools. Users are encouraged to click Report Phish when they receive something suspicious. Dedicated mailboxes get set up. Training materials remind employees why reporting matters.

Then the reports pile up. Security teams don't have time to review every forwarded email. Users hear nothing back. After a few experiences with silence, they stop reporting entirely.

The feedback loop breaks. Security awareness degrades. Threats go unexamined.

  • Reports go unread: Reporting mailboxes fill with no one reviewing them
  • No feedback to users: Users never hear if their report mattered
  • Reporting drops off: Users stop reporting after repeated silence
  • Threats go undetected: Active campaigns spread before teams notice

Every report gets a response.

Ephemeral Sentinel automatically analyzes reported phishing emails the moment they arrive. No analyst required. No waiting. No silence.

  • Deterministic Analysis: Headers, authentication signals, domain characteristics, phishing language, URLs, and attachments — all inspected using deterministic rules.
  • Structured Reports: Each analysis produces a clear report explaining detected signals, attack technique, risk score, and recommended action.
  • Instant Delivery: Reports are returned to the reporting user and optionally copied to the security team — within seconds of report receipt.
  • Privacy-First Design: Email content is processed ephemerally in memory. Nothing is retained, and no content leaves your environment.
  • No Inline Risk: Sentinel does not sit in the mail flow path. No MX changes required. No inbound ports. No delivery risk.
  • No AI Required: Analysis is fully rule-based and deterministic. Results are consistent, auditable, and explainable without AI dependencies.

Simple integration with infrastructure you already have.

Sentinel connects to the reporting mailbox your Report Phish button already forwards to. Nothing else changes.

  1. User clicks Report Phish: Available in Outlook, Gmail, or any email client with a phishing report button.
  2. Email forwarded as .eml attachment: The original message arrives in your designated reporting mailbox.
  3. Sentinel polls mailbox via IMAP: Outbound-only connection. No inbound ports required on your end.
  4. Deterministic analysis performed: Headers, auth signals, domains, language, URLs, and attachments inspected.
  5. Structured report generated: Risk score, detected signals, attack narrative, and recommended action.
  6. Report returned to user and security team: Users receive a plain-language explanation. Security teams get the technical detail.

[Figure: Ephemeral Sentinel architecture diagram showing email flow from Report Phish button through analysis engine to report delivery]

Built for the teams responsible for security outcomes.

Ephemeral Sentinel serves two primary audiences with different goals but the same need: automated, explainable phishing analysis.

Managed Service Providers

Automate triage for every client.

Deploy Sentinel inside each client environment. Every reported email receives automated analysis. Your analysts focus on real threats, not manual triage.

  • Reduce analyst workload across your client base
  • Deliver immediate feedback to end users
  • Lightweight container — minimal infrastructure footprint
  • No cross-client data contamination
Organizations & Businesses

Give employees answers when they report.

Every phishing report becomes a learning moment. Employees receive plain-language explanations. Security teams receive structured triage automatically.

  • Immediate feedback to reporting employees
  • Reinforce security awareness training naturally
  • Security team receives structured triage reports
  • Surface active campaigns before they spread

Built to run quietly and safely inside your environment.

Every architectural decision in Ephemeral Sentinel was made to minimize operational risk, attack surface, and data exposure.

  • No Inbound Ports: Sentinel polls outbound. Nothing reaches into your environment.
  • IMAP Polling: Outbound-only connectivity. Compatible with strict firewall policies.
  • Ephemeral Processing: Email content processed in memory. Never written to disk or retained.
  • No External APIs: Analysis is fully local. No email content leaves your environment.
  • No AI Dependencies: Deterministic rule-based analysis. Consistent and auditable results.

What users receive after reporting.

Every analysis returns a structured report explaining what was found, in plain language that doesn't require a security background to understand.

RE: Your McAfee subscription has been renewed — Reference #7741902 [Malicious]

  • SPF FAIL: Sending IP not authorized by domain
  • DKIM NEUTRAL: No valid signature present
  • DMARC FAIL: Message does not conform to policy

  • Domain registered 72 hours ago
  • High-abuse TLD (.top)
  • Machine-generated domain pattern
  • Phishing language — urgency & financial trigger
  • Reply-To mismatch

This is a callback phishing attempt. The sender impersonates a known software vendor and presents a fabricated renewal charge designed to create urgency. The recipient is instructed to call a fraudulent support number to extract financial information or remote access credentials.

Do not call the number or interact with any links in the message. Mark as phishing and delete. If you received this on a corporate device, notify your security team.
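As an added illustration (not Ephemeral Sentinel's own code), the sketch below shows how fixed rules can derive some of the header signals in the sample report from a reported message attached to a user's report. It assumes the attachment arrives as a `message/rfc822` part; the trusted `authserv-id`, the TLD list, the weights, and the sample domains are hypothetical. Domain-age and language checks are left out because they need data beyond the headers.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of your own receiving MTA
HIGH_ABUSE_TLDS = {"top"}            # assumption: illustrative, taken from the sample report
WEIGHTS = {"spf_fail": 20, "dmarc_fail": 25, "dkim_not_pass": 10,
           "high_abuse_tld": 15, "reply_to_mismatch": 20}  # hypothetical weights

def extract_original(raw_report: bytes):
    """Return the reported message attached to the user's report, or None."""
    report = message_from_bytes(raw_report, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()

def domain_of(value) -> str:
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def analyze(msg):
    """Fixed rules only: identical input always yields identical signals and score."""
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(hdr).partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:  # skip sender-forgeable copies
            auth.update((k.lower(), v.lower()) for k, v in
                        re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I))
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    checks = {
        "spf_fail": auth.get("spf") == "fail",
        "dmarc_fail": auth.get("dmarc") == "fail",
        "dkim_not_pass": auth.get("dkim", "pass") != "pass",
        "high_abuse_tld": from_dom.rpartition(".")[2] in HIGH_ABUSE_TLDS,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }
    signals = sorted(name for name, hit in checks.items() if hit)
    return signals, min(100, sum(WEIGHTS[s] for s in signals))

def build_sample_report() -> bytes:
    """Constructed sample: a user report carrying the suspicious message as an attachment."""
    orig = EmailMessage()
    orig["From"] = "Billing <billing@xk3v9q-renewals.top>"
    orig["Reply-To"] = "support@mail-helpdesk.example"
    orig["Authentication-Results"] = "mx.example.org; spf=fail; dkim=neutral; dmarc=fail"
    orig["Authentication-Results"] = "forged.invalid; spf=pass; dkim=pass; dmarc=pass"
    orig.set_content("Your subscription has been renewed. Call to cancel.")
    report = EmailMessage()
    report.add_attachment(orig)
    return report.as_bytes()
```

The second `Authentication-Results` header in the sample stands in for one injected by the sender; only results stamped by the trusted receiving server are scored, so a forged "pass" cannot lower the result.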

Built by a practitioner, for operational environments.

Ephemeral Sentinel was created by a security and infrastructure practitioner with decades of experience in operational environments — environments where phishing reports accumulate in unattended mailboxes, analysts are stretched too thin for manual triage, and the feedback loop between reporting users and security teams never closes.

The tool exists because the problem is structural, not motivational. Organizations don't fail to respond to phishing reports because they don't care — they fail because manual review at scale doesn't work. Sentinel was designed to remove that constraint.

It was built to be the kind of tool a practitioner would actually want deployed: no external dependencies, no data retention, no inline risk, no AI black box. Deterministic analysis, delivered automatically, to the people who need it.

Ready to close the loop?

Review the architecture to understand how Sentinel fits your environment, or explore the example report to see what your users would receive.

Ephemeral Sentinel is available for pilot deployments with MSPs and organizations that want to improve phishing reporting workflows.
