Unphish v2 Docs

Analyst workflows

How an analyst triages the threat feed, reviews classifications, works a case, and monitors the watchlist.

The day-to-day of an Unphish analyst, from the intake queue to a case ready for enforcement.

Video uploads in progress

Tutorial recordings are still uploading and transcoding, so the players below are placeholders for now. The outlines are final — videos will appear here automatically once processing completes.

Upload in progress

The threat feed, end to end

5:10

Open /dashboard/threat-feed, use the filters, and understand the Agent Review, Client Review, Watchlist, and Dismissed queues.

Upload in progress

The classification run

4:30

How the confidence score and label are produced, and the visual, NLP, domain, and evidence sub-scores behind them.

Upload in progress

Overriding a classification

2:50

Disagree with the model? Override with a reason — and see how that override becomes training feedback.

Upload in progress

Working a case

5:40

The case detail page — screenshots, DNS / WHOIS / RDAP / SSL / redirect / HTML evidence, and the timeline.

Upload in progress

Notes, tags, and priority

3:00

Typed notes (analyst / client / system), tagging, and how priority combines client policy, severity, and SLA risk.

Upload in progress

Watchlist and resurrection

3:45

Watch dormant or in-setup domains so a future change re-triggers triage instead of slipping past.

Upload in progress

Sending a case for client approval

3:20

When policy requires authorization — send to client review, set the reviewer scope, and resume on their decision.

On this page