Analyst workflows
How an analyst triages the threat feed, reviews classifications, works a case, and monitors the watchlist.
The day-to-day of an Unphish analyst, from the intake queue to a case ready for enforcement.
Video uploads in progress
Tutorial recordings are still uploading and transcoding, so the players below are placeholders for now. The outlines are final — videos will appear here automatically once processing completes.
The threat feed, end to end
5:10Open /dashboard/threat-feed, use the filters, and understand the Agent Review, Client Review, Watchlist, and Dismissed queues.
The classification run
4:30How the confidence score and label are produced, and the visual, NLP, domain, and evidence sub-scores behind them.
Overriding a classification
2:50Disagree with the model? Override with a reason — and see how that override becomes training feedback.
Working a case
5:40The case detail page — screenshots, DNS / WHOIS / RDAP / SSL / redirect / HTML evidence, and the timeline.
Notes, tags, and priority
3:00Typed notes (analyst / client / system), tagging, and how priority combines client policy, severity, and SLA risk.
Watchlist and resurrection
3:45Watch dormant or in-setup domains so a future change re-triggers triage instead of slipping past.
Sending a case for client approval
3:20When policy requires authorization — send to client review, set the reviewer scope, and resume on their decision.