Direct answer
Why use URLScan-style data? It gives defenders screenshots, redirects and page structure that help verify and cluster phishing beyond a raw URL.
Evidence value
A URL without context is weak. A scan with screenshot, HTML, redirect chain, timing, source, page title and hashes is stronger evidence and better clustering material.
Correlation value
Repeated DOM structure, JS filenames, favicons, captcha keys, page titles and redirectors can connect different domains to the same kit or campaign.
Safe publication
Public pages should show redacted examples and high-level patterns. Full IOCs and evidence links stay in authenticated datasets and exports.
How PhishNet uses this
Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.
Selected sources and research
These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.
Common questions
Why use URLScan-style data?
It gives defenders screenshots, redirects and page structure that help verify and cluster phishing beyond a raw URL.
Can public scan data be noisy?
Yes. It must be filtered, deduplicated, scored and connected to source quality and evidence readiness.