Integration guide

PhishNet STIX and TAXII schema

STIX/TAXII consumers need predictable object semantics, versioning and confidence fields when phishing intelligence enters SIEM, SOAR or sharing workflows.

Direct answer

Does PhishNet support STIX? The product model supports STIX-style export bundles and TAXII-ready integration patterns.

Research framing

Schema quality is a buyer trust signal. A feed that cannot explain its object model creates more work for analysts.

Attack mechanism

PhishNet maps observables, indicators, reports, relationships, sightings, campaigns, malware/tooling references and evidence links while preserving source and confidence metadata.

Evidence and source model

Evidence fields include provenance, first/last seen, freshness, liveness, capture refs, source tier, confirmation state and Belgian relevance reason.

Belgian and European relevance

Country-specific fields allow Belgian and Benelux consumers to preserve local context inside global standards.

How PhishNet operationalizes this

PhishNet keeps schema docs public and examples redacted, while authenticated customers receive operational export samples.

Analyst implications

The operational question is not whether an isolated row looks interesting. The question is whether the signal is fresh, provenance-rich, corroborated, evidence-ready and connected to brands, sectors, infrastructure, kits, mule routes or public-warning context. PhishNet therefore presents confirmed, corroborated suspicious, review-candidate and context-only states separately.

Limits and uncertainty

Not every downstream platform supports every field; integrations should prefer explicit custom properties over losing uncertainty.

Research takeaway

Phishing intelligence becomes valuable when repeated structure appears: the same brand on new infrastructure, the same kit across domains, the same phone or IBAN route after takedowns, the same ad/search pathway, or the same evidence pattern in multiple independent source families.

How PhishNet uses this

Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.

Selected sources and research

These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.

Common questions

Does PhishNet support STIX?

The product model supports STIX-style export bundles and TAXII-ready integration patterns.

Why keep confirmation state in STIX?

Because a review candidate should not be consumed like a confirmed malicious indicator.
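An added consumer-side example (not PhishNet code) for this answer and the "Limits and uncertainty" guidance: it routes STIX 2.1 indicators by confirmation state and never promotes a missing or unknown state to blocking. The property name `x_example_confirmation_state`, its state values and the confidence threshold are assumptions; `confidence` and `revoked` are standard STIX 2.1 properties.

```python
import json

# Hypothetical custom property and state values: the page does not publish
# PhishNet's actual field names, so these are assumptions for illustration.
STATE_PROP = "x_example_confirmation_state"
ACTIONS = {
    "confirmed": "block",
    "corroborated-suspicious": "alert",
    "review-candidate": "review",
    "context-only": "enrich",
}
MIN_BLOCK_CONFIDENCE = 80  # local policy threshold (assumption)

def route_indicator(obj):
    """Return the downstream action for one STIX 2.1 indicator object."""
    if obj.get("revoked", False):
        return "drop"
    # A missing or unrecognised state falls back to analyst review.
    action = ACTIONS.get(obj.get(STATE_PROP), "review")
    # STIX 'confidence' is an optional 0-100 integer; absent means unknown.
    confidence = obj.get("confidence")
    if action == "block" and (confidence is None or confidence < MIN_BLOCK_CONFIDENCE):
        action = "alert"
    return action

def route_bundle(bundle_json):
    """Map indicator id -> action for every indicator in a bundle."""
    objects = json.loads(bundle_json).get("objects", [])
    return {o["id"]: route_indicator(o) for o in objects if o.get("type") == "indicator"}

def _ind(n, **extra):
    # Constructed indicator, trimmed to the fields this example reads.
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-00000000000{n}",
            "pattern": f"[domain-name:value = 'sample{n}.example']",
            "pattern_type": "stix", **extra}

# Constructed sample bundle (not PhishNet output).
SAMPLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    _ind(1, confidence=90, **{STATE_PROP: "confirmed"}),
    _ind(2, confidence=95, **{STATE_PROP: "review-candidate"}),
    _ind(3, **{STATE_PROP: "confirmed"}),  # confidence absent
    _ind(4, confidence=99),                # state lost by an intermediate platform
    _ind(5, confidence=90, revoked=True, **{STATE_PROP: "confirmed"}),
]})

if __name__ == "__main__":
    for ind_id, action in route_bundle(SAMPLE).items():
        print(ind_id, action)
```

Indicator 4 shows the failure mode the page warns about: a high confidence score alone does not trigger blocking once the confirmation state has been dropped in transit.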
