Research question. How much detail can public phishing research safely show?
Thesis. Public research should preserve pattern, provenance and method while withholding full dangerous values, secrets, victim data and exploit-enabling details.
The sanitized daily observation module for Belgium attached to this page shows source families, redacted examples and high-level graph signals only.
Why this matters
This article connects public research concepts to PhishNet's sanitized daily observations and graph-backed operational model.
Belgian context
Belgian public examples should show local relevance such as brand category, language, route type or warning overlap without exposing full victim-facing IOCs.
What PhishNet observes
PhishNet's public layer can only show sanitized observations, but the research method starts from operational facts: daily snapshots, source families, confirmation states, evidence readiness, Belgian relevance reasons and graph relationships. When this article discusses a pattern, the public module attached to the page is designed to show high-level counts, source overlap, redacted examples and why the pattern matters without exposing full dangerous IOCs. Research institutions can use this as a reproducible public window into the richer authenticated datasets.
Research framing
Redaction methodology for dangerous public IOCs should be studied as a system rather than a single indicator. The useful unit of analysis is the connection between a lure, a distribution channel, infrastructure, evidence, and the route toward credentials, money, malware, or contact with an attacker. That is why PhishNet treats public data as a graph: each domain, URL, certificate, phone number, IBAN, sender ID, kit marker, source and evidence artifact becomes more meaningful when its relationships are visible.
Mechanism
Publishing full live phishing URLs can unintentionally amplify harm. Over-redaction, however, makes research unverifiable. The challenge is to keep enough structure for readers to understand the evidence.
Observable evidence
Safe public examples can show entity type, source family, country, confirmation state, confidence, first/last seen, partial domain/TLD, route type, sanitized screenshot description and why the example matters.
How PhishNet studies it
PhishNet public pages redact operational indicators, while authenticated users see full domain/URL/phone/IBAN values except raw secrets, tokens and victim data. This creates a clean boundary between public research and operational response.
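The public/authenticated boundary described above, as an added illustration written for this article (not PhishNet's own code or schema). It renders one constructed observation record two ways: the public view keeps only the safe fields the article lists plus a partial domain/TLD and masked phone and IBAN, while the authenticated view keeps full values but still strips query parameters that could carry tokens or victim data. Field names, the query-key list and the placeholder values are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit
# Constructed sample record with placeholder values (example.invalid is a reserved
# domain); the field names are assumptions about what such a record holds.
OBSERVATION = {
    "entity_type": "url",
    "url": "https://login-verify.example.invalid/reset?token=abc123&email=victim%40example.invalid",
    "phone": "+32470000000",
    "iban": "BE00123456789012",
    "source_family": "community-feed",
    "country": "BE",
    "confirmation_state": "confirmed",
    "confidence": 0.87,
    "first_seen": "2024-03-01",
    "last_seen": "2024-03-03",
    "route_type": "credential-harvest",
    "screenshot_description": "Bank-branded login page in Dutch",
}
# Fields that are safe in the public view (the list the article gives).
PUBLIC_FIELDS = ("entity_type", "source_family", "country", "confirmation_state",
                 "confidence", "first_seen", "last_seen", "route_type",
                 "screenshot_description")
# Query keys that may carry secrets, tokens or victim data: withheld from every role.
SENSITIVE_QUERY_KEYS = {"token", "email", "session", "otp", "password"}

def strip_sensitive_query(url):
    """Keep scheme, host and path; drop query parameters that can carry secrets or victim data."""
    p = urlsplit(url)
    kept = [q for q in p.query.split("&")
            if q and q.split("=", 1)[0].lower() not in SENSITIVE_QUERY_KEYS]
    return urlunsplit((p.scheme, p.netloc, p.path, "&".join(kept), ""))

def partial_domain(url):
    """Public form of a hostname: first character of the registrable label plus the TLD."""
    labels = (urlsplit(url).hostname or "").split(".")
    return f"{labels[-2][0]}***.{labels[-1]}" if len(labels) >= 2 else "***"

def mask(value, head, tail):
    """Keep `head` leading and `tail` trailing characters, star out the rest."""
    return value[:head] + "*" * max(len(value) - head - tail, 0) + value[-tail:]

def render(record, role):
    """Return the public (sanitized) or authenticated view of one record."""
    view = {k: record[k] for k in PUBLIC_FIELDS}
    if role == "public":
        view["partial_domain"] = partial_domain(record["url"])
        view["phone"] = mask(record["phone"], 3, 2)  # country code and last two digits
        view["iban"] = mask(record["iban"], 4, 2)    # country code and check digits
    elif role == "authenticated":
        view["url"] = strip_sensitive_query(record["url"])
        view["phone"], view["iban"] = record["phone"], record["iban"]
    else:
        raise ValueError(f"unknown role: {role}")
    return view
```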
Operational workflow
A useful workflow starts with discovery, but it cannot stop there. The signal must be normalized, deduplicated, enriched, scored, linked to evidence and placed in a decision state. PhishNet keeps those steps visible: where the signal came from, whether it is fresh, whether it is technically live, whether it is independently corroborated, what brand or country it targets, what evidence exists, and what export or handoff action is appropriate. This turns research into an analyst process rather than a static article.
Metrics that matter
The most useful metrics are not only totals. Defenders need unique contribution by source, confirmation split, freshness split, verified-live coverage, brand pressure, country relevance, evidence readiness, route reuse and cluster recurrence. A high count with weak provenance can be less useful than a smaller set of observations linked to official warnings, screenshots, liveness, repeated kit markers or mule-route reuse. The research library therefore explains which metrics matter for each attack pattern.
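The workflow and metrics of the two sections above, as an added worked example (not PhishNet's code): a constructed one-day snapshot is normalized and deduplicated so that provenance survives the merge, then the per-snapshot metrics the article names (confirmation split, freshness split, verified-live coverage, unique contribution by source and route reuse) are computed over the merged indicators. The row layout, source names, route identifiers and normalization rule are assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

SNAPSHOT_DATE = "2024-03-03"
# Constructed raw observations for one day (placeholders, not real data):
# (source_family, raw_url, confirmation_state, first_seen, verified_live, route_id)
RAW = [
    ("feed-a", "https://Login-Verify.example.invalid/reset/", "confirmed", "2024-03-03", True, "iban:PLACEHOLDER-1"),
    ("feed-b", "https://login-verify.example.invalid/reset", "confirmed", "2024-03-02", True, "iban:PLACEHOLDER-1"),
    ("feed-a", "https://parcel-fee.example.invalid/pay", "review", "2024-03-03", False, "phone:PLACEHOLDER-1"),
    ("feed-c", "https://parcel-fee.example.invalid/pay?x=1", "review", "2024-03-03", True, "phone:PLACEHOLDER-1"),
    ("feed-c", "https://tax-refund.example.invalid/", "suspicious", "2024-03-01", False, "iban:PLACEHOLDER-1"),
    ("feed-a", "https://energy-bonus.example.invalid/claim", "confirmed", "2024-03-03", True, "phone:PLACEHOLDER-2"),
]
RANK = {"suspicious": 0, "review": 1, "confirmed": 2}  # strongest state wins on merge

def normalize(url):
    """Dedup key: lower-cased host plus path without trailing slash; the query is ignored."""
    p = urlsplit(url)
    return (p.hostname or "").lower() + p.path.rstrip("/")

def deduplicate(raw):
    """Merge raw rows into one record per indicator, keeping every source that saw it."""
    merged = {}
    for source, url, state, first_seen, live, route in raw:
        rec = merged.setdefault(normalize(url), {"sources": set(), "state": "suspicious",
                                                 "first_seen": first_seen, "live": False, "route": route})
        rec["sources"].add(source)
        if RANK[state] > RANK[rec["state"]]:
            rec["state"] = state
        rec["first_seen"] = min(rec["first_seen"], first_seen)  # earliest sighting wins
        rec["live"] = rec["live"] or live                         # any liveness check counts
    return merged

def metrics(raw, snapshot_date):
    """Per-snapshot metrics the article lists, computed over deduplicated indicators."""
    recs = deduplicate(raw)
    by_route = defaultdict(set)
    for key, r in recs.items():
        by_route[r["route"]].add(key)
    # Unique contribution: indicators that only one source family reported.
    unique = Counter(next(iter(r["sources"])) for r in recs.values() if len(r["sources"]) == 1)
    return {
        "total": len(recs),
        "confirmation_split": dict(Counter(r["state"] for r in recs.values())),
        "freshness_split": dict(Counter("fresh" if r["first_seen"] == snapshot_date else "older"
                                        for r in recs.values())),
        "verified_live_coverage": sum(r["live"] for r in recs.values()) / len(recs),
        "unique_contribution": dict(unique),
        "route_reuse": {route: len(keys) for route, keys in by_route.items() if len(keys) > 1},
    }
```

Note how the two feeds that both saw the login page add nothing to either's unique contribution, while the one IBAN route reused across two unrelated domains surfaces as a reuse signal.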
How this differs from a blocklist
A blocklist asks whether an indicator should be blocked. Phishing OSINT asks a wider set of questions: who or what is being impersonated, what source saw it, what evidence supports it, what infrastructure does it share, what route moves the victim toward money or credentials, and what action should follow. That broader framing is what makes the same data useful for CERT teams, journalists, banks, telecoms, regulators and public-sector coordinators.
Country comparison lens
Country comparison prevents false confidence. A campaign may be hosted outside Belgium, use a global TLD, reuse an English-language kit and still be highly relevant to Belgian victims because the brand, phone route, IBAN, public-service reference or local language points back to Belgium. Conversely, a Belgian-looking domain can be benign or irrelevant without evidence. PhishNet therefore treats country as an explained relevance score rather than a simple suffix, IP geolocation or source label.
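The explained relevance score described above, as an added example written for this article (not PhishNet's scoring policy): strong signals are those that point a victim route or impersonation at Belgium, weak signals are surface features a benign site can share, and an observation is relevant only if at least one strong signal matches. The rule table, weights, threshold and the two constructed cases are assumptions.

```python
# Assumed rule table: (field, value, weight, explanation). Weights are illustrative.
STRONG_RULES = [
    ("brand_country", "BE", 3, "impersonated brand operates in Belgium"),
    ("phone_country", "BE", 3, "contact route is a Belgian phone number"),
    ("iban_country", "BE", 3, "payment route is a Belgian IBAN"),
    ("public_service_ref", True, 2, "lure references a Belgian public service"),
]
WEAK_RULES = [
    ("language", "nl", 1, "lure is in Dutch"),
    ("language", "fr", 1, "lure is in French"),
    ("tld", "be", 1, "domain uses the .be suffix"),
    ("hosting_country", "BE", 1, "hosted on Belgian infrastructure"),
]

def country_relevance(obs, threshold=4):
    """Return an explained Belgium-relevance decision for one observation.

    Relevant only if at least one strong signal matches and the total reaches the
    threshold, so a suffix, hosting geolocation or language alone never qualifies."""
    score, reasons, strong_hits = 0, [], 0
    for rules, is_strong in ((STRONG_RULES, True), (WEAK_RULES, False)):
        for field, value, weight, reason in rules:
            if obs.get(field) == value:
                score += weight
                reasons.append(reason)
                strong_hits += is_strong
    return {"relevant": strong_hits > 0 and score >= threshold,
            "score": score, "reasons": reasons}

# Constructed cases mirroring the article's argument (placeholder observations).
HOSTED_ABROAD = {"tld": "com", "hosting_country": "US", "language": "en",
                 "brand_country": "BE", "iban_country": "BE"}   # relevant despite foreign hosting
LOOKS_BELGIAN = {"tld": "be", "hosting_country": "BE", "language": "nl"}  # Belgian-looking, no evidence
```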
Evidence handoff lens
For CERT and public-sector users, the final value is not just knowing that a pattern exists. The value is being able to hand off a defensible case: source provenance, timestamps, screenshots or archived artifacts, redirect chain, liveness state, extracted entities, confidence, legal/sensitivity notes and a clear next action. This is why the platform links research topics back to Evidence, Fusion Graph, Kit Intelligence, Source Quality and export profiles instead of leaving readers with abstract commentary.
Open-data and active-OSINT boundary
Public research should be transparent about what is known and what is deliberately withheld. Open data can explain source families, campaign patterns, country pressure and sanitized examples. Authenticated workflows can carry the operational values, full evidence and exports. Sensitive active-OSINT artifacts, raw credentials, victim data and exploit-enabling details require stricter controls. This boundary lets PhishNet be useful to journalists and researchers while still serving operational CCB/CERT users responsibly.
What this means for defenders
The operational value is prioritisation. Defenders do not need every possible weak signal treated as equally malicious; they need to know what is confirmed, what is corroborated, what is a review candidate, and what is context only. A serious phishing OSINT platform must preserve uncertainty, expose provenance, and still move quickly enough that analysts can act before the campaign has already disappeared.
What this means for buyers
Potential buyers should look for the ability to answer practical questions quickly: what is fresh today, what is confirmed, what is only suspicious, what is uniquely Belgian, what evidence is ready, what can be exported, and what source gaps remain. A platform that cannot answer those questions without a long live query is not an operational intelligence platform. PhishNet's public pages describe the method; the authenticated product exposes the rows, graph, evidence and exports.
Methodological limits
Redaction can hide useful reproducibility details. Citation metadata, snapshot dates and source-family descriptions partially offset that limitation.
Research takeaway
The strongest signal is rarely a single spectacular indicator. It is the repeated structure: the same brand abused across channels, the same kit fingerprint across domains, the same shortlink pattern across SMS bursts, the same payment or contact route reused after takedowns, or the same infrastructure timing around certificates and hosting. That repeated structure is what turns open data into intelligence. The practical result is a better daily question for analysts: not just what appeared, but what repeated, what is supported by evidence, and what can be acted on now.
Research institution value
For universities, applied cyber labs and fraud-science groups, the value is not only access to fresh data. It is the ability to compare source families, observe confirmation-state transitions, evaluate evidence readiness, study cross-channel reuse and design reproducible longitudinal studies without collapsing every signal into a binary malicious/not-malicious label. This is precisely where a graph-first OSINT platform can support empirical research while preserving public safety.
Research value
- Reproducible daily public snapshots
- Source provenance and confirmation-state separation
- Graph relationships between indicators, routes, evidence and campaigns
- Authenticated access path for deeper operational datasets
Selected sources and research
PhishNet uses public research, official Belgian sources and open OSINT documentation as context. Public pages explain the method and redact examples; authenticated platform views retain operational indicators according to role and policy.
Common questions
Can researchers reproduce these observations?
Public pages expose sanitized daily modules and citation metadata; authenticated partnerships can access deeper snapshots and provenance-controlled exports.
Does the public article expose operational IOCs?
No. Public modules redact dangerous indicators; authenticated users keep operational values according to role and policy.
Why does the article separate confirmed and reviewable findings?
Because research quality depends on uncertainty being visible rather than hidden inside a single risk score.