A browser-based phishing and malicious URL detector — paste any link, get a threat score in under a second. Thirteen detection heuristics, zero backend, nothing ever leaves your browser.
Paste a URL below and scan it. Use the example chips inside the tool if you don't have one handy — one is a real phishing pattern, one's a clean legitimate site, one sits in between.
Most phishing awareness material tells people to "check the URL carefully" without ever explaining what to actually look for. The gap between that advice and the technical reality — typosquatting, IP-literal hosts, the classic @-symbol redirect trick, throwaway TLDs — is exactly where most people get caught.
URLSentinel is my attempt to make that checklist concrete and instant. Paste a link, see exactly which red flags it trips and why, in language that doesn't require a security background to understand.
The scanner runs 13 independent heuristic checks against the URL's structure, host, and path — no machine learning, no external threat-intel API, just well-documented patterns that show up disproportionately often in real phishing campaigns. A few examples:
Raw IPs instead of domain names bypass DNS-based detection and hide the real operator.
Browsers ignore everything before @ — so "paypal.com@evil.com" actually loads evil.com.
.xyz, .top, .click and similar are free or near-free — disposable infrastructure for campaigns that get abandoned the moment they're flagged.
Typosquatted domains ("paypa1" for "paypal") catch the eye scanning too fast to notice the swap.
Paths containing login/verify/confirm/account combined with other flags raise the composite score.
bit.ly, tinyurl and similar hide the real destination — common for slipping past email link scanners.
Each flag carries a severity weight; the weights sum into a 0–100 threat score with a plain-language explanation attached to every flag that fired. No single rule decides the verdict — it's the combination that matters, same as real-world triage.
This was a deliberate constraint, not an accident: the entire tool runs client-side. There's no server, no API call, no logging. Whatever URL you paste — including any sensitive or internal links — never leaves your browser tab.
For a tool whose entire purpose is inspecting potentially sensitive links, that felt like the only acceptable design. A "free phishing checker" that quietly logs every URL submitted to it would be a worse privacy posture than the phishing emails it's meant to catch.
Heuristic security tools live or die on false-positive rate. It's trivial to write a rule that flags everything suspicious-sounding; the hard part is calibrating severity so that legitimate sites — short government domains, brand-new but real startups, internal company tools — don't get torched alongside actual phishing.
I ended up spending more time tuning the scoring weights against legitimate edge cases than writing the detection logic itself. That ratio surprised me, and it's the same ratio I now expect from any classification problem, security or otherwise.