AI-native security awareness
Run your phishing program from Claude.
PhishSpot ships a full MCP server and REST API — build campaigns, pull results, and manage contacts in natural language. Build-only by design: a human always presses launch.
- ~60 MCP tools + a full REST API at /api/v1
- Build-only safety model — the AI never sends
- Signed webhooks push every event to your stack
- Token-scoped & audit-logged
- Built in the EU
Get API + MCP access
Thanks — we’ll be in touch.
Check your inbox: we’ll propose a demo slot within one business day.
Built for automation
MCP server
Drive PhishSpot from Claude in natural language — build-only, a human presses launch.
REST API
Token-authenticated JSON API at /api/v1: campaigns, contacts, courses, domains and more.
Signed webhooks
HMAC-SHA256 with retries — a click becomes an alert in your SIEM in seconds.

Quick questions
Does the AI send emails to employees?
No. The MCP tools prepare a campaign up to the review step but never send. A human launches it from the interface.
Is access audit-logged?
Yes — tokens are scoped, and MCP operations are logged.
What does the REST API cover?
Essentially the whole admin app: campaigns, results, recipients, templates, contacts, courses, domains, autopilots and webhooks.
