
Phishing attacks remain one of the most persistent and damaging cybersecurity threats faced by organizations today. Security teams must quickly analyze suspicious emails while ensuring legitimate communication is not mistakenly blocked. This requires systems that are not only accurate but also transparent and explainable.
This project presents a multi-agent AI phishing detection system that combines deterministic security analysis with explainable AI. The architecture is designed to simulate how real-world Security Operations Centers (SOC) investigate suspicious emails using layered detection, structured risk scoring, and human validation.
Instead of relying solely on large language models, the system prioritizes deterministic detection for reliability and uses AI only for explanation. A human-in-the-loop stage ensures that final decisions remain interpretable and safe, making the system suitable for real-world cybersecurity workflows.
This system demonstrates how multi-agent AI can improve phishing detection in real-world security environments. It enables security teams to automatically analyze suspicious emails, reduce manual investigation time, and generate explainable phishing risk scores that can be reviewed before taking action.
The architecture reflects how modern Security Operations Centers combine deterministic detection, AI reasoning, and human oversight to prevent phishing attacks safely while maintaining operational efficiency.
- Deterministic phishing detection (no AI hallucinations: the verdict never depends on LLM output)
- Email header analysis (SPF, DKIM, DMARC)
- Content inspection for phishing language & URLs
- DNS & WHOIS domain intelligence
- Policy-driven risk scoring
- Prefect-based orchestration
- Optional CrewAI explanation layer (non-decision-making)
- Fully unit-tested using pytest
- Python 3.11 compatible (Windows & Linux)
The following diagram illustrates how multiple specialized agents collaborate within a structured orchestration pipeline.

[Architecture diagram: images/architecture.png]

Deterministic detection first, LLM explanation second
```text
phishing_analyzer_project/
│
├── phishing_analyzer/
│   ├── __init__.py
│   │
│   ├── agents/                  # Multi-agent system modules
│   │   ├── __init__.py
│   │   ├── detection_agent.py   # Detection Agent: performs phishing analysis
│   │   ├── risk_agent.py        # Risk Scoring Agent: calculates severity & action
│   │   ├── explanation_agent.py # Explanation Agent (CrewAI): generates AI explanation
│   │   └── human_agent.py       # Human-in-the-loop Agent: analyst validation step
│   │
│   ├── samples/                 # Sample .eml phishing emails for testing
│   ├── detector.py              # Core detection & scoring engine logic
│   ├── guardrails.py            # Safety policies, validation & redaction
│   ├── prefect_flow.py          # Prefect orchestration for multi-agent pipeline
│   └── crewai_explainer.py      # CrewAI-based optional explanation engine
│
├── tests/                       # Unit tests (pytest)
│   ├── test_ingestion.py
│   ├── test_header_analysis.py
│   ├── test_content_analysis.py
│   ├── test_dns_auth.py
│   ├── test_domain_analysis.py
│   └── test_risk_scoring.py
│
├── images/
│   ├── title.png
│   └── architecture.png         # Architecture & cover images
│
├── requirements.txt
├── pyproject.toml
└── README.md
```
This project implements a structured multi-agent phishing detection system where specialized agents collaborate to analyze suspicious emails and generate a final security assessment.
Performs deep phishing detection by analyzing email headers, message content and URLs, sender domains, and authentication signals (SPF, DKIM, DMARC).
This agent produces structured technical findings from the email.
Calculates the overall phishing risk score based on signals generated by the Detection Agent.
Responsibilities: combining the weighted findings into a single score, mapping that score to a severity level, and determining the recommended action.
Generates a human-readable explanation of the phishing analysis for security analysts and non-technical stakeholders.
This agent is optional at runtime but remains an integral part of the multi-agent architecture.
Implements a human validation step before final action is taken.
All agents are orchestrated using a Prefect workflow that coordinates execution, ensures reliability, and manages the end-to-end phishing analysis pipeline.
This system analyzes suspicious emails using a coordinated multi-agent pipeline that combines deterministic phishing detection, risk scoring, AI explanation, and human validation.
Each agent performs a specialized role to ensure reliable and explainable phishing detection.
The system follows a structured multi-agent workflow:
1. Email Ingestion: loads and parses email data from .eml files.
2. Detection Agent: analyzes headers, content, domains, and authentication signals to identify phishing indicators.
3. Risk Scoring Agent: calculates the overall phishing risk score and determines severity and recommended action.
4. Human Review Agent (Human-in-the-Loop): allows a security analyst to approve, block, or escalate the decision before final output.
5. Explanation Agent (CrewAI): generates a human-readable explanation of the analysis for analysts and stakeholders.
This structured workflow ensures reliable phishing detection while maintaining transparency and human oversight.
Traditional phishing detection systems often rely on a single model or rule-based engine, which can limit transparency and reliability. This system adopts a multi-agent architecture where each agent performs a specialized task such as header inspection, content analysis, domain intelligence, and risk scoring.
By separating responsibilities across agents, the system becomes easier to maintain, test, and extend. Each agent contributes structured findings that are combined into a final risk assessment, making the decision process transparent and explainable.
This modular approach mirrors how real-world security teams analyze suspicious emails using layered validation rather than relying on a single automated decision.
The system prioritizes deterministic phishing detection techniques such as header validation, domain intelligence, authentication checks, and structured risk scoring. These methods provide reliable and reproducible results.
AI is used selectively for generating human-readable explanations of the findings rather than making final decisions. This hybrid approach ensures both accuracy and transparency, allowing analysts to understand why an email is flagged without relying entirely on probabilistic model outputs.
This architecture can support enterprise email security teams by automating the initial analysis of suspicious emails while maintaining human oversight. Security analysts can use the structured output to make faster and more consistent decisions.
The system can also serve as a foundation for building SOC automation tools, training datasets, or advanced threat analysis pipelines where explainability and reliability are critical.
Python 3.11 (recommended)

```bash
python -m pip install -r requirements.txt
python -m pip install -e .
```

Run the pipeline on a sample email (Windows example; on Linux replace `C:\Python311\python.exe` with `python`):

```bash
C:\Python311\python.exe -m phishing_analyzer.prefect_flow --eml phishing_analyzer/samples/phish_high_confidence.eml
```

Run all unit tests:

```bash
python -m pytest -v
```
Tests cover email ingestion, header analysis, content analysis, DNS authentication, domain analysis, and risk scoring (see the modules under tests/).
Sample output for `samples/phish_high_confidence.eml`:

```text
================ FINAL REPORT ================
1. EXECUTIVE SUMMARY
This email shows strong indicators commonly associated with phishing attacks.

2. FINAL VERDICT
Decision: Block

3. RISK SCORE
Score: 36
Severity: High

4. KEY FINDINGS
- Header issue: SPF failed
- Header issue: DMARC failed
- Content indicator: Urgent or credential-harvesting language detected
- Domain age: Unable to determine
- Authentication issue: SPF missing
- Authentication issue: DMARC missing
- Authentication issue: DKIM missing

5. EVIDENCE
From Email: alert@goog1e-security.com
From Domain: goog1e-security.com
SPF Result: fail
DKIM Result: missing
DMARC Result: spf=fail dkim=none dmarc=fail

6. SUGGESTED ACTION
Do NOT interact with this email. Block sender and report to security.

================ AI EXPLANATION ================
{'status': 'skipped', 'reason': 'CrewAI not installed'}
```
While the system demonstrates a robust multi-agent architecture, it currently focuses on deterministic phishing detection using structured signals. Future improvements could include integration with threat intelligence feeds, advanced URL sandboxing, and continuous learning from analyst feedback.
The modular design allows these enhancements to be incorporated without major architectural changes.
MIT License
This project demonstrates how multi-agent AI systems can be safely applied in cybersecurity environments where reliability, explainability, and human oversight are critical.