How Saber Works

Saber combines static analysis, JavaScript rendering, reputation databases, and AI to deliver a confident risk verdict on any URL — in seconds

Saber is the world's first phishing scanner that understands social engineering in Arabic

The Scanning Process

Every scan follows the same multi-layer pipeline. Each stage builds on the previous one, so the final verdict is grounded in evidence from multiple independent sources.

01

Submit

Paste a URL or IP address — or scan a QR code with your camera or by uploading an image. Saber extracts the link and runs the appropriate scan automatically.

02

Reputation Check

Multiple community threat-intelligence feeds and domain blocklists are checked simultaneously. Highly-trusted domains receive an instant safe verdict based on global traffic rankings. Domain registration age and registrar reputation are also evaluated.

03

Page Fetch

Saber retrieves the live page using a stealth browser with realistic fingerprints that bypass bot-detection. Scroll and mouse simulation reveals forms that only appear after user interaction. For image-locked pages, OCR extracts visible text in 18 languages. JavaScript hooks capture credential exfiltration attempts, keylogger behavior, and clipboard reads at the browser level.

04

Signal Analysis

Dozens of signals are evaluated across domain structure, TLS certificate, page content, redirect behavior, and brand patterns. Every scan is matched against a cross-scan database of confirmed phishing kit structural fingerprints and favicon hashes — when any new domain deploys the same page template as a known phishing kit, it is flagged instantly without an AI call. ICO/presale fraud vocabulary, raw crypto payment addresses, and behavioral exfiltration hooks are also evaluated.

05

AI Verdict

The AI answers four structured questions: what the page intends to do, what brand it claims to be, whether that claim matches the domain, and how strong the supporting evidence is. The verdict is derived deterministically from those four answers — no second AI call needed.

What We Analyze

Saber evaluates signals across six categories. No single signal is conclusive — the risk verdict reflects the weight of evidence across all of them.

Domain & Infrastructure

  • Domain registration age and history
  • TLS certificate validity and issuer
  • DNS configuration and nameservers
  • Hosting provider reputation (abused ASN detection)
  • Subdomain structure and impersonation patterns
  • Top-level domain risk classification

Content & Brand Analysis

  • Credential harvesting form detection
  • Brand impersonation and trust-borrowing indicators
  • Deceptive language, urgency, and prize-scam patterns
  • Wallet drainer and seed phrase harvesting detection
  • Government ID collection and fake KYC detection
  • Banking brand impersonation on free hosting platforms

Redirect & Network Behavior

  • Redirect chain length and destinations
  • Final landing URL verification
  • Cross-domain navigation patterns
  • Network-level evasion techniques
  • Bot-challenge and CAPTCHA interception detection

Reputation Databases

  • Multiple community-maintained phishing and malware feed databases
  • Google Web Risk (MALWARE, SOCIAL_ENGINEERING, UNWANTED_SOFTWARE)
  • WHOIS / RDAP registrant and domain age data
  • Certificate Transparency log history (domain establishment signals)
  • Tranco top-1M global domain trust ranking
  • Cross-scan phishing kit structural fingerprints and favicon hash database

JavaScript Rendering

  • Full browser-level page execution with stealth fingerprint randomisation
  • Scroll and mouse simulation to reveal interaction-gated forms
  • OCR text extraction for image-locked content in 18 languages
  • XHR and fetch hook monitoring for credential exfiltration to Telegram, Discord, and webhooks
  • Keylogger, clipboard read, and WebAuthn behavioral hook detection

TLS & Certificate Signals

  • Certificate authority and trust level classification
  • Common name and subject validation
  • Certificate Transparency log history (domain establishment signals)
  • Wildcard and SAN coverage analysis
  • Certificate mismatch detection

Built for Arabic Speakers

World's First

Saber is the world's first phishing scanner that understands social engineering in Arabic — both in the message you submit and in the page content it analyzes.

1
01

Arabic social engineering in messages

When you paste an Arabic SMS, WhatsApp message, or email, Saber reads it natively. It detects urgency language, impersonation patterns, prize-scam phrasing, and suspicious keywords written in Arabic — not just transliterated or translated text.

2
02

Arabic page content analysis

Saber analyzes the full Arabic text of a phishing page — headings, body copy, form labels, and call-to-action buttons. Brand impersonation, financial fraud terminology, and deceptive language are detected directly in Arabic without any translation step.

3
03

Language-aware AI explanations

When the submitted message or scanned page is in Arabic, the AI verdict and explanation are delivered in Arabic. You receive threat context in your language — not a machine-translated afterthought.

AI Verdict Layer

After all signals are collected, an AI model reviews the full picture and issues a structured verdict with a threat classification and a plain-language explanation — available in English and Arabic.

Four-axis judgment

The AI answers four specific questions: what the page intends to do, what brand identity it claims, whether that claim is consistent with the domain and evidence, and how strong the operator's proof is. These axes capture every known attack class without requiring a hardcoded list of threat patterns.

Deterministic verdict derivation

A pure-Python asymmetry rule maps the four axes to one of 8 typed verdicts: safe, suspicious, uncertain, phishing, wallet drainer, malware download, fake KYC, or banking SPA impersonation. No second AI call — the verdict is fully reproducible from the axes.

Bilingual explanations

AI explanations are available in both English and Arabic. When the scanned page or submitted message is in Arabic, the verdict context is delivered in Arabic — not a machine-translated afterthought.

Risk Levels

Every scan produces one of four verdicts. When the evidence is ambiguous, Saber errs on the side of caution.

Safe

No significant threat indicators were found. The domain, content, and behavior all appear consistent with a legitimate site.

Suspicious

One or more signals warrant caution. The site may be legitimate, but we recommend not submitting credentials or sensitive information.

Uncertain

The page was inaccessible or bot-blocked during the scan. There is not enough observable evidence to confirm safety — treat the link with caution.

Dangerous

Strong evidence of an active attack. Saber identifies five specific threat types: phishing, wallet drainers, malware downloads, fake KYC identity theft, and banking SPA impersonation. Do not proceed.

Built for Trust

Every scan generates a shareable public report with a permanent URL. Security researchers, IT teams, and individuals can document and share threat findings — no account required to view a report.

Shareable public reports

Every scan generates a permanent public report URL you can share with anyone — no account needed to view it.

Independent signal sources

Saber cross-references multiple independent data sources so no single compromised or outdated feed can skew the verdict.

Community-reinforced detection

Once a phishing kit is confirmed, its structural fingerprint and favicon hash are stored. Every future deployment of the same template — on any domain — is flagged instantly without an AI call.