Use case · Phishing response

From reported phish to contained account.

The user clicked report, and the clock started. Soarcery picks the message up immediately: headers parsed, links and attachments detonated, the verdict spread scored, and the mailbox cleaned, with identity actions waiting at the gate you control.

inquiry / reported-phish
Investigating user-reported message
Parsed headers, sender reputation pulled
Link detonated, credential-harvest page confirmed
Spread scored: tight, malicious. 14 copies found org-wide
14 copies quarantined across mailboxes
Sign-in risk elevated: session revoke awaiting approval
mailbox clean · 1 action at the gate

The grind

The report queue nobody gets to.

User-reported phishing is the highest-signal feed a SOC has, and the most neglected, because every report costs a manual investigation whether it is a real campaign or a newsletter someone found suspicious.

Slow pickup

Reported messages sit while the campaign keeps landing. The gap between report and response is the attacker's free window.

Manual surgery

Finding every copy, purging every mailbox, checking who clicked: hand-run across email security, identity, and endpoint consoles.

The account question

The message is only half the incident. Whether a credential was actually captured, and what to do about the session, is where the judgment lives.

How Soarcery runs it

One report, end to end.

1. Pick up the report

The moment a user reports a message, an agent opens an inquiry: full headers, body, links, and attachments, with the original preserved as evidence.

2. Detonate and enrich

Links and attachments are detonated and every indicator enriched. Sender history, infrastructure age, and lookalike checks land in the same thread.

3. Score and scope

The verdict spread makes the malicious call explicit. If it is a campaign, the agent finds every copy org-wide and checks click and sign-in activity for affected users.

4. Clean up, gated where it bites

Quarantine and purge can run autonomously within your threshold. Identity actions, like revoking sessions or forcing a reset, wait in the approvals queue with the evidence attached.

The part that matters

The mailbox is the symptom. The account is the blast radius.

Most phishing automation stops at search and purge. Soarcery treats the identity question as the real investigation: did the credential get used, from where, and does the session need to die right now. Those are the calls that deserve a human gate, and they arrive at it with the evidence already assembled.

  • Campaign-wide search and purge, not one mailbox at a time.
  • Sign-in and click activity checked for every recipient, not just the reporter.
  • Identity actions gated by default, with who-approved-what on the trail.
app.soarcery.ai/approvals
The Soarcery approvals queue: high-trust actions proposed by agent charters, each waiting on an explicit human approve or reject

Actual product. Demo data.

Prove it on your queue

Bring last week's reported mail.

Watch the whole flow run on a real report, gates and all.