How I Saved My Startup $4.65M by Building Our Own Anti-Phishing System

TL;DR: Our CISO got phished. Instead of buying a $200k/year enterprise solution, we built our own system. Phishing success dropped from 12% to 0.8%. Here's exactly how.

Hey IH!

Last month, something embarrassing happened. Our CISO - yes, our Chief Information Security Officer - clicked a phishing link. Within 5 minutes, three other senior managers had clicked it too.

That's when I realized our security awareness training was basically useless.

The Problem with Traditional Solutions

We got quotes from enterprise security vendors:

• Proofpoint: $180k/year

• Mimecast: $200k/year

• Barracuda: $150k/year

For a 50-person startup? No way.

Plus, these solutions are:

• Bloated with features we don't need

• Require dedicated staff to manage

• Lock you into multi-year contracts

What We Built Instead

We spent 3 weeks building our own solution using:

• SendGrid Inbound Parse (free tier)

• AWS Lambda for processing

• OpenAI API for content analysis

• Cloudflare Workers for URL checking

• Slack webhooks for alerts

Total cost: ~$200/month

The Technical Stack

1. Email Authentication (2 hours to implement)

# Lambda function for DMARC analysis def check_email_auth(headers): spf = headers.get('Received-SPF') dkim = headers.get('DKIM-Signature') dmarc = headers.get('Authentication-Results') score = 0 if 'pass' in spf: score += 30 if dkim: score += 30 if 'pass' in dmarc: score += 40 return score

2. AI-Powered Content Analysis (1 day to build)

# OpenAI GPT-4 for phishing detection def analyze_content(email_body): prompt = f""" Analyze this email for phishing indicators: - Urgency tactics - Authority exploitation - Suspicious requests - Grammar/spelling errors Email: {email_body} Return risk score 0-100. """ response = openai.Completion.create( model="gpt-4", prompt=prompt, max_tokens=100 ) return parse_risk_score(response)

3. Real-time URL Checking (3 hours)

// Cloudflare Worker for URL reputation addEventListener('fetch', event => { event.respondWith(checkURL(event.request)) }) async function checkURL(request) { const url = new URL(request.url).searchParams.get('check') // Check URL age const domain = new URL(url).hostname const whois = await fetch(`https://api.whois.com/${domain}`) const age = calculateDomainAge(whois) // Check against threat feeds const threats = await checkThreatFeeds(url) return new Response(JSON.stringify({ safe: age > 30 && threats.length === 0, risk_score: calculateRisk(age, threats) })) }

4. Automated Response System

# Slack integration for instant alerts def alert_security_team(threat): slack_webhook = os.environ['SLACK_WEBHOOK'] message = { "text": f"🚨 Phishing Attempt Detected", "attachments": [{ "color": "danger", "fields": [ {"title": "From", "value": threat['sender']}, {"title": "Subject", "value": threat['subject']}, {"title": "Risk Score", "value": threat['score']}, {"title": "Recipients", "value": threat['recipients']} ], "actions": [ {"type": "button", "text": "Block Sender", "url": block_url}, {"type": "button", "text": "Quarantine All", "url": quarantine_url} ] }] } requests.post(slack_webhook, json=message)

The Results

Before:

• 12% phishing success rate

• 4+ hours to detect breaches

• 8 incidents/month requiring cleanup

• $50k/year in lost productivity

After (90 days):

• 0.8% phishing success rate

• 7 minutes average detection

• 1 incident/month

• $4.65M potential breach avoided

Cost Breakdown

Monthly costs:

• AWS Lambda: $15 (~500k emails)

• OpenAI API: $120 (GPT-4 analysis)

• Cloudflare Workers: $5

• SendGrid: $0 (free tier)

• Slack: $0 (existing subscription)

• Domain reputation API: $50

Total: $190/month vs $15,000/month for enterprise solutions

Key Learnings

1. Start simple: Our MVP was just SPF/DKIM checking + Slack alerts. Took 1 day.

2. Use existing APIs: Don't rebuild what others have solved. We use 6 different APIs.

3. Focus on YOUR threats: We get mostly invoice/payment fraud. We optimized for that.

4. Make it visible: Slack alerts create peer pressure. People learn FAST when everyone sees their clicks.

5. Iterate based on data: We add new rules weekly based on what gets through.

Want to Build Your Own?

I'm considering open-sourcing this. The code needs cleanup, but it could help other startups.

Interest level?

• Yes, definitely want this

• Maybe, depends on the stack

• Nah, I'll buy a solution

Also happy to answer questions about implementation details!

P.S. - I wrote a detailed technical guide covering email authentication, ML detection, and incident response. Check it out: https://ncse.info/how-to-prevent-phishing-attacks/