Pricing overview
PhishStats provides an API for accessing real-time phishing data, including URLs, IP addresses, and domains. The pricing model is structured around a tiered subscription system, primarily differentiating between plans based on the maximum number of API requests allowed per hour. A free tier is available for initial testing and low-volume use cases, offering a limited number of requests without cost. For users requiring higher throughput, several paid plans are offered, starting at $20 per month. These paid plans scale up in price as the hourly request limit increases, providing options for individual security researchers up to large security operations centers (SOCs) and threat intelligence platforms. The specific details for each plan, including exact rate limits and monthly costs, are outlined on the official PhishStats API documentation page.
The API facilitates programmatic access to a continuously updated database of identified phishing threats, which can be integrated into various security tools and workflows. Developers typically interact with the API using standard HTTP requests and receive responses in JSON format. This approach allows for flexible integration into custom applications or existing security infrastructure, such as SIEM systems or automated incident response platforms. For instance, a security analyst might use the API to automatically verify suspicious URLs flagged by email filtering systems. The consistency of JSON responses across different API endpoints simplifies parsing and data extraction for developers, as detailed in the Google Developers documentation on JSON-LD, a common data interchange format.
Plans and tiers
PhishStats organizes its API access into distinct plans, each tailored for different usage levels and budgetary considerations. The core distinction between plans is the hourly API request limit, which directly impacts how frequently and extensively a user can query the PhishStats database.
| Plan Name | Monthly Price | Key Limits | Best For |
|---|---|---|---|
| Free Tier | $0 | 50 requests/hour, non-commercial use | Evaluation, personal projects, low-volume research |
| Starter | $20 | 2,000 requests/hour | Individual researchers, small businesses, proof-of-concept integrations |
| Basic | $50 | 5,000 requests/hour | Growing security teams, moderate-volume threat intelligence feeds |
| Pro | $100 | 15,000 requests/hour | Mid-sized security operations centers, dedicated threat hunting |
| Enterprise | Custom | Custom request limits, dedicated support | Large enterprises, cloud security providers, high-volume platform integrations |
Each paid tier provides an API key that authenticates requests and enforces the specified rate limits. Users upgrading from the free tier will receive a new API key or have their existing key's permissions elevated to reflect the chosen plan. The PhishStats API documentation provides specific instructions on how to manage API keys and monitor usage, which is a common practice across many API providers to help users stay within their plan limits, as discussed in AWS API Gateway developer guides on managing API keys.
The Starter plan is suitable for developers integrating phishing data into a single application or for individual security professionals needing consistent access beyond the free tier's constraints. The Basic and Pro plans progressively increase the request volume, making them appropriate for organizations with a higher demand for real-time threat intelligence, such as those running automated scanning processes or maintaining internal threat databases. The Enterprise plan is designed for organizations with custom requirements, potentially including extremely high request volumes, specialized data feeds, or dedicated technical support. Parties interested in the Enterprise plan typically contact PhishStats directly for a tailored quote and service level agreement (SLA), as outlined on the PhishStats API documentation page.
Free tier and limits
PhishStats offers a free tier that permits API access with a rate limit of 50 requests per hour. This tier is primarily intended for evaluation purposes, personal projects, and non-commercial security research. It allows developers and security enthusiasts to explore the API's capabilities, test integrations, and understand the data structure without any financial commitment. The free tier provides access to the same core phishing data feeds as the paid plans, ensuring that users can accurately assess the utility and relevance of the data for their specific use cases.
To access the free tier, users typically need to register on the PhishStats website and obtain an API key. This key is then used to authenticate all API requests. While the 50 requests per hour limit is suitable for manual lookups and small-scale scripting, it is generally insufficient for continuous monitoring, large-scale data ingestion, or integration into production systems that require high availability and frequent data updates. Exceeding this limit will result in rate-limiting errors, requiring users to wait until the next hour to make further requests. This mechanism is a standard practice for managing resource utilization in web services, as described in Cloudflare's API rate limiting documentation.
A key consideration for the free tier is its restriction to non-commercial use. Organizations or individuals planning to integrate PhishStats data into commercial products, services, or internal operational tools that contribute to revenue generation are expected to upgrade to a paid plan. This distinction ensures that the free tier remains available for its intended purpose of fostering community use and initial development, while commercial applications contribute to the maintenance and enhancement of the PhishStats service. Users should carefully review the terms of service associated with the PhishStats API plans to ensure compliance with usage policies.
Real-world cost examples
Understanding the practical cost of using PhishStats involves considering typical usage patterns and how they align with the available plans. These examples illustrate how different scenarios map to specific pricing tiers.
- Individual Security Researcher: A researcher manually checking up to 30 suspicious URLs per hour during an investigation. This usage falls comfortably within the free tier's 50 requests/hour limit. Their monthly cost would be $0.
  - Scenario: Ad-hoc lookups for personal research or blog posts.
  - Estimated Usage: ~20-30 requests/hour during active periods.
  - Recommended Plan: Free Tier.
  - Cost: $0/month.
- Small Business with Automated Email Filtering: A small business wants to integrate PhishStats into its email gateway to automatically check URLs in incoming emails. If they receive approximately 1,000 emails per hour containing URLs that need checking, and their system makes one API request per URL, they would require 1,000 requests per hour.
  - Scenario: Automated URL verification for email security.
  - Estimated Usage: 1,000 requests/hour.
  - Recommended Plan: Starter (2,000 requests/hour).
  - Cost: $20/month.
- Mid-sized SOC for Incident Response: A Security Operations Center (SOC) needs to frequently query PhishStats as part of its incident response playbook. They might process 200 incidents daily, with each incident involving an average of 10 API calls for various phishing indicators (URLs, IPs, domains). Assuming an 8-hour workday, this translates to about 250 requests per hour (200 incidents * 10 calls / 8 hours).
  - Scenario: Proactive threat hunting and incident response automation.
  - Estimated Usage: 250 requests/hour for incident response, plus additional ad-hoc lookups, potentially peaking at 1,000-2,000 requests/hour.
  - Recommended Plan: Starter ($20/month) or Basic ($50/month) for higher burst capacity.
  - Cost: $20 - $50/month.
- Threat Intelligence Platform Integration: A company building a threat intelligence platform that ingests data from multiple sources and needs to enrich internal logs with PhishStats data. They might process 5,000 new log entries with URLs every hour, requiring a corresponding number of API calls.
  - Scenario: Large-scale data enrichment for a commercial threat intelligence platform.
  - Estimated Usage: 5,000 requests/hour consistently.
  - Recommended Plan: Basic (5,000 requests/hour).
  - Cost: $50/month.
- Global Security Vendor: A large security vendor offering a managed security service that requires real-time phishing detection across thousands of clients. Their aggregated API usage could easily exceed 15,000 requests per hour, potentially reaching hundreds of thousands or millions daily.
  - Scenario: High-volume, mission-critical integration for a global security service.
  - Estimated Usage: 15,000+ requests/hour.
  - Recommended Plan: Pro ($100/month) or Enterprise (Custom).
  - Cost: $100+/month, potentially custom pricing.
These examples highlight the importance of accurately estimating anticipated API usage to select the most cost-effective plan. Underestimating usage can lead to rate-limiting issues and service interruptions, while overestimating can result in unnecessary expenditure. Most API providers, including PhishStats, offer dashboards or logging capabilities to help users monitor their API request volume, enabling them to adjust their plans as their needs evolve. Information on monitoring API usage is often found in the PhishStats API documentation, alongside details on rate limits and error handling.
How the pricing compares
When evaluating PhishStats pricing, it is useful to compare its model against alternative threat intelligence APIs. Competitors in this space often offer similar data feeds, but their pricing structures and rate limits can vary significantly. Key alternatives include URLScan.io and AbuseIPDB, among others.
- URLScan.io: This service focuses on scanning and analyzing URLs, providing detailed reports. URLScan.io offers a free tier for public scans and a paid API for private scans and higher volumes. Their pricing is often structured per scan or per credit, which can be different from PhishStats's hourly request limit model. For instance, a developer might use URLScan.io's API to submit a URL for analysis, incurring a charge per submission, whereas PhishStats charges for querying its existing database of known phishing sites. This difference in operational model means direct price-per-request comparisons are not always straightforward; it depends on whether the user needs to submit new URLs for analysis or query a pre-populated threat feed.
- AbuseIPDB: Specializing in IP address blacklists and reporting, AbuseIPDB provides an API for checking IP reputation. Like PhishStats, it offers a free tier with limited requests (1,000 requests/day for their free plan) and paid plans that increase the daily request quota. AbuseIPDB's pricing is typically per 10,000 requests, which can be converted to a daily or monthly equivalent for comparison. For example, their Basic plan at $25/month for 100,000 requests/day offers a much higher daily volume than PhishStats's Starter tier, but AbuseIPDB focuses on IP reputation rather than comprehensive phishing URL data, as detailed in the AbuseIPDB pricing page. This makes PhishStats more specialized for phishing-specific threat intelligence.
- OpenPhish: Another dedicated phishing intelligence provider, OpenPhish also offers real-time phishing feeds. While specific public pricing for their API is often not as transparently published as PhishStats, they typically cater to enterprise clients with custom pricing models based on data volume, update frequency, and integration requirements. OpenPhish focuses on a similar dataset but may offer different data formats or delivery mechanisms, such as bulk feeds, which could influence overall cost for high-volume users. Organizations might compare the data freshness and coverage between PhishStats and OpenPhish's threat feeds to justify different price points.
PhishStats's model of fixed monthly fees for specific hourly request limits provides predictability for budgeting. For users primarily focused on querying a continually updated database of phishing URLs, IPs, and domains, PhishStats offers a competitive entry point with its $20/month Starter plan, providing 2,000 requests per hour. This can be more economical than alternatives that charge per scan or have higher baseline costs for similar request volumes for specific data types. The choice often depends on the specific type of threat intelligence needed (e.g., URL analysis, IP reputation, or phishing feeds), the required volume, and the preference for a subscription-based versus a pay-per-use model. Developers should also consider the ease of API integration, documentation quality, and support, though these factors are not directly reflected in pricing.