Documentation
Rubiscout Docs
Everything you need to analyze emails, investigate threats, and integrate Rubiscout into your security workflow.
Features
Full capability matrix — everything Rubiscout does, organized by outcome.
View features →
How-to Guide
Step-by-step instructions — intake, results tabs, investigative bench, CLI, MCP.
Read the guide ↓
API Reference
Interactive OpenAPI 3.1 reference with live try-it console and curl examples.
Open reference →
Changelog
Every notable update to Rubiscout, newest first.
See what's new →
Quick Start
Rubiscout analyzes email headers and full emails for phishing, spoofing, BEC attacks, and authentication failures. No account required.
Paste your email
Copy raw headers or the full email and paste into the input on the home page.
Click Analyze
Rubiscout runs AI forensics, live DNS lookups, IP reputation checks, and spam scoring in parallel.
Read the verdict
A plain-English verdict, risk score, and actionable recommendations appear within seconds.
Submitting Email
Paste — Headers or Full Email
Open any email in your client, find the "Show Original" or "View Source" option, copy everything, and paste it into the input box.
How to open raw email in common clients
Forward to analyze@rubiscout.com
Forward any suspicious email to analyze@rubiscout.com and receive a complete analysis reply within seconds — verdict, risk score, authentication badges, routing hops, recommendations, and a link to the full interactive report.
- Gmail: ⋮ → Forward as attachment
- Outlook: Ctrl+Alt+F
- Apple Mail: Option+Cmd+F
Drag & Drop .eml Files
Drag an .eml file from your file manager directly onto the input area. Rubiscout reads the full file and populates the input automatically — supports full MIME emails including attachments.
Browser Bookmarklet
Install the Rubiscout bookmarklet once from the Features page. When you open an email's raw source in your browser, click the bookmarklet — Rubiscout opens in a new tab with the headers pre-filled.
This works on Gmail's "Show original" page, Outlook's message source view, and any page that displays raw email text.
Reading Results
Results are organized into tabs. The Summary tab is always shown first — the remaining tabs contain progressively deeper technical detail.
Plain-English verdict, risk score (Low/Medium/High/Critical), 2–4 specific signals that drove the score, and 3–5 actionable recommendations. This is the tab for non-technical users.
SPF, DKIM, and DMARC results in a semicircular gauge. Shows alignment mode (relaxed or strict), the published DMARC policy (none/quarantine/reject), and ARC chain validation for forwarded emails — per-hop auth results and chain integrity.
Step-by-step trace of every mail server the message passed through. Each hop shows the server name, IP, timestamp, and delay. Delays over 5 minutes are amber; over 30 minutes are red. The originating IP is shown with geolocation and flag.
Live DNS lookups run at analysis time for SPF, DMARC, MTA-STS, TLS-RPT, and BIMI records — showing what the domain actually publishes. Also shows IP reputation results across five DNSBL blacklists, DNSSEC status, and FCrDNS (forward-confirmed reverse DNS).
Available when a full email (including body) is submitted. Shows spam score (0–10) with a breakdown of which rules triggered, CAN-SPAM compliance checks (List-Unsubscribe, physical address, non-deceptive subject, plain-text alternative), MIME structure tree with suspicious attachment flags, and a sanitized body preview in plain text or HTML.
All extracted header fields: From, Return-Path, Reply-To, Message-ID, X-Mailer, and more. Includes a toggle to view the full raw header with field names highlighted. Also shows hop count, ARC presence, and other structural metadata.
Community-submitted verdicts for this analysis (phishing, BEC, spam, legitimate, unknown) shown as a distribution chart. Any user can submit a verdict on a shared analysis page — no account required.
AI Investigative Bench
The Investigative Bench is a persistent AI chat panel alongside the analysis results. It loads every detail of the analysis automatically — you never need to re-paste anything. Powered by Claude Opus 4.8.
Getting Started
After running an analysis, the bench panel appears on the right side of the results. Four questions tailored to the specific risk signals found are pre-generated — click any to start immediately, or type your own question.
What to Ask
The bench has full context of the analysis. Useful question types:
"Why does a DMARC p=none policy matter? What can an attacker do with it?"
"Could this Reply-To mismatch be legitimate, or is it always suspicious?"
"What does it mean that this email originated in Russia but claims to be from PayPal.com?"
"Write an IT security alert I can send to all staff warning them about this phishing campaign."
"Write a report I can send to our bank's fraud team about this wire transfer request."
"What is the significance of the ARC chain being broken at hop 2?"
Drafting Security Content
The bench can produce complete, copy-paste-ready documents based on the analysis context:
- — IT security alerts and all-staff warnings
- — HR notices for BEC / CEO fraud attempts
- — Phishing incident reports (internal ticketing)
- — Fraud reports for financial institutions
- — CISO briefings with technical and business impact
- — End-user security awareness training snippets
Bench via API
The bench experience is powered by the POST /api/v1/investigate endpoint. For SOC integration and automation, use the API directly — see the Streaming Investigation Agent section below.
API — POST /analyze
Fast synchronous endpoint. Submit raw email headers or a full email, receive a complete forensic verdict as JSON in 3–8 seconds.
Authentication
Include your API key in the Authorization header.
Authorization: Bearer rbs_live_...
Request
POST https://rubiscout.com/api/v1/analyze
Content-Type: application/json
Authorization: Bearer rbs_live_...
{
"header": "Delivered-To: ...\nReceived: from ...\n..."
}The header field accepts the full raw email text including body, or headers only. Max 500 KB.
Response
{
"id": "a1b2c3d4-...", // UUID — use with GET /analyses/:id
"verdict": "High",
"summary": "This email...",
"riskScore": "High",
"riskReasoning": [
"SPF hard fail — originating IP not authorized",
"Reply-To domain differs from From domain",
"DMARC p=none — no enforcement"
],
"fields": {
"from": "support@paypal.com",
"returnPath": "bounce@malicious.xyz",
"replyTo": "collect@attacker.net",
"messageId": "<abc@malicious.xyz>",
"subject": "Your account has been suspended"
},
"routingPath": ["mail.malicious.xyz", "mx.example.com"],
"hops": [...],
"recommendations": [
"Do not click any links in this email",
"Report to your IT security team immediately"
],
"spf_result": "fail",
"dkim_result": "none",
"dmarc_result": "fail",
"dnsCheck": { "spf": true, "dmarc": true, "mtaSts": false, ... },
"ipBlacklist": { "listed": true, "lists": ["Spamhaus ZEN"] },
"ipCountry": { "code": "RU", "name": "Russia" },
"bodyAnalysis": { // null if no body submitted
"hasBody": true,
"spamScore": { "total": 6.8, "level": "High", "rules": [...] },
"mimeStructure": { ... },
"compliance": [...],
"preview": { "text": "...", "html": "..." }
}
}curl Example
curl -X POST https://rubiscout.com/api/v1/analyze \
-H "Authorization: Bearer rbs_live_..." \
-H "Content-Type: application/json" \
-d '{"header": "'"$(cat suspicious.eml)"'"}'API — POST /investigate (Streaming Agent)
The investigation endpoint runs a multi-step AI agent over a full RFC 2822 email. It streams results in real time via Server-Sent Events (SSE). Designed for SOC teams, SOAR integration, and security automation pipelines.
Powered by Claude Opus 4.8. The agent runs up to 12 tool-use turns, extracting IOCs, mapping TTPs to MITRE ATT&CK, and producing prioritized SOC recommendations.
What the Agent Does
The agent has access to five live tools it calls autonomously:
dns_lookupResolves SPF, DMARC, MX, A, and TXT records for sender and reply-to domains in real time.ip_intelChecks the originating IP against DNSBL blacklists and returns geolocation and ASN information.domain_intelEvaluates domain age, registration patterns, and suspicious TLD signals for sender domains.extract_urlsParses the email body and headers to extract all URLs, including obfuscated and encoded links.url_reputationChecks extracted URLs for phishing keywords, suspicious TLDs, IP-based hostnames, and excessive subdomain depth.Request
POST https://rubiscout.com/api/v1/investigate
Content-Type: application/json
Authorization: Bearer rbs_live_...
Accept: text/event-stream
{
"email": "From: support@paypal.com\r\nReceived: from...\r\n\r\nDear customer..."
}The email field must be the full RFC 2822 email string. Both \\r\\n and \\n line endings are accepted. Max 2 MB.
SSE Stream Format
The response is a stream of text/event-stream events. Each event has a type field in the JSON data.
event: tool_call
data: {"type":"tool_call","tool":"dns_lookup","input":{"domain":"paypal.com","record_type":"TXT"}}
event: tool_result
data: {"type":"tool_result","tool":"dns_lookup","result":{"records":["v=spf1 ip4:..."],"error":null}}
event: tool_call
data: {"type":"tool_call","tool":"ip_intel","input":{"ip":"185.234.219.47"}}
event: tool_result
data: {"type":"tool_result","tool":"ip_intel","result":{"listed":true,"lists":["Spamhaus ZEN"],"country":"RU","asn":"AS12345 MALICIOUS-HOSTING"}}
event: reasoning
data: {"type":"reasoning","text":"The originating IP 185.234.219.47 is listed on Spamhaus ZEN and geolocates to Russia. The From domain paypal.com has a valid SPF record, but the sending IP fails SPF — meaning this server is not authorized to send on behalf of paypal.com. Combined with the Reply-To pointing to a .xyz domain registered 3 days ago..."}
event: complete
data: {"type":"complete","report":{...}}Event Types
tool_callAgent is about to invoke a tool. Contains tool name and input parameters.tool_resultTool execution result. Contains the raw data returned from the tool.reasoningA text chunk of the agent's intermediate reasoning. Stream these to show live thinking.completeFinal event. Contains the complete structured report (see below). Always the last event.errorEmitted if the agent encounters a fatal error. Contains an error message string.Complete Report Structure
The complete event payload contains:
{
"type": "complete",
"report": {
"id": "a1b2c3d4-...", // Stored analysis UUID
"verdict": "Critical",
"risk_score": 9, // 0–10
"risk_reasoning": "...", // Paragraph summary of key signals
"summary": "...", // Plain-English one-sentence summary
"email": {
"from": "support@paypal.com",
"subject": "Your account has been suspended",
"originating_ip": "185.234.219.47",
"spf": "fail",
"dkim": "none",
"dmarc": "fail"
},
"iocs": {
"ips": ["185.234.219.47"],
"domains": ["malicious-collect.xyz", "paypa1.com"],
"urls": ["https://malicious-collect.xyz/verify"],
"emails": ["collect@malicious-collect.xyz"]
},
"ttps": [
{
"id": "T1566.001",
"name": "Phishing: Spearphishing Attachment",
"tactic": "Initial Access"
},
{
"id": "T1598.003",
"name": "Phishing for Information: Spearphishing Link",
"tactic": "Reconnaissance"
}
],
"recommendations": [
"Block sending IP 185.234.219.47 at your email gateway",
"Add malicious-collect.xyz to DNS blocklist",
"Submit to APWG eCrime exchange: https://apwg.org/ecx/"
],
"investigated_at": "2026-07-02T10:23:44.000Z"
}
}MITRE ATT&CK TTP Mapping
The agent maps observed behaviors to MITRE ATT&CK for Enterprise technique IDs. Tactics covered include Initial Access (T1566.x), Reconnaissance (T1598.x), Collection (T1114.x), and Command & Control (T1071.x). Each TTP includes the technique ID, full name, and parent tactic.
curl Example
# Stream the investigation to stdout
curl -N -X POST https://rubiscout.com/api/v1/investigate \
-H "Authorization: Bearer rbs_live_..." \
-H "Content-Type: application/json" \
-H "Accept: text/event-stream" \
-d '{"email": "'"$(cat suspicious.eml)"'"}'Python Example (streaming)
import httpx, json
with httpx.stream(
"POST", "https://rubiscout.com/api/v1/investigate",
headers={
"Authorization": "Bearer rbs_live_...",
"Content-Type": "application/json",
},
json={"email": open("suspicious.eml").read()},
timeout=120,
) as r:
for line in r.iter_lines():
if line.startswith("data: "):
event = json.loads(line[6:])
if event["type"] == "reasoning":
print(event["text"], end="", flush=True)
elif event["type"] == "tool_call":
print(f"\n[tool] {event['tool']}({event['input']})")
elif event["type"] == "complete":
report = event["report"]
print(f"\n\nVerdict: {report['verdict']}")
print(f"IOCs: {report['iocs']}")
print(f"TTPs: {[t['id'] for t in report['ttps']]}")SOAR / Webhook Integration
For SOAR pipelines, listen for the complete event only — discard the intermediate events or log them separately. The report's iocs object maps directly to STIX indicator objects. The ttps array maps to STIX attack-pattern objects with ATT&CK IDs.
GET /api/v1/analyses/:id using the id field in the report.CLI
The Rubiscout CLI is a standalone npm package for analyzing emails from the terminal.
Installation
npm install -g rubiscout
Configuration
rubiscout config set-key rbs_live_...
Stores your API key at ~/.config/rubiscout/config.json. Can also be set via the RUBISCOUT_API_KEY environment variable.
Commands
# Analyze from a file rubiscout analyze suspicious.eml # Analyze from stdin cat suspicious.eml | rubiscout analyze - # JSON output (for piping) rubiscout analyze suspicious.eml --json # List recent analyses rubiscout list # Get a specific analysis rubiscout get a1b2c3d4-...
MCP Server
The Rubiscout MCP server exposes analysis tools via the Model Context Protocol — making them available to Claude Code, Cursor, GitHub Copilot, and any other MCP-compatible AI agent. It runs locally on your machine and calls the Rubiscout API on your behalf, so get a free API key at /dashboard before you configure it below.
Installation
No clone or build step required — npx fetches and runs it on demand:
npx rubiscout-mcp
Or install it globally:
npm install -g rubiscout-mcp
Configuration — Claude Desktop / Claude Code
// ~/.claude/settings.json or Claude Desktop config
{
"mcpServers": {
"rubiscout": {
"command": "npx",
"args": ["-y", "rubiscout-mcp"],
"env": {
"RUBISCOUT_API_KEY": "rbs_live_..."
}
}
}
}Get your key from /dashboard first. Alternatively, set RUBISCOUT_API_KEY as a system environment variable and omit the env block.
Available Tools
analyze_emailSubmit a raw email string for full forensic analysis. Returns verdict, risk score, authentication results, IOCs, and recommendations.get_analysisRetrieve a stored analysis by UUID. Returns the full analysis object including all fields.list_analysesList recent analyses with optional filters: page, per_page (max 50), risk_score (Low/Medium/High/Critical).Example Usage in Claude
Once configured, you can ask Claude Code or Claude Desktop directly:
"Analyze this email for me and tell me if it's a phishing attempt" [paste email]
"Get my last 5 analyses and summarize the threat patterns"
"Analyze all .eml files in this directory and flag any Critical or High risk ones"