
How real-time, zero-day phishing detection actually works

Most protection waits to recognise a threat it has seen before. Real-time, zero-day detection works differently — here’s what that actually means, without the marketing gloss.

Research · 6 min read · By SafeToOpen Research · June 2026

“Real-time, zero-day phishing detection” is a phrase that gets used a lot. It’s worth understanding what it actually means, because the difference from traditional protection is the difference between catching tomorrow’s attack and missing it.

The old way: blocklists and reputation

Traditional web and email protection works from lists — databases of domains and links already known to be malicious. It’s fast and useful, but fundamentally reactive: a site has to be reported, analysed and added before it’s blocked. A brand-new phishing domain — and attackers spin up huge numbers of them — isn’t on any list during the hours that matter most, which is exactly when victims arrive.

Hours: the window between a phishing site going live and landing on a blocklist — the window where most victims are caught.

The real-time way: judge the page itself

Real-time detection doesn’t ask “have we seen this exact site before?” It asks “what is this page, and what is it doing?” As the page loads, it analyses the actual content, structure and behaviour — the way it imitates a known brand’s login, the way it captures and routes what you type, the tell-tale patterns of a credential-harvesting or adversary-in-the-middle page — and makes a judgement on the spot. Because it evaluates the page on its own merits, it can flag a site that has never been seen or reported by anyone.
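To make “judge the page itself” concrete, here is an added example (not SafeToOpen’s code) of a minimal content-based heuristic that scores a page on what it is rather than on whether its URL is on a list. It assumes a small feature record extracted from the live DOM (host, title, visible text, forms) and a hand-maintained brand-to-domain table; the page records below are constructed for the demo.

```javascript
// Assumption: a browser extension extracts these features from the live DOM.
// KNOWN_BRANDS is a tiny stand-in for a real brand -> legitimate domain table.
const KNOWN_BRANDS = {
  microsoft: ["microsoft.com", "live.com", "microsoftonline.com"],
  paypal: ["paypal.com"],
};

// Naive eTLD+1 (last two labels); enough for the demo, not for production.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Returns { verdict, reasons } from page content alone; no reputation lookup.
function analysePage(page) {
  const reasons = [];
  const pageDomain = registrableDomain(page.host);
  const text = [page.host, page.title, page.visibleText].join(" ").toLowerCase();

  // Signal 1: brand impersonation. The page talks about (or names itself
  // after) a brand, but is not served from one of that brand's domains.
  for (const [brand, domains] of Object.entries(KNOWN_BRANDS)) {
    if (text.includes(brand) && !domains.includes(pageDomain)) {
      reasons.push(`mentions "${brand}" but is served from ${pageDomain}`);
    }
  }
  // Signal 2: credential capture. A password field whose form routes what
  // you type to a different registrable domain than the page itself.
  for (const form of page.forms) {
    if (!form.hasPasswordField) continue;
    const target = new URL(form.action, `https://${page.host}`).hostname;
    if (registrableDomain(target) !== pageDomain) {
      reasons.push(`password form posts to ${registrableDomain(target)}`);
    }
  }
  const verdict = reasons.length >= 2 ? "block" : reasons.length === 1 ? "warn" : "allow";
  return { verdict, reasons };
}

// Constructed sample pages (not real sites).
const LEGIT_PAGE = {
  host: "login.microsoftonline.com", title: "Sign in to your account",
  visibleText: "Microsoft. Email, phone, or Skype",
  forms: [{ action: "/common/login", hasPasswordField: true }],
};
const PHISH_PAGE = {
  host: "microsoft-secure-login.example", title: "Microsoft account sign in",
  visibleText: "Enter your password to continue",
  forms: [{ action: "https://collector.example.net/post.php", hasPasswordField: true }],
};
```

Neither page needs to have been seen before: the legitimate page passes because brand and host agree and the form stays on-domain, while the look-alike is blocked on two content signals alone.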

Why “in the browser, at the point of click” matters

Credential phishing happens inside the browser tab — the layer endpoint and network tools struggle to see. Analysing the page where and when the user actually encounters it means the verdict arrives before a password or session token is entered, not after the damage is done. Pairing the same approach with the inbox covers the other main entry point.

What it doesn’t require

Crucially, this kind of detection doesn’t need to harvest your browsing history to work — it needs to analyse the page in front of you, then discard what it doesn’t need. Protection and privacy aren’t a trade-off.


The takeaway

The decisive question for any phishing defence is whether it can catch a site no one has reported yet. Blocklists, by definition, can’t. Real-time detection that judges the page as it loads can — which is why it keeps pace with a threat that reinvents its infrastructure every day.


