Phishing protection you call like Google Safe Browsing.
REST API, MCP server, inbound email, browser extension (coming soon). One analysis pipeline for four very different enterprise scenarios - without rebuilding your compliance stack.
"An API for the question 'is this real?' - in the shape we already call Safe Browsing with." - Theo, backend architect
Who wires Scampilot into enterprises.
We talked to four very different teams. Each use case has its own page with a concrete stack and compliance notes.
IT admins & security teams
Protect 250 employees from spear-phishing without replacing your mail infrastructure. One forward connector and an Outlook add-in.
Banks & fintechs
Classify "phishing@my-bank.de" automatically. Thousands of customer-submitted mails per day, 90 % genuine, 10 % false alarms - no need to triage by hand.
Email providers & ESPs
"Check this mail" button for your webmail UI. End customers get the report in your branding; you pay per analyzed message.
Developers & AI agents
REST + MCP for your own client, Slack bot, or Claude agent. Structured responses, OpenAPI spec, stable contracts.
Contracts your compliance team waves through.
One table, one PDF, one DPA. Not four weeks of back and forth.
| Area | Details |
| --- | --- |
| Data processing (GDPR Art. 28) | Standard DPA as an appendix to the main contract. EU SCC for AI and email sub-processors. |
| Hosting | EU hosting provider, sites in Falkenstein and Nuremberg. DE/EU, ISO/IEC 27001 certified. |
| Storage encryption | LUKS full-disk on all DB hosts. Backups separately encrypted with a dedicated key. |
| Transport security | TLS 1.3 enforced. HSTS with a 6-month header + preload entry. |
| Audit trail | Append-only audit log for all privileged actions. Available on request as a database export for audits. |
| Pen test | Annual, by a BSI-approved assessor. Latest report available under NDA. |
| SLA | 99.5 % uptime on the business tier (in preparation). Q2 2026. |
Three paths, depending on pace.
Start fast or integrate thoroughly - we meet you where you are.
Inbound-email connector (day 1)
Forward suspicious mails to an address, webhook reply to your endpoint. No code, just a mail rule in the helpdesk. Fastest path to a pilot.
REST API (sprint 1)
Bearer token, JSON body, OpenAPI 3.1 spec. Generate a client in PHP, Python, Go, Java, TypeScript. Per-user bucket rate limit across all tokens.
MCP server (sprint 2)
If you already have an AI agent (Claude, Cursor, your own LLM stack), the agent gets Scampilot as a tool. Over HTTP transport or locally over stdio.
