An intelligent phishing detection system using multi-agent AI architecture with Gmail integration and gamified security training.
Four specialized agents collaborate to analyze suspicious messages:
| Agent | Role |
|---|---|
| Classifier | Gemini AI-powered classification with confidence scores and reason tags |
| Evidence | TF-IDF similarity search to find related real-world phishing examples |
| Memory | Manages user profiles, tracks performance, and identifies weak spots |
| Coach | Generates personalized tips, explanations, and interactive quizzes |
- OAuth 2.0 secure connection with encrypted token storage
- Batch triage of up to 50 unread emails
- Auto-labeling:
ThreatIQ/Safe,ThreatIQ/Suspicious,ThreatIQ/Phishing - Optional: auto-archive safe emails, mark phishing as spam
- 12 curated cybersecurity lessons (passwords, 2FA, phishing, social engineering, etc. for now we only have 12 lessons but we can add more later)
- 3-question quiz per lesson with instant feedback
- XP rewards (10-50 XP based on score)
- Level progression and streak tracking
- 7-day activity calendar
- Performance statistics with charts (Recharts)
- Category-specific accuracy tracking
- Weak spot identification
- Analysis history with correctness indicators
| Layer | Technologies |
|---|---|
| Frontend | Next.js 14, TypeScript, TailwindCSS, ShadCN UI, Recharts |
| Backend | FastAPI, Python 3.11, Google Gemini API, scikit-learn |
| Auth | Firebase (Email/Password + Google Sign-In) |
| Database | MongoDB Atlas (free tier) |
| Hosting | Vercel (frontend), Render (backend) |
ThreatIQ_Agent/
βββ frontend/ # Next.js 14 web app
β βββ src/app/ # Pages (analyze, dashboard, lessons, history)
β βββ src/components/ # UI components (Navbar, GmailIntegration)
β βββ src/lib/ # API client, Firebase config
βββ backend/ # FastAPI Gateway (port 8000)
β βββ app/agents/ # Classifier, Evidence, Memory, Coach
β βββ app/routers/ # API endpoints (analysis, gmail, lessons, profile)
β βββ app/services/ # Gmail OAuth, crypto, triage
β βββ app/data/ # Lessons content
βββ services/
β βββ analysis-service/ # Stateless AI microservice (port 8010)
β βββ ml/ # Offline ML training pipeline
β βββ train_classifier.py
β βββ evaluate_classifier.py
β βββ experiment_log.csv
β βββ error_analysis.md
β βββ artifacts/ # Saved model & vectorizer (.gitignored)
βββ eval/ # Evaluation & testing pipeline
β βββ data/ # Golden set (40) + sample set (200)
β βββ tests/ # Pytest + DeepEval test suites
β βββ lib/ # Gemini LLM-judge wrapper
βββ mobile/ # Expo React Native app
β βββ app/ # Expo Router screens
β βββ src/ # Components, lib, theme
βββ docs/ # Architecture documentation
βββ docker-compose.yml # Local microservices orchestration
- Python 3.9+
- Node.js 18+
- MongoDB Atlas account
- Firebase project
- Google AI Studio API key
cd backend
python -m venv venv
venv\Scripts\activate # Windows
# source venv/bin/activate # macOS/Linux
pip install -r requirements.txt
cp .env.example .env # Configure your keys
uvicorn app.main:app --reloadBackend runs at http://localhost:8000
cd frontend
npm install
cp .env.local.example .env.local # Configure Firebase
npm run devFrontend runs at http://localhost:3000
cd mobile
npm install
cp .env.example .env # Configure Firebase + API URL
npx expo start # Scan QR with Expo GoBuild APK:
eas build -p android --profile previewThe web app is also installable on mobile devices:
- Open the deployed Vercel URL on your phone
- Install via browser menu: "Add to Home Screen" (iOS) or "Install App" (Android)
- Runs as standalone app with offline support
# Required
GEMINI_API_KEY=your_gemini_api_key
MONGODB_URI=mongodb+srv://user:pass@cluster.mongodb.net/
MONGODB_DB_NAME=threatiq
# Firebase Admin SDK
FIREBASE_PROJECT_ID=your_project_id
FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
FIREBASE_CLIENT_EMAIL=firebase-adminsdk@project.iam.gserviceaccount.com
# Gmail OAuth (optional)
GOOGLE_CLIENT_ID=your_client_id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your_client_secret
GOOGLE_REDIRECT_URI=http://localhost:8000/api/gmail/callback
TOKEN_ENCRYPTION_KEY=your_fernet_key # Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
# CORS
CORS_ORIGINS=http://localhost:3000NEXT_PUBLIC_API_URL=http://localhost:8000
NEXT_PUBLIC_FIREBASE_API_KEY=your_api_key
NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN=your_project.firebaseapp.com
NEXT_PUBLIC_FIREBASE_PROJECT_ID=your_project_id
NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET=your_project.appspot.com
NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID=your_sender_id
NEXT_PUBLIC_FIREBASE_APP_ID=your_app_id| Method | Endpoint | Description | Auth |
|---|---|---|---|
| POST | /api/analyze |
Full analysis with profile tracking | Yes |
| POST | /api/analyze-public |
Demo analysis (no auth) | No |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/gmail/connect |
Get OAuth URL |
| GET | /api/gmail/status |
Check connection |
| POST | /api/gmail/triage |
Run inbox triage |
| POST | /api/gmail/disconnect |
Revoke tokens |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/lessons/today |
Get today's lesson |
| POST | /api/lessons/complete |
Submit quiz answers |
| GET | /api/lessons/progress |
Get XP, level, streaks |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/profile/{user_id} |
Profile & stats |
| GET | /api/profile/{user_id}/history |
Analysis history |
Interactive Docs: http://localhost:8000/docs
GitHub Actions runs on every push/PR:
- Frontend:
npm ciβnpm run lintβnpm run build - Backend:
pip installβpython -m compileallβpytest - Evaluation: Deterministic tests (always) + DeepEval LLM-judge (if
GEMINI_API_KEYsecret is set)
Deployment auto-triggers on main branch merge.
Automated quality assurance using DeepEval with pytest integration.
# Deterministic tests (no API key needed, instant)
cd eval
pytest -k "not geval" -v
# Full suite with LLM-as-judge (needs Gemini API key)
$env:GEMINI_API_KEY="your-key" # Windows
python -m pytest -v| Test Type | What It Checks | API Key? |
|---|---|---|
| Label Match (40 tests) | Each golden-set item classified correctly | No |
| Accuracy Threshold | Overall accuracy above baseline | No |
| Confidence Range | All scores between 0β1 | No |
| Error Check | No classification errors | No |
| GEval Explanation Quality | LLM judges if explanations are specific and educational | Yes |
| GEval Classification Correctness | LLM judges if decisions are sound | Yes |
| GEval Batch Quality | LLM judges overall classification quality | Yes |
Uses
gemini-2.0-flash-litefor LLM-judge to avoid quota conflicts with the analysis service.
See eval/README.md for full details.
Offline, reproducible ML training pipeline for phishing email classification using classical ML.
cd services/analysis-service/ml
python train_classifier.py --max_features 5000 --C 1.0
python evaluate_classifier.py| Component | Description |
|---|---|
| Model | TF-IDF + Logistic Regression |
| Dataset | 2,000 emails (balanced), stratified 70/15/15 split |
| Reproducibility | Seeds set for random, numpy, sklearn |
| Tracking | Each run logged to experiment_log.csv |
| Error Analysis | Documented in error_analysis.md |
| Artifacts | phishing_model.joblib, tfidf_vectorizer.joblib |
See services/analysis-service/ml/README.md for full details.
vercel --prodAdd NEXT_PUBLIC_* env vars in Vercel dashboard.
- Build:
pip install -r requirements.txt - Start:
uvicorn app.main:app --host 0.0.0.0 --port 10000 - Add all
.envvariables in Render dashboard.
- Firebase ID tokens for all protected endpoints
- Gmail OAuth tokens encrypted with Fernet (AES-128)
- Server-side token exchange (frontend never sees OAuth tokens)
- CORS restricted to specific origins
- MongoDB TLS encryption
MIT
Built with love by Jay & Eman