22 passed | 1 failed | 0 skipped | 27 total | 81% pass rate

⚠ Vulnerabilities Found (2)

MEDIUM Open Redirect Abuse

Trusted domain open redirects to malicious pages not flagged

Fix: Parse redirect destination URL and scan that too

HIGH Volume Red Team Failure

Only 0% detection rate on 6 AI-generated attacks

Fix: Review bypassed categories and add missing signals

Phishing (12 pass / 0 fail / 12 total)
fake_paypal CAUGHT → block | risk=critical | 3 signals | Would have saved David $200 [4ms]
fake_facebook CAUGHT → block | Would have stopped the 2-year hack chain [3ms]
real_paypal Real PayPal correctly ALLOWED [3ms]
ip_login IP address login BLOCKED | signals: ['ip_address_login', 'brand_impersonation', 'http_login_page'] [3ms]
punycode Punycode domain BLOCKED [6ms]
official_sites_allow All 10 official sites correctly ALLOWED [1056ms]
phishing_bulk All 24 phishing URLs caught (100% detection rate) [2489ms]
37_brands_stress All 37/37 brands detected (100%) [36135ms]
long_subdomain_evasion Deep subdomain attack caught: block [3ms]
double_extension Double extension caught: block [2ms]
https_not_safe HTTPS phishing site still blocked - good [2ms]
signal_quality 3 well-formed signals returned: ['suspicious_tld', 'brand_impersonation', 'http_login_page'] [3ms]
Evasion (5 pass / 0 fail / 8 total)
encoding_bypass All 4 URL-encoded evasions caught [4587ms]
subdomain_stacking All 6 subdomain stacking attacks caught (100%) [19ms]
homoglyph All 5 homoglyph attacks caught [4660ms]
open_redirect Open redirect handling: 1 blocked, 0 challenged, 3 allowed — open redirects on trusted domains are hard to detect [10ms]
shortener_challenge 3/4 URL shorteners allowed through without challenge — destination is unknown, risk cannot be assessed [24ms]
typosquatting Caught 6/8 (75%) — missed: google triple-o; facebook 00→oo [7863ms]
combo_attacks All 3 multi-technique evasion attacks caught [1494ms]
evasion_fp_check All 3 legitimate sites still correctly allowed after evasion tests [7ms]
Ai_redteam (5 pass / 1 fail / 7 total)
attacker_model Attacker model: dolphin-mistral:7b — adversarial generation ready [19ms]
redteam_banks Model generated text but no parseable URLs: https://www-chase-co-com https://microbankofamerica-net https://wellsfargopay-net https://paypalverif-xyz https://citibanksecurel-tk https://logins-com https://chasesecurelogin-tk https://bankofameric [22283ms]
redteam_elderly dolphin-mistral:7b | 7 elderly-targeted URLs | 7/7 caught (100%) [18519ms]
redteam_evasion dolphin-mistral:7b evasion | 8 URLs | 8/8 caught (100%) [7546ms]
gap_analysis No bypass gaps found in test set — all 4 caught by GuardDex [3558ms]
defender_ai_supplement phi3:mini caught 3 ambiguous scam URLs that needed AI context [8138ms]
stress_volume 6 AI-generated URLs | 0 caught (0%) | avg 9ms/scan | total 52ms [8960ms]