Rapid Anti-phishing Network Takedown Analysis System (RANTAS) is a phishing detection and reporting platform designed for security teams to track, manage, and respond to phishing threats.

• Case Management - Track phishing cases from submission to resolution
• Typosquat Detection - Monitor certificate transparency logs for domains typosquatting your brands
• AI-Powered Phishing Detection - LLM-based content analysis for social engineering, brand impersonation, and credential harvesting
• Email Reporting - Send takedown notices via SMTP or Microsoft Graph API
• XARF Export - Generate eXtended Abuse Reporting Format reports
• Dashboard & Analytics - Visualize phishing trends and response metrics
• Role-Based Access Control - Granular permissions for team members

AI analysis detects social engineering, brand impersonation, credential harvesting, and psychological manipulation tactics

• Docker & Docker Compose
• PostgreSQL 15+
• Redis 7+
• Node.js 20+ (for local frontend development)
• Python 3.10+ (for local backend development)

1. Clone the repository

   git clone https://github.com/deprito/rantas.git
   cd rantas

2. Copy environment files

   cp env.example .env
   cp backend/env.example backend/.env
   cp frontend/env.example frontend/.env.local

3. Configure environment variables

   At minimum, set these variables in .env:

   # Database
   POSTGRES_USER=rantas
   POSTGRES_PASSWORD=<generate-secure-password>
   POSTGRES_DB=rantas
   
   # Security
   SECRET_KEY=<generate-with-openssl-rand-hex-32>
   WEBHOOK_SECRET=<generate-secure-token>
   DEFAULT_ADMIN_PASSWORD=<set-initial-admin-password>

4. Start with Docker Compose

   docker compose up -d

5. Access the application

   • Frontend: http://localhost:3001
   • Backend API: http://localhost:9000
   • Flower (Celery monitoring): http://localhost:5557

After initial setup, log in with:

• Username: admin
• Password: The value you set for DEFAULT_ADMIN_PASSWORD in .env

Important: Change the default admin password immediately after first login.

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  Frontend   │────▶│   Backend   │────▶│  Database   │
│  (Next.js)  │     │  (FastAPI)  │     │ (PostgreSQL)│
└─────────────┘     └─────────────┘     └─────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │    Redis    │
                    │  (Celery)   │
                    └─────────────┘
                           │
           ┌───────────────┼───────────────┐
           ▼               ▼               ▼
    ┌──────────┐   ┌──────────┐   ┌──────────┐
    │  Worker  │   │   Beat   │   │  Flower  │
    └──────────┘   └──────────┘   └──────────┘

See the following files for all available options:

RANTAS supports two methods for sending takedown notices:

SMTP (traditional):

SMTP_ENABLED=true
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
[email protected]
SMTP_PASSWORD=your-app-password

Microsoft Graph API (Microsoft 365):

GRAPH_ENABLED=true
GRAPH_TENANT_ID=<your-tenant-id>
GRAPH_CLIENT_ID=<your-client-id>
GRAPH_CLIENT_SECRET=<your-client-secret>

Configure brands to monitor in .env:

BRAND_IMPACTED=["Example Corp","Test Corp"]
HUNTING_MIN_SCORE=50
HUNTING_ALERT_SCORE=80

RANTAS includes optional AI-powered content analysis using Ollama (LLM-based detection). This feature analyzes webpage content for:

• Social engineering tactics (urgency, threats, too-good-to-be-true offers)
• Brand impersonation (mimicking legitimate companies)
• Credential harvesting (passwords, credit cards, sensitive data requests)
• Suspicious patterns (poor grammar, mismatched branding, fake security badges)

Enable AI analysis in backend/.env:

OLLAMA_ENABLED=true
OLLAMA_BASE_URL=https://ollama.com/api
OLLAMA_API_KEY=your-api-key-here
OLLAMA_MODEL=glm-5
OLLAMA_TIMEOUT=60

Using self-hosted Ollama:

OLLAMA_ENABLED=true
OLLAMA_BASE_URL=http://localhost:11434/api
OLLAMA_MODEL=llama3.2

The AI analysis runs automatically on the public submission page (/public/submit) and displays detailed threat analysis with recommendations.

cd backend
python -m venv venv
source venv/bin/activate  # or `venv\Scripts\activate` on Windows
pip install -r requirements.txt
uvicorn app.main:app --reload

cd frontend
npm install
npm run dev

# Backend tests
cd backend
pytest

# Frontend tests
cd frontend
npm test

docker compose -f docker-compose.yml up -d

# Set your registry host (e.g., ghcr.io/your-org)
export REGISTRY_HOST=ghcr.io/your-org

docker compose -f docker-compose.ghcr.yml up -d

See docker-compose.ghcr.yml for private registry deployment configuration.

To build and push images to your own registry:

# Set registry credentials
export REGISTRY_HOST=ghcr.io/your-org
export REGISTRY_USERNAME=your-username
export REGISTRY_PASSWORD=your-token

# Build and push
./scripts/build-ghcr.sh

The images will be pushed as:

• ${REGISTRY_HOST}/rantas-backend:latest
• ${REGISTRY_HOST}/rantas-frontend:latest

Once running, access the interactive API docs at:

• Swagger UI: http://localhost:9000/docs
• ReDoc: http://localhost:9000/redoc

Please report security vulnerabilities to [email protected]. See SECURITY.md for details.

1. Change default passwords - Always set DEFAULT_ADMIN_PASSWORD before deployment
2. Use HTTPS - Never deploy without TLS termination in production
3. Rotate secrets - Regularly rotate SECRET_KEY and WEBHOOK_SECRET
4. Restrict CORS - Update CORS_ORIGINS to your actual domains
5. Monitor logs - Enable logging and monitor for suspicious activity

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request

This project is licensed under the MIT License - see the LICENSE file for details.

• Built with FastAPI and Next.js
• Uses Celery for async task processing
• Typosquat detection inspired by CertStream

Need Help? Open an issue on GitHub or contact the development team.