AzemSec — Phishing Scanner for Business

The problem

Phishing is still the most common way businesses get hit

It doesn't need to be sophisticated. A convincing email, one distracted employee, and you're dealing with wire fraud, ransomware, or a data breach.

91% of cyberattacks start with an email

Spam filters block bulk spam. They don't block targeted attacks where someone spent time crafting an email specifically for your company. That's the gap.

Verizon DBIR 2024

Average loss for a German SME: €35,000–€180,000

Wire transfer fraud, stolen credentials, ransomware recovery. German SMEs are a disproportionate target — attackers assume no dedicated security team.

BSI Lagebericht 2024

NIS2 made phishing protection a legal requirement

Since October 2024, companies in critical sectors in Germany must implement technical security measures — including protection against phishing attacks. Fines go up to €10M.

NIS2-Umsetzungsgesetz

How it works

Ten seconds. No training required.

Something feels off

Unexpected sender, odd wording, urgency. Instead of clicking or ignoring, the employee copies the email into AzemSec.

We check it against real databases

770,000+ phishing domains, MalwareBazaar, RDAP domain age, SPF/DKIM/DMARC, brand impersonation — all at once. Takes a few seconds.

Plain verdict. Not a number.

SAFE, SUSPICIOUS, or DANGER — with a plain explanation of what triggered it. No security background required to understand the result.

IT keeps the audit trail

Every scan is logged. IT managers can see what the team encountered, run reports, and export the data for NIS2 compliance documentation.

Forwarded email — pending review

From: [email protected]

Your Amazon account has been locked. Verify within 24 hours or your account will be permanently closed.

Domain registered 2 days ago

Amazon impersonation

SPF failed

Reply-To points elsewhere

4 urgency phrases

Not in databases yet — new attack

DANGER — DO NOT CLICK

5 threat signals. Block sender, tell IT.

NIS2 requires this. We built it.

The NIS2 Directive has been German law since October 2024. Companies in scope must implement technical security measures against phishing and document them. AzemSec covers both — DSGVO-compliant, governed by German law.

Book a demo

—

Every scan is logged

Timestamp, verdict, user, type. Export the full log for your NIS2 compliance documentation whenever you need it.

—

German law. No US data risk.

DSGVO-compliant. BfDI as supervisory authority. Your data stays under German jurisdiction.

—

Builds real habits

Checking before clicking is the single most effective thing employees can do. AzemSec makes it fast enough that they actually do it.

—

Monthly reports for management

Shows what threats your team encountered and how they handled them. Useful for both internal review and external audits.

Pricing

Straightforward pricing

14-day free trial on all plans. No card needed to start. Cancel any time — § 355 BGB withdrawal right applies.

Starter

^€0/mo

1 user · 3 scans/day

Try it out. No commitment.

Email phishing detection
URL / domain check
60+ detection rules
Plain-language results
Team seats
Scan history
NIS2 export
Priority support

Team

^€49/mo

Up to 10 users · Unlimited scans

For teams that need coverage and compliance documentation.

Everything in Starter
Up to 10 seats
Unlimited scans
90-day scan history
NIS2 compliance export
Monthly threat report
Email support (24h)
White-labelling

Business

^€149/mo

Up to 50 users · Unlimited scans

For larger firms, MSPs and anyone who needs reseller rights.

Everything in Team
Up to 50 seats
Unlimited history
API access
White-label option
MSP reseller margin
Dedicated support
Custom onboarding

50+ users, or need something custom?

Custom seat count, SLA, API integration with your email platform, dedicated account manager, volume pricing. We reply within 24 hours.

Custom SLA API Volume pricing Account manager German support On-premise

All prices excl. VAT · Stripe · Visa · Mastercard · Amex · Cancel any time

Questions

Frequently asked questions

Sign up for Team or Business, invite your team from the dashboard. They each get their own account under your billing. Takes about 5 minutes.

Yes. Brand new attacks won't be in any database yet. AzemSec is a strong first check, not a replacement for judgement. We're honest about this in every result.

The email text is sent to third-party threat databases for checking. We store the scan result (score, verdict, timestamp) — not the email body itself. We don't keep your email content on our servers.

AzemSec handles the phishing detection and audit logging parts of NIS2. Team and Business plans include exportable logs. For full NIS2 compliance you'll also need an incident response plan, asset management, and access controls — AzemSec is one piece of that.

Yes — cancel any time, access runs to end of period. German consumers have a 14-day right of withdrawal under § 355 BGB. Email [email protected] to cancel.

Business plan includes white-label rights and a reseller margin. You can deploy AzemSec under your own brand and charge your clients. Get in touch for partner details.

Terms of Service

Last updated: April 2026

These Terms govern your use of azemsec.com.

1. Operator

AzemSec is operated by an individual based in Germany. German law applies — DSGVO, BDSG, TMG.

2. Plans and Payment

Starter (free), Team (€49/mo, 10 seats), Business (€149/mo, 50 seats), Enterprise (custom). All prices excl. VAT. Billed via Stripe.

3. Right of Withdrawal (§ 355 BGB)

Consumers have a 14-day right of withdrawal from new subscriptions. Contact [email protected].

Model Withdrawal: To: AzemSec, [email protected] — I withdraw from my subscription started on [date]. Name: _____ Date: _____

4. Acceptable Use

No unlawful use, reverse engineering, or automated abuse.

5. Liability

Full liability for intentional misconduct and gross negligence. Limited for simple negligence. Unlimited for life/body/health.

6. Governing Law

German law where mandatorily applicable. CISG excluded. ODR: ec.europa.eu/consumers/odr. We do not participate in arbitration.

Privacy Policy

Last updated: May 2026 · DSGVO / GDPR (EU) 2016/679 · BDSG

1. Controller

AzemSec · [email protected] · azemsec.com

2. What we process and why

Account data

Name and email on registration, stored via Firebase (Google LLC). Used solely to provide the service. Legal basis: Art. 6(1)(b) GDPR.

Scan data

Scan type, score, verdict, timestamp. Logged-in scans linked to your account. Anonymous scans stored without identifier. The email body you paste is sent to third-party threat databases for analysis but not stored on our servers. Legal basis: Art. 6(1)(f) GDPR.

Payment data

Processed entirely by Stripe, Inc. We never see or store card details.

Browser storage

Stored in your browser localStorage — never sent to our servers: az_lang (language), az_hist (local scan history), az_theme (display), az_cookies (notice dismissed). Firebase stores auth tokens to keep you logged in. Legal basis: § 25 TTDSG — technically necessary.

Contact emails

Name and email stored when you contact us or book a demo. Not used for marketing. Legal basis: Art. 6(1)(f) GDPR.

3. Data retention

Scan metadata — 90 days, then deleted automatically
Account data — until you request deletion
Payment records — up to 10 years (§ 257 HGB)
Demo/contact emails — deleted within 12 months if no business relationship follows

4. Third-party services

Firebase / Google LLC — auth and database. USA, SCCs. firebase.google.com/support/privacy
Cloudflare, Inc. — hosting, CDN, DDoS protection. Sets technically necessary cookies (__cf_bm). USA, SCCs.
Stripe, Inc. — payment processing. USA, SCCs. stripe.com/privacy
EmailJS — transactional email (demo requests, contact). Processes name and email. emailjs.com/legal/privacy-policy
PhishDestroy — phishing domain database. Domain names extracted from your scan are sent for lookup. No personal data transmitted.
URLhaus, MalwareBazaar, ThreatFox (abuse.ch) — malware and threat intelligence databases. Domain names sent for lookup. No personal data transmitted.
RDAP (regional domain registries) — domain age verification. Domain names sent to check registration date. No personal data transmitted.
Local heuristics — brand impersonation detection, urgency language analysis, header analysis (SPF/DKIM/DMARC), link and attachment analysis run entirely within our Cloudflare Worker. No data is sent to any external service for these checks.
ipapi.co — used once on first visit to detect country for language selection. Your IP is sent. We store nothing. Fallback: Cloudflare /cdn-cgi/trace.

No analytics services, advertising networks, or tracking pixels are used.

5. Your rights

Access (Art. 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21). To exercise any right including account deletion: [email protected]. We respond within 30 days.

Supervisory authority: BfDI, Graurheindorfer Str. 153, 53117 Bonn. bfdi.bund.de

6. International transfers

Firebase, Cloudflare, Stripe and EmailJS are US-based. Transfers are covered by Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR.

7. Changes

We update this policy when our data practices change. The date at the top reflects the last update.

Datenschutzerklärung

Zuletzt aktualisiert: Mai 2026 · DSGVO (EU) 2016/679 · BDSG

1. Verantwortlicher

AzemSec · [email protected] · azemsec.com

2. Welche Daten wir verarbeiten und warum

Kontodaten

Name und E-Mail-Adresse bei der Registrierung, gespeichert über Firebase (Google LLC). Ausschließlich zur Diensterbringung. Rechtsgrundlage: Art. 6 Abs. 1 lit. b DSGVO.

Scan-Daten

Scan-Typ, Score, Urteil, Zeitstempel. Angemeldete Scans werden dem Konto zugeordnet, anonyme ohne Kennung. Der eingefügte E-Mail-Text wird zur Analyse an Bedrohungsdatenbanken gesendet, aber nicht auf unseren Servern gespeichert. Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO.

Zahlungsdaten

Vollständig über Stripe, Inc. abgewickelt. Wir sehen oder speichern keine Kartendaten.

Browser-Speicher

Im localStorage gespeichert — verlässt Ihr Gerät nicht: az_lang (Sprache), az_hist (Scan-Verlauf), az_theme (Anzeige), az_cookies (Hinweis bestätigt). Firebase speichert Auth-Token zur Anmeldung. Rechtsgrundlage: § 25 TTDSG — technisch notwendig.

Kontakt-E-Mails

Name und E-Mail bei Kontaktaufnahme oder Demo-Buchung. Keine Nutzung für Marketing. Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO.

3. Speicherdauer

Scan-Metadaten — 90 Tage, dann automatische Löschung
Kontodaten — bis zur Löschanfrage
Zahlungsbelege — bis zu 10 Jahre (§ 257 HGB)
Demo-/Kontakt-E-Mails — Löschung innerhalb von 12 Monaten ohne Geschäftsverhältnis

4. Drittanbieter

Firebase / Google LLC — Authentifizierung und Datenbank. USA, SCC.
Cloudflare, Inc. — Hosting, CDN, DDoS-Schutz. Setzt technisch notwendige Cookies (__cf_bm). USA, SCC.
Stripe, Inc. — Zahlungsabwicklung. USA, SCC. stripe.com/de/privacy
EmailJS — Transaktionale E-Mails. Verarbeitet Name und E-Mail. emailjs.com/legal/privacy-policy
PhishDestroy — Phishing-Domain-Datenbank. Aus dem Scan extrahierte Domain-Namen werden zur Prüfung gesendet. Keine personenbezogenen Daten.
URLhaus, MalwareBazaar, ThreatFox (abuse.ch) — Malware- und Bedrohungsdatenbanken. Domain-Namen werden zur Prüfung gesendet. Keine personenbezogenen Daten.
RDAP (regionale Domain-Registrare) — Domain-Altersverifizierung. Domain-Namen werden zur Prüfung des Registrierungsdatums gesendet. Keine personenbezogenen Daten.
Lokale Heuristiken — Marken-Impersonation, Dringlichkeitssprache, Header-Analyse (SPF/DKIM/DMARC), Link- und Anhang-Analyse laufen vollständig in unserem Cloudflare Worker. Für diese Prüfungen werden keine Daten an externe Dienste gesendet.
ipapi.co — Einmalig beim ersten Besuch zur Spracherkennung. IP-Adresse wird übertragen. Wir speichern nichts. Fallback: Cloudflare /cdn-cgi/trace.

Keine Analyse-Dienste, Werbenetzwerke oder Tracking-Pixel.

5. Ihre Rechte

Auskunft (Art. 15), Berichtigung (16), Löschung (17), Einschränkung (18), Übertragbarkeit (20), Widerspruch (21). Anfragen an [email protected]. Antwort innerhalb von 30 Tagen.

Aufsichtsbehörde: BfDI, Graurheindorfer Str. 153, 53117 Bonn. bfdi.bund.de

6. Drittlandübermittlung

Firebase, Cloudflare, Stripe und EmailJS haben ihren Sitz in den USA. Übermittlung auf Grundlage von Standardvertragsklauseln (SCC) gem. Art. 46 Abs. 2 lit. c DSGVO.

7. Änderungen

Diese Erklärung wird bei Änderungen unserer Datenpraktiken aktualisiert.

Liability Notice