Evaluating anti-phishing vendors is frustrating. Every vendor says they stop 99.9% of threats. Every demo looks impressive. Every sales deck includes the same buzzwords: AI-powered, zero-day detection, advanced threat protection. But once you are under contract, you discover the gaps - in detection, in support, in pricing transparency, or in the fine print.
This checklist gives you 10 questions to ask any anti-phishing vendor before you sign. These are the questions that separate vendors who can actually protect your business from vendors who are just good at demos. They reflect the 2026 threat landscape, in which phishing accounts for 36% of breaches (2024 Verizon DBIR) and the average breach costs $4.88 million (IBM 2024 Cost of a Data Breach).
The 10-Question Vendor Evaluation Checklist
1. How Many Detection Engines Do You Run, and Which Ones?
Why to ask: “AI-powered” is not an answer. You need to know the specific engines, the specific threat intelligence feeds, and whether they run in parallel or sequentially. A vendor who cannot name their engines is reselling a single provider’s technology with a markup.
Good answer: Named engines (e.g., Vade Secure, Sophos, Webroot), running simultaneously, with different detection methodologies (signature, heuristic, behavioral, ML).
Red flag: “Our proprietary AI” with no specifics. “We use machine learning” as the entire answer.
“No single threat intelligence database catches everything. That’s why Phish Protection cross-references every email against Vade Secure, Sophos, Halon Classify, Webroot BCTI, and proprietary weighting algorithms simultaneously.” - Adam Lundrigan, CTO, DuoCircle
Phish Protection’s answer: 5 named detection engines running in parallel, plus proprietary weighting algorithms.
2. Do You Scan Before or After Delivery?
Why to ask: This is the most important architectural question. Pre-delivery scanning stops threats before users see them. Post-delivery remediation means the threat sits in the inbox for seconds to minutes while the system decides - and users open emails fast.
Good answer: Pre-delivery inline scanning. Sub-second latency. Threats never reach the inbox.
Red flag: “We remediate within seconds.” Remediation means the email was already delivered.
Phish Protection’s answer: Pre-delivery gateway scanning with sub-second latency. Threats are blocked before the inbox.
3. What Happens to URLs After the Email Is Delivered?
Why to ask: Delayed weaponization - sending clean URLs that are swapped to malicious destinations hours later - is one of the most effective attack techniques in 2026. If the vendor only checks URLs at delivery time, every delayed-weaponization attack gets through.
Good answer: Every URL is rewritten and re-analyzed at the moment the user clicks. Full redirect chain resolution.
Red flag: “We check URLs at time of delivery.” No time-of-click capability.
“Time-of-click protection is the single most important advancement in email security in the last five years.” - Brad Slavin, General Manager, DuoCircle
Phish Protection’s answer: Every URL rewritten and re-scanned at click time, including redirect chain and URL shortener resolution.
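To make the delivery-time versus click-time distinction concrete, here is an added example (not Phish Protection's code) of the rewrite-and-resolve pattern: links are wrapped in a signed gateway URL at delivery, and the gateway unwraps, verifies and re-scans the full redirect chain when the user clicks. The gateway host, signing key, redirect map and blocklist are all constructed for the example; a real gateway would follow redirects over the network.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlencode, parse_qs, urlparse

GATEWAY = "https://click.gateway.example/go"   # hypothetical click-time scanning endpoint
SECRET = b"constructed-demo-key"               # per-tenant signing key (constructed)
HREF = re.compile(r'href="(https?://[^"]+)"')

def _sign(url: str) -> str:
    """HMAC over the original URL so a rewritten link cannot be forged or altered."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:32]

def rewrite_links(html: str) -> str:
    """At delivery: replace every http(s) href with a signed gateway link."""
    def wrap(m):
        url = m.group(1)
        token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
        return 'href="%s?%s"' % (GATEWAY, urlencode({"u": token, "s": _sign(url)}))
    return HREF.sub(wrap, html)

def resolve_at_click(gateway_url: str, redirects: dict, blocklist: set) -> dict:
    """At click: verify the signature, unwrap, follow the (simulated) redirect chain, re-scan."""
    q = parse_qs(urlparse(gateway_url).query)
    token, sig = q["u"][0], q["s"][0]
    url = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    if not hmac.compare_digest(_sign(url), sig):
        return {"allowed": False, "reason": "bad signature"}
    chain = [url]
    while chain[-1] in redirects and len(chain) < 10:   # hop cap guards against loops
        chain.append(redirects[chain[-1]])
    blocked = any(urlparse(u).hostname in blocklist for u in chain)
    return {"allowed": not blocked, "chain": chain}

# Constructed scenario: the shortener target is clean at delivery and swapped hours later.
HTML = '<a href="https://sh.example/abc">View invoice</a>'
AT_DELIVERY = {"https://sh.example/abc": "https://docs.example.com/file"}
AT_CLICK = {"https://sh.example/abc": "https://evil-phish.example/login"}
BLOCKLIST = {"evil-phish.example"}

if __name__ == "__main__":
    link = HREF.search(rewrite_links(HTML)).group(1)
    print(resolve_at_click(link, AT_DELIVERY, BLOCKLIST))  # allowed: chain is clean
    print(resolve_at_click(link, AT_CLICK, BLOCKLIST))     # blocked: chain now ends on the blocklist
```

A delivery-time-only scanner sees the first result and never the second; the signature check also stops anyone from pointing the gateway at a URL that was never scanned.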
4. How Do You Detect BEC Attacks That Have No Malicious Payload?
Why to ask: BEC costs $125,000 per incident on average (FBI IC3 2024). These attacks have no malware, no malicious links, and no attachments. They impersonate trusted senders and request financial actions. If the vendor’s BEC detection is just a blocklist, it will miss the attacks that matter.
Good answer: Display name analysis, lookalike domain detection, behavioral baselines, first-contact warnings, reply-to manipulation detection.
Red flag: “We block known malicious domains.” BEC attacks use new domains and free email accounts.
Phish Protection’s answer: BEC detection including display name spoofing, domain impersonation, behavioral analysis, and first-contact flagging.
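The signals listed above are all header- and text-level checks that need no payload to fire. As an added example (not Phish Protection's code), the function below runs five of them over a constructed message: display-name spoofing against a known-sender list, lookalike-domain folding, Reply-To divergence, free-mail accounts, first contact, and a financial-request keyword match. The trusted domains, known senders and sample message are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for a hypothetical organisation.
TRUSTED_DOMAINS = {"example-corp.com"}
KNOWN_SENDERS = {"jane doe": "jane.doe@example-corp.com"}   # display name -> real address
SEEN_SENDERS = {"jane.doe@example-corp.com", "vendor@supplier-example.net"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
MONEY_WORDS = re.compile(r"\b(wire|invoice|gift card|urgent|payment|bank details)\b", re.I)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def label(domain: str) -> str:
    """Second-level label with digit-for-letter swaps and hyphens folded away."""
    return domain.lower().split(".")[0].translate(CONFUSABLES).replace("-", "")

def is_lookalike(domain: str) -> bool:
    """Untrusted domain whose folded label equals or embeds a trusted label."""
    if domain.lower() in TRUSTED_DOMAINS:
        return False
    return any(label(t) in label(domain) for t in TRUSTED_DOMAINS)

def bec_signals(raw: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (headers plus body)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    addr, reply = addr.lower(), reply.lower()
    from_dom, reply_dom = addr.rpartition("@")[2], reply.rpartition("@")[2]
    signals = []
    known = KNOWN_SENDERS.get(name.strip().lower())
    if known and known != addr:
        signals.append("display_name_spoof")     # familiar name, unfamiliar address
    if is_lookalike(from_dom):
        signals.append("lookalike_domain")
    if reply and reply_dom != from_dom:
        signals.append("reply_to_mismatch")      # replies diverted away from the From domain
    if from_dom in FREE_MAIL or reply_dom in FREE_MAIL:
        signals.append("free_mail_account")
    if addr not in SEEN_SENDERS:
        signals.append("first_contact")
    body = "" if msg.is_multipart() else msg.get_payload()
    if MONEY_WORDS.search(msg.get("Subject", "") + " " + body):
        signals.append("financial_request")
    return signals

SAMPLE = """From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.cfo@gmail.com
To: ap@example-corp.com
Subject: Urgent: wire transfer before noon

Please process the attached invoice by wire today. I am in meetings all day.
"""

if __name__ == "__main__":
    print(bec_signals(SAMPLE))
```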
5. What Is Your Published Pricing?
Why to ask: Vendors who hide pricing behind “contact sales” are optimizing for larger deals, not transparency. As a small or mid-sized business, you should know what the product costs before you commit to a meeting.
Good answer: Published per-user or per-mailbox pricing on the website. Monthly billing available. No minimum commitment.
Red flag: “Contact our sales team for a custom quote” as the only option. Multi-year contract required for reasonable pricing.
“When I talk to prospects about phishing protection, I don’t lead with features - I lead with math. A single successful BEC attack costs $125,000 on average. Phish Protection for a 50-person company costs $49 a month. The ROI calculation writes itself.” - Dan Calkin, VP of Sales, DuoCircle
Phish Protection’s answer: Published pricing from $19/month. No contract. See pricing.
6. What Does Your Free Trial Actually Include?
Why to ask: Some vendors offer “free trials” that require a credit card, limit features, cap at 5 users, or expire in 7 days. A real trial lets you deploy the full product across your actual environment for long enough to see real results.
Good answer: Full-featured trial. No credit card required. Enough duration to see real threats blocked (30+ days). No artificial user limits.
Red flag: Credit card required. 7-14 day trial. Feature-limited “starter” version. Requires scheduling a demo first.
Phish Protection’s answer: 60-day free trial, no credit card, full features, no user limit. Start trial.
7. How Long Does Deployment Take, and What Changes to My Infrastructure?
Why to ask: Solutions that require MX record changes, on-premises hardware, endpoint agents, or professional services create risk, delay, and an ongoing maintenance burden. The best solutions deploy via configuration changes to your existing email platform.
Good answer: Mail flow rule or API connection. Under 10 minutes. No MX record changes. No hardware or agents. Self-service deployment.
Red flag: “Our professional services team will schedule an onboarding session.” Requires hardware shipment. MX changes that create a single point of failure.
“Our customers are IT professionals at small businesses. They don’t have time for a two-week onboarding - they need protection that works in five minutes.” - Vasile Diaconu, Operations Lead, DuoCircle
Phish Protection’s answer: Mail flow rule configuration. Under 5 minutes. No MX changes. No hardware. No agents.
8. What SLA Do You Offer for Uptime and Support Response?
Why to ask: Email security is infrastructure-critical. If the gateway goes down, email stops. You need to know the vendor’s uptime commitment and what happens when you need help - especially during an active phishing incident.
Good answer: 99.9%+ uptime SLA. 24/7 support. Under 1-hour response for critical issues. Multiple support channels (phone, email, chat).
Red flag: No published SLA. Email-only support. “Business hours” response. “Community forums” as the support model.
Phish Protection’s answer: 24/7 US-based support via phone, email, and chat. Contact support.
9. Does Your Solution Validate Email Authentication (SPF, DKIM, DMARC)?
Why to ask: Since February 2024, Google and Yahoo require authentication. Since May 2025, Microsoft rejects unauthenticated email from high-volume senders. Your anti-phishing vendor should enforce authentication on inbound email and ideally help you manage your own authentication records.
Good answer: Full SPF/DKIM/DMARC validation on inbound. Authentication failure reporting. Integration with or recommendation for SPF management and DMARC monitoring tools.
Red flag: “We check SPF” with no mention of DKIM or DMARC. No reporting on authentication failures.
Phish Protection’s answer: Full SPF/DKIM/DMARC validation. For DMARC monitoring, see DMARC Report. For SPF flattening, see AutoSPF.
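The “we check SPF” red flag is easiest to see in code. As an added example (not Phish Protection's code), the function below applies the DMARC rule to an Authentication-Results header: a message passes only if SPF or DKIM passes AND the authenticated domain aligns with the From header domain. The headers are constructed; the organisational-domain helper uses the last two labels rather than a public-suffix list, which is an assumption that real evaluators replace.

```python
import re
from email.utils import parseaddr

def org_domain(domain: str) -> str:
    """Organisational domain approximated as the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def parse_auth_results(header: str) -> dict:
    """Map each method in an Authentication-Results value to (result, authenticated domain)."""
    out = {}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        ident = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(\S+)", clause)
        domain = ident.group(1).rpartition("@")[2].lower() if ident else ""
        out[m.group(1)] = (m.group(2).lower(), domain)
    return out

def dmarc_verdict(from_header: str, auth_results: str, strict: bool = False) -> dict:
    """DMARC logic: at least one of SPF/DKIM must pass AND its domain must align with From."""
    _, addr = parseaddr(from_header)
    from_dom = addr.rpartition("@")[2].lower()
    ar = parse_auth_results(auth_results)

    def aligned(domain: str) -> bool:
        # strict alignment = exact match; relaxed = same organisational domain
        return domain == from_dom if strict else org_domain(domain) == org_domain(from_dom)

    spf_res, spf_dom = ar.get("spf", ("none", ""))
    dkim_res, dkim_dom = ar.get("dkim", ("none", ""))
    spf_ok = spf_res == "pass" and aligned(spf_dom)
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom)
    return {"from_domain": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed headers: a legitimate vendor message and a spoof of an internal address.
LEGIT_AR = ("mx.example-corp.com; spf=pass smtp.mailfrom=bounce@mail.vendor-example.net; "
            "dkim=pass header.d=vendor-example.net")
SPOOF_AR = ("mx.example-corp.com; spf=pass smtp.mailfrom=bounce@attacker-host.example; "
            "dkim=none")

if __name__ == "__main__":
    print(dmarc_verdict("Vendor <billing@vendor-example.net>", LEGIT_AR))
    print(dmarc_verdict("CFO <cfo@example-corp.com>", SPOOF_AR))  # SPF "passes" yet DMARC fails
```

The spoofed message shows why SPF alone is not enough: SPF passes for the attacker's own envelope domain, but nothing aligns with the forged From header, so DMARC fails.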
10. What Platforms Do You Support, and Where Is the Biggest Gap?
Why to ask: Google Workspace has strong native phishing detection. Microsoft 365 does not - Defender for Office 365 consistently underperforms against targeted attacks. The biggest return on investment from anti-phishing software is on M365 environments. A vendor who does not understand this distinction is not paying attention to the threat landscape.
Good answer: Acknowledges the M365 detection gap. Purpose-built M365 integration. Also supports Exchange, Google Workspace, and generic SMTP.
Red flag: Claims equal value for all platforms. Does not differentiate between M365 and Google Workspace threat profiles.
Phish Protection’s answer: Purpose-built for Microsoft 365 (where the biggest gap is). Also supports Exchange, Google Workspace, and any SMTP server.
Vendor Evaluation Scorecard
Use this during your evaluation calls:
| Question | Vendor A | Vendor B | Phish Protection |
|---|---|---|---|
| Named detection engines | ___ | ___ | ✅ 5 engines |
| Pre-delivery scanning | ___ | ___ | ✅ |
| Time-of-click URL protection | ___ | ___ | ✅ |
| BEC behavioral detection | ___ | ___ | ✅ |
| Published pricing | ___ | ___ | ✅ From $19/mo |
| Full-featured free trial | ___ | ___ | ✅ 60 days |
| Deploy in under 10 minutes | ___ | ___ | ✅ Under 5 min |
| 24/7 support with SLA | ___ | ___ | ✅ |
| Email authentication | ___ | ___ | ✅ SPF/DKIM/DMARC |
| M365 gap awareness | ___ | ___ | ✅ |
Scoring:
| Score | Assessment |
|---|---|
| 9-10 | Strong vendor - well-positioned for 2026 threats |
| 7-8 | Solid with gaps - investigate which questions they could not answer |
| 5-6 | Significant concerns - you will discover the gaps after signing |
| Under 5 | Look elsewhere |
Start Your Evaluation
Start a 60-day free trial of Phish Protection - no credit card, no sales call required. Or use the BEC Cost Calculator to quantify your current phishing risk exposure.