CUPELON

Features

Everything Cupelon does to surface email risk across your organization, built for environments where data can't leave your boundary.

Domain Reputation Tracking

Cupelon builds sender domain reputation from your users' native email behavior. When users flag messages as junk or rescue them, those signals feed into a rolling reputation score per sender domain.

Key Capabilities

  • Crowdsourced signals: Reputation is built from real user behavior across your organization — not external feeds
  • Deduplication: Multiple reports from the same user don't inflate scores — each user counts once
  • Auto-decay: Reputation resets over time so domains can recover from false positives
  • Org-specific intelligence: Spear phishing targeting your users gets caught, even if no external feed has seen it

Contextual Warning Banners

Color-coded warning banners are injected directly into email bodies based on threat level. Banners apply retroactively — when a domain's reputation changes, all existing messages from that domain are updated.

YellowCaution

Early warning — multiple users have flagged this sender

OrangeWarning

Pattern match — message resembles known phishing campaigns

RedAlert

High threat — strong consensus or confirmed threat indicators

BlueNotice

Mixed signals — likely newsletter or nuisance mail, not a threat

Customization

  • Custom templates: Full HTML editor per banner state — match your organization's branding
  • Configurable thresholds: Adjust sensitivity levels via the dashboard
  • Safe domain allowlist: Bypass banner logic entirely for trusted senders

Inline Phishing Training

Instead of sending fake phishing emails, Cupelon injects educational training panels into real phishing attempts. Users learn from actual threats at the point of attack — not from simulations they learn to ignore.

Each email is analyzed across multiple dimensions — link integrity, sender authentication, language patterns, domain reputation, and more. The composite analysis determines whether a training panel is shown and at what severity level.

What Gets Analyzed

Domain reputation & age
Threat indicator matches
Campaign pattern similarity
Urgency & pressure language
Link display mismatches
Email authentication failures
Reply-to address anomalies
Attachment risk assessment
Lookalike domain similarity
Character pattern anomalies

Why Not Simulations?

Traditional Simulation

  • Expensive per-user licensing
  • Users learn to spot fake emails, not real ones
  • Creates resentment and distrust
  • Separate portal from daily workflow
  • Periodic campaigns miss day-to-day threats

Cupelon Inline Training

  • Included in Pro and Enterprise tiers
  • Users learn from the actual attacks they receive
  • Educational, not punitive
  • Delivered in the inbox — zero friction
  • Continuous, real-time feedback loop

One-Click Training Acknowledgment

When a user reads the training panel on a medium- or high-risk message, they click “I've reviewed this” to acknowledge the warning. That single click creates a timestamped, auditable training record — no separate portal, no annual CBT marathon, no tracking spreadsheet.

What Gets Logged

  • User identifier (hashed)
  • Timestamp of acknowledgment
  • Message threat level and category
  • Specific signals shown (link mismatch, auth failure, etc.)
  • User action taken (acknowledged, flagged, reported)

Compliance Export

  • Downloadable training log per user or org-wide
  • Proof of continuous phishing awareness training
  • Maps to CMMC AT.L2-3.2.1, NIST 800-171 03.02.01, CJIS 5.2
  • Supports annual training evidence for auditors
  • No separate training platform required

Supports Mandatory Training Requirements

Every major compliance framework requires annual phishing awareness training — but almost none require phishing simulations. Cupelon's inline training with acknowledgment logging can help organizations demonstrate compliance with training requirements across these frameworks:

CMMC — AT.L2-3.2.1 Role-Based Risk Awareness
NIST 800-171 — 03.02.01 Literacy Training
FedRAMP Low/Moderate — AT-2, AT-2(3)
FISMA — AT-2 (via NIST 800-53)
CJIS — Policy Area 5.2
IRS 1075 — Section 6.2

FedRAMP High (AT-2(1)) is the only baseline that explicitly requires phishing simulations. For all other frameworks, Cupelon's inline training with documented acknowledgments can serve as supporting evidence of continuous phishing awareness training. Consult your compliance advisor to confirm requirements for your organization.

Lookalike Domain Detection

Algorithmic detection of impersonation domains using multiple analysis techniques. No static blocklists to maintain — catches zero-day lookalike domains the moment they appear in your mail flow.

Detection Capabilities

  • Visual impersonation: Detects characters that look similar across different scripts and alphabets
  • Typo variants: Catches common misspellings and character transpositions of your protected domains
  • Structural tricks: Identifies subdomain abuse, hyphenation attacks, and TLD swaps

How It Differs

  • No blocklist maintenance: Purely algorithmic — no feeds to subscribe to or lists to update
  • Zero-day coverage: Catches brand new domains on first appearance
  • Configurable sensitivity: Adjust the detection threshold to balance coverage vs. false positives

Threat Correlation

Cupelon automatically extracts indicators of compromise from flagged emails and correlates them across sender domains. When the same threat indicators appear from multiple senders, the system recognizes coordinated campaigns and elevates the threat level.

IOC Extraction

URLs, contact information, and content fingerprints are automatically extracted from flagged messages and tracked across your organization.

Campaign Detection

Messages with similar content are automatically clustered together, revealing phishing campaigns that use slightly modified templates across different sender domains.

Cupelon Threat Network

The Cupelon Threat Network is a crowd-sourced intelligence layer built from anonymized threat data contributed by organizations across the community. Every participant makes the network stronger — and gets stronger protection in return.

Available to all Community tier users at no cost. The more organizations that participate, the faster new threats are identified and the more accurate reputation scores become.

Cross-Organization Intelligence

  • Domain reputation: Aggregate sender reputation across all participating organizations — not just your own
  • Campaign clusters: Detect coordinated phishing campaigns that span multiple targets
  • URL reputation: Community-wide tracking of suspicious URLs and redirect chains

Cupelon Threat Score

  • Composite score: A single 0–100 threat score per domain, combining reputation signals from across the network
  • Real-time updates: Scores adjust as new reports flow in from community members
  • API access: Query Cupelon Scores programmatically to integrate with your existing security tooling

E-Signature Platform Verification

Spoofed DocuSign, Adobe Sign, and SignNow emails are among the most dangerous phishing lures because users expect to click links in them. Cupelon verifies e-signature messages against curated allowlists and flags imposters before anyone clicks.

What Gets Verified

  • Sender domain: Checked against verified sending domains for DocuSign, Adobe Sign, SignNow, HelloSign, PandaDoc, and more
  • Link destinations: Signing links must resolve to the real platform — not a lookalike
  • Authentication: SPF, DKIM, and DMARC must all pass for verified platforms
  • Display name consistency: Flags mismatches between claimed brand name and actual sender domain

Zero Ambiguity Scoring

  • Verified legitimate: Real DocuSign from docusign.net with full auth = safe, score reduced
  • Confirmed spoofed: Fake DocuSign from a lookalike domain = maximum threat score
  • Lookalike detection: Algorithmically detects domains that visually resemble legitimate e-signature platforms
  • 10 platforms covered: DocuSign, Adobe Sign, SignNow, HelloSign, PandaDoc, Nitro Sign, OneSpan, SignEasy, Zoho Sign, DigiSigner

High-Stakes Message Categories

Certain message categories are too important to rely on a single score. Cupelon automatically detects high-stakes messages and applies full-depth analysis regardless of the initial threat score.

E-Signatures

DocuSign, Adobe Sign, and 8 other platforms — verified or flagged as spoofed

Wire Transfers

Payment instructions, ACH transfers, and urgent payment requests get the highest scrutiny

Banking Alerts

Account alerts, transaction notifications, and suspicious activity warnings

MFA / 2FA Codes

Verification codes, one-time passwords, and security codes from unknown senders

Password Resets

Password change requests, account recovery, and credential expiration notices

IT Admin Notices

Account suspension, security alerts, and mailbox quota warnings from claimed IT departments

Auto-Sweep to Junk

When the Cupelon Score exceeds a configurable threshold, messages are automatically moved to junk or quarantine — removing high-confidence threats from the inbox before users see them.

How It Works

  • Configurable threshold: Default 80/100 — adjust between 50 and 95 to match your risk tolerance
  • Junk or quarantine: Move to the user's junk folder (default) or to an admin-managed quarantine
  • One-click rescue: Users can move messages back to the inbox if the sweep was wrong
  • Rescue feedback: Rescued messages improve domain reputation — reducing false positives over time

Compliance Safety

  • Never moves controlled content: Messages with CUI, ITAR, or classification markings are never auto-swept
  • Full audit trail: Every sweep and rescue is logged with sender, score, threshold, and top signals
  • Quarantine digest: Daily summary of quarantined messages so nothing gets lost

Alerting & Notifications

Configurable alert rules fire on threat events and deliver email notifications to your security team with cooldown timers to prevent alert fatigue.

Email Alerts

  • Distribution list delivery: HTML alerts sent to your security team's email distribution list
  • Configurable triggers: Alert on new threat domains, campaign clusters, reputation changes, or score thresholds
  • Cooldown timers: Prevent alert fatigue with configurable quiet periods between notifications

Product Dashboard

Full-featured management dashboard with no external dependencies — works in air-gapped environments with no internet access required.

  • Domain reputation overview
  • Threat indicator tracking
  • Event timeline & search
  • Alert rule management
  • System configuration
  • Banner template editor
  • Safe domain allowlist
  • Audit log viewer
  • License & system status

Compliance Data Gate

Cupelon runs entirely on your infrastructure — your email data never reaches Cupelon by default. If you choose to opt into Threat Network sharing, an automatic compliance marking filter scans every message before any anonymized data leaves your network. Messages containing CUI, ITAR, classification banners, or handling caveats are blocked from sharing — automatically, with no configuration required.

What Gets Detected

CUI category markings
Classification banners (SECRET, TOP SECRET)
FOUO / NOFORN / ORCON caveats
ITAR / Export Controlled content
Paragraph-level markings
X-Protective-Marking headers

This filter cannot be disabled. It runs before any data enters the sharing pipeline, ensuring controlled content never leaves your boundary — even if sharing is enabled.

See It in Action

Deploy in 2 minutes, see results immediately. No sales calls required.

View PricingSecurity & Compliance