What we got wrong about phishing scanner positioning
Three weeks after we shipped the phishing scanner in ARK's Shield tier, a user message arrived that made me close my laptop and think for twenty minutes. She'd run a scan on a suspicious link her daughter had received, tapped the result, and then written: 'I felt like I could finally let her have her phone back without checking it every five minutes.' Not 'great tool.' Not 'caught a phishing attempt.' Just relief.
We positioned it like a security researcher's problem
When we started building the phishing scanner, we talked about it in technical terms. QR code detection. URL parsing. Real-time threat intelligence. We built marketing copy around 'detection rates' and 'advanced heuristics.' We benchmarked against other solutions. We thought we were selling a scanner.
The truth is, we were solving for ourselves. We were building something we'd want to peer at in a GitHub issue, not something a parent needed at 10 p.m. when their teenager asked 'Is this link safe?'
So for months, we positioned ARK's phishing scanner as if it were competing with enterprise security tools. We talked about false positives and threat families. We mentioned the breadth of our URL coverage. Not one piece of positioning landed with our actual users.
The moment we reframed it
The shift happened during beta testing. One user, a small business owner managing devices for two other staff members, told us: 'I don't need to be a security expert to keep my team safe.' Another said she liked being able to check a link from WhatsApp in six seconds without leaving the app. No fanfare. Just practical relief.
We realised we weren't positioning a phishing scanner. We were positioning permission. Permission to check a link quickly. Permission to not second-guess every suspicious message. Permission to hand a device to someone you care about without that nagging feeling that you've missed something.
That reframe changed how we talked about the feature. We stopped leading with detection methods. We started with the moment: a link arrives, you tap it into ARK, and within seconds you have a clear answer. One-tap remediation deep-links mean if something is suspicious, you're two taps away from blocking it. No jargon. No rabbit holes.
Why phishing scanners had the positioning problem in the first place
The category had spent years trying to prove sophistication. Every security app was racing to show how clever their detection was. The result was a lot of noise and very little trust.
Most people don't want a phishing scanner that makes them feel like they need a security degree to understand the results. They want a tool that answers one question: is this safe or not? And if it's not, they want to know what to do next without thinking.
ARK's approach across all its scans (device permissions, stalkerware, breach exposure, the rest) follows the same pattern: run the scan, show the result clearly, offer one-tap fixes. The phishing scanner wasn't different, but we were marketing it like it was.
What the user actually cares about (and what they don't)
Since we repositioned, the feedback shifted. Users stopped asking about our detection methodology. They started asking things like 'Can I scan a screenshot?' (Shield users can, by pasting a QR code or URL directly). 'How fast is it?' (seconds). 'Can I check someone else's link?' (yes, one scan at a time, no bulk processing). These are the questions that matter to a person holding a phone, not a question that matters to a tech writer.
What users don't care about: the size of our threat database, how many researchers we employ, whether we update signatures every six hours or every twelve. They care about whether the scan gives them an answer they can act on.
This wasn't just true for the phishing scanner. We saw the same pattern across all Shield features. Dark-web monitoring wasn't about breach alertness until we framed it as 'know if your details appear on dark-web forums.' Wi-Fi analyser wasn't about network diagnostics until we called it 'check if your home network is exposing you.' The feature was always the same. The permission we were granting had just been invisible in our messaging.
The positioning we almost built instead
If we'd stayed on our original path, the phishing scanner would have been bundled with talk of 'advanced threat detection' and 'zero-day awareness.' It would have lived in the part of ARK's positioning that tried to compete with enterprise tools. It would have confused our actual users, who are privacy-conscious people aged 25 to 45, parents, small business owners, and people who've lived through a data breach. Not security researchers.
The category of mobile security has spent so long trying to sound scientific that it stopped sounding human. We nearly did the same thing. The correction felt small (a few rewrites of messaging, a shift in how we talked about the feature in our launch notes) but the effect was immediate. Shield tier adoption picked up. Users started leaving detailed feedback instead of generic approval ratings.
Looking back, the phishing scanner wasn't a positioning problem. It was a reminder that we were building for people, not for the security industry.
If you're running a security tool right now and you catch yourself using words like 'sophisticated detection' or 'threat intelligence,' it might be worth asking: who am I actually talking to, and what problem are they actually trying to solve?
Ready to try ARK by MRVL?
One tap to download. No sign-up wall.