diff --git a/README.md b/README.md
index 82639a5e30dcd00d8e02febd3b1b4df340cfdef3..0dfb63a426a1195410b20b209266684767bac696 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,25 @@
 # phishstats
-Check phishstats API for keywors, ASN...
+
+This python script check phishstats API for domains, keywords, ASN...
+
+It keeps track of findings in a sqlite database and warnds you only ONCE for each new discovery
+
+So you can crontab this script and get notified only for new security incidents
+
+
+## Usage
+
+phishstats.py [full path to config file]
+
+
+## Configuration file
+
+The configuration file contains your phiststats API requests, and keywords you want to hightlight in results
+
+phishstats search patterns like (url,like,~YourDomainName~) separated by ,;,
+searches: (url,like,~your.domain.com~),;,(title,like,~domain.com~)
+
+specific keywords to look for in results like specific@email.domain separated by ,;,
+keywords: support@domain.com,;,vip@domain.com
+
+path to the databasedb_file: /tmp/phishstats.sqlite
diff --git a/phishstats.py b/phishstats.py
new file mode 100644
index 0000000000000000000000000000000000000000..dd277ee2eff5941656caf8eea7754580afd3e6a8
--- /dev/null
+++ b/phishstats.py
@@ -0,0 +1,113 @@
+#
+# phishstats.py
+#
+# Check phishstats API for keywors, ASN...
+#
+import sys
+import requests
+import re
+import time
+import sqlite3
+import os.path
+
+# Phishstats base url for API
+base_url='https://phishstats.info:2096/api/phishing?_where='
+
+# Phishstats earches
+searches=[]
+
+# Keywords to look after in search results
+keywords=[]
+
+# delay between two API calls
+request_delay=5
+
+# timeout for an API call
+request_timeout=120
+
+# print debug messages
+debug=1
+
+# Program logic blow this line
+
+if len(sys.argv) < 2:
+    print("Usage: phishstats.py [config file]")
+    sys.exit(1)
+
+config_file=sys.argv[1]
+
+# Returns the parameter from the specified file
+def get_config(parameter, file_path):
+    # Check if secrets file exists
+    if not os.path.isfile(file_path):
+        print("ERROR: Config file (%s) not found"%file_path)
+        sys.exit(0)
+
+    # Find parameter in file
+    with open( file_path ) as f:
+        for line in f:
+            if line.startswith( parameter ):
+                return line.replace(parameter + ":", "").strip()
+
+        # Cannot find parameter, exit
+        print(file_path + "  Missing parameter %s "%parameter)
+        sys.exit(0)
+# enddef
+
+# get param
+searches=get_config("searches",config_file).split(',;,')
+keywords=get_config("keywords",config_file).split(',;,')
+db_file=get_config("db_file",config_file)
+
+sql = sqlite3.connect(db_file)
+db = sql.cursor()
+db.execute('''CREATE TABLE IF NOT EXISTS phishstats (search text, phishing text)''')
+
+#
+# bool isKnown(json_data, search)
+#
+# true  json_data for search already known
+# false entry not found
+#
+def isKnown(search, json_data):
+    db.execute('SELECT * FROM phishstats WHERE search = ? AND phishing = ?', (search, str(json_data)))  # noqa
+    last = db.fetchone()
+    if last is None:
+        return False
+    return True
+#enddef
+
+def addPhishing(search, json_data):
+    db.execute("INSERT INTO phishstats VALUES ( ? , ? )",(search,str(json_data)))
+    sql.commit()
+#enddef
+
+def lookup(search,json_data):
+    for key, value in json_data[0].items():
+        for k in keywords:
+            if k.lower() in str(value).lower():
+                if not isKnown(search,json_data):
+                    print("[NEW]",key, ":", value)
+                    addPhishing(search,json_data)
+                else:
+                    #debug, print old entries too
+                    if debug: print("[OLD]",key, ":", value)
+#enddef
+
+for search in searches:
+    if debug: print("Searching for", search, "...", end='')
+    try:
+        response = requests.get(base_url + search, timeout=request_timeout)
+        jsonResponse = response.json()
+    except:
+        print("ERROR: Request failed!",search)
+
+    if debug: print("done.")
+    if len(jsonResponse) > 0:
+        lookup(search,jsonResponse)
+
+    time.sleep(request_delay)
+
+
+sys.exit(0)
+# end
diff --git a/template-phishstats.conf b/template-phishstats.conf
new file mode 100644
index 0000000000000000000000000000000000000000..28415a644aaca26f1c29722f74a812d755e648b7
--- /dev/null
+++ b/template-phishstats.conf
@@ -0,0 +1,8 @@
+# phishstats search patterns like (url,like,~YourDomainName~) separated by ,;,
+searches: (url,like,~your.domain.com~),;,(title,like,~domain.com~)
+
+# specific keywords to look for in results like specific@email.domain separated by ,;,
+keywords: support@domain.com,;,vip@domain.com
+
+# path to the database
+db_file: /tmp/phishstats.sqlite