Overview
URLScan.io provides a service for analyzing websites and collecting threat intelligence. It allows users to submit a URL, which is then visited by a set of automated browsers. During this process, URLScan.io records various data points, including network requests, DOM content, JavaScript execution, and screenshots. This collected information is compiled into a detailed report that helps identify malicious indicators, such as redirects to known phishing sites, downloads of suspicious files, or attempts to exploit browser vulnerabilities.
The platform is primarily used by security researchers, incident response teams, and developers who need to assess the safety of web links programmatically. Its API enables automated submission of URLs and retrieval of scan results, facilitating integration into security tools, SIEM systems, and threat intelligence platforms. For example, a security team might integrate URLScan.io into their email gateway to automatically scan URLs found in suspicious emails, or a threat intelligence analyst might use it to investigate newly registered domains for potential malicious use.
URLScan.io is particularly effective in scenarios requiring dynamic analysis of web content. Unlike static analysis tools that only examine code without execution, URLScan.io executes the webpage in a controlled environment, observing its real-time behavior. This dynamic approach helps uncover client-side exploits, obfuscated malicious JavaScript, and multi-stage redirects that static analysis might miss. The service also maintains a public archive of scanned URLs, contributing to a broader understanding of current web-based threats and allowing researchers to explore historical data. Its developer experience is noted for a RESTful API with clear documentation and examples, simplifying integration for common use cases.
While URLScan.io offers a public service for non-commercial use, which allows up to 50 public scans per day, commercial users and those requiring private scans can subscribe to paid tiers. Private scans are crucial for investigating sensitive or internal URLs without exposing them publicly. The platform's capabilities are well-suited for proactive threat hunting, incident investigation, and enhancing web application security by identifying external threats linked to user-generated content or third-party integrations.
Key features
- Automated URL analysis: Submits URLs to a sandbox environment and collects data on network requests, DOM, and page behavior.
- Detailed scan reports: Generates comprehensive reports including screenshots, redirect chains, IP addresses, domains, and extracted indicators of compromise (IOCs).
- Threat intelligence API: Provides programmatic access to submit URLs, retrieve scan results, and query the public scan archive for historical data according to the official API reference.
- Malware analysis capabilities: Identifies and reports on suspicious file downloads and execution within the analyzed web page.
- Phishing detection: Helps identify phishing attempts by analyzing page content, redirects, and associated infrastructure.
- Customizable scan options: Allows specifying browser type, geolocation, and custom HTTP headers for targeted analysis.
- Public archive: Maintains a searchable database of public scans for community threat research and historical analysis.
Pricing
URLScan.io offers a free tier for non-commercial use with daily scan limits and public visibility. Commercial and advanced usage is available through paid subscriptions, which provide increased scan volumes, private scanning, and enhanced API access. Pricing tiers are structured to accommodate different usage levels.
| Tier Name | Description | Scans Per Day | Cost Per Month |
|---|---|---|---|
| Free | Public scans, non-commercial use | 50 | $0 |
| Pro | Increased limits, private scans, commercial use | 500 | $49 |
| Business | Higher limits, enhanced features | 2,500 | $199 |
| Enterprise | Custom volumes, dedicated support | Custom | Contact for pricing |
Pricing as of May 2026. For detailed and up-to-date pricing information, refer to the official URLScan.io pricing page.
Common integrations
- Security Information and Event Management (SIEM) systems: Integrate the API to send scan results and IOCs to platforms like Splunk or Elastic SIEM for correlation with other security telemetry.
- Email security gateways: Automatically scan URLs in incoming emails to detect phishing and malware links before they reach end-users.
- Threat intelligence platforms: Feed URLScan.io data into TI platforms to enrich threat profiles and enhance situational awareness.
- Incident response playbooks: Incorporate URL scanning into automated incident response workflows to quickly analyze suspicious URLs during investigations.
- SOAR (Security Orchestration, Automation, and Response) platforms: Automate URL analysis as part of broader security playbooks for faster response to threats.
- Custom security tools: Developers can integrate the Python SDK or RESTful API into custom scripts and applications for specific security needs as described in the developer documentation.
Alternatives
- VirusTotal: A service that analyzes suspicious files and URLs using multiple antivirus engines and website scanners.
- Hybrid Analysis: A free malware analysis service that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
- Any.Run: An interactive online sandbox for malware analysis, allowing users to interact with the analyzed environment in real-time.
Getting started
To begin using the URLScan.io API, you will typically need an API key, which can be obtained after registering an account. The primary method for interacting with the API involves submitting a URL for scanning and then querying the service for the results. The following Python example demonstrates how to submit a URL, read the scan UUID from the response, and retrieve the scan report.
```python
import json
import time

import requests

API_KEY = "YOUR_API_KEY"  # Replace with your actual API key
BASE_URL = "https://urlscan.io/api/v1/scan/"
headers = {'API-Key': API_KEY, 'Content-Type': 'application/json'}


def submit_url_for_scan(target_url):
    """Submit a URL for scanning and return the scan UUID (None on failure)."""
    payload = {
        "url": target_url,
        "visibility": "public"  # or "private" for paid tiers
    }
    try:
        response = requests.post(BASE_URL, headers=headers, json=payload, timeout=30)
        response.raise_for_status()  # Raise an exception for HTTP errors
        scan_data = response.json()
        print(f"Scan initiated successfully. UUID: {scan_data.get('uuid')}")
        print(f"Scan result page: {scan_data.get('result')}")
        return scan_data.get('uuid')
    except requests.exceptions.RequestException as e:
        print(f"Error submitting URL: {e}")
        return None


def get_scan_results(scan_uuid):
    """Fetch and print the report for a scan UUID with a single request."""
    if not scan_uuid:
        return
    result_url = f"https://urlscan.io/api/v1/result/{scan_uuid}/"
    print(f"Polling for results at: {result_url}")
    # In a real application, you would loop and wait for the scan to complete
    # For this example, we'll make a single request.
    try:
        response = requests.get(result_url, headers=headers, timeout=30)
        response.raise_for_status()
        results = response.json()
        # print(json.dumps(results, indent=2))
        print(f"Scan results retrieved for {scan_uuid}")
        # "verdicts" is a top-level key of the result JSON, not nested under "data"
        overall = results.get('verdicts', {}).get('overall', {})
        print(f"Verdict: {overall.get('score')}")
        print(f"Flagged malicious: {overall.get('malicious')}")
        # More detailed parsing would go here
    except requests.exceptions.HTTPError as http_err:
        if http_err.response.status_code == 404:
            print(f"Scan results not yet available or UUID invalid: {scan_uuid}")
        else:
            print(f"HTTP error retrieving results: {http_err}")
    except requests.exceptions.RequestException as e:
        print(f"Error retrieving scan results: {e}")


if __name__ == "__main__":
    test_url = "http://example.com"
    scan_uuid = submit_url_for_scan(test_url)
    if scan_uuid:
        # In a production scenario, you would implement a delay and retry mechanism
        # to wait for the scan to complete before fetching results.
        print("Waiting a few moments for the scan to process...")
        time.sleep(30)  # Wait for 30 seconds (adjust as needed)
        get_scan_results(scan_uuid)
```
This Python script first defines a function submit_url_for_scan to send a target URL to the URLScan.io API. It then uses the returned UUID to call get_scan_results, which requests the scan report once after a fixed 30-second wait and treats a 404 response as results not yet available. For a full list of available API endpoints and response structures, consult the URLScan.io API documentation.
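The script's comments call for a delay-and-retry loop in place of the single request after a fixed sleep. The following is an added example, not code from this page or from URLScan.io: it polls the result endpoint, treats 404 as "still running", and stops on a deadline or on any other HTTP error. The function names, delay values and the `verdicts`/`page` report layout are assumptions, and the standard-library `urllib` stands in for `requests`.

```python
import json
import time
import urllib.error
import urllib.request

RESULT_URL = "https://urlscan.io/api/v1/result/{uuid}/"  # endpoint from this page

def fetch_result(scan_uuid, api_key):
    """One result request -> (status_code, parsed JSON or None)."""
    req = urllib.request.Request(RESULT_URL.format(uuid=scan_uuid),
                                 headers={"API-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def wait_for_result(scan_uuid, fetch, max_wait=120, first_delay=10,
                    interval=5, sleep=time.sleep):
    """Poll fetch(scan_uuid) until the report exists or max_wait seconds pass.
    404 means the scan has not finished; any other non-200 status is raised
    as a hard failure instead of retried. Delay values are assumptions."""
    sleep(first_delay)  # let the scan run before the first request
    waited = first_delay
    while True:
        status, body = fetch(scan_uuid)
        if status == 200:
            return body
        if status != 404:
            raise RuntimeError(f"result request failed with HTTP {status}")
        if waited + interval > max_wait:
            raise TimeoutError(f"scan {scan_uuid} not ready after {waited}s")
        sleep(interval)
        waited += interval

def summarize(report):
    """Fields a triage pipeline keys on (report layout is an assumption)."""
    overall = report.get("verdicts", {}).get("overall", {})
    return {"score": overall.get("score"),
            "malicious": overall.get("malicious"),
            "final_url": report.get("page", {}).get("url")}

if __name__ == "__main__":
    # Constructed responses: two "still running" 404s, then a made-up report.
    done = {"verdicts": {"overall": {"score": 100, "malicious": True}},
            "page": {"url": "https://example.test/login"}}
    fake = iter([(404, None), (404, None), (200, done)])
    print(summarize(wait_for_result("demo", lambda u: next(fake),
                                    sleep=lambda s: None)))
```

Against the live API, pass `lambda u: fetch_result(u, API_KEY)` as `fetch`; the injected `sleep` exists so the loop can be exercised without waiting.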