urlscan.io A sandbox for the web


urlscan.io is a free service to scan and analyse websites. When a URL is submitted to urlscan.io, an automated process will browse to the URL like a regular user and record the activity that this page navigation creates. This includes the domains and IPs contacted, the resources (JavaScript, CSS, etc) requested from those domains, as well as additional information about the page itself. urlscan.io will take a screenshot of the page, record the DOM content, JavaScript global variables, cookies created by the page, and a myriad of other observations. If the site is targeting the users one of the more than 900 brands tracked by urlscan.io, it will be highlighted as potentially malicious in the scan results.

urlscan.io itself is a free service, but we also offer commercial products for heavy users and organisations that need additional insight.


Our Mission

Our mission is to allow anyone to easily and confidently analyse unknown and potentially malicious websites. We realised early on that even for battle-hardened web developers and security researchers its a frustrating experience to record page interactions and additional metadata from websites, on the off chance of finding the needle in the haystack. Even worse, a single observation is often meaningless without the necessary context. Is this domain something that websites usually load third-party JavaScript from? Are any other reputable websites talking to this weird IP address on the Cayman Islands?

We created urlscan.io in late 2016 to solve these problems. Our focus has always been to break down the vast amount of data from a website page navigation into digestible chunks. We’re analyst-first, we always strive to understand and anticipate the pieces of information that would be helpful during an investigation and the attributes that allow pivoting. Just like you would use a malware sandbox to analyse suspicious files, you can use urlscan.io to do the same thing but with URLs.

urlscan Pro

The urlscan Pro – Threat Hunting platform is our complete solution that allows your team to harness our API, get access to our Phishing URL Feed, and use our powerful urlscan Pro portal to hunt for related websites and infrastructure.


Phishing URL Feed

Our phishing detection flags thousands of malicious and phishing URLs every day, many of them targeting one of the 900+ popular brands we track. You can retrieve the feed of detected URLs via our API.



You can use the features of products via the UI or the API, it does not make a difference. All of our products are API-first, meaning you never have to use our UI unless you want to.



All of our Tiers work with the majority of popular SOAR platforms. Just plug your API key into your SOAR platform and you are ready to go!


Proof of Value

If you are unsure if our product meet your needs we would be happy to set you up for a 30-day free trial of any tier, no strings attached.



Do you require a plan that goes beyond our available commercial tiers? Do you need a custom payment schedule? Contact us and we will figure something out!



Do you want to use our data or APIs in your own product? Talk to us about the available options!



urlscan Pro – Overview

Our urlscan Pro platform combines the best of our products and capabilities into one powerful solution. urlscan Pro allows your team to tap into all the URLs analysed through urlscan.io and the URLs detected by our phishing detection engine. It helps threat analysts by exposing more powerful query capabilities and pulling in more data to make sense of infrastructure and scanned websites. Users of urlscan Pro have access to the following list of tools and resources.


Log in and see what’s up on the Dashboard. Read about News and upcoming changes to the platform, check out the visual changelog. For newcomers, we included a video walkthrough of the platform.


Visual Search Page

Use the powerful Visual Search to quickly determine whether the search you performed is turning up interesting results. Quickly skim the search results and look at high-level attributes of a scan. Check the prevalence indicator for artifacts which might be interesting to pivot on. Use additional query modifiers to perform leading-wildcard and regex searches. Limit the search to the scans detected as phishing and malicious URLs. Use virtual search-modifiers to only look at scans performed by yourself or your team.


Result Page

Get the fastest possible summary of a particular scan result. See high-level attributes of the website and get pointers about pivotable attributes. See recent scans on the same IP address, hostname and network as the scan in question. Look at the Similar Pages result to find pages with a large degree of structural similarity.


Saved Searches & Email Alerts

Save interesting hunting searches and get an email alert whenever there are new hits for your search.


Tracked Brands

Take a look at the 900+ brands we are tracking. Understand their legitimate web presence and high-level properties such as their industry vertical and country of origin. Look at all detected scans targeting a specific brand or industry vertical. Use helpful hunting pointers to find additional interesting scans.


Live Scanning

Use our Live Scanning feature to quickly scan websites from different geographical locations, using different browser settings. Evade geo-fencing restrictions and customise the output of the scanner. Use the scanner to grab files, or scan Tor .onion URLs.


Newly observed hostnames & domains

Search through our real-time search index of newly observed hostnames & domains. Use our powerful search syntax to limit your results to interesting hits. Set up saved searches for new hostnames. Use this feature for discovering brand impersonation or as a lightweight attack surface discovery mechanism.



urlscan.io Phishing URL Feed


urlscan.io detects thousands of suspicious, malicious and phishing URLs every day. Our organic phishing URL detection is able to pinpoint these attacks and associate them with one of the 680+ popular brands that we track. The feed of these detected URLs is available to our customers to ingest into their Threat Intelligence systems or improve their own security products.

The feed can be retrieved as CSV or JSON. It includes following pieces of metadata for each detected URL:

  • Full URL, Page Domain & TLD of phishing page
  • Targeted Brand, Industry Vertical, Country of Origin
  • IP address & GeoIP information of the IP hosting the phishing page
  • ASN and ASN Name hosting the phishing URL


Software Sources Ltd is urlscan.io’s reseller