A sandbox for the web
urlscan.io itself is a free service, but we also offer commercial products for heavy users and organisations that need additional insight.
We created urlscan.io in late 2016 to solve these problems. Our focus has always been to break down the vast amount of data from a website page navigation into digestible chunks. We're analyst-first: we always strive to understand and anticipate the pieces of information that would be helpful during an investigation and the attributes that allow pivoting. Just as you would use a malware sandbox to analyse suspicious files, you can use urlscan.io to do the same thing with URLs.
Johannes has been working in InfoSec since 2011. He spent the last six years in the CrowdStrike Threat Intelligence team. In late 2016 he created urlscan.io.
Q: Can our company use the service and data on it commercially?
A: Yes, in general. Using urlscan.io as part of your daily workflow (for things like SOC processes, investigations, reports) is totally fine. If you want to do a large volume of queries, submit a lot of scans, or integrate our data into one of your commercial offerings, we'd ask you to contact us first to work out what is acceptable use under our free usage tier and what kind of use requires a commercial agreement.
Q: What is the difference between Public, Unlisted, and Private scans? Do they deliver different
A: The scans all deliver the same results. The difference between the scan types is their visibility in the search results.
Private and Unlisted scans do not appear on the frontpage or in the public search-results or aggregations.
Private scans can only be opened if you know their unique ID. If you submitted a private scan while logged in, you will be able to find your own private scans in your search. We don't share private scan information with third parties (including our sponsors and commercial customers), ever.
Unlisted scans can be found by vetted security researchers and companies which are subscribers to our urlscan Pro platform.
Make sure you understand the differences as outlined in our API documentation.
Q: When should I choose Public, Unlisted, or Private when scanning?
A: These are some guidelines to decide when to use which visibility:
Public: There is no PII or confidential data in the URL and you want it to be discoverable by other researchers.
Unlisted: There might be PII or mildly sensitive data on the site, but you want security vendors and reputable researchers to be able to pick up this data to improve their products and take action (for example takedown requests).
Private: Nobody but you should be able to see the results of the scan.
Q: How can I request the content of a scan to be removed from your website?
A: Please use the orange Report button on the result page of the scan.
Q: Can you prevent my domain from being scanned? Can you bulk-delete existing scans?
A: Yes, please send us an email at firstname.lastname@example.org with the domains or URL patterns you'd like us to blacklist.
Q: Does urlscan.io show whether a website contains malware or phishing attempts?
A: Yes, we have some basic mechanisms for determining whether a website contains malicious content. Our proprietary phishing detection mechanism tracks 400 popular brands and can identify phishing or impersonation attempts of these brands.
We do record file downloads, but we do not detect whether a downloaded file is malicious, e.g. a malicious executable.
Q: Does urlscan.io detect when a malicious site is no longer active, e.g. cleaned up?
A: No, our website scans only provide point-in-time snapshots of the website content; we do not re-crawl existing scans.
Q: Can I use the "malicious" verdicts on urlscan.io as a blocking feed?
A: We don't recommend it, as occasional false-positive verdicts still occur.
Q: Can I search urlscan.io for pages which have been detected as malicious?
A: This feature is available as part of the commercial urlscan Pro subscription and not available through the community search.
Q: How does urlscan.io work?
A: We use the Google Chrome browser in Headless Mode to browse to the URLs submitted by users. We record the interaction of the page with the Internet and after the page has finished loading, we annotate the results with additional data sources.
Q: Do you store results indefinitely?
A: No, we will delete private scans after a certain age and we don't make any guarantees about the retention of any type of scan in the future. If you need the results of a scan make sure to download it.
Q: Why are the screenshot and DOM snapshot empty for some scans?
A: We don't store the screenshot and DOM snapshot if we determine the page to be empty, i.e. not containing any visible content and not loading any resources.
Q: Do you offer different browser locations/countries?
A: Not right now, we might include this feature in the future.
Thanks to our corporate sponsors for helping us keep the community service up and running!
- SecurityTrails - Security Data and APIs
We Offer Paid API and Data Services for Top Security Companies. Tap into a treasure-trove of cyber security gold and get the info you can’t find anywhere else.
- ipinfo.io - IP Address API and Data Solutions
We're the trusted source for IP address data, handling 12 billion API requests per month for over 1,000 businesses and 100,000+ developers.
- Tines - Security Automation and Orchestration (SOAR) Platform
The Tines security automation platform helps the world's leading security teams automate any manual task. Making them more effective and efficient.
- Joe Security - Automated Malware Analysis - Joe Sandbox
Analyse Malware in a Depth Previously Not Possible. Unleash the power of deep malware analysis to your CERT, CIRT, SOC or IR team! Fully automated or manual.
- DTonomy - DTonomy AIR | SOAR with Adaptive Intelligence
DTonomy’s AI Assisted Incident Response (AIR) platform manages alerts from multiple security tools and infrastructure, uncovers hidden patterns and automates manual time-consuming and repetitive tasks, freeing up analysts to focus on the most strategic problems.
These projects utilize urlscan.io:
- Phish.ly - Analyze suspicious emails with Tines & urlscan
urlscan.io was covered by these posts, articles and screencasts:
- securitytrails.com Blog - It's never been easier to make a great product: A chat with Johannes Gilger from urlscan.io (May 2, 2019)
- tines.io - Automating abuse inbox management and phishing response (July 27, 2018)
- The Daily Beast - Russian Hackers’ New Target: a Vulnerable Democratic Senator (July 26, 2018)
- securitytrails.com Blog - URLScan.io: the best way to scan any website (July 16, 2018)
These are industry reports that leverage urlscan.io or its data in some way.
- 2020-07-06 - Malwarebytes - Credit card skimmer targets ASP.NET sites
- 2020-07-06 - Sansec - North Korean hackers are skimming US and European shoppers
- 2020-05-12 - Max Kersten - Pivoting on the skimmer’s domain name (MageCart Hunting)
- 2020-01-31 - Reversing Labs - RATs in the Library
- 2019-12-18 - Trustwave - Anyone Can Check for Magecart with Just the Browser
- 2019-08-21 - Anomali - Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks
- 2019-08-19 - Anomali - Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations
- 2019-04-26 - BleepingComputer - GitHub-Hosted Magecart Card Skimmer Found on Hundreds of Stores
- 2019-03-19 - Anomali - “Bad Tidings” Phishing Campaign Impersonates Saudi Government Agencies and a Saudi Financial Institution
- 2019-02-25 - Anomali - Online Bidding-Themed Phishing Campaigns Aims to Trick U.S. Federal Government Contractors
- 2019-02-19 - Geekflare - Detecting Security Threats on the Web through API
- 2019-02-19 - Anomali - Phishing Campaign Spoofs United Nations and Multiple Other Organizations
- 2019-02-15 - Anomali - Phishers Target Texas Department of Transportation Contractors with Online Bidding Scheme
urlscan.io is not the only service that can be used to browse and analyse a website. These are some similar services; some provided invaluable inspiration for this very service!
Lists of similar & related services
- Investigate & report phishing pages by SwiftOnSecurity
- Blocklists of Suspected Malicious IPs and URLs by Lenny Zeltser
- urlquery.net (defunct) - Scans sites and looks up domains/IPs on various blacklists. This service inspired us to build urlscan.io.
- keycdn speed test - Website speed test, employs similar techniques and inspired some features on this site
- WebPagetest - Exhaustive speed-testing service with different locations, browser and options
- pingdom Website speed test
- Trackography - Find out who is tracking you when you are reading your favourite news online.
- Web Cookies Scanner - HTTP cookies, Flash, HTML5 localStorage, sessionStorage, CANVAS, supercookies, evercookies as well as SSL/TLS and HTTP security
- Hardenize - Helping you deploy the latest security standards
- Browserless - A headless browser in the cloud
- browserless - Chrome as a service in docker. Run on our cloud, or bring your own.
- Puppeteer - Headless Chrome Node API, maintained by the Google Chrome Team
- Lighthouse - analyzes web apps and web pages, collecting modern performance metrics and insights on developer best practices.
- Awesome chrome-devtools - Awesome tooling and resources in the Chrome DevTools ecosystem
- The IP geo-location is courtesy of the MaxMind GeoIP Lite database.
- ASN information is thanks to Team Cymru's IP-to-ASN mapping service.
- We detect technologies on a website using the definitions from the Wappalyzer Project.
- The country flags are part of the flag-icon-css library.
urlscan.io is not affiliated with any of the services we link to on our results pages. Linking to any site does not constitute an endorsement or guarantee of fitness of the data.