urlscan.io Blog


urlscan ML Verdicts for Automated Threat Classification

Today we’re launching our experimental Machine Learning (ML) Verdicts engine for urlscan.io. This new feature provides automated classification of scan results, helping users quickly identify potentially malicious or benign content through machine learning-powered analysis.

ML verdict and signature-based detection on the urlscan Pro scan result page

How ML Verdicts Work

Our ML verdict engine analyzes each scan and assigns a likelihood score indicating whether a website is likely to be malicious or not. The score ranges from -100 (Benign) to 100 (Malicious). These verdicts are now visible on scan result pages and in search results within urlscan Pro, providing an additional layer of automated threat intelligence to complement our existing detection capabilities.

The ML verdicts introduce three new searchable fields via our Search API in urlscan Pro:

  • verdicts.engines.score: An integer score from -100 (Benign) to 100 (Malicious).
  • verdicts.engines.malicious: A boolean value (true for scores > 0, false otherwise).
  • verdicts.engines.tags: A list of tags including “urlscan-ml” when processed by our ML engine.

Practical Applications

The ML verdicts open up new possibilities for threat hunting and automated filtering in urlscan Pro:

  • High-confidence malicious scans: Query for verdicts.engines.score:>90 to find scans with high malicious likelihood.
  • Targeted hunting: Search for scans with high ML scores and a specific company name in the page title or text content.
  • Noise reduction: Use an ML score threshold to exclude scans from Saved Search hits.
  • Detection gap analysis: Find high-scoring scans that are not yet detected by our existing brand detection rules.
  • Hosting platform analysis: Identify potentially malicious content hosted on specific infrastructure, domains, or hosting platforms.

ML verdicts on the urlscan Pro scan search page

Important Limitations

ML verdicts are experimental and should be used accordingly. We fully expect the system to produce misclassifications, including both false positives and false negatives. Customers should not rely on ML scores for any unattended blocking or automated response systems.

These verdicts are designed to augment human analysis and existing security controls, not replace them. We recommend using ML verdicts as one signal among many in your threat analysis workflow.
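The hunting queries and the analyst-only handling described above, sketched as an added example (not urlscan's code): it builds query strings from the three documented fields and sorts hits into review queues without blocking anything. The hit layout, the `id` and `signature_detected` keys, and the `page.title` / `page.domain` query fields are assumptions, and the sample hits are constructed.

```python
ML_TAG = "urlscan-ml"  # tag the post says the ML engine adds

def build_query(min_score, title=None, domain=None):
    """Query string over the documented fields; page.* names are assumed."""
    if not -100 <= min_score <= 100:
        raise ValueError("score threshold must be within -100..100")
    parts = [f"verdicts.engines.tags:{ML_TAG}",
             f"verdicts.engines.score:>{min_score}"]
    for field, value in (("page.title", title), ("page.domain", domain)):
        if value is not None:
            # Escape backslashes and quotes so a value cannot alter the query.
            escaped = value.replace("\\", "\\\\").replace('"', '\\"')
            parts.append(f'{field}:"{escaped}"')
    return " AND ".join(parts)

def ml_score(hit):
    """Return the ML score, or None when it is absent or out of range."""
    engines = hit.get("verdicts", {}).get("engines", {})
    score = engines.get("score")
    if ML_TAG not in (engines.get("tags") or []):
        return None
    if type(score) is not int or not -100 <= score <= 100:
        return None
    return score

def triage(hits, review_at=90):
    """Sort hits into analyst queues; no queue triggers blocking."""
    queues = {"detection-gap": [], "review": [], "low-priority": [],
              "no-ml-verdict": []}
    for hit in hits:
        score = ml_score(hit)
        if score is None:
            queue = "no-ml-verdict"
        elif score > review_at and not hit.get("signature_detected"):
            queue = "detection-gap"  # high ML score, no signature rule fired
        elif score > 0:
            queue = "review"
        else:
            queue = "low-priority"
        queues[queue].append(hit["id"])
    return queues

def _hit(hit_id, score, tags, signature_detected=False):
    # Constructed record; this layout is an assumption, not the API schema.
    return {"id": hit_id, "signature_detected": signature_detected,
            "verdicts": {"engines": {"score": score, "tags": tags}}}

# Constructed sample hits (not real scan data).
SAMPLE_HITS = [_hit("scan-a", 97, [ML_TAG]), _hit("scan-b", 95, [ML_TAG], True),
               _hit("scan-c", 40, [ML_TAG]), _hit("scan-d", -80, [ML_TAG]),
               _hit("scan-e", 88, []), _hit("scan-f", 250, [ML_TAG])]
```

Hits without the `urlscan-ml` tag or with a score outside -100..100 land in `no-ml-verdict` rather than being treated as benign.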

What’s Next

The urlscan team will use these ML verdicts to enhance our own static and dynamic detection capabilities. As we gather more data and feedback, we’ll continue refining the model to improve accuracy and reduce false classifications.

We’re excited to see how the security community leverages this new capability for threat hunting and analysis. As always, we welcome your feedback as we continue developing this experimental feature.

Availability

ML Verdicts are available starting today for all urlscan.io users and can be accessed through the web interface. Searching and filtering by ML verdicts is available in urlscan Pro via the Search API.

More on urlscan Pro

If you want to learn about the urlscan Pro platform and how it might be valuable for your organization, feel free to reach out to us! We offer free trials with no strings attached. We would be happy to give you a passionate demo of what our platform can do for you. Reach out to us at sales@urlscan.io.