urlscan.io Blog


Fast checks using the new Malicious Lookup API

Today we are announcing a new API endpoint for looking up observables on urlscan.io: The Malicious Lookup API. This new endpoint enables fast checks against our database of malicious websites and is meant to answer a simple question:

Has this hostname/domain/IP/URL been observed hosting malicious content?

The API answers this question efficiently with predictable performance.

Background

A common use-case for customers of the urlscan platform is to check historical scan results to determine whether a particular item has been seen in connection with malicious activity. This type of lookup was always possible using the Search API, but was slow and relatively expensive to run across 10 years of history and billions of scan results. The new Malicious Lookup API was created to answer that simple question more efficiently.

The API could be used as a cheap pre-check before performing more expensive actions: If a website has already (or recently) been seen in connection with malicious activity, then maybe it does not need to be scanned again.

API Reference

The Malicious Lookup API is available via the following endpoint:

GET /api/v1/malicious/{type}/{value}

The type parameter selects what kind of observable to query:

  • ip – Look up an IP address (e.g. 192.0.2.1)
  • hostname – Look up an exact hostname match (e.g. www.example.com)
  • domain – Look up an apex domain, covering all subdomains (e.g. example.com)
  • url – Look up an exact page URL (URL-encoded, e.g. https%3A%2F%2Fexample.com%2Fpath)

Note: URLs are canonicalised automatically: The protocol and query parameters are discarded before running the lookup.

The response includes the observable, its type, the number of malicious scan results it was seen in, and when it was first and last seen:

{
    "observable": "testsafebrowsing.appspot.com",
    "type": "hostname",
    "count": 2445,
    "firstSeen": "2023-05-22T06:17:07.535Z",
    "lastSeen": "2026-03-23T10:49:14.046Z"
}

cURL example

curl -X GET \
  'https://urlscan.io/api/v1/malicious/hostname/testsafebrowsing.appspot.com' \
  -H 'api-key: YOUR_API_KEY_HERE'
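
The pre-check described under Background, as an added Python example (not urlscan's own code): it builds the lookup URL with the value percent-encoded and decides from count and lastSeen whether a rescan can be skipped. The function names and the 30-day window are assumptions, and because the page does not say how an observable with no malicious results is reported, a missing or zero count is treated as "not seen".

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

BASE = "https://urlscan.io/api/v1/malicious"
TYPES = {"ip", "hostname", "domain", "url"}


def build_lookup_url(obs_type, value):
    """Build the lookup URL; the value is fully percent-encoded."""
    if obs_type not in TYPES:
        raise ValueError(f"unsupported type: {obs_type!r}")
    # safe="" also encodes ':' and '/', as required for the url type.
    return f"{BASE}/{obs_type}/{quote(value, safe='')}"


def fetch(obs_type, value, api_key):
    """Perform the lookup (network call, not exercised offline)."""
    req = urllib.request.Request(build_lookup_url(obs_type, value),
                                 headers={"api-key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def recently_malicious(result, max_age_days, now=None):
    """True if the observable has malicious hits within the window."""
    # Assumption: a missing or zero count means "no malicious results".
    if not result or not result.get("count"):
        return False
    last = datetime.fromisoformat(result["lastSeen"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return now - last <= timedelta(days=max_age_days)


# Constructed sample: the response body shown on the page.
SAMPLE = json.loads("""{
    "observable": "testsafebrowsing.appspot.com", "type": "hostname",
    "count": 2445, "firstSeen": "2023-05-22T06:17:07.535Z",
    "lastSeen": "2026-03-23T10:49:14.046Z"}""")

if __name__ == "__main__":
    ref = datetime(2026, 3, 30, tzinfo=timezone.utc)  # fixed "now" for the demo
    print(build_lookup_url("url", "https://example.com/path"))
    print("skip rescan:", recently_malicious(SAMPLE, 30, now=ref))
```

A hit on the hostname or domain type says that some page on that host was flagged, so it works as a reason to skip a rescan rather than as a verdict on every URL under that host.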

About the urlscan classification approach

A website will be flagged as malicious by urlscan under the following conditions:

  • The website is hosting what appears to be phishing or brand impersonation.
  • The website is not hosted on a legitimate domain for whatever brand or organisation it claims to represent.

urlscan does not flag hostnames or domains as malicious purely based on their domain name or community verdicts. Our main focus is the content of these websites. As a result, even legitimate domains and hostnames will be flagged when they host malicious content. A platform like Google Docs on docs.google.com could appear as malicious if there are some pages on that hostname which are hosting malicious content.

Availability

This endpoint is available to urlscan Pro customers. For full details, see the API documentation.