URLScan and Utilities
URLScan.io
URLScan is a service that visits URLs in a virtual browser and records everything that happens: network requests, technologies used, screenshots, final verdict.
What it returns
```python
from src.tools.urlscan import urlscan_lookup
result = await urlscan_lookup("http://phishing-example.com/login")
```

| Field | Description |
|---|---|
| verdict | Verdict: benign, malicious, suspicious |
| malicious | Whether it is malicious (bool) |
| score | Maliciousness score (0-100) |
| categories | Categories (phishing, malware, scam…) |
| technologies | Detected technology stack |
| domain | Final domain (after redirects) |
| ip | Server IP |
| country | Server country |
| server | Web server |
| screenshot | URL of the screenshot |
| request_count | Number of HTTP requests made |
Phishing signals
URLScan is especially good at detecting phishing because it visits the page and sees what it actually displays. Look for:
- Login forms impersonating well-known brands
- SSL certificates with deceptive names
- Chained redirects to malicious domains
- Loading resources from known malware CDNs
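The following is an added example, not code from the project's `src.tools.urlscan`: it takes a result dict shaped like the fields in the table above and reports which of the phishing signals listed here are present, so an analyst can see why a verdict was reached rather than only the score. The `KNOWN_BRANDS` list, the `100`-request threshold and the sample result are constructed assumptions for the demo.

```python
# Added example (not the project's own urlscan tool): triage a URLScan-style
# result dict for the phishing signals described above.
from urllib.parse import urlparse

# Hypothetical brand list used to spot impersonation in the final domain.
KNOWN_BRANDS = ("paypal", "microsoft", "apple", "netflix", "dhl")

# Constructed sample result, shaped like the fields documented in the table.
SAMPLE_RESULT = {
    "verdict": "malicious", "malicious": True, "score": 87,
    "categories": ["phishing"], "technologies": ["PHP", "Bootstrap"],
    "domain": "paypal-secure-login.xyz", "ip": "203.0.113.10", "country": "US",
    "server": "nginx", "screenshot": "https://example.invalid/screenshot.png",
    "request_count": 23,
}


def phishing_signals(submitted_url: str, result: dict) -> list[str]:
    """Return the human-readable phishing signals present in a result."""
    signals = []
    submitted_host = (urlparse(submitted_url).hostname or "").lower()
    final_domain = (result.get("domain") or "").lower()

    # Chained redirects: the page ended up on a domain other than the one submitted.
    if final_domain and final_domain != submitted_host:
        signals.append(f"redirected to {final_domain}")

    # Brand impersonation: a brand name inside a domain the brand does not own.
    for brand in KNOWN_BRANDS:
        if brand in final_domain and not final_domain.endswith(f"{brand}.com"):
            signals.append(f"brand '{brand}' in lookalike domain")
            break

    # URLScan's own verdict and category tags.
    if result.get("malicious") or result.get("verdict") == "malicious":
        signals.append("urlscan verdict malicious")
    if "phishing" in (result.get("categories") or []):
        signals.append("categorised as phishing")

    # Kit pages that pull assets from many third-party hosts make many requests.
    if (result.get("request_count") or 0) > 100:
        signals.append("unusually many HTTP requests")
    return signals


def is_likely_phishing(submitted_url: str, result: dict, min_score: int = 50) -> bool:
    """Flag when the score is high or at least two independent signals fire."""
    return result.get("score", 0) >= min_score or len(phishing_signals(submitted_url, result)) >= 2


if __name__ == "__main__":
    url = "http://phishing-example.com/login"
    for s in phishing_signals(url, SAMPLE_RESULT):
        print("-", s)
    print("likely phishing:", is_likely_phishing(url, SAMPLE_RESULT))
```

The two-signal rule is deliberate: a single redirect or a single brand keyword is common on legitimate sites, so the function only escalates on the score or on a combination of signals.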
Free tier
5,000 scans/day. Scans are public — anyone can see the result if they know the UUID.
Utility tools
search_history
Queries whether an IOC was investigated before in the local database.
```python
from src.tools.history import search_history
result = await search_history("185.220.101.34")
# → {"found": true, "last_seen": "2026-03-05", "cached_result": {...}}
```

Useful for:
- Avoiding investigating the same IOC twice
- Seeing if an IOC’s reputation has changed since last time
- Building threat history
pivot_investigate
Extracts related IOCs from a result and prepares them for further investigation.
```python
from src.tools.pivot import pivot_investigate
iocs = await pivot_investigate(virustotal_result)
# → ["evil.com", "185.220.101.35", "attacker@protonmail.com"]
```

The agent uses this function for auto-pivot: after analyzing an IP, it extracts domains, related IPs or emails and investigates them automatically (up to 2 levels).
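To show how the two utilities above work together, here is an added example that is not the project's `src.tools.pivot` or `src.tools.history`: a regex IOC extractor plus a breadth-first auto-pivot that stops after 2 levels and skips anything already recorded in a local history set (the check `search_history` provides). `FAKE_INTEL`, the IOC patterns and the TLD list are constructed assumptions standing in for real lookups.

```python
# Added example (not the project's own pivot/history tools): extract IOCs from a
# result dict and pivot on them to a bounded depth without revisiting history.
import re
from collections import deque

# Deliberately small patterns for the demo; the domain TLD list is an assumption.
IOC_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|xyz|io|top)\b", re.I),
}

# Constructed stand-in for VirusTotal/URLScan results keyed by IOC.
FAKE_INTEL = {
    "185.220.101.34": {"related": ["evil.com", "185.220.101.35"],
                       "contact": "attacker@protonmail.com"},
    "evil.com": {"resolves_to": ["185.220.101.35"],
                 "registrant": "attacker@protonmail.com", "sibling": "evil-cdn.xyz"},
    "evil-cdn.xyz": {"resolves_to": ["198.51.100.7"]},
    "198.51.100.7": {"related": ["deep.top"]},
}


def extract_iocs(result: dict) -> list[str]:
    """Pull e-mails, IPs and domains out of every value in a result, deduplicated."""
    text = " ".join(str(v) for v in result.values())  # flattens lists crudely
    found = []
    # Consume e-mails first, then IPs, so the domain pattern does not re-match
    # the host part of an address ("protonmail.com") as a separate IOC.
    for kind in ("email", "ip", "domain"):
        found.extend(IOC_PATTERNS[kind].findall(text))
        text = IOC_PATTERNS[kind].sub(" ", text)
    return list(dict.fromkeys(found))


def auto_pivot(seed: str, history: set[str], max_depth: int = 2) -> dict[str, int]:
    """Return {ioc: depth} for every IOC investigated from the seed.

    IOCs already in `history` are skipped, mirroring the search_history check,
    and nothing beyond `max_depth` levels from the seed is expanded.
    """
    investigated: dict[str, int] = {}
    queue = deque([(seed, 0)])
    while queue:
        ioc, depth = queue.popleft()
        if ioc in history or ioc in investigated:
            continue  # seen before: do not investigate twice
        investigated[ioc] = depth
        if depth >= max_depth:
            continue  # record it, but do not pivot further from here
        for related in extract_iocs(FAKE_INTEL.get(ioc, {})):
            queue.append((related, depth + 1))
    return investigated


if __name__ == "__main__":
    for ioc, depth in auto_pivot("185.220.101.34", history=set()).items():
        print(f"{'  ' * depth}{ioc} (level {depth})")
```

Because the queue is breadth-first, an IOC reachable at level 1 is never re-queued at level 2, and the depth cap means `198.51.100.7` (three hops from the seed) is never looked up even though it appears in the intel.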
classify_threat_type
Local classifier based on keywords that assigns a threat category:
```python
from src.tools.threat_classifier import classify_threat_type
result = await classify_threat_type("host distributing emotet banking trojan")
# → {"type": "banking_malware", "family": "emotet", "confidence": 0.87}
```

Available categories: ransomware, banking_malware, apt, phishing, c2, botnet, infostealer, cryptominer, ddos, exploit_kit.
Requires no API key or LLM — it is local classification by regex and keywords.
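As an added illustration of keyword-and-regex classification (this is not the project's `src.tools.threat_classifier`), the following classifier maps a free-text description onto the ten categories listed above, names a malware family when one is mentioned, and derives a confidence from how many keywords hit and how contested the top category is. The keyword lists, family names and confidence formula are constructed for the demo.

```python
# Added example (not the project's own classifier): local threat-type
# classification by word-boundary keyword matching, no API key or LLM needed.
import re

# Category -> keywords. Lists and weights are assumptions made for this demo.
CATEGORY_KEYWORDS = {
    "ransomware":      ["ransomware", "ransom note", "encrypts files", "lockbit"],
    "banking_malware": ["banking trojan", "banker", "web inject", "emotet", "trickbot", "dridex"],
    "apt":             ["apt", "advanced persistent threat", "espionage", "state-sponsored"],
    "phishing":        ["phishing", "credential harvest", "fake login", "lookalike"],
    "c2":              ["c2", "command and control", "beacon", "cobalt strike"],
    "botnet":          ["botnet", "bot herder", "mirai"],
    "infostealer":     ["infostealer", "stealer", "redline", "raccoon"],
    "cryptominer":     ["cryptominer", "xmrig", "coin miner", "monero"],
    "ddos":            ["ddos", "denial of service", "amplification"],
    "exploit_kit":     ["exploit kit", "drive-by", "rig ek"],
}

# Family names the classifier will surface in the "family" field.
FAMILIES = ("cobalt strike", "dridex", "emotet", "lockbit", "mirai",
            "raccoon", "redline", "trickbot", "xmrig")


def _has(keyword: str, lowered: str) -> bool:
    # Word boundaries stop "apt" matching inside "captured" or "adapt".
    return re.search(rf"\b{re.escape(keyword)}\b", lowered) is not None


def classify_threat_type(text: str) -> dict:
    """Return {"type", "family", "confidence"} for a threat description."""
    lowered = text.lower()
    scores = {cat: sum(_has(k, lowered) for k in kws) for cat, kws in CATEGORY_KEYWORDS.items()}
    scores = {cat: n for cat, n in scores.items() if n}
    if not scores:
        return {"type": "unknown", "family": None, "confidence": 0.0}

    best = max(scores, key=scores.get)
    total = sum(scores.values())
    # More keyword hits raise confidence (capped at 0.95); hits in competing
    # categories dilute it proportionally.
    confidence = round(min(0.95, 0.4 + 0.25 * scores[best]) * scores[best] / total, 2)
    family = next((f for f in FAMILIES if _has(f, lowered)), None)
    return {"type": best, "family": family, "confidence": confidence}


if __name__ == "__main__":
    print(classify_threat_type("host distributing emotet banking trojan"))
    print(classify_threat_type("phishing page delivering redline stealer"))
```

The second sample in `__main__` shows the dilution rule: "phishing" scores one hit while "stealer" and "redline" give infostealer two, so the result is `infostealer` with a confidence well below what an uncontested match would earn.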