urlscan.io Review
Free website scanner that captures full-page screenshots, network requests, and DOM snapshots for any URL
Quick Verdict
Security researchers and OSINT analysts who need a safe, browser-isolated way to inspect suspicious URLs, analyze phishing infrastructure, or document what a website looked like at a specific point in time
Pros
- + Full-page screenshot + complete HTTP request log for any URL — no local browser required
- + Captures DOM snapshot, JavaScript variables, cookies, and resource fingerprints at time of scan
- + Search 800+ million historical scans by domain, IP, screenshot hash, ASN, or certificate
- + Completely free for public scans — no account required for most use
- + Identifies technologies, CDN, hosting provider, and infrastructure relationships automatically
Cons
- − Public scans are visible to anyone — scanning sensitive internal URLs exposes them to the index
- − Dynamic content and JavaScript-heavy sites may not fully render in the scanner environment
- − Private scans require paid plan
- − Rate limits apply to free tier API access
- − Not a vulnerability scanner — shows what's there, not whether it's exploitable
What urlscan.io Is
urlscan.io puts URLs under a microscope. Submit a URL and get a detailed report.
The report includes a full-page screenshot, HTTP requests, final DOM, JavaScript variables, cookies, certificates, IPs contacted, and a fingerprint of every resource loaded.
All this happens in a sandboxed browser, so you're never exposed to the URL. You're safe from phishing, malware, and sketchy infrastructure; urlscan.io takes the hit.
The public index is a feature. Every scan is stored, and you can search historical scans by domain. If you've seen a domain before, you can see what it looked like months ago. The index helps operators who may miss things.
• HTTP requests
• final DOM
• JavaScript variables
• cookies
• certificates
• IPs contacted
• a fingerprint of every resource loaded
What It's Good For
Analyzing suspicious URLs safely. urlscan.io lets you examine a URL without risk. Submit it, and it opens in a controlled browser on their infrastructure. No infection risk.
When using urlscan.io, you get a phishing email and a suspicious link.
The process works by submitting the URL, which is then isolated by urlscan.io.
urlscan.io has over 800 million historical scans of its infrastructure. You can search by IP address, ASN, hosting provider, certificate hash, or page content to find connected domains. If you know one bad domain, you can find others with the same IP or TLS certificate. For example, one phishing site can be linked to multiple domains.
The website activity is documented with timestamped screenshots and DOM captures. These show a website's activity at a point in time, which is useful for fraud investigations. The scans are linked to a permanent URL.
The importance of this feature lies in the fact that it preserves evidence without alteration.
Scan reports list every detected technology, including CMS, CDN, analytics platforms, payment processors. No manual source code review is needed.
This provides quick tech profiles.
Phishing pages often reuse kits. urlscan.io's hash-based search finds pages with identical resources. A confirmed phishing page can reveal an entire campaign.
This can be a shortcut in investigations, as finding the kit can help find the campaign.
How It Works in Practice
Submit a URL at urlscan.io and receive results within 30-60 seconds.
The report provides a wealth of information, including network details, a screenshot, resources loaded, and JavaScript analysis.
The report is dense, and key things to focus on are open ports and any unusual resource requests.
The urlscan.io screenshot analysis is not perfect; it sometimes misses things. However, it serves as a good triage tool, allowing you to determine within a minute if a site is likely to be trouble.
The API is where urlscan.io truly excels, offering 150 requests per minute. This enables you to use the tool effectively by making automated queries to monitor sites, track changes, and flag suspicious patterns.
- Summary: IP, ASN, hosting provider, country, HTTP status, page title, and detected technologies
- Screenshot: A full-page render at the time of the scan
- HTTP transactions: Every request made, including main page, subresources, and third-party calls
- DOM: The full HTML source after JavaScript execution
- Variables: JavaScript globals set on page load
- Links: All outbound links found on the page
- Certificates: The TLS certificate chain for the domain
The search API is free, with rate limits applying.
You can query by domain, using the format domain:example.com, or by hash, using hash.sha256:[value].
You can build scripts around it and automate threat hunting.
What to Be Careful About
Public scans are live immediately. Don't feed it auth tokens, session IDs, or internal IP addresses.
The Pro plan offers private scans, which don't get indexed.
urlscan.io has limits. Heavy JavaScript sites or those that detect bots may prevent a complete scan. It doesn't mean the scan failed; it means the target fought back.
Comparison to Alternatives
VirusTotal detects known-malicious content, but misses the page content itself. urlscan.io fills that gap. They serve different purposes. Use VirusTotal for known threats. urlscan.io analyzes unknown infrastructure.
Browserling and AnyRun offer interactive sandboxed browsing, good for malware. urlscan.io is faster, better for bulk OSINT searches.
The Wayback Machine captures historical snapshots, without JavaScript execution or network requests recorded. urlscan.io shows page behavior, not just static content. That is the key difference.
Reviewed April 2026. Tool available at urlscan.io.
See Also
Threat Hunting with OSINT
Threat hunting is about finding the threats that evade detection. You need tools that gather and analyze data from various sources.
OSINT for Threat Hunting
Open-source intelligence (OSINT) plays a crucial role. It helps you gather information about potential threats.
IP and Domain Reputation
IP and domain reputation tools help. They tell you if an IP or domain is known to be malicious.
Best Threat Hunting Tools
The top tools for threat hunting are Maltego, Shodan, Censys, and VirusTotal.
Maltego visualizes relationships between IPs, domains, and more, and offers a free version, with a price range of free to $850/month. Shodan searches for internet-connected devices, useful for finding exposed services, with a price range of $99 to $1,440/month. Censys focuses on certificate and SSL/TLS data, similar to Shodan, with a price range of $25 to $250/month. VirusTotal analyzes files, URLs, and IPs for malware, and offers a free API, with a price range of free to custom.
How to Choose
Your budget and workflow are key considerations.
Integration
Some tools integrate with others, which can streamline your process.
Data Coverage
Comprehensive data coverage is essential to find threats before they cause harm.
Next Steps
Explore these tools to see what works best for you.
Further Reading
For more information, read the Best Threat Hunting Tools article or the Domain and IP OSINT Guide.
Tool Relationships
Similar Tools
Shodan
Search engine for internet-connected devices — find exposed servers, industrial systems, and network infrastructure worldwide.
VirusTotal
Multi-engine malware scanner and threat intelligence platform for files, URLs, IPs, and domains
C2 Tracker
A live C2 infrastructure feed that helps defenders hunt, block, and correlate active command-and-control servers by framework type.
Web Check
Paste a URL and get DNS records, SSL details, security headers, tech stack, WHOIS, and 100+ more domain intelligence checks in a single browser view — in under thirty seconds.
Community Rating
Ratings from security researchers. No third-party tracking.
Rate this tool:
This review reflects testing as of 2026-04-02. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates. Report an error →