FlowRunner
Pricing
Theme

urlscan.io

Identity & Security

Connect AI agents to urlscan.io. Agents detonate suspicious URLs in a real browser, retrieve verdicts and contacted domains, search the historical scan database, and capture page screenshots and DOM snapshots.

8 actions available
A suspicious link arrives from an email, ticket, or chat message
Scan and Wait submits the URL and polls until the browser scan finishes
Agent reads the verdict, contacted domains, and technologies from the result
Get Screenshot captures the rendered page as evidence
Agent classifies the URL as malicious, suspicious, or clean
The reporting channel receives the verdict and screenshot link
An analyst confirms a malicious verdict before an incident is opened

What This Integration Enables

Agents detonate suspicious links from emails, tickets, or chat to check for phishing, malware, or brand abuse before users click them, enrich threat-intelligence workflows by searching the historical scan database with ElasticSearch query syntax for a domain, IP, hash, or filename, capture full-page screenshots and rendered DOM of a page for evidence, monitoring, or visual review, and check remaining API quota before running batch scans. The scan lifecycle is submit, wait, result: Submit Scan returns a uuid, Get Scan Result returns the analysis once ready, and Scan and Wait combines both into one step. Scan visibility can be public, unlisted, or private, and screenshots and DOM snapshots are only available after a scan completes; the connector stores screenshots in FlowRunner file storage and returns a downloadable URL. The connector covers the scan, search, and artifact surface; the surrounding flow decides which scans run automatically and where an analyst confirms a verdict before it drives a response.

Without FlowRunner

Manual link checks An analyst opens a suspicious link in a sandbox by hand and eyeballs the result
No historical context Checking whether a domain was seen before means searching several tools
Evidence gathered ad hoc Screenshots for a phishing report are captured manually and inconsistently

With FlowRunner

Automated detonation Scan and Wait returns a full browser-based verdict in a single operation
Searchable scan history Search Scans queries the historical database for a domain, IP, hash, or filename
Evidence in flow Get Screenshot and Get DOM Snapshot capture the page as a documented flow step

Use Case Scenarios

Suspicious-link detonation from chat

A [Slack](/integrations/slack) message surfaces a suspicious link. The agent runs Scan and Wait to detonate it in a real browser, reads the verdict and contacted domains from the result, and captures the rendered page with Get Screenshot. It replies in the channel with a summary of the verdict and a screenshot link. The team gets a real detonation result in the thread instead of someone risking a click to find out.

Historical hunt for a phishing domain

When a phishing domain turns up, the agent calls Search Scans to find recent scans of that domain across urlscan.io's historical database. If the search returns malicious verdicts, the agent opens a tracked investigation for the SOC. The team learns whether the domain has a history of abuse without stitching together several intel tools by hand.

Verdict to threat-intelligence record

After Scan and Wait completes, the agent records the URL, verdict, and screenshot URL into the threat-intelligence record by creating an event and attaching the URL as an IOC in [MISP](/integrations/misp). The scan result feeds the intel platform automatically, so a one-off detonation becomes durable, searchable intelligence.

Human-in-Loop Highlight

Acting on a verdict is the moment to pause, because a scan verdict is a signal, not a decision, and opening an incident or warning users has real consequences if the verdict is wrong. The agent does the detonation and evidence gathering on its own: it scans the URL, reads the verdict and contacted infrastructure, and captures the screenshot and DOM. Before the result triggers a response, it stops and asks the analyst through Slack: "Scanned [URL], verdict [malicious/suspicious] with [count] flagged behaviors, screenshot attached. Open an incident, warn the reporting users, or dismiss as a false positive?" The analyst decides. The agent handles the scan and the evidence; the person owns the action the verdict triggers.

Agent processes routinely
Detects exception requiring judgment
Clear match Continues automatically
Ambiguous Routes to human via Slack
Human decides
Agent resumes with decision

Agent Capabilities

8 actions

Scanning

3
  • Scan and Wait Submits a URL and polls until the scan finishes, returning the finished result in a single operation. The default for synchronous detonation.
  • Submit Scan Submits a URL for a full browser-based scan and returns a scan uuid and result links.
  • Get Scan Result Returns the full analysis (contacted domains, IPs, requests, technologies, verdicts) once a scan finishes.

Search

1
  • Search Scans Searches the historical scan database with ElasticSearch query syntax for a domain, IP, hash, or filename.

Artifacts

3
  • Get Screenshot Stores the scan's page screenshot PNG in file storage and returns a downloadable URL for evidence.
  • Get Live Screenshot Captures a live screenshot and stores the PNG in file storage.
  • Get DOM Snapshot Returns the rendered DOM of the scanned page as text.

Account

1
  • Get Quotas Checks remaining API quota before running batch scans.

Start building with urlscan.io

$100 in credits. No card required. Connect in minutes.