urlscan.io
Identity & SecurityConnect AI agents to urlscan.io. Agents detonate suspicious URLs in a real browser, retrieve verdicts and contacted domains, search the historical scan database, and capture page screenshots and DOM snapshots.
What This Integration Enables
Agents detonate suspicious links from emails, tickets, or chat to check for phishing, malware, or brand abuse before users click them, enrich threat-intelligence workflows by searching the historical scan database with ElasticSearch query syntax for a domain, IP, hash, or filename, capture full-page screenshots and rendered DOM of a page for evidence, monitoring, or visual review, and check remaining API quota before running batch scans. The scan lifecycle is submit, wait, result: Submit Scan returns a uuid, Get Scan Result returns the analysis once ready, and Scan and Wait combines both into one step. Scan visibility can be public, unlisted, or private, and screenshots and DOM snapshots are only available after a scan completes; the connector stores screenshots in FlowRunner file storage and returns a downloadable URL. The connector covers the scan, search, and artifact surface; the surrounding flow decides which scans run automatically and where an analyst confirms a verdict before it drives a response.
Without FlowRunner
With FlowRunner
Use Case Scenarios
Suspicious-link detonation from chat
A [Slack](/integrations/slack) message surfaces a suspicious link. The agent runs Scan and Wait to detonate it in a real browser, reads the verdict and contacted domains from the result, and captures the rendered page with Get Screenshot. It replies in the channel with a summary of the verdict and a screenshot link. The team gets a real detonation result in the thread instead of someone risking a click to find out.
Historical hunt for a phishing domain
When a phishing domain turns up, the agent calls Search Scans to find recent scans of that domain across urlscan.io's historical database. If the search returns malicious verdicts, the agent opens a tracked investigation for the SOC. The team learns whether the domain has a history of abuse without stitching together several intel tools by hand.
Verdict to threat-intelligence record
After Scan and Wait completes, the agent records the URL, verdict, and screenshot URL into the threat-intelligence record by creating an event and attaching the URL as an IOC in [MISP](/integrations/misp). The scan result feeds the intel platform automatically, so a one-off detonation becomes durable, searchable intelligence.
Human-in-Loop Highlight
Acting on a verdict is the moment to pause, because a scan verdict is a signal, not a decision, and opening an incident or warning users has real consequences if the verdict is wrong. The agent does the detonation and evidence gathering on its own: it scans the URL, reads the verdict and contacted infrastructure, and captures the screenshot and DOM. Before the result triggers a response, it stops and asks the analyst through Slack: "Scanned [URL], verdict [malicious/suspicious] with [count] flagged behaviors, screenshot attached. Open an incident, warn the reporting users, or dismiss as a false positive?" The analyst decides. The agent handles the scan and the evidence; the person owns the action the verdict triggers.
Agent Capabilities
8 actionsScanning
3- Scan and Wait Submits a URL and polls until the scan finishes, returning the finished result in a single operation. The default for synchronous detonation.
- Submit Scan Submits a URL for a full browser-based scan and returns a scan uuid and result links.
- Get Scan Result Returns the full analysis (contacted domains, IPs, requests, technologies, verdicts) once a scan finishes.
Search
1- Search Scans Searches the historical scan database with ElasticSearch query syntax for a domain, IP, hash, or filename.
Artifacts
3- Get Screenshot Stores the scan's page screenshot PNG in file storage and returns a downloadable URL for evidence.
- Get Live Screenshot Captures a live screenshot and stores the PNG in file storage.
- Get DOM Snapshot Returns the rendered DOM of the scanned page as text.
Account
1- Get Quotas Checks remaining API quota before running batch scans.
Start building with urlscan.io
$100 in credits. No card required. Connect in minutes.