ScanResult schema

TypeScript interface

export interface ScanResult {
    url: string;
    score: number;
    verdict: "phishing" | "suspicious" | "safe";
    reasons: string[];
    executionTimeMs?: Record<string, number>;
}

Fields

url

string

required

The original URL that was submitted for analysis.

score

number

required

Aggregate threat score from 0 to 100. Scores from all active checkers are summed and capped at 100. A higher score means a greater likelihood of being malicious.

verdict

string

required

Threat verdict derived from the score:

"safe" — score is below 40
"suspicious" — score is 40 to 69 (inclusive)
"phishing" — score is 70 or above

reasons

string[]

required

Array of human-readable strings explaining why the score was assigned. The array is empty when no suspicious signals were detected. Each string corresponds to one triggered rule across any checker.

executionTimeMs

object

Optional map of checker name to execution time in milliseconds. Included on every live scan response. Each checker runs concurrently with a 2,500 ms timeout; if a checker times out or errors, its key still appears with the elapsed time.

Show properties

heuristics

number

Time taken by the local heuristics checker (URL structure, DNS, WHOIS).

openphish

number

Time taken by the OpenPhish feed checker.

google_safe_browsing

number

Time taken by the Google Safe Browsing API checker.

urlhaus

number

Time taken by the URLHaus feed checker.

phishtank

number

Time taken by the PhishTank feed checker.

phishstats

number

Time taken by the PhishStats feed checker.

Checker descriptions

Key in `executionTimeMs`	Description
`heuristics`	Local rule-based analysis: URL length, suspicious keywords, HTTPS enforcement, DNS resolution, private IP detection, WHOIS domain age
`openphish`	Checks the URL and hostname against the OpenPhish community phishing feed
`google_safe_browsing`	Queries the Google Safe Browsing API v4 for threat matches
`urlhaus`	Checks the URL against the URLHaus active malware URL feed
`phishtank`	Checks the URL against the PhishTank community phishing database
`phishstats`	Checks the URL and hostname against the PhishStats phishing intelligence feed

Reason strings

The following table lists all reason strings that can appear in the reasons array and what triggers each one.

Reason string	Trigger condition
`"URL very long"`	URL exceeds 200 characters
`"Contains '@' (phishing trick)"`	URL contains an `@` sign
`"Contains suspicious keywords"`	URL contains one or more of: `verify`, `update`, `secure`, `login`, `support`, `account`
`"Hyphens in domain"`	The registered domain contains a hyphen
`"URL is not HTTPS"`	Protocol is `http:` rather than `https:`
`"DNS failed or private network"`	DNS resolution failed or resolved to a private IP address
`"Domain is recently created (<90 days)"`	WHOIS creation date is within the last 90 days
`"Private/Internal network address"`	Host resolves to a private IP (SSRF protection trigger)
`"Google Safe Browsing flagged this URL as dangerous"`	Google Safe Browsing API returned a threat match
`"URL listed in URLHaus (Active Malware)"`	Exact URL match found in the URLHaus feed
`"Exact URL match in PhishTank database"`	Exact URL match found in the PhishTank feed
`"Listed in OpenPhish URL database"`	Exact URL match found in the OpenPhish feed
`"Domain listed in OpenPhish intelligence"`	Hostname match found in the OpenPhish feed
`"Listed in PhishStats database"`	Exact URL match found in the PhishStats feed
`"Domain listed in PhishStats intelligence"`	Hostname match found in the PhishStats feed

Endpoints

Response Types

TypeScript interface

Fields

Checker descriptions

Reason strings

Build docs developers (and LLMs) love

Endpoints

Response Types

​TypeScript interface

​Fields

​Checker descriptions

​Reason strings

Build docs developers (and LLMs) love

TypeScript interface

Fields

Checker descriptions

Reason strings