Product

From inbox to pipeline: automating scans with the Voretix API

Manual scanning wins triage; automation wins volume. How to wire Voretix into your alert pipeline with an API key, and the integration patterns we see working in the field.

May 20, 2026 3 min read

Pasting a suspicious link into the scan box is the right motion when a person is making a decision about one URL. It is the wrong motion the fiftieth time in a day. The point where scanning becomes valuable at scale is the point where no human is in the loop at all — every quarantined mail, every alert, every user report enriched with a detonation verdict before an analyst ever looks at it. That is what the API is for.

Keys live in your profile

API access is authenticated with keys you create and manage from your profile. Two habits from day one: treat keys like passwords — they authorise scans against your quota, so keep them in a secrets manager, not in a script committed to the repo — and create one key per integration rather than sharing one everywhere. When a key leaks or an integration is retired, you revoke that key and nothing else breaks.

Patterns that work

Across users, automation converges on a few shapes:

  • Quarantine enrichment. The mail gateway holds a message, every URL in it is submitted for scanning, and the verdicts land in the case before the analyst opens it. Triage starts with answers instead of questions.
  • Scan-on-alert. A SOAR playbook or SIEM rule fires on a suspicious URL — from a proxy log, an EDR event, a user report — and the scan report is attached to the incident automatically.
  • User-report hotlines. The "report phishing" button in your mail client feeds a queue; the queue feeds the API; the obvious convictions never reach a human at all.
  • Standing watches. Scheduled jobs re-scan the domains you care about — your brand's lookalike candidates, infrastructure from past incidents — and diff the verdicts over time.
The best scan is the one nobody had to remember to run.

Sizing your quota

Every account, free included, gets 100 scans a month — enough to prototype any of the patterns above. Production volumes are what the paid tiers are for: Plus at 1,500 monthly API scans, Pro at 5,000, and Max at 20,000 for heavy automation, all with higher rate limits so bursts do not throttle; enterprise plans go beyond that with dedicated limits. The full matrix is on Plans & Pricing. A useful rule of thumb when sizing: count the URLs your pipeline sees, not the ones you currently investigate — the entire value of automation is closing that gap.

Automate politely

Two courtesies keep automated scanning clean. First, respect the public/private line: pipelines routinely ingest URLs that carry personal tokens — password resets, document invites — and those should be submitted as private scans so the token never enters the public corpus. Second, dedupe before you submit: if the same lure hits four hundred inboxes, one detonation answers for all of them, and Search will hand the other three hundred and ninety-nine lookups back to you for free.

Frequently asked questions

Does Voretix have an API for scanning URLs?

Yes. Create an API key from your profile and submit URLs programmatically. Every account includes 100 free scans a month, with paid tiers from 1,500 to 20,000 monthly API scans.

How do SOC teams typically integrate a URL scanner?

The most common patterns are mail-gateway quarantine enrichment, SOAR scan-on-alert playbooks, report-phishing button queues, and scheduled re-scans of watched domains.

Should automated scans be public or private?

Private whenever ingested URLs can carry personal tokens, such as password resets or document invites. Mass-campaign lures with no secrets are better scanned public so the corpus learns them.

Got a suspicious link in your inbox?
Detonate it in the Voretix sandbox instead of your browser — free, 100 scans a month.
Scan a URL

Keep reading

All posts