The moment you submit a URL, the pipeline is identical for everyone: an isolated browser detonates the page, records the redirect chain, the requests, the rendered DOM, the certificate and a screenshot, and the analysis engines turn all of that into a report. The choice you make at submission time — public or private — decides only one thing: who can find that report afterwards. It is worth understanding what each option actually means, because both are doing more work than they appear to.
The case for scanning public
A public scan joins the corpus — the shared body of ground truth that powers Search and Hunt. That has two consequences. The obvious one: anyone investigating the same URL later finds your report and gets an instant answer instead of a cold start. The less obvious one: your scan strengthens every similarity match, campaign cluster and hunt query that touches its fingerprints. The layout-matching that convicts a fresh domain works because thousands of public scans gave it something to match against. Public scanning is the herd immunity of this product — every submission makes the next verdict a little sharper.
What public never includes
Public means the page's story is public — never yours. The report shows what the URL did when detonated: its redirect chain, its certificate, its screenshot, its verdict. Who submitted it, from which account, from which IP address — none of that is part of the public report, none of it is searchable, and none of it appears in Hunt results. This is a hard line in how the index is built, not a display setting. You hunt the pages, not the people who scanned them.
A public scan tells the world what a page did. It tells the world nothing about who asked.
When private is the right call
Private scans render the same full report, visible only from your History. Choose private when the URL itself is the secret:
- Capability URLs — password resets, document-share links, unsubscribe and invoice links. The token in the query string is the credential; publishing the URL publishes access.
- Internal addresses — staging hosts, intranet tools, pre-launch product pages that are not yours to disclose.
- Active investigations — when tipping off an operator that their infrastructure is being examined has a cost.
A good habit for suspicious mail: if the lure link visibly carries your email address or a one-time token in its parameters, scan it private. The page still gets detonated and judged — the corpus just does not learn your token.
The default that serves most people
If the URL is something anyone could have received — a phish from a mass campaign, a strange ad redirect, a link from a public post — scan it public. The token-bearing, internal and sensitive cases are the exception, and they are exactly what the private toggle is for. Detonation quality is never the trade-off; visibility is the only thing you are deciding.
Frequently asked questions
Can other people see what I scanned?
Only if you scan public — and even then, only the page itself is public. Your account, email and IP address are never part of public reports, search results or Hunt.
When should I use a private scan?
When the URL embeds a secret: capability links like password resets or document invites, internal or staging hosts, or infrastructure in an active investigation you do not want tipped off.
Why scan public at all?
Public scans join the corpus that powers Search, Hunt and similarity matching — every public report makes the next verdict sharper for everyone, and gives later investigators an instant answer.