Threat intel, decoded.

Research from the scan corpus, field guides for analysts, and news from the team building Voretix.

Latest Guides

Inside a Voretix scan report: a card-by-card field guide

The verdict is one word; the evidence is everything underneath it. How to read the screenshot, findings, redirect chain, certificate and similarity cards the way an analyst does — and in which order.

Threat Research

The first 48 hours of a domain

Most phishing domains do their damage before their first blocklist entry exists. Why domain age is one of the strongest single signals in the corpus — and when a brand-new domain is perfectly innocent.

Threat Research

Anatomy of a modern phishing kit

We detonated over 40,000 credential-phishing pages last quarter. Under the hood most of them are the same handful of kits — here is how they are built, and the five tells that give them away.

Engineering

The same page on a thousand domains: fingerprinting layouts at scale

Campaigns rotate domains daily but redeploy the same page for months. How Voretix fingerprints page structure and screenshots so that one conviction finds all the clones.

Threat Research

The lookalike alphabet: homograph domains in the wild

Your bank is not at xn--pple-43d.com. How internationalised domain names are abused to build URLs that pass a human eye check — and how scanners see through them.

Product

Public or private: what happens to a scan after you hit Enter

Every scan detonates the same way, but where the report lives afterwards is your call. The lifecycle of a submission, what the public corpus is for, and when a private scan is the right choice.

Guides

How to read a redirect chain like an analyst

The hop-by-hop story between the link that was clicked and the page that loaded is often the most honest part of a scan report. A field guide to reading it.

Engineering

Why we detonate every URL: sandbox vs. static analysis

Reputation lookups answer "was this bad yesterday?". Detonation answers "what does this actually do right now?". A tour of the engineering trade-offs behind the Voretix pipeline.

Product

From inbox to pipeline: automating scans with the Voretix API

Manual scanning wins triage; automation wins volume. How to wire Voretix into your alert pipeline with an API key, and the integration patterns we see working in the field.

Guides

Short links, long cons: the shortener abuse playbook

URL shorteners are the perfect wrapper for a malicious link: free, reputable, and opaque. What to check before you click through one — and how to unwrap them safely.

Product

Hunt is live: query the scan corpus like a threat feed

Our new Hunt page turns the public scan corpus into a searchable hunting ground — pivot across domains, kits and campaigns instead of reading one report at a time.