Threat intel, decoded.
Research from the scan corpus, field guides for analysts, and news from the team building Voretix.
Inside a Voretix scan report: a card-by-card field guide
The verdict is one word; the evidence is everything underneath it. How to read the screenshot, findings, redirect chain, certificate and similarity cards the way an analyst does — and in which order.
The first 48 hours of a domain
Most phishing domains do their damage before their first blocklist entry exists. Why domain age is one of the strongest single signals in the corpus — and when a brand-new domain is perfectly innocent.
Anatomy of a modern phishing kit
We detonated over 40,000 credential-phishing pages last quarter. Under the hood most of them are the same handful of kits — here is how they are built, and the five tells that give them away.
The same page on a thousand domains: fingerprinting layouts at scale
Campaigns rotate domains daily but redeploy the same page for months. How Voretix fingerprints page structure and screenshots so that one conviction finds all the clones.
The lookalike alphabet: homograph domains in the wild
Your bank is not at xn--pple-43d.com. How internationalised domain names are abused to build URLs that pass a human eye check — and how scanners see through them.
Public or private: what happens to a scan after you hit Enter
Every scan detonates the same way, but where the report lives afterwards is your call. The lifecycle of a submission, what the public corpus is for, and when a private scan is the right choice.
How to read a redirect chain like an analyst
The hop-by-hop story between the link that was clicked and the page that loaded is often the most honest part of a scan report. A field guide to reading it.
Why we detonate every URL: sandbox vs. static analysis
Reputation lookups answer "was this bad yesterday?". Detonation answers "what does this actually do right now?". A tour of the engineering trade-offs behind the Voretix pipeline.
From inbox to pipeline: automating scans with the Voretix API
Manual scanning wins triage; automation wins volume. How to wire Voretix into your alert pipeline with an API key, and the integration patterns we see working in the field.
Short links, long cons: the shortener abuse playbook
URL shorteners are the perfect wrapper for a malicious link: free, reputable, and opaque. What to check before you click through one — and how to unwrap them safely.
Hunt is live: query the scan corpus like a threat feed
Our new Hunt page turns the public scan corpus into a searchable hunting ground — pivot across domains, kits and campaigns instead of reading one report at a time.