Every Voretix scan ends the same way: a verdict and a risk score at the top of the report. For a quick "should I click this?" check, that headline is all you need. But the report underneath it is a full forensic record of everything the page did during detonation, and knowing how to read it turns a one-word answer into a story you can defend in a ticket. This is the reading order we use internally.
1. Start with the screenshot
Before any technical detail, ask the simplest question: what is this page pretending to be? The full-page screenshot is captured after scripts run, so it shows what a victim would actually see — not the polite HTML the server first returned. A login form wearing a global brand's clothes is only meaningful once you compare it to the domain that served it, which is exactly the next card.
2. Submitted URL vs. final URL
The overview shows the URL you submitted and the URL the browser ended up on, plus the IP it resolved to. When those two domains have nothing to do with each other, the journey between them matters — open the redirect chain card and read it hop by hop. Each entry records the source, destination, status code and the IP that answered. We wrote a full guide to chain-reading here; the short version is that boring chains are benign and interesting chains are evidence.
3. Findings: three engines, one list
The findings card merges signals from three independent sources:
- Heuristic rules that fire on structural patterns — kit artefacts, cloaking behaviour, suspicious form targets.
- AI analysis, which reads the rendered page the way a person would and reports its own verdict with reasoning.
- Infrastructure signals like a newly registered domain, flagged with its age in days.
The engines are deliberately independent. When all three agree, the verdict is settled; when they disagree, the disagreement itself tells you where to look closer.
4. The certificate card
TLS details are recorded straight from the connection: issuer, subject, the full SAN list, and the validity window. Two habits pay off here. Check when the certificate became valid — a cert that is hours old on a domain that is days old is a campaign being assembled in front of you. And skim the SAN list: kits often park dozens of throwaway hostnames on one certificate, and the neighbours convict each other.
5. Content: links, images, text
The content card splits every link on the page into external and internal, lists the images it displayed, and keeps a sample of the visible text. Cloned pages leak here constantly: footer links pointing back at the genuine brand, image assets loaded from the real site, and broken images where the kit author's copy job missed. A "bank" whose every link exits to a different domain is not a bank.
6. Similar layouts
The similarity card compares this page's structural and visual fingerprints against the rest of the corpus and shows the closest match with its similarity score and verdict. This is the card that turns one scan into context: a page you have never seen before, matching at high similarity a page that was convicted last week, has effectively inherited that conviction.
Read the report in this order — screenshot, URLs, findings, certificate, content, similarity — and you are not checking a link anymore. You are running a five-minute investigation.
When you disagree with the verdict
It happens: heuristics are conservative on purpose, and some legitimate pages behave strangely. The report gives you everything you need to overrule it in either direction — and if the page belongs to a campaign, the Hunt page is where you take the fingerprints you just collected and find its siblings.
Frequently asked questions
How do I check if a URL is malicious without clicking it?
Submit it to a sandbox scanner like Voretix. The URL is opened in an isolated browser that records the redirect chain, certificate, page content and a screenshot, then scores it — the link never touches your device.
What should I look at first in a URL scan report?
Start with the screenshot to see what the page claims to be, then compare the submitted URL with the final URL. A login page for a brand on a domain that brand does not own is the fastest conviction.
Can I rely on the scan verdict alone?
For a quick should-I-click decision, yes. For incident response, read the findings, redirect chain and certificate cards — they are the evidence that survives escalation.