Product

Hunt is live: query the scan corpus like a threat feed

Our new Hunt page turns the public scan corpus into a searchable hunting ground — pivot across domains, kits and campaigns instead of reading one report at a time.

May 5, 2026 2 min read

Every public scan on Voretix adds a page's worth of ground truth to a growing corpus: domains, redirect chains, technologies, findings, verdicts. Until now you could read that corpus one report at a time. Hunt, rolling out to all accounts this week, lets you query it.

From reports to pivots

Threat hunting is the art of the pivot: you find one bad thing and ask what else shares its fingerprints. Hunt is built around exactly that motion. Start from any observable — a domain fragment, a technology, a finding type, a verdict — and widen out:

  • Find every scan whose redirect chain passed through a domain you are investigating.
  • Sweep for pages running a specific technology or kit structure flagged in past findings.
  • Filter by verdict and risk score to keep only the convictions, or invert it to study what almost got through.
  • Bound everything by time, so a campaign's infrastructure rollout reads like a timeline.

Built on the public corpus

Hunt only searches scans that were submitted as public — the same reports anyone can already open from Search. Private scans stay private, and submitter identity is never part of the index or the results. You hunt the pages, not the people who scanned them.

One suspicious domain is an incident. Forty domains sharing its kit, certificate pattern and redirect infrastructure are a campaign — and campaigns are what Hunt is for.

Where it goes next

This release is the query layer. On the roadmap behind it: saved hunts with change alerts, so a query becomes a standing watch; export hooks for pushing results into your SIEM; and campaign clustering that proposes the pivot for you when new scans match an existing pattern. Free accounts get a monthly allowance of hunt queries; paid plans extend it — see Plans & Pricing.

Open the Hunt page, start from something small — a strange domain from your mail quarantine is perfect — and see where the corpus takes you.

Frequently asked questions

What can I search with Hunt?

Any observable in public scan reports: domain fragments, redirect-chain members, technologies, finding types, verdicts and risk scores — bounded by time windows so campaigns read as timelines.

Are private scans or submitter identities in Hunt results?

No. Hunt only indexes scans submitted as public, and submitter identity or source IP is never searchable or shown in results.

Got a suspicious link in your inbox?
Detonate it in the Voretix sandbox instead of your browser — free, 100 scans a month.
Scan a URL

Keep reading

All posts