There are two philosophies for deciding whether a URL is dangerous. The first looks the URL up: blocklists, reputation feeds, domain age, certificate history. The second opens it — in a real browser, in an isolated environment — and watches what happens. Voretix does both, but the sandbox is the spine of the product, and this post is about why.
The problem with asking the past
Static reputation is fast and cheap, and for the long tail of known-bad infrastructure it is exactly right. Its weakness is arithmetic: the median phishing campaign in our corpus goes from domain registration to first victim in under 48 hours, and the median blocklist entry lags first-seen by longer than the campaign lives. A reputation-only scanner is a historian. Attackers only need it to be wrong for a day.
What detonation sees
When a scan launches, a hardened headless browser visits the URL from our infrastructure and records everything the page does:
- The full redirect chain, including meta-refresh and JavaScript hops that never appear in HTTP headers.
- Every request the page makes — scripts, frames, beacons — and which origins they touch.
- The rendered DOM after script execution, not the polite HTML the server first returns.
- Where forms actually post, which is routinely a different origin from the page itself on credential-theft pages.
- A full-page screenshot, because "does this claim to be a login page for a brand that does not own this domain" is a question you can only ask of pixels.
The cat-and-mouse part
Of course, attackers know sandboxes exist. Kits fingerprint automation: they probe navigator.webdriver, canvas entropy, timezone/locale mismatches, and mouse movement before deciding which page to serve. Our answer is an arms race we accept openly — the detonation environment is continuously tuned to look like a person's browser, egress rotates so our ranges cannot be trivially blocklisted, and crucially, the evasion attempt is itself a signal. A page that behaves differently for a suspected bot has told you almost everything you need to know.
We do not need the page to cooperate. We need it to make a choice — and every choice is evidence.
Why not sandbox-only, then?
Because verdicts need context. Detonation tells you what the page did in the sixty seconds we watched it; the static layer tells you the domain was registered on Tuesday, the certificate is four hours old, and the same kit structure appeared on ninety other hosts this month. The score you see in a report is those two philosophies agreeing with each other — and the findings list is where you watch them argue.
Frequently asked questions
What does it mean to detonate a URL?
To open it in an isolated, instrumented browser and record everything it does — redirects, requests, script behaviour, form targets and the rendered result — instead of just looking the URL up in a reputation database.
Is it safe to scan a malicious URL?
Yes — the page runs in Voretix sandbox infrastructure, not on your machine. Your device never touches the URL, and your IP address never appears in the attacker analytics.
Why combine sandboxing with static analysis?
Detonation shows what the page did during the visit; static signals add context like domain age, certificate history and kit structure seen on other hosts. The verdict is both layers agreeing.