VirusTotal API v3 Overview

🚧

Commonly missed

Looking for more API quota and additional threat context?
Contact us to learn more about our offerings for professionals and try out the VT ENTERPRISE Threat Intelligence Suite.

Looking for your VirusTotal API key?
Jump to your personal API key view while signed in to VirusTotal. By the way, you might want to use it in conjunction with VirusTotal's browser extension to automatically contextualize IoCs on interfaces of your choice.

Do you want to integrate into Splunk, Palo Alto Cortex XSOAR or other technologies?
Enrich your security events, automatically triage alerts and boost detection confidence leveraging our ubiquitous integrations in 3rd-party platforms such as Splunk SOAR, Splunk SIEM, XSOAR, Crowdstrike, Chronicle SOAR and others (see more).

API version 3 is now the default and encouraged way to programmatically interact with VirusTotal. It greatly improves API version 2, which, for the time being, will not be deprecated. This new API was designed with ease of use and uniformity in mind and it is inspired in the http://jsonapi.org/ specification.

This API follows the REST principles and has predictable, resource-oriented URLs. It uses JSON for requests and responses, including errors.

While older API endpoints are still available and will not be deprecated, we encourage you to migrate your workloads to this new version. It exposes far richer data in terms of: IoC relationships, sandbox dynamic analysis information, static information for files, YARA Livehunt & Retrohunt management, crowdsourced detection details, etc.

Most popular API endpoints

  • Upload a file for scanning: analysis your file with 70+ antivirus products, 10+ dynamic analysis sandboxes and a myriad of other security tools to produce a threat score and relevant context to understand it.
  • Get a file report by hash: given a {md5, sha1, sha256} hash, retrieves the pertinent analysis report including threat reputation and context produced by 70+ antivirus products, 10+ dynamic analysis sandboxes and a myriad of other security tools and datasets.
  • Scan URL: analysis your URL with 70+ antivirus products/blocklists and a myriad of other security tools to produce a threat score and relevant context to understand it.
  • Get a URL analysis report: given a URL, retrieves the pertinent analysis report including threat reputation and context produced by 70+ antivirus products/blocklists and a myriad of other security tools and datasets.
  • Get a domain report: given a domain, retrieves the pertinent analysis report including threat reputation and context produced by 70+ antivirus products/blocklists and a myriad of other security tools and datasets.
  • Get an IP address report: given an IP address, retrieves the pertinent analysis report including threat reputation and context produced by 70+ antivirus products/blocklists and a myriad of other security tools and datasets.