The analyze endpoint lets you scan either new or existing indicators on-demand to gather fresh threat intelligence for investigation and triage.

Workflow

Scanning follows a simple queue-based process that enriches indicators with threat intelligence data:
  1. Submit an indicator value for scanning. Add an indicator value to Pulsedive’s processing queue and receive a queue ID.
  2. Poll for results. Use the queue ID to check progress.
  3. Review results. Retrieve enriched threat intelligence data when scanning completes.

Scan Types

Choose between passive or active scanning:
  • Passive scans: Collect data without directly interacting with the indicator. These may include WHOIS, DNS, or other metadata lookups.
  • Active scans: Generate limited network activity, such as lightweight port scans and HTTP requests to the indicator’s domain with a web browser. These scans are more comprehensive but also more “noisy”.
Passive scanning used to be called “analyzing” while active scanning was “probing”. You may notice remnants of this language in some requests.
All scans are executed from hardened, rotating proxies located across several countries to improve reliability and security.

Storage Behavior

By default, this endpoint performs the same enrichment and risk scoring as submitting through the UI, but without saving the data. To save the indicator to Pulsedive’s database, add submit=1 to your request. This stores the indicator and makes it searchable in future queries. If you scan an indicator that already exists in the database (with or without submit=1), Pulsedive updates its information with fresh scan results.
For bulk scanning or uploading multiple indicators, use the Pulsedive UI’s Analyze page.

Rate Limits and Logging

Only the initial API request that adds an indicator to the queue counts toward your rate limit. Requests to check for results are not counted against your limit. Avoid excessive polling to prevent unnecessary load on the platform. We recommend polling every 500 ms.
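
The queue workflow and polling guidance above, as an added Python example that is not Pulsedive's own code: it submits once, polls every 500 ms with a timeout, and defaults to a passive scan without saving. The `submit` and `poll` callables are caller-supplied transports, and the names `value`, `probe`, `qid`, `status` and `error`, plus the `FakeQueue` stand-in, are assumptions not taken from this page; only `submit=1` is.

```python
import time

POLL_INTERVAL = 0.5  # seconds: the 500 ms interval recommended above

def build_submit_params(value, active=False, save=False):
    """Parameters for the one rate-limited request that queues a scan."""
    # "value" and "probe" are assumed parameter names; passive is the default.
    params = {"value": value, "probe": 1 if active else 0}
    if save:
        params["submit"] = 1  # from the page: store the indicator in the database
    return params

def scan(value, submit, poll, active=False, save=False, timeout=60.0,
         sleep=time.sleep, clock=time.monotonic):
    """Queue one scan, then poll at a fixed interval until it completes.

    submit(params) and poll(qid) are caller-supplied transports returning dicts.
    """
    queued = submit(build_submit_params(value, active, save))
    qid = queued.get("qid")  # assumed name of the queue ID field
    if qid is None:
        raise RuntimeError(f"scan was not queued: {queued!r}")
    deadline = clock() + timeout
    while True:
        result = poll(qid)  # polls are not counted against the rate limit
        if "error" in result:  # assumed error field
            raise RuntimeError(f"scan {qid} failed: {result['error']}")
        if result.get("status") == "done":  # assumed completion marker
            return result
        if clock() >= deadline:
            raise TimeoutError(f"scan {qid} still queued after {timeout}s")
        sleep(POLL_INTERVAL)

class FakeQueue:
    """Constructed in-memory stand-in for the service; finishes on the Nth poll."""
    def __init__(self, polls_needed=3):
        self.polls_needed, self.polls, self.submitted = polls_needed, 0, []

    def submit(self, params):
        self.submitted.append(params)
        return {"qid": 1001}

    def poll(self, qid):
        self.polls += 1
        if self.polls < self.polls_needed:
            return {"status": "processing"}
        return {"status": "done", "data": {"indicator": self.submitted[-1]["value"]}}

if __name__ == "__main__":
    q = FakeQueue()
    print(scan("example.com", q.submit, q.poll, sleep=lambda s: None))
```

To use it against the real service, pass `submit` and `poll` functions that wrap your HTTP client and API key.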