What is VantaPrism?
Infostealer malware (RedLine, Raccoon, Lumma, Vidar, and dozens of other families) silently exfiltrates everything saved in a victim’s browser and operating system the moment a machine is compromised: saved logins, session cookies, autofill data, payment cards, crypto wallets, FTP credentials, command history, and more. That stolen data is packaged into “logs” and traded on criminal marketplaces and Telegram channels — often within hours of the infection. VantaPrism continuously ingests, normalizes, and de-duplicates these logs into a single searchable dataset. The Customer API gives you programmatic access to that dataset so you can answer questions like:
- “Has any employee at acme-corp.com had their corporate credentials stolen by an infostealer?”
- “Is this end-user’s email address associated with a compromised device, and what else was exposed on that device?”
- “What is 203.0.113.42’s exposure history — is this IP associated with infected machines?”
- “Which of our vendors/subdomains/subsidiaries show up in recent stealer logs?”
Why this matters
- Time-sensitivity. Stolen credentials are usable the moment they’re harvested — often long before a breach is publicly disclosed or even detected by the victim organization. Early visibility shortens the window an attacker has to act on valid credentials.
- Beyond password reuse. A stealer log doesn’t just give an attacker a password — it gives them the exact saved session cookies, autofill identity data, and device fingerprint for that account, which can bypass MFA entirely (session-cookie replay) in ways a leaked password alone cannot.
- Direct, not inferred. Because the data comes directly from compromised endpoints rather than from breach-database aggregation, matches represent a confirmed device-level compromise — not a probabilistic password-reuse guess.
What a “victim” record looks like
Every infected machine becomes one victim record (see Data Model for the full schema), uniquely identified by a victim_id (a SHA-256 hash) and a log_victim_id (the identifier from the original log). Attached to that victim record are zero or more rows in each of the following categories:
| Category | What it contains |
|---|---|
| Credentials | Saved login/password pairs per URL |
| Cookies | Browser session cookies (with expiry) |
| Autofill | Saved form data (names, addresses, phone numbers) |
| Cards | Saved payment card details |
| Wallets | Crypto wallet files, seed phrases, addresses |
| FTP | Saved FTP server credentials |
| Keychain | macOS Keychain entries |
| Commands | Shell command history |
| History | Browser visit history |
| Files | Other files exfiltrated from the machine (“file grabber”) |
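As an added illustration (not VantaPrism's own code or its API client), the following models the victim record above locally, de-duplicates by victim_id, and runs the “has anyone at this domain had credentials stolen?” check from the introduction over constructed sample logs. The derivation of victim_id from log_victim_id, the field names, and the masking rule are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Credential:
    url: str        # the site the login was saved for
    username: str   # typically an email address
    password: str   # never returned raw (see Data Masking & Privacy)

@dataclass
class Victim:
    log_victim_id: str               # identifier carried in the original log
    credentials: list = field(default_factory=list)

    @property
    def victim_id(self) -> str:
        # Assumption: a stable SHA-256 of the log identifier. The real
        # derivation is specified under Data Model, not here.
        return hashlib.sha256(self.log_victim_id.encode()).hexdigest()

def mask(secret: str) -> str:
    """Keep only the first character so analysts can confirm a match without seeing the secret."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""

def dedupe(victims):
    """One record per victim_id: the same machine often appears in several log uploads."""
    seen = {}
    for v in victims:
        seen.setdefault(v.victim_id, v)
    return list(seen.values())

def domain_exposure(victims, domain):
    """Return every saved credential whose username belongs to <domain> (case-insensitive)."""
    suffix = "@" + domain.lower()
    hits = []
    for v in dedupe(victims):
        for c in v.credentials:
            if c.username.lower().endswith(suffix):
                hits.append({"victim_id": v.victim_id[:12], "url": c.url,
                             "username": c.username, "password": mask(c.password)})
    return hits

# Constructed sample logs: log-0001 was uploaded twice, log-0002 is a different machine.
SAMPLE = [
    Victim("log-0001", [Credential("https://vpn.acme-corp.com", "jdoe@acme-corp.com", "Winter2024!"),
                        Credential("https://mail.example.net", "jdoe@gmail.com", "hunter2")]),
    Victim("log-0001", [Credential("https://vpn.acme-corp.com", "jdoe@acme-corp.com", "Winter2024!")]),
    Victim("log-0002", [Credential("https://shop.example.org", "Alice.Smith@ACME-CORP.com", "pass")]),
]

if __name__ == "__main__":
    for hit in domain_exposure(SAMPLE, "acme-corp.com"):
        print(hit)
```

The duplicate upload collapses to one victim, the personal gmail login on the same machine is left out of the corporate answer, and the mixed-case address still matches.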
Where to go next
- New to the API? Start with the Quickstart — your first authenticated request in under five minutes.
- Setting up a key? Read Authentication.
- Building a production integration? Read Rate Limits & Tiers, Pagination, and Response Envelope.
- Curious how sensitive fields are protected? Read Data Masking & Privacy — this is core to how VantaPrism handles PII responsibly, on every tier.
- Full endpoint reference: see the API Reference tab.