Advanced Search - VantaPrism API

Combine multiple filters — domains, emails, IPs, PC names, stealer family, and country — with AND logic in a single query. Use this for narrowly scoped investigative questions like “RedLine infections in Germany involving acme-corp.com” that would otherwise require multiple separate searches and manual intersection.

Request

POST /v1/search/advanced · Required scope: search:advanced (pro and ultra tiers) At least one of domains, emails, ips, pc_names, stealer_family, or country is required. All provided filters are AND-combined.

Parameter	Type	Required	Default	Description
`domains`	string[]	No*	`[]`	Registrable domains to filter by
`emails`	string[]	No*	`[]`	Email addresses to filter by
`ips`	string[]	No*	`[]`	IPv4 addresses to filter by
`pc_names`	string[]	No*	`[]`	Computer names to filter by
`stealer_family`	string \| null	No*	—	Stealer family name, e.g. `"RedLine"`, `"LummaC2"`
`country`	string \| null	No*	—	ISO 3166-1 alpha-2 country code, e.g. `"US"`, `"DE"`
`start_date`	string (date-time) \| null	No	—	Inclusive start filter, clamped by `query_window_days`
`end_date`	string (date-time) \| null	No	—	Inclusive end filter
`sort_direction`	`asc` \| `desc`	No	`desc`	Must stay constant across pages
`cursor`	string \| null	No	—	Pagination token
`limit`	integer	No	`25`	1–500, clamped to your tier’s `max_rows`

* At least one of domains, emails, ips, pc_names, stealer_family, or country must be provided.

Example request

curl -X POST https://api.vantaprism.me/v1/search/advanced \
  -H "api-key: $VANTAPRISM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "domains": ["acme-corp.com"], "stealer_family": "RedLine", "country": "DE", "limit": 25 }'

Response

200 OK — array of AdvancedSearchResult, cursor-paginated.

{
  "data": [
    {
      "stealer_id": "RL-2026-AC91F3",
      "victim_id": "a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456",
      "username": "j.doe@acme-corp.com",
      "password": "Tr0ub4dor&3",
      "domain": "acme-corp.com",
      "url": "https://login.microsoftonline.com/common/oauth2/authorize",
      "infection_date": "2026-05-02T14:22:31Z"
    }
  ],
  "nextCursor": null,
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 44.3,
    "tier": "pro",
    "masked_fields": []
  }
}

Field	Description
`stealer_id`	`log_victim_id` of the infected machine
`victim_id`	SHA-256 victim ID — use with Victim Profiles
`username`	Account identifier from the stolen credential record
`password`	Plaintext stolen password
`domain`	Registrable domain extracted from `url`
`url`	Login URL from the stolen credential record
`infection_date`	When the log was captured

Pagination

Cursor-paginated — see Pagination.

Errors

Status	`code`	Cause
400	`VALIDATION_ERROR`	None of `domains`/`emails`/`ips`/`pc_names`/`stealer_family`/`country` provided
400	`INVALID_CURSOR`	Tampered or stale `cursor`
403	`FORBIDDEN_SCOPE`	Key lacks `search:advanced` (free tier)

See Errors for the full catalog.

Tier notes

This endpoint requires search:advanced, which is not included on the free tier — a free-tier key receives 403 FORBIDDEN_SCOPE. Both pro and ultra tiers receive username, password, and url unmasked — the free-tier masking rules in Data Masking for these fields never apply here, since free tier cannot call this endpoint at all.

​Request

​Example request

​Response

​Pagination

​Errors

​Tier notes