Search Domains - VantaPrism API

Check whether any infected machine has saved credentials or cookies for a given domain — the primary entry point for assessing an organization’s exposure to infostealer malware.

Request

POST /v1/domain/search · Required scope: search:domain (all tiers)

Parameter	Type	Required	Default	Description
`domains`	string[]	Yes	—	Domains to search, min 1 item. e.g. `["acme-corp.com"]`
`subdomains`	string[]	No	`[]`	Restrict to specific subdomain labels, e.g. `["mail", "vpn"]`. Takes priority over `include_subdomains` — see Overview
`include_subdomains`	boolean	No	`false`	When `true` and `subdomains` is empty, include all subdomains
`type`	`employees` \| `users` \| `both`	No	`both`	Classification filter — see Overview
`start_date`	string (date-time) \| null	No	—	Inclusive start filter on `inserted_at`. Clamped by your tier’s `query_window_days`
`end_date`	string (date-time) \| null	No	—	Inclusive end filter
`sort_direction`	`asc` \| `desc`	No	`desc`	Must stay constant across pages of the same query
`cursor`	string \| null	No	—	Pagination token from a previous response’s `nextCursor`
`limit`	integer	No	`25`	1–500, clamped to your tier’s `max_rows`

Example request

curl -X POST https://api.vantaprism.me/v1/domain/search \
  -H "api-key: $VANTAPRISM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "domains": ["acme-corp.com"],
    "type": "employees",
    "limit": 25
  }'

Response

200 OK — array of DomainSearchResult, cursor-paginated.

{
  "data": [
    {
      "stealer_id": "RL-2026-AC91F3",
      "victim_id": "a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456",
      "domain": "acme-corp.com",
      "url": "https://login.microsoftonline.com/common/oauth2",
      "username": "jondoe@*******.com",
      "password": "••••",
      "infection_date": "2026-05-02T14:22:31Z",
      "type": "employee"
    }
  ],
  "nextCursor": null,
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 38.2,
    "tier": "free",
    "masked_fields": ["username", "password"]
  }
}

Field	Description
`stealer_id`	`log_victim_id` of the infected machine that harvested this record
`victim_id`	SHA-256 victim ID — use with Victim Profiles
`domain`	Registrable domain extracted from `url`
`url`	Full URL (no masking applied to this field on this endpoint)
`username`	Masked via `partial_login` on free tier
`password`	Masked to `"••••"` on free tier
`infection_date`	When the log was captured
`type`	`employee` \| `user` — present when classification matched

Pagination

Cursor-paginated — see Pagination. Pass nextCursor back as cursor to get the next page, keeping sort_direction constant.

Errors

Status	`code`	Cause
400	`VALIDATION_ERROR`	`domains` is empty or exceeds limits
400	`INVALID_CURSOR`	Tampered or stale `cursor`
403	`FORBIDDEN_SCOPE`	Key lacks `search:domain`

See Errors for the full catalog.

Tier notes

Free tier masks username and password as shown above.
start_date older than your tier’s query_window_days is silently clamped (90 days on free, 365 on pro, unlimited on ultra).
limit above your tier’s max_rows (25 / 100 / 500) is clamped.

​Request

​Example request

​Response

​Pagination

​Errors

​Tier notes