Get an AI-generated, analyst-ready explanation of how victims of a given stealer family were most likely infected — VantaPrism inspects browser history around each victim’s infection timestamp and returns a heuristic best-guess for the infection vector (the download or page most likely responsible), with supporting reasoning and a narrative summary suitable for dropping straight into an incident report.

Request

POST /v1/search/infection-analysis · Required scope: infection-analysis (ultra tier only) · Not paginated
Parameter  Type    Required  Default  Description
stealer    string  Yes       (none)   Stealer family name, e.g. "RedLine", "Raccoon", "Vidar", "LummaC2"
This endpoint is counted as an aggregation request against your tier’s agg_per_min limit — see Rate Limits & Tiers.

Example request

curl -X POST https://api.vantaprism.me/v1/search/infection-analysis \
  -H "api-key: $VANTAPRISM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "stealer": "LummaC2" }'

Response

200 OK — a single InfectionAnalysisResult object. nextCursor is not present — this endpoint is not paginated.
{
  "data": {
    "likely_infection_url": "https://cracked-software-download.example/setup.exe",
    "infection_reasoning": "87% of analyzed LummaC2 victims visited this URL within 10 minutes prior to the first credential-stealing process execution, consistent with a trojanized installer.",
    "infection_flow": [
      { "visited_at": "2026-05-02T14:10:11Z", "url": "https://www.google.com/search?q=adobe+photoshop+crack", "title": "adobe photoshop crack - Google Search" },
      { "visited_at": "2026-05-02T14:11:48Z", "url": "https://cracked-software-download.example/photoshop", "title": "Download Adobe Photoshop 2026 Cracked" },
      { "visited_at": "2026-05-02T14:12:55Z", "url": "https://cracked-software-download.example/setup.exe", "title": null }
    ],
    "analyst_summary": "Victims infected with LummaC2 in this dataset show a consistent pattern: a search for cracked/pirated software leads to a third-party download site serving a trojanized installer. The malware executes within minutes of download, immediately followed by credential and browser-data exfiltration. Recommend blocking the identified domain and auditing endpoints for the same installer hash."
  },
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 1840.2,
    "tier": "ultra",
    "masked_fields": []
  }
}
Field                  Description
likely_infection_url   URL heuristically identified as the infection vector, or null if no consistent pattern was found
infection_reasoning    Human-readable explanation of why this URL was flagged
infection_flow         Ordered sequence of browser-history events leading to the likely infection point
analyst_summary        Narrative summary suitable for an incident report
No fields are masked on this endpoint — it returns aggregate/analytical output rather than per-victim identifiers.
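A small client for this endpoint, added here as an example and not part of the VantaPrism documentation or any official SDK. It assumes only the request, response shape and error codes documented above; the sample response below is constructed from the example on this page, and triage() turns the result into the facts an analyst needs (the domain to block, the search-to-download dwell time, a sanity check that the flow is chronological and ends at the flagged URL).

```python
import json
import urllib.error
import urllib.request
from datetime import datetime
from urllib.parse import urlparse

API_BASE = "https://api.vantaprism.me"

def request_analysis(stealer: str, api_key: str) -> dict:
    body = json.dumps({"stealer": stealer}).encode()
    req = urllib.request.Request(f"{API_BASE}/v1/search/infection-analysis", data=body, method="POST",
                                 headers={"api-key": api_key, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:  # endpoint may take 1-2 s (AI model)
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 403:
            raise PermissionError("key lacks the ultra-only infection-analysis scope") from e
        if e.code == 429:
            raise RuntimeError("agg_per_min exceeded; back off before retrying") from e
        raise

def triage(result: dict) -> dict:
    """Reduce an InfectionAnalysisResult to the facts an IR analyst acts on."""
    data = result["data"]
    url = data.get("likely_infection_url")
    if url is None:  # documented: null when no consistent pattern was found
        return {"vector_found": False, "reason": data.get("infection_reasoning")}
    events = data["infection_flow"]
    times = [datetime.fromisoformat(e["visited_at"].replace("Z", "+00:00")) for e in events]
    if times != sorted(times):
        raise ValueError("infection_flow is not chronological; do not trust this timeline")
    return {
        "vector_found": True,
        "block_domain": urlparse(url).hostname,
        "seconds_search_to_download": int((times[-1] - times[0]).total_seconds()),
        "flow_ends_at_vector": events[-1]["url"] == url,
    }

# Constructed sample: the response shown on this page, trimmed to the fields triage() reads.
SAMPLE_RESULT = {
    "data": {
        "likely_infection_url": "https://cracked-software-download.example/setup.exe",
        "infection_flow": [
            {"visited_at": "2026-05-02T14:10:11Z", "url": "https://www.google.com/search?q=adobe+photoshop+crack"},
            {"visited_at": "2026-05-02T14:11:48Z", "url": "https://cracked-software-download.example/photoshop"},
            {"visited_at": "2026-05-02T14:12:55Z", "url": "https://cracked-software-download.example/setup.exe"},
        ],
    },
}
```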

Not paginated

This endpoint always returns a single object. cursor/limit/sort_direction do not apply.

Errors

Status  Code                 Cause
400     VALIDATION_ERROR     stealer is missing
403     FORBIDDEN_SCOPE      Key lacks infection-analysis (free and pro tiers)
429     RATE_LIMIT_EXCEEDED  Exceeded your tier’s agg_per_min
See Errors for the full catalog.

Tier notes

infection-analysis is part of ALL_SCOPES but only granted to the ultra tier — free and pro keys receive 403 FORBIDDEN_SCOPE regardless of the stealer value supplied. This endpoint can take noticeably longer than standard search endpoints (often 1–2 seconds) because it invokes the underlying AI model.