VirusTotal API

Aggregates antivirus scan results from 70+ engines for files, URLs, domains, and IP addresses. Provides threat intelligence, behavioral analysis, and community-driven reputation data.

Evaluated Mar 06, 2026 (0d ago) vcurrent

Homepage ↗ Repo ↗ Security virustotal malware threat-intelligence url-scanning file-hash security rest-api mcp-server sdk

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

Rate Limits

🔒 Security

TLS Enforcement

100

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

API key via x-apikey header (not query param — good practice). Premium keys unlock additional endpoints. No scope granularity — one key has full access. TLS enforced. Official vt-py SDK actively maintained by VirusTotal team. File submissions become public — critical data handling consideration.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

A security agent needs to quickly check whether a file hash, URL, domain, or IP is known-malicious against a broad set of AV engines and threat intelligence sources.

Avoid When

You need to submit confidential files (they become public), or need real-time inline blocking.

Use Cases

• Scanning URLs and files for malware before processing in agent pipelines
• Enriching security incidents with multi-engine threat verdicts
• Lookups of file hashes (MD5/SHA1/SHA256) against known malware database
• Domain and IP reputation checks in email security or web filtering workflows
• Automated triage of suspicious artifacts in SOC automation

Not For

• Real-time endpoint protection (analysis takes time, not inline blocking)
• Submitting private/confidential files (all submissions become publicly visible)
• High-volume automated scanning on free tier (strict rate limits)
• Definitive verdicts — single false positives are common from some AV engines

Interface

REST API

Yes

GraphQL

gRPC

MCP Server

Yes ↗

SDK

Yes

Webhooks

Yes

OpenAPI Spec ↗

Authentication

Methods: api_key

OAuth: No Scopes: No

API key passed via x-apikey header. Free and premium keys use the same header. Premium keys unlock higher rate limits and additional endpoints like file behavior reports.

Pricing

Model: freemium

Free tier: Yes

Requires CC: No

Free tier is useful for development and low-volume workflows. Premium unlocks private scanning, higher rate limits, live hunt, and advanced threat intelligence. Many enterprise features require contacting sales.

Agent Metadata

Pagination

cursor

Idempotent

Full

Retry Guidance

Documented

Known Gotchas

⚠ Free tier 4 req/min limit makes agents extremely slow — throttling is mandatory
⚠ File submissions are PUBLIC — never submit confidential or proprietary files
⚠ Not-found (404) for a file hash does not mean it's clean — just not previously scanned
⚠ Single AV engine detections can be false positives — agents should require multiple detections before flagging
⚠ File analysis takes time — submission returns analysis ID, requires polling for results
⚠ URLs must be base64url-encoded without padding when used in path parameters

Alternatives

{'id': 'shodan-api', 'reason': 'Better for network exposure and service enumeration rather than malware/URL reputation analysis'} {'id': 'abuseipdb-api', 'reason': 'Better for crowdsourced IP abuse reputation with simpler API and lower cost for IP-focused workflows'} {'id': 'hybrid-analysis-api', 'reason': 'Free sandbox analysis with behavioral reports for malware samples without the per-submission public disclosure concern'}

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for VirusTotal API.

$99

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.