Overview
An asset scan is a single security check ChainPatrol performs on an asset (like a URL, social profile, app listing, crypto address, or email) at a specific moment in time.
What It Captures
- What We Saw - Visual and content snapshot
- Extra Context - Enrichment data collected
- Risk Conclusion - Risk assessment and scores
Why It Matters
Asset scans are the building blocks ChainPatrol uses to understand threats over time, update asset status, support reviews and takedowns, and power reporting and analytics.
Key Characteristics
Tied to Specific Asset
Every asset scan belongs to exactly one asset and, through that asset, to an organization and optionally a brand.
Time-Bound Snapshot
Each scan has a timestamp and stands on its own. Later scans might see different content, liveness status, risk indicators, and infrastructure. This allows ChainPatrol to track how threats evolve over time.
Status Tracking
A scan has a simple status reflecting where it is in the checking process:
- Pending - Scan queued but not yet started
- In Progress - Actively collecting data and running checks
- Completed - Scan finished successfully with results
- Failed - Scan encountered errors and couldn’t complete
Contents
- Inputs - What we were asked to scan (URL, address, profile) and related context (organization, brand, detection source)
- Outputs - Enrichments (extra data we fetched), labels (risk tags), liveness status, and overall risk score for that point in time
What Lives Inside a Scan
Enrichments (Extra Context)
Structured information gathered during the scan:
- Web Content & Metadata - Page HTML and text content, title, description, keywords, meta tags and structured data, screenshots and visual captures, form fields and input elements
- Links Discovered - Outbound links from the page, redirect chains, external resources loaded, related infrastructure
- Technical Details - DNS records and resolution, TLS/SSL certificate information, IP addresses and hosting, server headers and responses, network infrastructure
- Platform-Specific Details - Social profile attributes (followers, posts, bio), app store listing information (ratings, reviews, permissions), blockchain data (contract code, transactions), email validation results
Each enrichment knows where it came from (e.g., “page content”, “network”, or an external scanner) and whether it succeeded or failed.
Labels (Findings)
Human-readable tags with scores that categorize risk:
- Brand Impersonation - Visual or textual mimicry of your brand
- General Phishing - Credential harvesting or scam patterns
- Provider Blocked - Suspended or blocked by hosting provider
- Wallet Drainer - Malicious wallet connection code
- Parked Domain - Domain reserved but not in use
- Typosquatting - Domain closely resembling legitimate one
Scores and Liveness
A scan tracks two key metrics:
Risk Score - A numerical score (typically 0-1) representing the overall risk level at that point in time. Calculated from label scores, rule evaluations, confidence levels, and historical patterns.
Liveness Status - Indicates whether the asset is currently accessible:
- ALIVE - Asset is accessible and active
- DEAD - Asset is inaccessible or removed
- UNKNOWN - Status cannot be determined
How Asset Scans Relate to Other Concepts
- Asset - The asset is the “thing” (URL, profile, listing, address); scans are the history of what we have seen about that thing. One asset has many scans over time, and scans build a timeline of the asset’s behavior. The most recent scan is typically used for current status.
- Threats / Detections - Threat records (detections) use scan labels and scores as key inputs to decide whether something should be treated as an active threat for your organization.
- Reviews - When your team reviews a reported asset, they see the most relevant scan results including screenshots, labels and scores, enrichment data, and historical scan timeline to understand why it was flagged and whether it should be allowed, blocked, or escalated.
- Blocklist, Allowlist, Watchlist - Repeated scan results help decide status: Blocked (assets that consistently look malicious), Allowed (assets that can be treated as safe), and Watchlisted (assets that are sensitive or change frequently).
- Takedowns - For assets that need to be taken down, scan data provides evidence including screenshots showing malicious content, metadata and technical details, liveness history, and timeline of activity to support outreach to hosting providers, registrars, and platforms.
- Relationships Between Assets - When scans find links and redirects, they can be connected together to show clusters of related pages or infrastructure, helping identify broader campaigns, map attacker infrastructure, understand threat networks, and coordinate takedowns.
Examples
Example 1: Suspicious Login Page
A new login page is found in search results. ChainPatrol scans the page, sees it closely imitates your brand, detects wallet connection requests, and assigns strong phishing and brand-impersonation labels. The scan feeds into a threat record for your organization and appears in your triage queue with high-priority review recommended. High-confidence scans like this often trigger automatic blocking.
Example 2: Official Site Staying Healthy
Your official website is added as an asset and monitored. Regular scans (daily or weekly) show the asset is alive and consistent, does not trigger risky labels, and maintains a stable risk score near zero. It remains allowed and serves as a “known good” reference used for comparison against suspicious assets.
Example 3: Impersonating Social Profile
A social profile claiming to be one of your employees is discovered. The profile is scanned for attributes, shows overlapping branding, detects suspicious outreach behavior, and increases impersonation scores. The scan supports team decision-making, provides evidence for escalation, and forms the basis for pursuing takedown with documented proof of impersonation.
What Asset Scans Are Not
- Not a Human Report - Asset scans are system-generated. Reports are created by users or external systems raising issues.
- Not a Case - A scan can be clean or suspicious. A threat or incident record is created only when risk crosses thresholds or a human escalates it.
- Not a Configuration - Scans use your rules, thresholds, and service settings, but they are not where you configure behavior. They are the evidence those settings produce.
Key Takeaways
- One asset, many scans creates a timeline: Scanning the same URL multiple times shows how threats evolve, when they go live, and when takedowns succeed
- Selective enrichment balances speed and depth: Basic scans are fast, but when risk signals appear, deeper analysis triggers automatically to gather decisive evidence
- Liveness tracking enables automated workflows: Knowing when assets change from ALIVE to DEAD lets watchlist monitoring confirm takedown success without manual checking
- Relationship extraction reveals campaigns: Links and redirects discovered during scans help trace entire threat networks instead of treating each malicious site as isolated
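The liveness takeaway above, sketched as an added example (not ChainPatrol code or its API): a takedown is confirmed from an asset's scan timeline only when an ALIVE history ends in a run of DEAD scans. The Scan record, its field names and the min_dead threshold are assumptions made for illustration; the status and liveness values are the ones this page lists.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Scan:                      # hypothetical record, not ChainPatrol's schema
    at: datetime
    status: str                  # PENDING, IN_PROGRESS, COMPLETED or FAILED
    liveness: str = "UNKNOWN"    # ALIVE, DEAD or UNKNOWN
    risk: float = 0.0            # 0-1

def conclusive(scans):
    """Completed scans with a definite liveness, oldest first."""
    keep = [s for s in scans if s.status == "COMPLETED" and s.liveness != "UNKNOWN"]
    return sorted(keep, key=lambda s: s.at)

def takedown_time(scans, min_dead=2):
    """Time of the first DEAD scan in the trailing DEAD run, or None.

    Requires an earlier ALIVE scan and at least min_dead consecutive DEAD
    scans (assumed threshold) so one outage is not read as a takedown.
    """
    seq = conclusive(scans)
    run = []
    for s in reversed(seq):
        if s.liveness != "DEAD":
            break
        run.append(s)
    was_alive = len(run) < len(seq)   # the scan just before the run is ALIVE
    return run[-1].at if was_alive and len(run) >= min_dead else None

def day(d):
    return datetime(2024, 1, d)

# Constructed sample timelines for one asset.
TAKEN_DOWN = [
    Scan(day(1), "COMPLETED", "ALIVE", 0.92),
    Scan(day(2), "COMPLETED", "ALIVE", 0.95),
    Scan(day(3), "FAILED"),                       # no result: ignored
    Scan(day(4), "COMPLETED", "DEAD", 0.95),
    Scan(day(5), "COMPLETED", "UNKNOWN", 0.95),   # inconclusive: ignored
    Scan(day(6), "COMPLETED", "DEAD", 0.95),
    Scan(day(7), "PENDING"),                      # not finished: ignored
]
FLAPPING = [Scan(day(d), "COMPLETED", live, 0.9)
            for d, live in enumerate(["ALIVE", "DEAD", "ALIVE", "DEAD"], start=1)]

if __name__ == "__main__":
    print(takedown_time(TAKEN_DOWN), takedown_time(FLAPPING))
```

Failed, unfinished and UNKNOWN scans are skipped rather than counted as DEAD, so a scanner outage cannot close a takedown on its own.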