How to Read a Security Scan Report: A Plain-English Guide

Published: 19 April 2026 10 min read By ScanTotal Security Team
Last reviewed: 4 May 2026 by Kumari Rajapaksha, Founder, ScanTotal

You paste a suspicious link or upload a file, the page returns a wall of panels, numbers, engine names and coloured badges, and somewhere on that page is the answer to the only question you actually care about: is this thing safe or not? Security scan reports are genuinely useful, but they are built for analysts first and worried humans second. This guide unpacks what you are actually looking at on a VirusTotal, urlscan.io or ScanTotal report, and how to translate it into a decision in about a minute.

The short version: no single number on a scan report is the answer. What matters is the pattern across a few different checks, and most of the confusion people run into comes from over-weighting one signal.

Anatomy of a security scan report A mock scan report card showing four labelled regions: the verdict badge, detection count, behavioural indicators, and source citations. ⚠ MALICIOUS DETECTIONS 12 / 70 engines flagged BEHAVIOUR ⚠ Connects to known C2 infrastructure ⚠ Process injection observed Sources: GSB, MITRE ATT&CK, sandbox replay Verdict Top-line answer Detection count Reputation signal Behavioural What it does Sources Audit trail
A scan report combines four parts: a verdict, a detection count from reputation engines, behavioural indicators from sandbox runs, and the sources behind each call. Reading them together is what gives you the answer.

The Three Kinds of Signals a Report Combines

Every modern scan report, whether it comes from VirusTotal, urlscan.io, Hybrid Analysis, or ScanTotal, is really a fusion of three different kinds of checks. Once you know which part of the report is doing which job, the whole page gets much easier to read.

1. Reputation lookups. The file hash or URL is checked against databases of things that have already been seen and labelled. On VirusTotal this is the famous row of antivirus engine names and verdicts. Reputation is fast and extremely accurate for known threats, but it has a blind spot: anything new is unseen, so zero detections does not automatically mean safe.

2. Structural or heuristic analysis. The scanner looks at the shape of the thing itself, a URL with a raw IP address on a non-standard port pointing to a /bins/ directory looks suspicious regardless of whether any database has logged it yet. A file with certain structural red flags behaves the same way. Heuristics fill the time gap while fresh threats haven't made it into the reputation databases.

3. Behavioural or live analysis. The scanner actually executes the file in a sandbox or fetches the URL and watches what happens. Behavioural reports are the richest but also the slowest, because something has to actually run. Hybrid Analysis and urlscan.io are well known for this kind of output; ScanTotal's Active Analysis performs live probing on URLs without running user code.

When you look at a report that shows "0/70 engines detected, but risk score 80/100 and three behavioural red flags," those three signals are not contradicting each other. They are telling you a consistent story: nobody has reported this yet (reputation blind spot), but the shape and behaviour look bad (heuristic + behavioural warning). That is exactly the kind of pattern a fresh malicious URL produces.

Reading the Detection Count (the "X out of 70" Number)

The single most-recognised number on a security report is the detection ratio, something like "3 / 70" or "0 / 72." This is the count of antivirus or URL-reputation engines that flagged the item out of the total that were queried. It is enormously useful, and it is also the single most over-interpreted number in security.

0 detections. Not yet known to be bad. Very common for fresh files or URLs. Do not read this as "confirmed safe." Pair it with heuristic and behavioural signals.

1-2 detections. Often a false positive, especially if the flagging engines are ones with a reputation for aggressive generic rules. Legitimate installers, PowerShell scripts and developer tools trip small numbers of engines regularly. The VirusTotal community tab (the "Comments" and the detailed engine list) is the right place to sanity-check.

3-10 detections. The grey zone. At this point, at least some engines with independent classification pipelines are agreeing, which is meaningful. Look at what the engines are calling it: if several name a specific malware family, treat it seriously.

10+ detections. The community has broadly agreed this is malicious. The higher the number, the more confident the call. Treat the item as hostile and move on.

VirusTotal's own documentation is explicit about this nuance, it is a meta-scanner aggregating many independent engines, and the count is input to judgement, not a final verdict. The official VirusTotal results documentation is worth a read if you want the technical detail.

Reading a URL-Scan Report (urlscan.io Style)

URL-focused reports like urlscan.io package a different set of signals because the target is a live page, not a file. The key panels to look at:

urlscan.io in particular has a very rich public-scan interface with a community feed of recent scans, which is useful context but also written primarily for SOC analysts. The urlscan FAQ explains the result fields in depth.

Reading a File-Scan Report (Hashes, Sandboxes and Behaviours)

File reports are even denser because a single binary can be analysed from many angles. The three sections worth scanning first:

Hash and file-type header. The SHA-256 and SHA-1 hashes are the file's unique digital fingerprint. The file-type detection (PE executable, Office macro document, Mach-O, ISO, LNK) tells you what the file really is, not just what its extension claims. Any mismatch between extension and real type is a red flag, a invoice.pdf that is actually a Windows executable is a classic malware disguise.

Behavioural / sandbox report. This is the crown jewel of tools like Hybrid Analysis. When the file is executed in a controlled environment, the sandbox records what it does: files dropped, registry keys written, network connections opened, processes spawned. A sandbox report that shows an "invoice" file opening PowerShell and reaching out to a foreign IP is unambiguous, regardless of whether any AV engine has seen that particular sample yet.

Rules and IoCs. YARA rule matches, MITRE ATT&CK technique tags, and indicators of compromise (IoCs). These connect your sample to broader threat research. If your file matches a YARA rule named malware_family_info_stealer, that is a very specific and serious signal, it means a researcher has seen enough samples of this exact family to write a signature.

Want a simpler front door?
ScanTotal combines Google Safe Browsing, heuristic URL analysis and live probing into a single plain-English verdict, ideal for a first check before opening VirusTotal or urlscan.io for deeper digging.
Run a Free Scan

Reading a ScanTotal Report

ScanTotal reports are deliberately shorter and written in the style that most home and small-business users need: a single overall verdict at the top, followed by the evidence that led to it. The structure mirrors the three-signal model above:

For the deeper story on how the three engines combine and what each one is good at, we published a companion piece: The Three Layers of URL Safety, Reputation, Heuristics, and Live Probing.

Common Misreadings to Avoid

Two specific mistakes account for most of the confusion people have when they read a scan report.

Treating "0 detections" as a clean bill of health. A new malicious file can sit at 0/70 for hours or even days before the detection community catches up. Reputation is necessary but not sufficient. If you are scanning something because you already suspect it, the suspicion itself is a signal, look at the heuristic and behavioural sections before you relax.

Treating "1/70 detection" as proof of malware. Single detections by aggressive engines on otherwise clean files are genuinely common, especially for niche installers, developer tools, game mods and older legitimate software. Before you call a single detection malware, check which engine flagged it, whether the detection name is a specific family (e.g. Trojan.Win32.FamilyX) or a generic heuristic (e.g. Heur.Suspicious.Gen), and whether the community tab has analyst comments supporting or disputing the call.

A Quick Reading Workflow

If you scan something and are not sure how to read the result, this takes about a minute:

  1. Start with the headline verdict. Big red banner, high detection count, or explicit "phishing detected"? Trust it and move on.
  2. If it is borderline, look at the detection ratio. 0 means unknown, not safe. 1-2 means investigate. 3+ means probably real.
  3. Look at the structural indicators. If the URL has a raw IP, odd port or malware-named path, the heuristic panel will say so plainly. Weight these heavily for unknown URLs.
  4. Check the behavioural panel if there is one. Sandbox actions and live-probe findings are the last line of defence when reputation is silent.
  5. Cross-check on a second scanner if the stakes are high, money, credentials, or a business-critical file. VirusTotal for files, urlscan.io for URLs, ScanTotal for a consolidated consumer-friendly read.

The best scan reports in the industry, VirusTotal, urlscan.io, Hybrid Analysis, are extraordinarily valuable resources and ones we rely on ourselves. They are written for professionals, which is right for their audience, and it is why a friendlier first-pass layer is useful on top. Read them as evidence boards rather than yes/no oracles, and a lot of the mystery goes away.

Security Tools VirusTotal urlscan.io Threat Intel How-To

Want a plain-English first-pass scan?

Paste any URL, file or text into ScanTotal for a friendly verdict in seconds, free and private.

Open Scanner

Sources & Further Reading

Related Articles

Browser Security Warnings Explained
What "Deceptive site ahead" and certificate errors really mean.
What 30 Days of Scans Revealed
Our first transparency report, 730 scans, 9 threats, in full.
The Three Layers of URL Safety
Reputation, heuristics and live probing, how the three signal types combine.
How to Check If a Link Is Safe
The practical workflow for vetting a suspicious URL.
Is This File Safe?
Checking a download for malware before you open it.
What Is Threat Intelligence?
The ecosystem behind the databases scanners look things up in.