How susQR Risk Scoring Works

Transparent methodology — see exactly how we assess QR code safety

Last updated: March 2026 · By the susQR security team

Every QR code scanned through susQR receives a risk score from 0 to 100. This score is calculated by combining multiple independent threat signals — not a single check, but a layered analysis that reduces false positives while catching real threats.

We believe security tools should be transparent. Here's exactly how each factor contributes to the score you see on your results page.

Risk levels

  • Low: 0–14 points
  • Medium: 15–39 points
  • High: 40–69 points
  • Critical: 70–100 points

Threat signals we check

1. VirusTotal multi-vendor scanning

We submit each URL to VirusTotal, which checks it against 90+ security vendors including Google Safe Browsing, Kaspersky, Sophos, BitDefender, and more. If any vendor flags the URL as malicious or suspicious, points are added proportionally.

  • +25 points per vendor flagging as malicious
  • +15 points per vendor flagging as suspicious
  • −10 points if widely scanned and clean (lowers score for well-known safe sites)

2. URLhaus threat intelligence

We query the URLhaus database maintained by abuse.ch, which tracks URLs distributing malware. If a URL appears in URLhaus, it's a strong indicator of active threats.

  • +40 points if the URL is listed in URLhaus

3. Snort IDS threat detection

URLs are checked against Snort intrusion detection rules that identify known malware, exploits, trojans, command-and-control servers, and other network-level threats.

  • +30 points if Snort rules detect known threat signatures

4. Redirect chain analysis

We follow every redirect in the URL chain and analyze each hop. Legitimate sites may redirect once (e.g., HTTP → HTTPS), but phishing sites often use multiple redirects to obscure the final destination.

  • +3 points per redirect hop (1+ hops)
  • +15 points for excessive redirects (4+ hops)
  • Each hop is individually analyzed for threats and security flags

5. Domain analysis

We analyze the domain itself for risk indicators:

  • Punycode / internationalized domains (+20 points) — domains using non-ASCII characters to impersonate legitimate sites (e.g., "аpple.com" using Cyrillic 'а')
  • IP address URLs (+15 points) — legitimate businesses rarely use raw IP addresses
  • HTTP without encryption (+10 points) — no SSL/TLS protection
  • Suspicious TLDs (+10 points) — domain extensions commonly used for abuse (.tk, .ml, .xyz, etc.)
  • Deep subdomains (+8 points) — 3+ levels of subdomains, often used in phishing
  • Typosquatting detection (+20 points) — domains that closely resemble popular brands (e.g., "g00gle.com", "paypa1.com")

6. URL content analysis

  • Suspicious keywords (+10 points) — URLs containing words like "login", "verify", "secure", "update-password" in unusual contexts
  • URL shorteners (+5 points) — services like bit.ly, t.co that obscure the real destination
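
The locally computable signals from sections 4 to 6, combined with the point values listed above and mapped to the risk levels, as an added Python example (not susQR's own code). It assumes the signals are summed and clamped to 0–100, uses constructed sample lists for TLDs, shorteners and keywords, matches keywords anywhere in the URL, and leaves out typosquatting and the vendor and threat-feed lookups.

```python
import ipaddress
from urllib.parse import urlsplit

# Point values come from this page. The sample lists, summing the signals,
# and clamping to 0-100 are assumptions of this example.
SUSPICIOUS_TLDS = {"tk", "ml", "xyz"}
SHORTENERS = {"bit.ly", "t.co"}
KEYWORDS = ("login", "verify", "secure", "update-password")
LEVELS = ((70, "Critical"), (40, "High"), (15, "Medium"), (0, "Low"))

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def score_url(url, redirect_hops=0):
    """Return (score, level, reasons) for the signals in sections 4-6."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    text = (host + parts.path + "?" + parts.query).lower()
    reasons = []
    if redirect_hops >= 1:
        reasons.append((3 * redirect_hops, "redirect hops"))
    if redirect_hops >= 4:
        reasons.append((15, "excessive redirects"))
    # Raw non-ASCII hosts and their xn-- (punycode) form are the same signal.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        reasons.append((20, "punycode / internationalized domain"))
    if is_ip(host):
        reasons.append((15, "IP address URL"))
    else:
        if labels[-1] in SUSPICIOUS_TLDS:
            reasons.append((10, "suspicious TLD"))
        # Assumption: last two labels are the registered domain (no PSL lookup).
        if len(labels) - 2 >= 3:
            reasons.append((8, "deep subdomains"))
    if parts.scheme == "http":
        reasons.append((10, "HTTP without encryption"))
    if any(k in text for k in KEYWORDS):
        reasons.append((10, "suspicious keyword"))
    if host in SHORTENERS:
        reasons.append((5, "URL shortener"))
    score = max(0, min(100, sum(points for points, _ in reasons)))
    level = next(name for floor, name in LEVELS if score >= floor)
    return score, level, reasons
```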

7. Clean scan bonus

If the URL passes all checks cleanly — no vendor flags, no threats detected, no suspicious indicators — the score is reduced, reflecting the low risk.

  • −10 points for a clean scan across all vendors

Why "Why this score?" matters

Every scan result on susQR now shows a detailed breakdown of which factors contributed to the risk score. We don't just give you a number — we explain exactly why, so you can make an informed decision about whether to visit a link.

Methodology references