Unified ThreatIntelligence

Comprehensive threat intelligence database with 500M+ malicious IPs, domains, phishing sites, malware, adware, and tracking domains. Our real-time cybersecurity blocklist API protects against vulnerabilities and cyber threats instantly.

User
User
User
+101,840 generated reports by security analysts
206.168.34.44HIGH RISKLast detected: 2h ago
MAPPED TO T1071, T1566, T1583
Tactics: C&C, Initial Access, Resource Development
50+ providers • Shodan • GreyNoise • + more
AI SUMMARY
"Known C2 infrastructure linked to Emotet campaigns. Active phishing operations detected across 23 domains. High confidence based on 12 threat intelligence sources."
Generated from 12 enrichment sources
REPUTATION ANALYSIS
42 malicious • 8 suspicious • 3 harmless
79% threat detection
Sources: 50+ providers, Shodan, GreyNoise
THREAT INDICATORS
• 12 CVEs detected
• Moscow, Russia 🇷🇺
• SSL expired 45 days ago
• Active in last 6 hours

Trusted by leading organizations

Our platform delivers actionable intelligence that helps organizations stay ahead of cyber threats

HKCERT
Houston University
ICS
Kimoshiro
National Grid
Tehtris
Xfinit
Abstract visualization suggesting precision and verified threat signals

Accuracy Rate: 99.9%

Detection accuracy in identifying malicious IPs and domains thanks to our advanced aggregation engine.

99.9%

Accuracy Rate

Abstract visualization suggesting live streams and continuous monitoring

Real-Time Updates: 24/7

Continuous monitoring and database updates to ensure you always have the latest threat intelligence.

24/7

Real-Time Updates

Abstract visualization suggesting a global threat data mesh

Threat Records: 500M+

250M IPs, 200M domains, 50M hashes, and more malicious entities across the globe.

500M+

Threat Records

Abstract visualization suggesting speed and rapid response

Faster Detection: 80%

Identify threats faster than traditional methods, reducing response time and potential damage.

80%

Faster Detection

Multi-Source Aggregation

Aggregate data from Shodan, GreyNoise, AbuseIPDB, AlienVault OTX, and 50+ more providers. One query, comprehensive results.

Threat IntelData EnrichmentIOC Feeds

AI-Powered Summaries

LLM-generated analysis transforms raw enrichment data into actionable intelligence with context-aware threat summaries.

AI AnalysisContextual IntelGenAI Security

MITRE ATT&CK Mapping

Automatically map IOCs to MITRE ATT&CK techniques based on threat tags and enrichment findings.

MITRE ATT&CKTTPsThreat Modeling

See How It Works

Query any IP or domain through our API and get instant results with enrichment from multiple security sources.

We check if an IP address or domain is malicious or suspicious. You can use our API or use our website to check IPs and domains.

Protect your assets by watching them and getting notified when something malicious or suspicious related to it. Our aggregator engine is getting updated every day.

Use our API to benefits from our research and detection. This is especially useful if you are a security researcher or a SOC analyst.

Integrated Sources

Real-time threat intelligence from 523+ verified industry-leading providers

Antivirus Engines

Active

Shodan

Active

GreyNoise

Active

AbuseIPDB

Active

AlienVault OTX

Active

IsMalicious

Active

URLhaus

Active

Frequently asked questions

If you have anything else you want to ask, reach out to us.

    • What's the data distributed by the API?

      Security score, threat reputation, whois, geolocation, certificates, vulnerabilities, identifiers lists, similar suspicious entities...

    • What's the data retention duration limits?

      All data are refreshed 1 time a day to ensure data accuracy on a daily basis.

    • API Usage Limits & Restrictions

      Website / Dashboard:
      - Anonymous: 1 request per 60 minutes (100/month) — sign in for more
      - Free Account (session): 1 request per minute (100/month)

      API Access:
      - Free API Key: 1 request per 60 minutes (100/month)
      - Basic Plan: 1 requests per minute (2,000/month)
      - Pro Plan: 60 requests per minute (10,000/month)

      Need higher limits? Contact us for custom plans: contact@ismalicious.com

    • Why is the API rate limited?

      The API is rate limited to prevent abuse. If you need a higher rate limit, please contact us at contact@ismalicious.com

    • What about the cancel & refund policy?

      We do not offer refunds for any of our plans. If you have any issues with our service, please contact us at contact@ismalicious.com and we will do our best to assist you.

    • What integrations are available?

      We are currently working on integrations with top cybersecurity companies to provide a seamless experience to our users. Keep an eye on our roadmap to see what's coming next. Currently, we support CORTEX, offer a CLI version of isMalicious for on-premise use, and provide firewall exportable blocklist features.

    • Where is isMalicious based?

      isMalicious is a French company based in Europe.

    • Disclaimer of Responsibility for Usage

      isMalicious provides information and cyber threat scores based on aggregated and analyzed public datasets. However, we disclaim any responsibility for decisions made or actions taken based on this information. Users are encouraged to use this data as a supplement to their own security measures and to exercise their own professional judgment to assess risks and make appropriate decisions. isMalicious does not guarantee the complete absence of threats and cannot be held liable for any damages resulting from the use of our service.

    • How do I get support?

      If you need support, please contact us at contact@ismalicious.com

The Most Comprehensive Threat Intelligence Database

500M+ verified malicious IPs, domains, and cyberthreat records from 600+ intelligence sources. Real-time blocklist API designed for modern cybersecurity teams.

🎣

Phishing Database

45M+ phishing domains and credential harvesting sites. Detect fake login pages, brand impersonation, and social engineering attacks in real-time.

Updated hourly
🦠

Malware Intelligence

120M+ malware distribution IPs and domains. Block ransomware, trojans, viruses, and zero-day malware before they infect your systems.

600+ sources
🛡️

IP Blocklist

100M+ malicious IP addresses involved in DDoS attacks, brute force attempts, botnet C2 servers, and network abuse.

Real-time updates
📢

Adware Blocklist

28M+ invasive advertising networks, unwanted software promotions, and aggressive marketing domains that degrade user experience.

Multi-source verified
👁️

Tracking Domain Database

67M+ tracking domains, analytics scripts, and surveillance networks. Protect user privacy and comply with GDPR requirements.

Privacy-focused
🔓

Vulnerability Database

Comprehensive vulnerability intelligence including CVEs, exposed services, weak SSL certificates, and security misconfigurations.

Continuous scanning

Why Our Threat Intelligence Database Stands Out

Multi-Source Validation

Every threat is verified across multiple intelligence sources. Our cross-referencing system eliminates false positives and provides confidence scores for each detection.

Real-Time Blocklist Updates

Unlike static blocklists updated weekly, our database receives hourly updates. New phishing sites, malware domains, and malicious IPs are added within minutes of discovery.

Comprehensive Threat Context

Beyond simple blocklists, get rich threat intelligence including geolocation, ASN data, WHOIS information, SSL certificates, and historical behavior patterns.

Enterprise-Ready API

Sub-100ms response times, 99.9% uptime SLA, and unlimited scalability. Our cybersecurity API integrates seamlessly with firewalls, SIEM systems, and custom applications.

Start Protecting Your Infrastructure Today

Join thousands of security professionals using our threat intelligence database. Free tier available - no credit card required.

Try Free NowExplore Database

Limited FREE API calls • No credit card • Instant access

On-Premise CLI Solution

Enterprise-grade threat intelligence CLI built for maximum performance. Deploy in air-gapped environments, integrate with your CI/CD pipeline, or run automated security checks at scale.

terminal
# Update threat intelligence database from 500+ sources
$ ismalicious update
Database update started.
Fetching source 1 of 500 - 00:01.234s
Fetching source 2 of 500 - 00:00.987s
Fetching source 3 of 500 - 00:01.456s
...
Fetching source 500 of 500 - 00:00.823s
Cleaning false positives...
Fetching legitimate domains lists...
Processing legitimate domains...
Loaded 2,000,000 legitimate domains
Starting domain cleanup...
Removed 1,234 legitimate domains
False positives cleaning completed in 00:15.789s
Database update completed in 05:23.456s

# Check if a domain is malicious with full category details
$ ismalicious get malicious-site.ru
Found entry in domains.json: malicious-site.ru
Categories: malware phishing c2 botnet

# Check an IP address
$ ismalicious get 192.168.1.100
Found entry in ips.json: 192.168.1.100
Categories: tor-exit-node proxy

# Deploy in Docker with persistent data volume
$ docker run -v $(pwd)/data:/app/data ismalicious/cli update
Database update started...

  • Offline Database Operations

    Run threat intelligence checks completely offline with local JSON databases. No internet dependency once synchronized, perfect for air-gapped environments.

    ismalicious get domain.com

  • Multi-Source Aggregation

    Automatically fetches and combines data from 500+ threat intelligence sources. Single command updates your entire local database with the latest threats.

    ismalicious update

  • False Positive Filtering

    Advanced curation using Cloudflare Radar and top-1M domains lists. Removes legitimate domains automatically to ensure zero false positives in your threat database.

    Auto-cleans during update

  • Entity Extraction Engine

    Smart regex-based extraction supporting domains, IPv4, and IPv6 addresses. Handles multiple formats and automatically categorizes entities by threat type.

    Supports all IP/domain formats

  • High-Performance

    Built for maximum speed and efficiency. Optimized network operations with libcurl, parallel processing, and minimal memory footprint.

    Processes millions of entities

  • Cross-Platform Support

    Native binaries for Linux, macOS, and Windows. Docker images available for containerized deployments and seamless CI/CD integration.

    docker run ismalicious/cli

  • Category Classification

    Each threat is tagged with specific categories like malware, phishing, botnet, C2, and more. Enables precise filtering and threat-specific response workflows.

    JSON output with categories

  • License-Based Access

    Enterprise license validation system with online verification. Supports offline grace periods and flexible licensing for team deployments.

    Secured with license.txt

  • Debug & Performance Monitoring

    Built-in benchmarking tools with --debug flag. Track fetch times, processing speeds, and database operations for optimization and troubleshooting.

    ismalicious --debug update
Request Enterprise License