API & developer tools

Threat intelligence API you can ship tonight.

One REST surface for IP reputation, domain reputation, URL scanning, file hashes, bulk checks, streaming enrichment, and IOC workflows — documented, versioned, and ready for your SIEM, SOAR, or product backend.

RESTServer-Sent EventsOpenAPI 3TAXII 2.1
GET api.ismalicious.com/check
200 OK~48ms
{
  "query": "example.com",
  "reputation": "suspicious",
  "score": 0.87
}

Illustrative response — fields vary by plan and target type.

Integration

First request in three lines

Base64-encode apiKey:apiSecret as X-API-KEY. Same pattern in every SDK.

# X-API-KEY = base64(apiKey:apiSecret)
curl -G "https://api.ismalicious.com/check" \
  --data-urlencode "query=example.com" \
  --data-urlencode "enrichment=standard" \
  -H "X-API-KEY: $(echo -n 'YOUR_API_KEY:YOUR_API_SECRET' | base64)"

Everything in one surface

Deep dives per topic — or jump straight into the canonical reference.

Single Lookup API

Real-time entity checking and risk scoring with instant results.

Bulk Lookup API

High-throughput batch processing for checking thousands of entities.

Streaming API

SSE progressive checks: /check/stream?query= on api.ismalicious.com.

Webhooks

Event-driven notifications for alerts and monitoring changes.

SDKs & Libraries

Official SDKs for Python, Node.js, Go, and Rust.

API Playground

Interactive testing environment to try the API without code.

New

Rate Limits

Understanding rate limits and optimizing API usage.

Authentication

API key management and authentication methods.

Changelog

Latest API updates, features, and deprecations.

Uptime SLA
99.9%
Production edge
Avg latency
<100ms
Global PoPs
Indicators tracked
0M+
Across all IOC types
Intelligence sources
500+
Aggregated per verdict

Evaluation facts

Clear product boundaries for security teams comparing API-first threat intelligence vendors.

Supported indicators

IP addresses, domains, URLs, file hashes, email reputation, ASN context, and vulnerability references.

Delivery modes

Single lookup, bulk lookup, Server-Sent Events streaming, webhook notifications, SDKs, and OpenAPI import.

Decision fields

Normalized reputation, source attribution, category labels, confidence context, enrichment metadata, and rate-limit headers.

Buyer fit

SOC enrichment, SIEM/SOAR workflows, signup abuse checks, firewall automation, CTI platforms, and developer security products.

Limits and access

Free key with 30 checks/month, documented rate limits, Pro with 10,000 checks/month, and enterprise support for custom feed needs.

Boundaries

isMalicious is a threat intelligence and reputation API; it is not a full malware sandbox or internet-wide asset search engine.

API evaluation guides

Supporting material for buyers comparing threat intelligence APIs, IP/domain reputation APIs, and enrichment pipelines.

Threat intelligence API comparison

Compare API coverage, limits, freshness, and workflow fit before choosing a vendor.

IP reputation checks

How to evaluate IP risk signals without over-blocking legitimate traffic.

Domain reputation scoring

Domain age, infrastructure patterns, phishing signals, and confidence scoring.

IOC enrichment API workflows

Enrichment patterns for SOC queues, incident response, and SIEM/SOAR pipelines.

Cloud IP reputation

How to reason about AWS, Azure, GCP, VPN, proxy, and datacenter IP context.

Vendor alternatives

Detailed comparisons against VirusTotal, AbuseIPDB, Shodan, AlienVault OTX, and others.

What is the isMalicious API?

Programmatic access to our threat intelligence graph: real-time domain, IP, URL, and hash reputation with enrichment designed for security workflows — not a generic WHOIS wrapper.

Getting started

Free tier includes 30 requests per month. Create an account, issue keys from the dashboard, and use official SDKs or curl. The playground and OpenAPI spec help you explore without guesswork.

Built for reliability

Infrastructure aimed at mission-critical use cases: high availability targets, low-latency responses, and clear rate-limit semantics so you can scale integrations confidently.

Docs & support

Endpoints are documented with examples and field explanations. Paid plans include prioritized support channels; status and incidents are communicated on our public status page.

Ready when your pipeline is

30 free requests per month. No card required — upgrade when you outgrow the sandbox.

Create account