API & developer tools

Threat intelligence you can ship tonight.

One REST surface for lookups, bulk jobs, streaming enrichment, and enterprise workflows — documented, versioned, and ready for your SIEM, SOAR, or product backend.

RESTServer-Sent EventsOpenAPI 3TAXII 2.1
Get free API keyBrowse full docsopenapi.json
GET api.ismalicious.com/check
200 OK~48ms
{
  "query": "example.com",
  "reputation": "suspicious",
  "score": 0.87
}

Illustrative response — fields vary by plan and target type.

Integration

First request in three lines

Base64-encode apiKey:apiSecret as X-API-KEY. Same pattern in every SDK.

# X-API-KEY = base64(apiKey:apiSecret)
curl -G "https://api.ismalicious.com/check" \
  --data-urlencode "query=example.com" \
  --data-urlencode "enrichment=standard" \
  -H "X-API-KEY: $(echo -n 'YOUR_API_KEY:YOUR_API_SECRET' | base64)"

Everything in one surface

Deep dives per topic — or jump straight into the canonical reference.

Full API reference

Routes, auth modes, public vs dashboard endpoints, TAXII, bulk, streaming — kept in sync with api.ismalicious.com.

Live docs

OpenAPI spec

Import into Postman, Insomnia, or codegen pipelines.

api.ismalicious.com

Single Lookup API

Real-time entity checking and risk scoring with instant results.

Read guide

Bulk Lookup API

High-throughput batch processing for checking thousands of entities.

Read guide

Streaming API

SSE progressive checks: /check/stream?query= on api.ismalicious.com.

Read guide

Webhooks

Event-driven notifications for alerts and monitoring changes.

Read guide

SDKs & Libraries

Official SDKs for Python, Node.js, Go, and Rust.

Read guideNew

API Playground

Interactive testing environment to try the API without code.

Read guide

Rate Limits

Understanding rate limits and optimizing API usage.

Read guide

Authentication

API key management and authentication methods.

Read guide

Changelog

Latest API updates, features, and deprecations.

Read guide
Uptime SLA
99.9%
Production edge
Avg latency
<100ms
Global PoPs
Developers
10K+
On the platform
API calls / mo
1B+
Served at scale

Evaluation facts

Clear product boundaries for security teams comparing API-first threat intelligence vendors.

Supported indicators
IP addresses, domains, URLs, file hashes, email reputation, ASN context, and vulnerability references.
Delivery modes
Single lookup, bulk lookup, Server-Sent Events streaming, webhook notifications, SDKs, and OpenAPI import.
Decision fields
Normalized reputation, source attribution, category labels, confidence context, enrichment metadata, and rate-limit headers.
Buyer fit
SOC enrichment, SIEM/SOAR workflows, signup abuse checks, firewall automation, CTI platforms, and developer security products.
Limits and access
Free key for evaluation, documented rate limits, higher-volume plans, and enterprise support for custom feed needs.
Boundaries
isMalicious is a threat intelligence and reputation API; it is not a full malware sandbox or internet-wide asset search engine.

API evaluation guides

Supporting material for buyers comparing threat intelligence APIs, IP/domain reputation APIs, and enrichment pipelines.

Threat intelligence API comparison

Compare API coverage, limits, freshness, and workflow fit before choosing a vendor.

Read guide

IP reputation checks

How to evaluate IP risk signals without over-blocking legitimate traffic.

Read guide

Domain reputation scoring

Domain age, infrastructure patterns, phishing signals, and confidence scoring.

Read guide

IOC enrichment API workflows

Enrichment patterns for SOC queues, incident response, and SIEM/SOAR pipelines.

Read guide

Cloud IP reputation

How to reason about AWS, Azure, GCP, VPN, proxy, and datacenter IP context.

Read guide

Vendor alternatives

Detailed comparisons against VirusTotal, AbuseIPDB, Shodan, AlienVault OTX, and others.

Read guide

What is the isMalicious API?

Programmatic access to our threat intelligence graph: real-time domain, IP, URL, and hash reputation with enrichment designed for security workflows — not a generic WHOIS wrapper.

Getting started

Free tier includes 30 requests per month. Create an account, issue keys from the dashboard, and use official SDKs or curl. The playground and OpenAPI spec help you explore without guesswork.

Built for reliability

Infrastructure aimed at mission-critical use cases: high availability targets, low-latency responses, and clear rate-limit semantics so you can scale integrations confidently.

Docs & support

Endpoints are documented with examples and field explanations. Paid plans include prioritized support channels; status and incidents are communicated on our public status page.

From the blog

Patterns for integrating threat intel at scale

API Integration for Threat Intelligence
Engineering

API integration for threat intelligence

Automate enrichment without bolting on five different vendor SDKs.

Building a Modern SOC with Threat Intelligence
SOC

Building a modern SOC with threat intelligence

How API-first intel keeps detection and response aligned.

Ready when your pipeline is

30 free requests per month. No card required — upgrade when you outgrow the sandbox.

Create account