One platform. One API. From real-time reputation checks to CVE monitoring, ransomware intel, and STIX/TAXII feeds.
IPs, domains, URLs, file hashes — refreshed continuously
NVD, CISA KEV, EPSS, GHSA, CERT-FR, OTX, and many more
Globally distributed edge for sub-second responses
Stream API and webhooks for instant propagation
Twelve capabilities, one platform. Available on every paid plan unless noted.
Check any IP, domain, URL, or file hash against 500+ threat feeds in milliseconds.
Monitor your stack for new vulnerabilities with CPE-based perimeters and exploit-likelihood scoring.
Search victim databases, map group TTPs, and track sector-level risk in real time.
LLM-generated narratives with automatic MITRE ATT&CK mapping for any check result.
Server-Sent Events for sub-second threat propagation — no polling, no missed updates.
Watch domains, IPs, and certificates 24/7. Get notified the moment something changes.
Process up to 100 entities per request with bulk APIs designed for SIEM and SOAR pipelines.
Enterprise threat intel standard support — drop into any SOC stack that speaks TAXII.
Evaluate any email address for breach exposure, disposable domains, and DNS hygiene.
Track SSL/TLS certificates across your infrastructure and surface expirations before they bite.
Generated IP and domain blocklists you can drop straight into firewalls and DNS resolvers.
Custom webhooks for threat events, monitor alerts, and quota warnings — wire it to anything.
Register, copy your API key from the dashboard, and run any of these. Free tier works for all of them.
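```bash
# Reputation check for a single IP; the key is read from the environment.
curl -H "X-API-Key: $ISMALICIOUS_KEY" \
  "https://api.ismalicious.com/check/reputation?query=8.8.8.8"
```

```python
import os
import requests

# Same lookup from Python; fail fast on network stalls and HTTP errors.
r = requests.get(
    "https://api.ismalicious.com/check/reputation",
    params={"query": "8.8.8.8"},
    headers={"X-API-Key": os.environ["ISMALICIOUS_KEY"]},
    timeout=10,
)
r.raise_for_status()
print(r.json())
```

```javascript
import { IsMalicious } from "@ismalicious/sdk-js"

// Same lookup through the typed SDK (top-level await requires an ES module).
const client = new IsMalicious({ apiKey: process.env.ISMALICIOUS_KEY })
const result = await client.check("8.8.8.8")
console.log(result)
```

Talks to the tools your team already runs. Standards-first via STIX/TAXII, plus typed SDKs and signed webhooks.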
Looking for a specific connector? Browse all integrations →
Same API, different jobs. Pick the role-specific guide that matches your work.
Enrich alerts, automate triage, hunt threats with sub-second context.
Drop indicator feeds into Splunk, Elastic, Sentinel, Wazuh, or your own pipeline.
Breach exposure, disposable domains, and DNS hygiene at the gateway.
Drop-in IP and domain blocklists for pfSense, iptables, Palo Alto, AWS, and more.
Multi-tenant threat intel with white-label-ready APIs and bulk pricing.
REST API, typed SDK, OpenAPI spec, and a free tier with API key access.
On-premise option, custom SLAs, dedicated support, STIX/TAXII feeds.
Pivot from a single IOC to full TTP context with AI/MITRE mapping in one call.

| Capability | Free | Basic | Pro |
|---|---|---|---|
| Reputation checks (all entity types) | ✓ | ✓ | ✓ |
| API access | Rate-limited | ✓ | ✓ |
| Monitoring & email alerts | 5 assets | 25 assets | 100 assets |
| CVE Watch | 50 CPEs | ✓ | ✓ |
| Bulk lookups | 10/request | 50/request | 100/request |
| Webhooks | — | — | Up to 10 |
| Stream API (SSE) | — | — | ✓ |
| STIX / TAXII | — | — | ✓ |
| AI threat analysis | — | ✓ | ✓ |
| Ransomware intelligence | ✓ | ✓ | ✓ |
| Email risk analysis | ✓ | ✓ | ✓ |
| Downloadable blocklists | — | ✓ | ✓ |
Need unlimited / on-prem / custom rate limits? See Enterprise →
Hands-on playbooks with copy-paste curl, Python, YARA, and SIEM examples — wired to the same API documented above.
Browse all playbooks

Quick answers about features, plans, and integrations.
The Free tier includes 100 reputation checks/month with rate-limited API access (no credit card). You can use the dashboard, generate an API key, monitor up to 5 assets, run reputation lookups for IPs/domains/URLs/hashes, query CVEs (50 CPEs in CVE Watch), and access ransomware intelligence and email risk endpoints. Paid features such as bulk batches up to 100, webhooks, the stream API, and STIX/TAXII require Basic ($49/mo) or Pro ($99/mo).
isMalicious aggregates from 500+ sources including NVD, CISA KEV, EPSS, GHSA, CERT-FR, AlienVault OTX, AbuseIPDB, Shodan, GreyNoise, ThreatFox, URLhaus, Spamhaus, PhishTank, and many community feeds. Reputation results include source counts and per-source attribution so you can verify provenance.
CVE Watch lets you define perimeters of CPE strings (the products and versions you actually run) and then continuously matches new CVEs to those perimeters with EPSS exploit-likelihood scores, CISA KEV flags, vendor advisories, and exploit availability. It is designed for ongoing monitoring rather than ad-hoc lookups; lookups remain available via /api/cve.
Yes. The Pro plan includes a TAXII 2.1 server with discoverable collections of STIX 2.1 objects. It is compatible with OpenCTI, MISP, and most modern SIEMs that speak TAXII. API key authentication only — no broker setup required.
Most sources are ingested continuously and propagated through the stream API and webhooks within seconds. Aggregated reputation snapshots are refreshed multiple times per hour; CVE catalog entries (CVSS, EPSS, KEV flags) are updated as upstream feeds publish.
Send an X-API-Key header (or Authorization: Bearer) on every request. API keys are issued from the dashboard after registration; the Free tier includes API access at a rate-limited 100 requests/month, while Basic and Pro raise the quota and unlock bulk and stream endpoints.
Yes. The official JavaScript/TypeScript SDK (@ismalicious/sdk-js) ships typed methods for reputation checks, monitoring, CVE search, ransomware intel, AI analysis, the SSE stream, reports, webhooks, and TAXII. Other languages are supported via the documented OpenAPI spec.
Yes — the Enterprise plan includes an on-premise deployment option with full feature parity, custom SLAs, and dedicated support. Contact sales for sizing and pricing.
POST a JSON array of mixed IPs, domains, and URLs (up to 10 on Free, 50 on Basic, 100 on Pro per request) to /bulk/check. Each entity is processed in parallel and the response includes per-entity verdicts, source counts, and optional enrichment. For very large lists, pair bulk with the SSE stream to receive progressive results.
Yes. Webhook payloads are HMAC-signed with a per-webhook secret you set in the dashboard, and the platform retries with exponential backoff on 5xx and timeouts. Supported events include threat.detected, monitor.alert, report.created, and usage.warning.
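An added example, not isMalicious code: one way a receiver could verify the HMAC-signed webhooks described above and stay safe under the retry behaviour. The page does not name the hash, the signature encoding or the payload fields, so hex HMAC-SHA256 over the raw request body and an `event` field are assumptions here, and the sample body is constructed.

```python
import hashlib
import hmac
import json

# Event names listed on the page; anything else is rejected.
KNOWN_EVENTS = {"threat.detected", "monitor.alert", "report.created", "usage.warning"}


def sign(secret: bytes, raw_body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the exact request body bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(secret: bytes, raw_body: bytes, signature: str, seen: set) -> int:
    """Return the HTTP status the receiver should answer with."""
    expected = sign(secret, raw_body).encode()
    supplied = signature.strip().lower().encode()
    # Constant-time comparison, done before any parsing of untrusted JSON.
    if not hmac.compare_digest(expected, supplied):
        return 401  # a 4xx, so the sender's 5xx/timeout retry is not triggered
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400
    # "event" is a hypothetical field name for the event type.
    if not isinstance(payload, dict) or payload.get("event") not in KNOWN_EVENTS:
        return 400
    # A retry after a timeout can deliver the same body twice:
    # acknowledge the duplicate without processing it again.
    digest = hashlib.sha256(raw_body).hexdigest()
    if digest in seen:
        return 200
    seen.add(digest)
    # Hand the payload to the alerting pipeline here.
    return 200


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed; use the per-webhook secret
    body = b'{"event": "threat.detected", "indicator": "203.0.113.7"}'  # constructed
    processed = set()
    print(handle_webhook(secret, body, sign(secret, body), processed))
    # Verifying a re-serialized body instead of the raw bytes fails.
    compact = json.dumps(json.loads(body), separators=(",", ":")).encode()
    print(handle_webhook(secret, compact, sign(secret, body), processed))
```

Keep the raw bytes from the HTTP framework for verification; frameworks that hand over only parsed JSON change whitespace and break the signature check.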
No credit card required. 100 checks/month, every feature you can run on the free plan.