Threat Scoring Methodology
How isMalicious aggregates signals from 17+ threat intelligence sources, weights them by source reliability, and produces a single confidence-scored verdict for every IP address, domain, and URL in our database.
500M+ threat records · 17+ intelligence sources · < 1 hour data refresh · 99.9% API uptime SLA
How the Scoring Pipeline Works
Multi-Source Ingestion
For every lookup, isMalicious queries 17+ live threat intelligence feeds in parallel. Each source returns a binary flag (malicious / clean) and optional metadata such as threat category, first-seen date, and confidence.
Source Reliability Weighting
Not all sources are equal. Each source carries a reliability weight between 0 and 1 based on historical accuracy and false-positive rates. VirusTotal and Google Safe Browsing sit at 0.95; community-reported sources like StopForumSpam sit at 0.70. A flag from a high-reliability source contributes proportionally more to the final score.
Cross-Provider Correlation
Our cross-correlator checks for agreement across distinct provider categories: blocklists, multi-engine scanners, and abuse databases. Agreement across categories is scored as a factor in its own right (12% of the confidence score) because independent detection classes are less likely to share the same false positives; two blocklists that mirror the same upstream feed are not independent evidence, while a blocklist and a scanner that agree usually are.
Confidence Score Calculation
Six factors are combined into a 0–100 confidence score using fixed weights (see table below). A verdict is marked "malicious" when the score is ≥ 50 and at least one source flags the indicator. Scores below 30 that carry a malicious flag are floor-boosted to 35 so that a confirmed flag is never reported with near-zero confidence; because 35 is still below the 50 threshold, the floor changes the reported confidence, not the verdict.
Enrichment & Context
Each result is enriched with geolocation, ASN, WHOIS registration data, domain age, TLS certificate history, and DNS history. For CVEs, we layer on CVSS v3, EPSS scores from FIRST.org, CISA KEV status, SSVC exploitation classification, CERT-FR advisories, MSRC bulletins, and Exploit-DB references.
Confidence Score Factors
| Factor | Weight | Description |
|---|---|---|
| Source Agreement | 33% | How many independent sources flag the same indicator |
| Source Quality | 22% | Reliability score of the flagging sources (0–1 per source) |
| VirusTotal Consensus | 18% | Agreement ratio across all VirusTotal engines |
| Cross-Provider Agreement | 12% | Confirmation across provider categories (blocklist vs scanner vs abuse) |
| Data Completeness | 10% | Whether all expected enrichment fields are populated |
| Data Freshness | 5% | How recently the threat signal was observed |
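To make the pipeline steps above and the six weights in the table concrete, the following is an added worked example in Python. It is not isMalicious's own code: the reliability weights are the page's published values, but the per-factor normalisations (fraction of sources flagging, mean reliability of the flagging sources, VirusTotal engine ratio, number of provider classes in agreement, fraction of enrichment fields present, 30-day linear freshness decay), the mapping of each source to a coarse scanner/blocklist/abuse class, and the sample votes and enrichment records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reliability weights are the page's published values. The coarse provider
# class (scanner / blocklist / abuse) used for cross-provider correlation is an
# assumption for this example: the page names the classes, not the mapping.
SOURCES = {
    "VirusTotal": (0.95, "scanner"), "Google Safe Browsing": (0.95, "scanner"),
    "PhishTank": (0.90, "blocklist"), "OpenPhish": (0.90, "blocklist"),
    "URLhaus (abuse.ch)": (0.90, "blocklist"), "Abuse.ch": (0.90, "blocklist"),
    "Spamhaus": (0.85, "blocklist"), "SURBL": (0.85, "blocklist"),
    "Feodo Tracker": (0.85, "blocklist"), "AlienVault OTX": (0.80, "abuse"),
    "Malware Domains": (0.80, "blocklist"), "Tor Project": (0.80, "blocklist"),
    "Malware Domain List": (0.75, "blocklist"), "Blocklist.de": (0.75, "abuse"),
    "ThreatCrowd": (0.75, "abuse"), "AbuseIPDB": (0.70, "abuse"),
    "StopForumSpam": (0.70, "abuse"),
}
PROVIDER_CLASSES = sorted({cls for _, cls in SOURCES.values()})

# The six factor weights from the page's table; they sum to 1.0.
WEIGHTS = {"source_agreement": 0.33, "source_quality": 0.22, "vt_consensus": 0.18,
           "cross_provider": 0.12, "completeness": 0.10, "freshness": 0.05}
ENRICHMENT_FIELDS = ("geolocation", "asn", "whois", "domain_age", "tls_history", "dns_history")
FRESHNESS_WINDOW = timedelta(days=30)   # assumed linear decay window


@dataclass
class Vote:
    source: str
    flagged: bool                       # the binary flag every source returns
    first_seen: Optional[datetime] = None
    vt_total: int = 0                   # engine counts, populated by VirusTotal only
    vt_malicious: int = 0


def factors(votes, enrichment, now):
    """Normalise each factor to 0..1. The page gives the weights, not the
    per-factor formulas, so every normalisation here is an assumption."""
    flagged = [v for v in votes if v.flagged]
    f = {}
    f["source_agreement"] = len(flagged) / len(votes) if votes else 0.0
    f["source_quality"] = (sum(SOURCES[v.source][0] for v in flagged) / len(flagged)
                           if flagged else 0.0)
    vt = next((v for v in votes if v.source == "VirusTotal"), None)
    f["vt_consensus"] = vt.vt_malicious / vt.vt_total if vt and vt.vt_total else 0.0
    classes = {SOURCES[v.source][1] for v in flagged}
    # one class flagging is no cross-provider agreement; every class is full agreement
    f["cross_provider"] = ((len(classes) - 1) / (len(PROVIDER_CLASSES) - 1)
                           if classes else 0.0)
    f["completeness"] = (sum(enrichment.get(k) is not None for k in ENRICHMENT_FIELDS)
                         / len(ENRICHMENT_FIELDS))
    seen = [v.first_seen for v in flagged if v.first_seen]
    f["freshness"] = max(0.0, 1 - (now - max(seen)) / FRESHNESS_WINDOW) if seen else 0.0
    return f


def score(votes, enrichment, now):
    """Weighted 0-100 score, the page's floor boost, and the page's verdict rule."""
    f = factors(votes, enrichment, now)
    s = 100 * sum(WEIGHTS[k] * f[k] for k in WEIGHTS)
    any_flag = any(v.flagged for v in votes)
    floored = any_flag and s < 30       # "below 30 with a malicious flag -> 35"
    if floored:
        s = 35.0
    verdict = "malicious" if any_flag and s >= 50 else "clean"
    return {"score": round(s, 1), "verdict": verdict, "floored": floored, "factors": f}


NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock for the constructed samples
DAY = timedelta(days=1)


def phishing_url_example():
    """Constructed: 4 of 8 sources flag, VT 14/70 engines, 5 of 6 enrichment fields."""
    votes = [Vote("VirusTotal", True, NOW - 2 * DAY, vt_total=70, vt_malicious=14),
             Vote("Google Safe Browsing", True, NOW - DAY),
             Vote("PhishTank", True, NOW - 3 * DAY), Vote("OpenPhish", True, NOW - 3 * DAY),
             Vote("URLhaus (abuse.ch)", False), Vote("Spamhaus", False),
             Vote("SURBL", False), Vote("AlienVault OTX", False)]
    enrichment = {"geolocation": "NL", "asn": 64496, "whois": {}, "domain_age": 12,
                  "tls_history": [], "dns_history": None}
    return score(votes, enrichment, NOW)


def weak_single_flag_example():
    """Constructed: one 0.70-reliability flag, 40 days old, 3 of 6 fields -> floor boost."""
    votes = [Vote("StopForumSpam", True, NOW - 40 * DAY),
             Vote("VirusTotal", False, vt_total=70), Vote("Google Safe Browsing", False),
             Vote("Spamhaus", False), Vote("AbuseIPDB", False)]
    return score(votes, {"geolocation": "NL", "asn": 64496, "whois": {}}, NOW)


def clean_example():
    """Constructed: nobody flags, full enrichment; only completeness contributes."""
    votes = [Vote("VirusTotal", False, vt_total=70), Vote("Google Safe Browsing", False),
             Vote("Spamhaus", False)]
    return score(votes, {k: "present" for k in ENRICHMENT_FIELDS}, NOW)


if __name__ == "__main__":
    for fn in (phishing_url_example, weak_single_flag_example, clean_example):
        print(fn.__name__, fn())
```

Two properties of the rule as the page states it are worth noticing in the output. The weak single flag lands at 27 and is lifted to 35, yet the verdict stays "clean" because 35 < 50; the floor only protects the reported confidence. The floor is also not monotonic: a flagged indicator scoring 29 is reported as 35 while one scoring 31 is reported as 31, so clients that rank by score should not assume a higher score always meant more evidence.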
Intelligence Sources
Sources are queried in parallel and reliability-weighted. Reliability scores are derived from our own measurement of each source's historical accuracy and false-positive rate, not from confidence values the sources report about themselves.
| Source | Category | Reliability (0–1) |
|---|---|---|
| VirusTotal | Multi-engine scanner | 0.95 |
| Google Safe Browsing | Phishing & malware | 0.95 |
| PhishTank | Phishing | 0.90 |
| OpenPhish | Phishing | 0.90 |
| URLhaus (abuse.ch) | Malware distribution | 0.90 |
| Abuse.ch | C2 & malware | 0.90 |
| Spamhaus | Spam & abuse | 0.85 |
| SURBL | Spam URL blocklist | 0.85 |
| Feodo Tracker | Banking trojan C2 | 0.85 |
| AlienVault OTX | Threat intelligence | 0.80 |
| Malware Domains | Malware hosting | 0.80 |
| Tor Project | Anonymization network | 0.80 |
| Malware Domain List | Malware hosting | 0.75 |
| Blocklist.de | Brute-force & abuse | 0.75 |
| ThreatCrowd | Threat intelligence | 0.75 |
| AbuseIPDB | IP abuse reporting | 0.70 |
| StopForumSpam | Forum spam | 0.70 |
Data Freshness
Threat intelligence feeds are ingested on a continuous schedule. Most blocklists and abuse feeds refresh every 15–60 minutes. Scanner-based sources (VirusTotal, Google Safe Browsing) are queried on demand per lookup request, with results cached in Redis (TTL: 1 hour for clean results, 15 minutes for malicious ones), so a malicious verdict is re-validated against the scanners four times as often as a clean one.
CVE data is synchronized from NVD, CISA KEV, OpenCVE, CERT-FR, MSRC, GitHub Security Advisories, and FIRST EPSS every 6 hours. FIRST publishes EPSS scores once a day, so each day's new EPSS scores appear within 6 hours of publication.
Ransomware victim data is ingested continuously from monitored leak sites. New victims typically appear within 1–4 hours of publication.
False Positive Handling
False positives are minimized through source quality gating and cross-provider disagreement detection. When our scanner consensus and blocklist sources disagree significantly, we surface a source disagreement signal in the API response rather than forcing a binary verdict.
Major CDN ranges (Cloudflare, Fastly, AWS, Azure, Google Cloud) are tracked separately to avoid flagging shared infrastructure. Domain age, registrar, and certificate transparency data help distinguish newly registered malicious domains from legitimate ones.
Users can report false positives via the Report endpoint. Confirmed false positives are reviewed within 24 hours and propagated to our blocklist suppression layer.
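As an added example of the false-positive controls described in this section (shared-infrastructure tracking, scanner-versus-blocklist disagreement, and domain age), here is Python code that is not isMalicious's own. The CDN and cloud ranges are constructed placeholders taken from the RFC 5737 and RFC 3849 documentation prefixes, the 0.5 disagreement gap and the 30-day "newly registered" cutoff are assumed thresholds, the policy of withholding a binary verdict whenever either signal fires is an assumption, and the sample votes are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Placeholder shared-infrastructure ranges constructed for this example from
# RFC 5737 / RFC 3849 documentation prefixes. None is a real CDN or cloud
# range; a deployment loads each provider's published prefix list instead.
SHARED_INFRA = {
    "example-cdn": [ipaddress.ip_network("203.0.113.0/24")],
    "example-cloud": [ipaddress.ip_network("198.51.100.0/24"),
                      ipaddress.ip_network("2001:db8::/32")],
}
DISAGREEMENT_GAP = 0.5   # assumed: class hit ratios this far apart count as disagreement
NEW_DOMAIN_DAYS = 30     # assumed cutoff for "newly registered"


def shared_infra_owner(ip):
    """Provider whose tracked range contains ip, or None.
    Raises ValueError when ip is not an address literal (a domain or URL)."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in SHARED_INFRA.items():
        if any(addr in net for net in nets):
            return owner
    return None


def class_hit_ratios(votes):
    """votes: iterable of (source, provider_class, flagged) -> {class: fraction flagged}."""
    totals, hits = {}, {}
    for _, cls, flagged in votes:
        totals[cls] = totals.get(cls, 0) + 1
        hits[cls] = hits.get(cls, 0) + int(flagged)
    return {cls: hits[cls] / totals[cls] for cls in totals}


def source_disagreement(votes):
    """True when the scanner class and the blocklist class split on the
    indicator by at least DISAGREEMENT_GAP; needs both classes queried."""
    ratios = class_hit_ratios(votes)
    if "scanner" not in ratios or "blocklist" not in ratios:
        return False, ratios
    return abs(ratios["scanner"] - ratios["blocklist"]) >= DISAGREEMENT_GAP, ratios


def false_positive_signals(indicator, votes, created=None, now=None):
    """Collect the three controls into response-style signals and say whether
    a binary verdict should be forced at all (the policy is an assumption)."""
    now = now or datetime.now(timezone.utc)
    signals = []
    try:
        owner = shared_infra_owner(indicator)
    except ValueError:          # domain or URL, not an address
        owner = None
    if owner:
        signals.append("shared_infrastructure:" + owner)
    disagree, ratios = source_disagreement(votes)
    if disagree:
        signals.append("source_disagreement")
    if created is not None and now - created < timedelta(days=NEW_DOMAIN_DAYS):
        signals.append("newly_registered_domain")
    return {"indicator": indicator, "signals": signals,
            "class_hit_ratios": ratios, "binary_verdict": not (owner or disagree)}


# Constructed sample votes: (source, provider class, flagged)
VOTES_SPLIT = [   # blocklists hit, scanners clean: the classic shared-host false positive
    ("VirusTotal", "scanner", False), ("Google Safe Browsing", "scanner", False),
    ("Spamhaus", "blocklist", True), ("SURBL", "blocklist", True),
    ("Blocklist.de", "abuse", True),
]
VOTES_AGREE = [
    ("VirusTotal", "scanner", True), ("Google Safe Browsing", "scanner", True),
    ("PhishTank", "blocklist", True), ("OpenPhish", "blocklist", True),
]
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock for the samples


def shared_host_example():
    """A documentation-range IP on a CDN that two blocklists flag and no scanner does."""
    return false_positive_signals("203.0.113.7", VOTES_SPLIT, now=NOW)


def new_domain_example():
    """A domain registered 4 days ago that scanners and blocklists agree on."""
    return false_positive_signals("login-update.example", VOTES_AGREE,
                                  created=NOW - timedelta(days=4), now=NOW)


if __name__ == "__main__":
    print(shared_host_example())
    print(new_domain_example())
```

The disagreement check compares hit ratios per provider class rather than raw counts, so a site with many blocklists and two scanners is not biased toward "disagreement" simply by having more blocklists. Note that the shared-infrastructure lookup is by exact prefix containment; an indicator that is a domain or URL bypasses it entirely, which is why the domain-age signal matters for those indicator types.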
Access the full threat intelligence API
Every score, signal, and source breakdown is available via the isMalicious API — including raw source votes, reliability weights, and cross-correlation signals.