0M+
Threat Records
Malicious IPs, domains, URLs, and file hashes tracked across the globe — refreshed continuously.
Check any IP, domain, URL, file hash, or CVE against 500M+ threat indicators aggregated from 500+ sources — through a REST API, dashboard, or real-time stream. Free API key, no credit card required.
Known C2 infrastructure linked to Emotet campaigns. Active phishing operations across 23 domains. High confidence from 12 intel sources.
531
Intelligence Sources
Configured feeds are reliability-weighted so SOC teams can see why a verdict was produced.
0M+
New Threats (24h)
Indicators indexed in the last day. Continuous monitoring means you always query the latest intelligence.
0%
Multi-Source Validated
Share of records confirmed by two or more independent sources, cutting false positives before they reach you.
A sample from our live feed. Registered users see the full picture.
Every check fans out across 500+ intelligence sources, correlates the evidence, and returns one explainable verdict — in a single API call.
Aggregate Shodan, GreyNoise, AbuseIPDB, community feeds, and 500+ more providers. Every verdict shows which sources agreed, how reliable they are, and why the score was produced — evidence a SOC can act on.
WHOIS, DNS history, SSL certificates, ASN, geolocation, abuse contacts, and tech stack — resolved in one pass so analysts stop juggling five tabs.
LLM summaries turn raw enrichment into a threat narrative with recommended next steps, tailored to the indicator in front of you.
IOCs map automatically to ATT&CK techniques from threat tags and findings — triage faster with structured threat models.
A REST API designed for developers: reputation, sources, categories, and history in a single JSON response. SDKs, OpenAPI spec, and copy-paste examples included.
Watch critical IPs and domains 24/7. Get notified the moment a watched asset turns suspicious or its threat status changes.
Thousands of indicators per request over the bulk API, or progressive results streamed over SSE for long-running lookups.
Firewall-ready blocklists by threat family, refreshed continuously and exportable straight into your perimeter.
Fuzzy matching surfaces look-alike domains and related infrastructure, exposing coordinated campaigns behind a single IOC.

Anonymous checks show the verdict. A free account unlocks the analysis, the history, and the API behind it — in under a minute.
Unlock the AI summary on every report — a narrative verdict with recommended next steps.
30 checks per month through the REST API, straight from your dashboard. No credit card.
Every check you run is saved. Revisit, compare, and share reports with your team.
Watch the assets you care about and get notified when their threat status changes.
Take verdicts with you — PDF exports for stakeholders, upgrade paths to STIX, CSV, and JSON.
No credit card required · 30 free checks/month · Free API key
Real-time threat intelligence aggregated from industry-leading providers, community feeds, and proprietary detection engines.






Twelve free lookups, no account needed. Every tool runs against the same 500M+ indicator dataset as the API.
Fire real requests against the live API from your browser — no key, no setup, instant JSON.
Reputation, geolocation, and abuse history for any IPv4/IPv6.
Threat verdicts and enrichment for any domain.
Scan links for phishing, malware, and redirects.
MD5, SHA-1, SHA-256 against malware corpora.
Registration records with risk signals parsed out.
Historical resolutions to trace infrastructure.
Spot newly-registered domains — a top phishing signal.
Every domain hosted behind an IP address.
Map the attack surface of any domain.
Ownership and reputation of network blocks.
Paste a list of indicators, triage them in one pass.
IPs, domains, hashes, URLs aggregated continuously
NVD, CISA KEV, EPSS, GHSA, CERT-FR, OTX, and more
Stream API and webhooks for sub-second propagation
isMalicious blocked over 50M malicious requests in the first month alone. The accuracy is impressive with zero false positives.
Sarah Chen
Head of Security
TechCorp Global · USA · Technology
We identified and prevented a sophisticated phishing campaign within hours of deployment. This is proactive security at its finest.
Marcus Weber
Chief Information Security Officer
FinanceSecure · Germany · Financial Services
The real-time threat intelligence helped us block approximately 95% of malicious bot traffic, significantly improving our server performance.
Priya Sharma
Security Engineer
CloudHost Pro · India · Cloud Hosting
Get started with basic threat intelligence. Perfect for individuals and small projects.
Ideal for professionals and small businesses requiring more robust protection.
Comprehensive solution for organizations with advanced security needs. Custom limits and maximum protection.
The most comprehensive threat intelligence database, continuously refreshed from 500+ verified sources.
45M+ phishing domains and credential harvesting sites. Detect fake login pages, brand impersonation, and social engineering attacks in real-time.
120M+ malware distribution IPs and domains. Block ransomware, trojans, viruses, and zero-day malware before they infect your systems.
100M+ malicious IP addresses involved in DDoS attacks, brute force attempts, botnet C2 servers, and network abuse.
28M+ invasive advertising networks, unwanted software promotions, and aggressive marketing domains that degrade user experience.
67M+ tracking domains, analytics scripts, and surveillance networks. Protect user privacy and comply with GDPR requirements.
Comprehensive vulnerability intelligence including CVEs, exposed services, weak SSL certificates, and security misconfigurations.
Every threat is verified across multiple intelligence sources. Our cross-referencing system eliminates false positives and provides confidence scores for each detection.
Unlike static blocklists updated weekly, our database receives hourly updates. New phishing sites, malware domains, and malicious IPs are added within minutes of discovery.
Beyond simple blocklists, get rich threat intelligence including geolocation, ASN data, WHOIS information, SSL certificates, and historical behavior patterns.
Sub-100ms response times, 99.9% uptime SLA, and unlimited scalability. Our cybersecurity API integrates seamlessly with firewalls, SIEM systems, and custom applications.
Enterprise-grade threat intelligence CLI built for maximum performance. Deploy in air-gapped environments, integrate with your CI/CD pipeline, or run automated security checks at scale.
# Update threat intelligence database from 500+ sources
$ ismalicious update
Database update started.
Fetching source 1 of 500 - 00:01.234s
Fetching source 2 of 500 - 00:00.987s
...
Fetching source 500 of 500 - 00:00.823s
Cleaning false positives...
Loaded 2,000,000 legitimate domains
Removed 1,234 false positives
Database update completed in 05:23.456s
# Check a domain
$ ismalicious get malicious-site.ru
Found entry: malicious-site.ru
Categories: malware phishing c2 botnet
# Docker deployment
$ docker run -v $(pwd)/data:/app/data ismalicious/cli update
Run threat intelligence checks completely offline with local JSON databases. No internet dependency once synchronized — perfect for air-gapped environments.
ismalicious get domain.com
Automatically fetches and combines data from 500+ threat intelligence sources. A single command updates your entire local database with the latest threats.
ismalicious update
Advanced curation using Cloudflare Radar and top-1M domain lists. Removes legitimate domains automatically to ensure zero false positives in your threat database.
Auto-cleans during update
Smart regex-based extraction supporting domains, IPv4, and IPv6 addresses. Handles multiple formats and categorizes entities by threat type automatically.
Supports all IP/domain formats
Built for maximum speed and efficiency. Optimized with parallel processing and minimal memory footprint — processes millions of entities in minutes.
Processes millions of entities
Native binaries for Linux, macOS, and Windows. Docker images available for containerized deployments and seamless CI/CD pipeline integration.
docker run ismalicious/cli
Each threat tagged with specific categories: malware, phishing, botnet, C2, and more. Enables precise filtering and threat-specific response workflows.
JSON output with categories
Enterprise license validation with online verification and offline grace periods. Flexible licensing for team and air-gapped deployments.
Secured with license.txt
Built-in performance monitoring with --debug flag. Track fetch times, processing speeds, and database operations for optimization and troubleshooting.
ismalicious --debug update
ShinyHunters-style SSO vishing shows how fake login domains, MFA enrollment abuse, and SaaS access can become data theft. Domain monitoring gives defenders early warning.
Mobile phishing keeps gaining operational relevance. Security teams need URL scanning, domain reputation checks, DNS pivots, and employee reporting workflows built for SMS and chat.
Dutch intelligence warnings about Chinese cyber capability reinforce a practical defense priority: monitor edge devices, VPNs, routers, DNS history, and certificate reuse.
Verizon DBIR reporting highlights vulnerability exploitation as a top breach path. CVE Watch, KEV, EPSS, and exposure context help teams patch what attackers actually use.
Shadow AI has become a governance and data leakage issue. Security teams need discovery, DNS visibility, sanctioned app controls, and domain monitoring around AI tool usage.
Anthropic mapped AI-enabled cyber activity to MITRE ATT&CK and found gaps around autonomous orchestration. SOC teams need AI summaries tied to evidence, not unsupported verdicts.