Real-time threat intelligence

Threat IntelAPIfor Security Teams

Check any IP, domain, or CVE against 500M+ threat indicators aggregated from 500+ sources — through a REST API, dashboard, or real-time stream. Free API key, no credit card required.

User
User
User
+109,040 reports
500M+Records
EvidenceSOC
24/7Live
206.168.34.44High risk2h ago
MITRE ATT&CK
T1071 · T1566 · T1583
C&C · Initial Access · Resource Development
AI Summary

Known C2 infrastructure linked to Emotet campaigns. Active phishing operations across 23 domains. High confidence from 12 intel sources.

Reputation Analysis
79%
threat detection rate
42 malicious · 8 suspicious · 3 harmless
12 CVEsdetected
Moscow, RUorigin
SSLexpired 45d
Active< 6h ago
Trusted by security teams worldwide
HKCERT
Houston University
ICS
Kimoshiro
National Grid
Tehtris
Xfinit
By the numbers

523

Source Checks

Configured feeds are reliability-weighted so SOC teams can see why a verdict was produced.

24/7

Real-Time Updates

Continuous monitoring and database refreshes ensure you always have the latest threat intelligence.

500M+

Threat Records

250M IPs, 200M domains, 50M hashes, and more malicious entities tracked across the globe.

80%

Faster Detection

Identify threats faster than traditional methods, reducing response time and potential damage.

Live Data
Updated continuously

What's Happening Right Now

A sample from our live feed. Registered users see the full picture.

Ransomware Activity
Full feed
A.R.Ge.Co
anubisBusiness Services
May 13
NTN Bearing Corporation of America
payoutskingManufacturing
May 13
The Gravity Group
qilinBusiness Services
May 12
Porter Wright
SilentRansomGroupBusiness Services
May 12
Recent CVEs
Full feed
CVE-2026-21637CVSS 7.5
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCall
CVE-2025-11158CVSS 9.1
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restric
CVE-2026-30929CVSS 7.7
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-1
Logged-in users see 500M+ records, full IOC context, and real-time alerts
Get Free Access
Capabilities

What Powers
the Platform

01

Multi-Source Aggregation

Aggregate data from Shodan, GreyNoise, AbuseIPDB, community threat feeds, and 500+ more providers. One query, comprehensive results — no juggling multiple platforms.

Threat IntelData EnrichmentIOC Feeds
02

AI-Powered Analysis

LLM-generated summaries transform raw enrichment data into actionable intelligence with context-aware threat narratives tailored to your environment.

AI AnalysisContextual IntelGenAI Security
03

MITRE ATT&CK Mapping

Automatically map IOCs to MITRE ATT&CK techniques based on threat tags and enrichment findings. Accelerate triage and build structured threat models.

MITRE ATT&CKTTPsThreat Modeling
How it works

See It in Action

terminal
$ curl -H "X-API-Key: $KEY" https://api.ismalicious.com/v1/check/192.168.1.1
Snippet showing IP/domain check response
Data Sources

523+ Verified
Intelligence Sources

Real-time threat intelligence aggregated from industry-leading providers, community feeds, and proprietary detection engines.

Antivirus Engines
Shodan
GreyNoise
AbuseIPDB
Community IOC feeds
IsMalicious
URLhaus
+516More Sources
FAQ

Frequently Asked
Questions

Anything else? Reach out to us.

    • What data does the API return?

      Security score, threat reputation, WHOIS, geolocation, TLS certificates, vulnerabilities, identifier lists, and similar suspicious entities — all from a single query.

    • How often is data refreshed?

      All data is refreshed once per day to ensure daily accuracy across all 500M+ records.

    • API Usage Limits

      Website / Dashboard:
      Anonymous: 1 request / 60 min (100/month)
      Free Account: 1 request / minute (100/month)

      API Access:
      Free API Key: 1 request / 60 min (100/month)
      Basic: 1 requests / min (2,000/month)
      Pro: 60 requests / min (10,000/month)

    • Why is the API rate limited?

      Rate limits prevent abuse and ensure fair access across all users. Need higher throughput? Contact us for custom plans.

    • Cancel & refund policy

      We do not offer refunds for any plans. If you have an issue with our service, reach out and we will do our best to help.

    • What integrations are available?

      We support CORTEX, offer an on-premise CLI for air-gapped environments, and provide exportable firewall blocklists. More integrations with top cybersecurity platforms are in progress.

    • Where is isMalicious based?

      isMalicious is a French company headquartered in Europe, operating under GDPR compliance.

    • Disclaimer of responsibility

      isMalicious provides threat scores based on aggregated public datasets. We do not accept liability for decisions made from this data. Use it as a supplement to your own security measures and professional judgment.

    • How do I get support?

      Email us at contact@ismalicious.com. We respond within one business day.
Database

500M+ Threat Records
Across Every Category

The most comprehensive threat intelligence database, continuously refreshed from 600+ verified sources.

01

Phishing Database

45M+ phishing domains and credential harvesting sites. Detect fake login pages, brand impersonation, and social engineering attacks in real-time.

Updated hourly
02

Malware Intelligence

120M+ malware distribution IPs and domains. Block ransomware, trojans, viruses, and zero-day malware before they infect your systems.

600+ sources
03

IP Blocklist

100M+ malicious IP addresses involved in DDoS attacks, brute force attempts, botnet C2 servers, and network abuse.

Real-time updates
04

Adware Blocklist

28M+ invasive advertising networks, unwanted software promotions, and aggressive marketing domains that degrade user experience.

Multi-source verified
05

Tracking Domain Database

67M+ tracking domains, analytics scripts, and surveillance networks. Protect user privacy and comply with GDPR requirements.

Privacy-focused
06

Vulnerability Database

Comprehensive vulnerability intelligence including CVEs, exposed services, weak SSL certificates, and security misconfigurations.

Continuous scanning

Multi-Source Validation

Every threat is verified across multiple intelligence sources. Our cross-referencing system eliminates false positives and provides confidence scores for each detection.

Real-Time Blocklist Updates

Unlike static blocklists updated weekly, our database receives hourly updates. New phishing sites, malware domains, and malicious IPs are added within minutes of discovery.

Comprehensive Threat Context

Beyond simple blocklists, get rich threat intelligence including geolocation, ASN data, WHOIS information, SSL certificates, and historical behavior patterns.

Enterprise-Ready API

Sub-100ms response times, 99.9% uptime SLA, and unlimited scalability. Our cybersecurity API integrates seamlessly with firewalls, SIEM systems, and custom applications.

Start Protecting Your Infrastructure
Today — Free Tier Available

Try Free NowExplore Database
Enterprise

On-Premise
CLI Solution

Enterprise-grade threat intelligence CLI built for maximum performance. Deploy in air-gapped environments, integrate with your CI/CD pipeline, or run automated security checks at scale.

Request Enterprise License
terminal — ismalicious cli
# Update threat intelligence database from 500+ sources
$ ismalicious update
Database update started.
Fetching source 1 of 500 - 00:01.234s
Fetching source 2 of 500 - 00:00.987s
...
Fetching source 500 of 500 - 00:00.823s
Cleaning false positives...
Loaded 2,000,000 legitimate domains
Removed 1,234 false positives
Database update completed in 05:23.456s

# Check a domain
$ ismalicious get malicious-site.ru
Found entry: malicious-site.ru
Categories: malware phishing c2 botnet

# Docker deployment
$ docker run -v $(pwd)/data:/app/data ismalicious/cli update
01

Offline Database Operations

Run threat intelligence checks completely offline with local JSON databases. No internet dependency once synchronized — perfect for air-gapped environments.

ismalicious get domain.com
02

Multi-Source Aggregation

Automatically fetches and combines data from 500+ threat intelligence sources. A single command updates your entire local database with the latest threats.

ismalicious update
03

False Positive Filtering

Advanced curation using Cloudflare Radar and top-1M domain lists. Removes legitimate domains automatically to ensure zero false positives in your threat database.

Auto-cleans during update
04

Entity Extraction Engine

Smart regex-based extraction supporting domains, IPv4, and IPv6 addresses. Handles multiple formats and categorizes entities by threat type automatically.

Supports all IP/domain formats
05

High Performance

Built for maximum speed and efficiency. Optimized with parallel processing and minimal memory footprint — processes millions of entities in minutes.

Processes millions of entities
06

Cross-Platform Support

Native binaries for Linux, macOS, and Windows. Docker images available for containerized deployments and seamless CI/CD pipeline integration.

docker run ismalicious/cli
07

Category Classification

Each threat tagged with specific categories: malware, phishing, botnet, C2, and more. Enables precise filtering and threat-specific response workflows.

JSON output with categories
08

License-Based Access

Enterprise license validation with online verification and offline grace periods. Flexible licensing for team and air-gapped deployments.

Secured with license.txt
09

Debug & Benchmarking

Built-in performance monitoring with --debug flag. Track fetch times, processing speeds, and database operations for optimization and troubleshooting.

ismalicious --debug update