IoC Lookup
Pricing
from $2.00 / 1,000 IoC lookups
Real-time IoC reputation lookups (URL, hash, IP, domain) served from the Crawland threat-intelligence backend.
Developer: Crawland
Maintained by Community
Real-time threat intelligence for file hashes, IPv4 addresses, domains, and URLs — 70+ vendor verdicts in a single call.
API Overview
IoC Lookup is a real-time threat intelligence API that answers a simple question: "Is this indicator dangerous?"
Send any of four indicator types — a file hash (MD5 / SHA-1 / SHA-256), a URL, an IPv4 address, or a domain — and get a structured risk overview that helps you understand the indicator faster.
- Vendor-level insight: Compare verdicts from 70+ security engines including BitDefender, Sophos, Forcepoint, Cisco, ESET, Kaspersky, Fortinet, McAfee, and more.
- Reputation summary: Quickly assess whether an indicator is trusted, suspicious, or malicious.
- Detection breakdown: Review malicious, suspicious, harmless, and undetected counts for faster decision-making.
- Indicator-specific context: Get relevant enrichment data depending on the indicator type, such as domain, IP, URL, or file-related intelligence.
Response Highlights
An IoC Lookup response can include security vendor analysis, detection statistics, reputation data, categories, threat names, URL metadata, redirects, response codes, outgoing links, trackers, DNS records, WHOIS data, certificate details, sandbox verdicts, contacted domains/IPs, and file intelligence depending on the indicator type.
What can you do with this API?
- 🔎 Look up URLs, domains, IPs, and hashes
- 🛡️ Check vendor-level security analysis
- 📊 Review malicious, suspicious, harmless, and undetected counts
- 🌐 Inspect URL redirects, metadata, response codes, and trackers
- 🧩 Analyze domain data such as DNS, WHOIS, certificates, and reputation
- 📁 Investigate hashes with file metadata, threat labels, and sandbox results
Response model
Every successful request returns:
{
  "is_success": true,
  "response_code": 200,
  "message": "Success",
  "data": { /* indicator-specific payload */ }
}
When an indicator can't be processed (e.g. a malformed value), the call still returns HTTP 200 with is_success: false and the underlying response_code in the body — inspect is_success rather than relying on the HTTP status alone.
Use cases
GET /url
Look up a URL — phishing, defacement, content classification, vendor verdicts. Pro tip: pass the full URL including scheme. Query strings and fragments are accepted but normalised internally.
GET /hash
Look up a file by MD5 / SHA-1 / SHA-256. Returns file metadata, signing info, behavioural tags, and 70+ vendor verdicts.
GET /ip
Look up an IPv4 address — reputation, ASN / network ownership, country, vendor verdicts. IPv6 is not currently supported.
GET /domain
Look up a domain — reputation, WHOIS, DNS records, popularity ranks (Alexa, Cisco Umbrella, Cloudflare Radar, Majestic), content categories, JARM fingerprint.
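Added example, not Crawland's code: a client-side sketch that picks one of the four endpoints above for a raw indicator (rejecting IPv6, which the page says is unsupported) and unwraps the response envelope by checking is_success instead of trusting HTTP 200. The function names, the error class, the simplified domain check and the sample bodies are assumptions; no base URL or query parameter appears because the page gives none.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

HASH_HEX_LENGTHS = {32, 40, 64}  # hex digest lengths of MD5, SHA-1, SHA-256
# Simplified syntactic check for a hostname with an alphabetic TLD (assumption).
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample bodies; only the four envelope keys come from the page.
OK_BODY = '{"is_success": true, "response_code": 200, "message": "Success", "data": {"example_field": 1}}'
FAIL_BODY = '{"is_success": false, "response_code": 400, "message": "constructed failure"}'

class IocLookupError(Exception):
    """The lookup did not succeed, whatever the HTTP status said."""

def route_indicator(value):
    """Return the endpoint path (/hash, /ip, /url, /domain) for an indicator."""
    v = value.strip()
    if len(v) in HASH_HEX_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", v):
        return "/hash"
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version == 6:
            raise ValueError("IPv6 is not supported by /ip")
        return "/ip"
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.hostname:
        return "/url"  # full URL including scheme, as the page advises
    if DOMAIN_RE.match(v):
        return "/domain"
    raise ValueError(f"unrecognised indicator: {v!r}")

def unwrap(http_status, body_text):
    """Return the 'data' payload, or raise if the envelope reports failure."""
    if http_status != 200:
        raise IocLookupError(f"HTTP {http_status}")
    try:
        env = json.loads(body_text)
    except ValueError as exc:
        raise IocLookupError("body is not valid JSON") from exc
    if not isinstance(env, dict):
        raise IocLookupError("unexpected envelope shape")
    # HTTP 200 is not proof of success: is_success carries the real outcome.
    if env.get("is_success") is not True:
        raise IocLookupError(f"response_code={env.get('response_code')} message={env.get('message')!r}")
    return env.get("data", {})
```

Raising on a failed envelope keeps an unprocessed indicator from being read as a clean verdict in an enrichment pipeline.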
Need something custom or need support?
Looking for a different response format, a bulk lookup option, a custom integration, or help with setup? Send us a DM and we'll be happy to support you and help you find the best setup for your use case.