Peer into the Abyss.
Know every IP's true intent.
A top-tier IP threat intelligence API. Abuse scoring, blocklists, darknet mentions, JA3 fingerprints, behavioral analysis, predictive ML — all in one call. 30+ endpoints. Sub-50ms warm cache.
Free tier: 50 anonymous scans per month. No signup required.
One API. Every angle of attack.
Most IP reputation APIs give you a yes/no answer. Abyss gives you the forensic depth security teams actually need.
Calibrated Risk Scoring
A weighted scoring model combines 10+ blocklist feeds, darknet mentions, honeypot interactions, and behavioral analysis into a single 0–100 risk score with confidence intervals.
Blocklist Aggregation
Real-time lookup across Spamhaus, Feodo Tracker, Emerging Threats, blocklist.de, and more — with hit categorization and source attribution for every match.
Predictive ML Analysis
A trained model predicts the probability of future malicious behavior based on burst patterns, threat actor correlation, and historical trajectory.
Darknet Intelligence
Continuously crawled darknet forums surface mentions of the IP — context, post date, reliability rating, and source attribution.
JA3 + TLS Fingerprinting
Capture and correlate TLS handshake fingerprints against known malware families. Identify C2 infrastructure even when ports and banners change.
Behavioral Fingerprinting
Detect burst patterns, off-hours activity, periodic beaconing, and weekend ratios — the behavioral signals that distinguish a real user from a botnet node.
Threat Actor Attribution
Link IPs to known threat actors (APT29, FIN7, Lazarus, etc.) with confidence scores and MITRE ATT&CK technique mappings.
STIX 2.1 Compliant
Export intelligence as STIX 2.1 bundles with deterministic UUIDv5 IDs — drop straight into your TIP, SIEM, or threat intelligence platform.
Bulk + Async Scan
Synchronous bulk for up to 25 IPs, or async jobs for up to 1000. Poll the job endpoint, get results back, build it into your SOC pipeline.
The full endpoint catalog.
Every endpoint below is live in production. All responses are JSON, cached at the edge, and documented in the OpenAPI spec.
/v1/ip/{ip}Full IP reputation report (30+ data fields)
/v1/ip/{ip}/summaryFast scoring only
/v1/ip/{ip}/blocklist-checkBlocklist hit detection across 10+ feeds
/v1/ip/{ip}/darkweb-checkDarknet forum mentions
/v1/ip/{ip}/tor-checkTor exit node verification
/v1/ip/{ip}/asn-contextASN owner, hosting type, ISP intel
/v1/ip/{ip}/threat-actorsThreat actor association + MITRE ATT&CK
/v1/ip/{ip}/behavioralBurst patterns, periodicity, beaconing
/v1/ip/{ip}/predictiveML-based future malicious probability
/v1/ip/{ip}/ja3TLS fingerprint + malware correlation
/v1/ip/{ip}/infrastructureInfrastructure graph mapping
/v1/ip/{ip}/otxAlienVault OTX pulse correlation
/v1/ip/{ip}/tls-fingerprintDetailed TLS handshake analysis
/v1/ip/{ip}/footprintsHistorical footprint aggregation
/v1/ip/{ip}/timelineRisk score over time series
/v1/ip/{ip}/csvCSV export of risk timeline
/v1/ip/bulkSynchronous bulk scan (up to 25 IPs)
/v1/ip/bulk/asyncAsync bulk scan (up to 1000 IPs)
/v1/ip/history/{ip}Historical scan history
/v1/ip/watch/{ip}Webhook subscriptions on IP changes
/v1/domain/{domain}Domain-to-IP intelligence with live DNS
/v1/intel/feedSTIX 2.1 compliant intel feed
/v1/intel/summaryIntel feed summary statistics
/v1/threatintel/catalogThreat intel catalog
/v1/threatintel/malware/{name}Malware family lookup
/v1/feedbackCommunity IP verdict submission
/health, /health/readyService health probes
/version, /metricsVersion + Prometheus metrics
Start scanning in under a second.
No credit card, no signup. Just type an IP and see what the abyss already knows about it.