Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.

Platform: Self-serve · $0 – $99/mo
Endpoints: 24 · REST · v1
Sources: 11 threat-intel feeds
Latency: 312 ms · p50
THREAT INTEL · PHISHING · EXPOSURE

Threat intel, phishing triage, and exposure scans in one API.

DFIR Lab aggregates up to 11 threat-intel sources per IOC, automates phishing-email triage, and maps your external attack surface — from a single self-serve API. No sales call, no annual contract, 100 free credits every month.
$ curl /v1/enrichment/lookup
→ HTTP 200 · 312 ms

{
  "ioc": "45.155.205.x",
  "verdict": "malicious",
  "score": 87,
  "sources": 11,
  "tags": ["c2", "bruteforce"],
  "...": "truncated for display"
}
Live: 312 ms median · 11 sources aggregated
01·THE PRODUCT

Three endpoints do most of the work.

Most analyst workflows reduce to phishing triage, IOC enrichment, or attack-surface review. The platform ships a self-serve REST API for each — shown here with real requests and the response shape you'll actually get.

Shared across endpoints

  • Bearer-token auth, one key per environment.
  • JSON in, JSON out — batch-friendly where it matters.
  • Metered in credits, not in seats or events.
POST /v1/phishing/analyze
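# 1 credit · returns verdict, risk_score, spf/dkim/dmarc, indicators
# base64 reads stdin and newlines are stripped, so the value stays a valid JSON string with both GNU and BSD/macOS base64
curl -X POST https://api.dfir-lab.ch/v1/phishing/analyze \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"raw_email":"'"$(base64 < suspicious.eml | tr -d '\n')"'"}'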
These are real endpoints — copy the curl, replace the key, run it.
→ HTTP 200 · example response · application/json
{
  "verdict": "malicious",
  "risk_score": 0.92,
  "auth": { "spf": "fail", "dkim": "fail", "dmarc": "fail" },
  "indicators": 3
}
02·CAPABILITIES

Four pillars, one API key.

Every capability is self-serve, batch-friendly, and metered in credits. Combine them in your SOAR, n8n, or a Python cron — the platform doesn't care.
IOC ENRICHMENT

Eleven sources, one normalized response.

A single /v1/enrichment/lookup call aggregates up to 11 threat-intel sources per IP (8 per domain/URL, 6 per hash) and returns a normalized verdict you can branch on. Batch up to 50 IOCs at 3 credits each — built for incident-speed triage.

Sources
virustotal·abuseipdb·greynoise·shodan·urlscan·+6 more
Coverage by indicator type (sources): IP 11 · Domain 8 · URL 8 · Hash 6
3 CR / IOC · Batch up to 50
PHISHING TRIAGE

Parse an .eml, get a verdict.

Deterministic SPF/DKIM/DMARC checks and extracted indicators in one call. Add an AI rationale when you want human-readable reasoning on the borderline ones.

1–10 CR · Deterministic · AI optional
ATTACK SURFACE

What the internet can see of you.

One domain in, full exposure map out: subdomains, services, TLS findings, severity counts. Scheduled per-client for MSSPs.

10 CR · Per scan · schedulable
AI TRIAGE & DETECTION

Claude-powered summaries, threat-actor profiles, detection-rule drafts.

Feed enrichment JSON + MITRE TTPs into /v1/ai/triage, /ai/threat-profile, or /ai/detect to get an analyst-grade write-up or a Sigma/YARA/KQL draft. Opt-in — deterministic endpoints are the default.

Credits per call: TRIAGE 10 CR · THREAT-PROFILE 20 CR · DETECT 15 CR
03·EXPLORE

Twelve use cases, eight comparisons — pick your entry point.

The catalog pages are long-form. These are the most-requested entries; click through for the full list.

USE CASES

Workflows by persona.

01 · SOC ANALYST · Automated Phishing Triage for SOC Teams · Endpoints: 4 · Tier: Starter
02 · IR CONSULTANT · IOC Enrichment for Incident Response · Endpoints: 4 · Tier: Starter
03 · MSSP OPERATOR · Continuous Exposure Monitoring for MSSPs · Endpoints: 4 · Tier: Professional

COMPARE

Stack against what your team knows.

01 · DFIR vs VirusTotal · Rows: 11 · FAQ: 6
02 · DFIR vs AbuseIPDB · Rows: 10 · FAQ: 6
03 · DFIR vs TheHive · Rows: 10 · FAQ: 6
04·RESEARCH

Fresh from the lab.

Deep-dive field notes on threats, tools, and the workflow — long enough to matter, short enough to read on a train.
Apr 19, 2026 · DFIR Investigation Steps: From Alert to Report · 11 min
Apr 16, 2026 · External Attack Surface Scanner API: Map Your Domain's Exposure in One Call · 10 min
Apr 15, 2026 · VirusTotal API Alternative: Cheaper Multi-Source IOC Enrichment for Security Teams · 9 min
ECOSYSTEM

Runs alongside

TheHive·Wazuh·Splunk·n8n·Tines·Shuffle·Elastic·MISP
05·PRICING

Three tiers cover most teams.

Transparent, self-serve, metered in credits. No sales call. Full pricing lives on the platform — this is the short version.
FREE FOREVER · 100 CR / MO

Free

$0 / month

  • 100 API credits every month
  • Every public tool (/ioc-check, /phishing-check, /file-analyzer)
  • 1 API key · 1 user
  • No credit card
STARTER · 500 CR / MO

Starter

$29 / month

  • 500 API credits every month
  • Every endpoint (IOC, phishing, exposure, AI triage)
  • 5 API keys · 10 team members
  • Priority email support
PROFESSIONAL · 2,500 CR / MO

Professional

$99 / month

  • 2,500 API credits every month
  • Unlimited API keys · unlimited team members
  • Priority support · AI endpoints
  • Everything in Starter, higher volume

Academic $9/mo · Enterprise custom. All tiers self-serve.

Evidence over vibes.

Colophon

Start reading the API.

Solo-maintained. Open about sources, honest about limits. Pull the curl, ship an integration, send feedback.
