Check any IP, domain, hash, or URL instantly.
Free IOC reputation lookup across 14+ threat intelligence sources. Check any IP, domain, URL, hash, or email for malicious activity — aggregated verdict, source-by-source breakdown, shareable results.
Public results are stored to generate shareable links. Want private analysis? See below.
Public results on this page are stored as shareable URLs and visible to anyone with the link. Sign up for the DFIR Platform and every enrichment stays inside your organization's private sandbox — never indexed, never shared, with full raw source data, batch mode, and API access.
An aggregated reputation lookup for any indicator of compromise. The tool fans out in parallel to 14+ threat intelligence sources, normalizes their verdicts, and returns a composite risk score.
IPv4/IPv6 scoring across AbuseIPDB, GreyNoise, Shodan, OTX. Detects scanners, botnets, Tor, known C2.
Category, registration age, typosquat signals, phishing history across VirusTotal, OTX, URLScan.
Live URL scan via URLScan, CheckPhish, VirusTotal. Flags phishing kits, credential harvesters, malware distribution.
MD5, SHA-1, SHA-256, SHA-512 lookups against VirusTotal, Hybrid Analysis. Returns AV family, first-seen, detection ratio.
The composite score (0–100) is the mean of per-source scores that returned a hit. The verdict band is thresholded:
IP, domain, URL, hash, or email. The type is auto-detected from the value — no need to pick a category.
14+ threat intel providers are queried in parallel. Failures and timeouts are handled gracefully — no single provider blocks the response.
Composite score 0–100, clean/suspicious/malicious verdict, per-source breakdown. Every result gets a permanent shareable URL.
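The fan-out and scoring rule described above, as an added sketch that is not the tool's own code: the provider functions are constructed stand-ins with hypothetical names, and the `None` return for "no record", the 0.3 s deadline, and the `None` composite when nothing hits are assumptions.

```python
import concurrent.futures as cf
import time

# Constructed stand-ins for provider clients (hypothetical names, no network).
# Each returns a 0-100 score on a hit, or None when it has no record.
def av_aggregator(ioc): return 90
def abuse_db(ioc): return 60
def passive_dns(ioc): return None
def sandbox(ioc): raise ConnectionError("provider unreachable")
def slow_scanner(ioc):
    time.sleep(1.0)          # exceeds the deadline used below
    return 10

PROVIDERS = {f.__name__: f for f in
             (av_aggregator, abuse_db, passive_dns, sandbox, slow_scanner)}

def enrich(ioc, providers=PROVIDERS, deadline=0.3):
    """Query all providers in parallel; return (composite, per_source)."""
    pool = cf.ThreadPoolExecutor(max_workers=len(providers))
    futures = {pool.submit(fn, ioc): name for name, fn in providers.items()}
    done, pending = cf.wait(futures, timeout=deadline)
    pool.shutdown(wait=False, cancel_futures=True)   # do not block on stragglers

    per_source = {futures[f]: "timeout" for f in pending}
    for fut in done:
        try:
            score = fut.result()
            per_source[futures[fut]] = score if score is not None else "no hit"
        except Exception as exc:                     # one failure stays local
            per_source[futures[fut]] = f"error: {exc}"

    # Mean over sources that returned a hit only: timeouts, errors and
    # "no hit" answers are excluded rather than counted as zero.
    hits = [s for s in per_source.values() if isinstance(s, int)]
    composite = sum(hits) / len(hits) if hits else None   # None is an assumption
    return composite, per_source

if __name__ == "__main__":
    print(enrich("198.51.100.7"))    # documentation-range IP, constructed
```

Excluding non-answers from the mean matters for triage: counting a timeout as 0 would pull a flagged indicator toward a clean-looking score.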
Need programmatic access? Use our API for automated IOC enrichment.
Every check fans out to 14+ providers across AV aggregators, IP reputation, phishing detection, and passive DNS — in a single request.
60+ AV engines aggregated. IP/domain/URL/hash verdicts, detection ratios, relationships.
Crowdsourced abuse confidence score. SSH brute force, spam, scanning reports.
Internet-wide scan data. Open ports, banners, services for any IP.
Host and certificate scan data. Historical exposure snapshots.
Background internet noise classification. Separates mass scanners from targeted probes.
Open threat exchange pulses. Known campaigns, IOCs shared by the community.
Live URL sandboxing. Screenshot, DOM tree, effective URL, verdict.
Phishing-focused URL classification. Zero-day phishing kits and credential harvesters.
File detonation sandbox. MITRE mapping, YARA matches, behavioral indicators.
Unified TI platform. Aggregated risk, threats, related indicators.
Historical DNS resolutions and domain telemetry for pivoting.
Spur, IPQualityScore, and others — the full set grows over time. Paid API tier unlocks raw per-source data.
An indicator of compromise (IOC) is a forensic artifact observed on a network or host that, with high confidence, indicates malicious activity: an IP address contacting a C2 server, a domain hosting a phishing kit, a file hash matching a known malware family. Reputation lookups cross-reference that artifact against threat intelligence databases to convert a raw value into an actionable verdict — the first step of nearly every SOC triage workflow.
Scoring spans abuse history, scanner classification, open-port exposure, and country enrichment. Useful for triaging firewall hits, suspicious logins, outbound beacons.
Category, registration age, passive DNS history, and known-bad flags. Newly registered domains with no history are a classic phishing signal.
Live URL sandboxing. The request is rendered in a safe browser, a screenshot is compared against brand databases, and the effective URL (after redirects) receives a verdict.
MD5 / SHA-1 / SHA-256 / SHA-512. Returns AV family, first-seen, detection ratio, sandbox reports, and YARA matches. The safest way to check suspected malware — no sample needed.
Single-source lookups have blind spots. A fresh phishing domain may not yet be flagged by any AV aggregator, but URLScan will already have a rendered screenshot and brand-detection verdict. An IP running an active brute-force attack shows up on AbuseIPDB within hours; the same IP only appears on VirusTotal days later when telemetry propagates. Aggregating reduces time-to-detection and keeps false negatives manageable.
Every result includes a defanged representation of the input — for example 185[.]220[.]101[.]45 or evil[.]com. Defanging prevents accidental clicks when IOCs are pasted into chat, tickets, or PDF reports, and keeps email security gateways from rewriting the indicator. Always defang when sharing externally.
Results on this page are stored so you can send a link to a teammate. That also means the URL is publicly reachable. For ongoing investigations where the IOC itself is sensitive — a victim's IP, an internal phishing target, an attribution hypothesis — use the DFIR Platform instead. Enrichment there happens inside your organization's sandbox, results are never indexed or shared, and you get the raw per-source data that the free tier strips.
An indicator of compromise is a forensic artifact — an IP, domain, URL, hash, or email — that, observed on a network or host, indicates malicious activity. Reputation checks convert raw IOCs into verdicts by cross-referencing threat intelligence databases.
IPv4 and IPv6 addresses, domains, URLs (with scheme), file hashes (MD5 / SHA-1 / SHA-256 / SHA-512), and email addresses. The input type is auto-detected — just paste the value.
Yes. The public checker is free with a 10-checks-per-hour rate limit per IP, no account required. The paid API tier on the DFIR Platform adds raw per-source data, batch mode, webhooks, and removes the rate limit.
The composite score aggregates 14+ threat intel sources, which reduces single-source blind spots. That said, no reputation tool is infallible — always treat a 'malicious' verdict as a strong lead to investigate, not a final conclusion, and a 'clean' verdict as 'not currently flagged', not 'definitively safe'.
10 checks per hour per IP address. The limit resets on a rolling hour window. If you need higher throughput, the DFIR Platform's paid API tier has per-second rate limits measured in the hundreds.
VirusTotal, AbuseIPDB, Shodan, Censys, GreyNoise, AlienVault OTX, URLScan.io, CheckPhish, Hybrid Analysis, Pulsedive, and several more. Each provider contributes a normalized score and summary to the aggregated verdict.
Public results are stored to make share URLs work. If you need sensitive IOCs to stay inside your organization — victim IPs, internal phishing targets, attribution research — sign up for the DFIR Platform, where every enrichment runs in a private org sandbox and is never indexed.
Triage the asset: block the IOC at the perimeter, check logs for prior activity, identify exposed hosts, and pivot on related indicators (domain → resolving IPs, IP → other domains on that host, hash → same-family samples). This tool returns tags to help pivot — the full workflow is in the DFIR Platform.
Paste email headers to check for phishing, spoofing, and authentication failures.
Full WHOIS, DNS, SPF / DMARC / BIMI, TLS, and CT log analysis with A+ to F grading.
Scan any domain for open ports, SSL issues, DNS misconfigurations, and attack surface.
The DFIR Platform gives you API access, batch enrichment, webhooks, full raw source data, and a private org sandbox — results never leave your workspace. Free tier includes 300 credits to get started.