
Domain Reputation API v2

The v2 API version differs from the v1 only in the output format.

Evaluate a domain's reputation based on numerous security data sources and on an instant audit of the host. For a given domain name or IPv4 address, the API collects and evaluates over 120 parameters and calculates the resulting reputation score.

GET https://api.threatintelligenceplatform.com/v2/reputation?domainName=threatintelligenceplatform.com&mode=fast&apiKey=YOUR_API_KEY

Input parameters


Parameter              Type    What it means
domainName (required)  string  The target domain name or IPv4 address.
apiKey (required)      string  Get your personal API key on the My subscriptions page.
mode (optional)        string  TIP can check the domain in one of two modes:
  • "fast" (default). Only the following tests run: 62 WHOIS Domain status, 82 Malware databases check, 87 SSL certificate validity and 93 WHOIS Domain check; all other tests and data collectors are disabled.
  • "full". All tests are performed, matching what the TIP GUI displays.

Sample output


{
    "mode": "fast",
    "reputationScore": 88.11,
    "testResults": [
        {
            "test": "WHOIS Domain check",
            "testCode": 93,
            "warnings": [
                {
                    "warningDescription": "Owner details are publicly available",
                    "warningCode": 2009
                }
            ]
        },
        {
            "test": "SSL certificate validity",
            "testCode": 87,
            "warnings": [
                {
                    "warningDescription": "Recently obtained certificate, valid from  2022-05-09 08:32:32",
                    "warningCode": 6001
                }
            ]
        },
        {
            "test": "SSL vulnerabilities",
            "testCode": 88,
            "warnings": [
                {
                    "warningDescription": "HTTP Strict Transport Security not set",
                    "warningCode": 6015
                },
                {
                    "warningDescription": "TLSA record not configured or configured wrong",
                    "warningCode": 6019
                },
                {
                    "warningDescription": "OCSP stapling not configured",
                    "warningCode": 6006
                }
            ]
        }
    ]
}

The data returned


Field                                          Type      What it means
mode                                           string    The selected mode.
reputationScore                                integer   Composite safety score based on numerous security data sources: 0 is dangerous, 100 is safe.
testResults[0].test                            string    The name of the test that reduced the final score. See available tests.
testResults[0].testCode                        integer   Unique numeric test identifier. See available test codes.
testResults[0].warnings                        object[]  The list of warnings detected while the test ran. See available warnings.
testResults[0].warnings[0].warningDescription  string    Warning description. See available warning descriptions.
testResults[0].warnings[0].warningCode         integer   Unique numeric warning code. See available warning codes.

Test codes


CSV format: domain-reputation-api-test-codes.csv


Code Test name
26 Mail servers Reverse IP addresses match
32 Mail servers Real-time blackhole check
61 WHOIS and DNS name servers match
62 WHOIS Domain status
71 Open ports and services
74 Name servers configuration check
75 Name servers response
76 Name servers configuration meets best practices
80 Mail servers configuration check
81 Mail servers response
82 Malware databases check
84 SOA record configuration check
87 SSL certificate validity
88 SSL vulnerabilities
91 Potentially dangerous content
92 Host configuration issues
93 WHOIS Domain check

Warning codes


CSV format: domain-reputation-api-warning-codes.csv


Code Warning
1001 Name servers with private IPs found.
1002 Some name servers don’t respond.
1003 Some name servers allow recursive queries.
1004 Some name servers don’t provide A record for target domain name.
1005 Some name servers are listed by authoritative servers but not by parent ones.
1006 Some name servers are not listed by authoritative name servers.
1007 Name servers with invalid domain names found.
1008 NS records with CNAME found.
1009 Glue is required but not provided. No IPv4/IPv6 glue found on some authoritative or parent name servers.
1010 NS records are different on different name servers.
1011 Name servers that don't allow TCP connections found.
1012 The domain's number of name servers doesn't meet recommendations. It's recommended to have 2 to 7 name servers.
1013 Some name servers are located on a single ASN.
1014 Some name servers are located in the same network.
1015 Versions are exposed for some name servers.
1016 Name servers without A records found. Those servers are not reachable via IPv4.
1017 Name servers without AAAA record found. Those servers are not reachable via IPv6.
1018 SOA serial number is valid but not following general convention.
1019 SOA expire interval doesn’t meet recommended range. It should be [604800 .. 1209600].
1020 SOA minimum TTL doesn’t meet recommended range. It should be [3600 .. 86400].
1022 Some name servers have different serial numbers.
1023 SOA refresh interval doesn’t meet recommended range. It should be [1200 .. 43200].
1024 SOA retry interval doesn’t meet recommended range. It should be [120 .. 7200].
1025 SOA zone's administrative contact email is not set.
1026 Unable to fetch domain's NS records.
2001 Recently registered domain.
2002 Domain name’s registration expired.
2003 Domain name’s registration expires soon.
2004 Domain name’s WHOIS status isn’t safe.
2005 Domain name is registered in a free zone.
2006 Domain’s name servers not found in the WHOIS record.
2007 WHOIS record's Name Servers don't match ones returned by the parent NS.
2008 Domain is registered in a country considered to be offshore.
2009 Domain name’s owner details are publicly available.
3001 Directory listing is allowed on website.
3002 IFrames found on the website.
3003 Links to .apk files found on the website.
3004 Links to .exe files found on the website.
3005 Opened .git directory in the document root found.
3006 There are open ports on the target server.
3007 Redirects found on website.
3008 Scripts opening new windows found.
4001 Target domain name or URL listed on some malware blocklists.
4002 Target domain name or URL listed on some phishing blocklists.
4003 Target domain name or URL listed on some spam blocklists.
4004 Target domain name or URL listed on some reputation blocklists.
4005 Target domain name or URL listed on some denial of service attack data blocklists.
5000 Some mail servers' domain names received through Reverse DNS are resolving to different IP addresses than the ones provided in the initial A records. Emails sent from servers configured this way may be rejected.
5001 Some mail servers are found with real-time blocklist check.
5002 Can't connect to some mail servers.
5003 For some mail servers, greeting response doesn't contain the mail server's domain name.
5004 Some mail servers don't allow setting postmaster@%host% as recipient.
5005 Some mail servers don't allow setting abuse@%host% as recipient.
5006 A records are not configured for some mail servers.
5007 AAAA records are not configured for some mail servers.
5008 CNAME in MX records found.
5009 Some MX records contain invalid domain names.
5010 Private IPs usage in MX records detected.
5011 IP addresses found in MX records.
5012 Non-identical MX records on name servers found.
5013 Some MX records defined more than once.
5014 Some mail servers use the same IPv4 address.
5015 SPF record is not configured.
5016 DMARC record is not configured.
5017 Non-identical SPF/DMARC records on name servers found.
5018 Google mail servers are configured with a wrong TTL.
5019 Google mail servers are configured with an incorrect Top server.
5020 Some mail servers use the same IPv6 address.
6001 Recently obtained SSL certificate detected.
6002 SSL certificate is not valid yet.
6003 SSL certificate expires soon.
6004 SSL certificate expired.
6005 CRL check failed.
6006 OCSP check failed.
6007 Target hostname isn't present in SSL certificate.
6008 SSL certificate is self-signed.
6009 TLSv1.2 not supported but should be.
6010 SSLv2 is supported but shouldn't be.
6011 SSLv3 is supported but shouldn't be.
6012 Suboptimal cipher suites supported.
6013 SSL compression enabled on server.
6014 HPKP headers set.
6015 HTTP Strict Transport Security not set.
6017 Heartbleed vulnerability detected.
6018 TLS_FALLBACK_SCSV not supported.
6019 TLSA record not set.
6020 TLSA record configured incorrectly.
6021 OCSP stapling not configured.
6022 Public key listed on Debian's blocklist.
6023 No SSL certificates found.
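As an added example (not the vendor's own SDK or code), the following Python helper builds the documented request URL, fetches the response, and reduces a v2 response body to a triage summary for the fields and warning codes described above. Grouping warning codes by their thousands digit is an assumption drawn from the warning-code table; SAMPLE_RESPONSE is a constructed copy of the documented sample, trimmed to two tests.

```python
import json
import urllib.parse
import urllib.request

API_URL = "https://api.threatintelligenceplatform.com/v2/reputation"
# Assumption: the thousands digit of a warning code names its family, as the table suggests.
WARNING_FAMILIES = {1: "name servers/SOA", 2: "WHOIS", 3: "website content",
                    4: "blocklists", 5: "mail servers", 6: "SSL/TLS"}


def build_request_url(domain_name, api_key, mode="fast"):
    """Build the documented GET URL; only the two documented modes are accepted."""
    if mode not in ("fast", "full"):
        raise ValueError("mode must be 'fast' or 'full'")
    query = urllib.parse.urlencode(
        {"domainName": domain_name, "mode": mode, "apiKey": api_key})
    return f"{API_URL}?{query}"


def fetch_reputation(domain_name, api_key, mode="fast", timeout=30):
    """Live call (needs network access and a real key); returns the parsed JSON body."""
    with urllib.request.urlopen(build_request_url(domain_name, api_key, mode),
                                timeout=timeout) as resp:
        return json.load(resp)


def summarize(response, min_score=70.0):
    """Reduce a v2 response to a triage verdict: score, warning codes grouped by
    family, and a flag set when the score is below min_score or any 4xxx
    (blocklist) warning is present regardless of the score."""
    codes, by_family = [], {}
    for test in response.get("testResults", []):
        for warning in test.get("warnings", []):
            code = int(warning["warningCode"])
            codes.append(code)
            family = WARNING_FAMILIES.get(code // 1000, "unknown")
            by_family[family] = by_family.get(family, 0) + 1
    score = float(response["reputationScore"])  # the documented sample returns 88.11
    listed = any(code // 1000 == 4 for code in codes)
    return {"mode": response.get("mode"), "score": score,
            "warning_codes": sorted(codes), "by_family": by_family,
            "flag": listed or score < min_score}


# Constructed sample: the documented fast-mode response, trimmed to two tests.
SAMPLE_RESPONSE = {"mode": "fast", "reputationScore": 88.11, "testResults": [
    {"test": "WHOIS Domain check", "testCode": 93, "warnings": [
        {"warningDescription": "Owner details are publicly available", "warningCode": 2009}]},
    {"test": "SSL vulnerabilities", "testCode": 88, "warnings": [
        {"warningDescription": "HTTP Strict Transport Security not set", "warningCode": 6015},
        {"warningDescription": "OCSP stapling not configured", "warningCode": 6006}]}]}
```

The blocklist override in summarize() is the point a practitioner would want: a 4xxx hit means the domain is listed somewhere even when the composite score looks healthy.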