Domain Threat Check
developer/v1/domain/threat

Checks a domain against multiple threat intelligence sources in parallel: Quad9 differential resolver check (aggregates ~20 commercial feeds), curated threat feeds (OpenPhish, PhishTank, Phishing Army, FireHOL, Cisco Talos, etc.), a DGA (domain-generation-algorithm) entropy heuristic for zero-day C2 candidates, and optionally Google Web Risk API (malware, social engineering, unwanted software). Returns a unified threat assessment with severity level (none/low/medium/high/critical), per-source detection details, and action-ready recommendations.
What It Does
Runs all threat checks in parallel for fast response: (1) Quad9 differential DNS check (compares filtered 9.9.9.9 vs unfiltered 9.9.9.10 — NXDOMAIN on filtered + resolution on unfiltered = threat-blocked), (2) pre-indexed threat domain feeds for known phishing and malicious domains, (3) DGA n-gram heuristic for randomness-pattern detection, and (4) Google Web Risk API for Google's threat classifications (quota-managed per organization). Calculates a composite threat level using severity-weighted scoring — each source carries a different weight (Google Web Risk: 40, OpenPhish/PhishTank: 25, Quad9: 20, others: 15-20), with older detections downweighted via a recency multiplier. Cumulative severity: 0 = none, 1-20 = low, 21-40 = medium, 41-60 = high, 61+ = critical.
Why It's Useful
Domain threat intelligence is essential for protecting users from phishing, malware, and other online threats. Multi-source checking reduces false negatives — a domain may be flagged by one feed but not yet in another. Integrating threat checks into applications, email gateways, and URL filters helps block malicious domains before they cause harm. The API handles the complexity of querying multiple sources and normalizing results.
Use Cases
URL Filtering
Check URLs submitted by users against threat databases before allowing them through.
Protect users from visiting malicious websites.
Email Link Scanning
Scan links in incoming emails against threat intelligence to detect phishing campaigns.
Block phishing emails before they reach inboxes.
Brand Protection
Monitor for domains impersonating your brand that are flagged as malicious.
Detect and respond to brand abuse campaigns quickly.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to check for threats. Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| threat_level | string | Threat level: none, low, medium, high, or critical |
| is_malicious | boolean | Whether domain is flagged as malicious |
| total_sources_checked | number | Total threat sources checked |
| detections | number | Number of threat detections |
| detection_details | array | Per-source detection details with source, category, and listed status |
| sources_queried | array | List of sources queried (urlhaus, threat_feeds, quad9, google_web_risk) |
| sources_failed | array | List of sources that failed (empty when all succeed) |
| partial_result | boolean | Whether some sources failed (result may undercount threats) |
| recommendations | array | Action-ready guidance for the threat level (block, scan endpoints, monitor, etc.). Empty when clean. |
| web_risk_quota | object | Google Web Risk API quota status: used, limit, remaining (null if not configured) |
| last_updated | string | ISO timestamp of last check |
Code Examples
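```bash
# -G sends the -d data as a query string on a GET request, like the examples below
curl -G "https://api.edgedns.dev/v1/domain/threat" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
// Query the endpoint with the domain as a query-string parameter
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/threat?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
// Parse the JSON threat assessment
const data = await response.json();
console.log(data);
```

```python
import requests

# Query the endpoint; requests encodes params into the query string
response = requests.get(
    'https://api.edgedns.dev/v1/domain/threat',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    },
    timeout=10,  # fail instead of hanging if the API is unreachable
)
# Parse the JSON threat assessment
data = response.json()
print(data)
```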
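
One way to turn the response fields above into an allow/review/block decision in a URL filter or mail gateway, written as an added example that is not EdgeDNS code. The function name `decide`, the `block_at` and `required_sources` policy knobs, the exact key names inside `detection_details`, and the sample responses are assumptions constructed for illustration.

```python
# Added example (not EdgeDNS code): gateway policy over a Domain Threat Check response.
LEVELS = ("none", "low", "medium", "high", "critical")  # order documented by the API


def decide(resp, block_at="high", required_sources=("quad9", "threat_feeds")):
    """Map a response dict to ("allow" | "review" | "block", [reasons]).

    block_at and required_sources are local policy assumptions, not API settings.
    """
    level = resp.get("threat_level")
    if level not in LEVELS:
        # Malformed or unexpected body: never treat it as clean.
        return "review", [f"unrecognized threat_level: {level!r}"]

    # Key names source/category/listed are assumed from the field description.
    reasons = [f"{d.get('source')}: {d.get('category')}"
               for d in resp.get("detection_details", []) if d.get("listed")]
    if LEVELS.index(level) >= LEVELS.index(block_at):
        return "block", reasons or [f"threat_level={level}"]
    if level != "none" or resp.get("is_malicious"):
        return "review", reasons or [f"threat_level={level}"]

    # threat_level is "none" from here on; check how much that verdict covers.
    failed = set(resp.get("sources_failed", []))
    queried = set(resp.get("sources_queried", []))
    gaps = [f"source failed: {s}" for s in sorted(failed)]
    gaps += [f"required source not queried: {s}"
             for s in required_sources if s not in queried and s not in failed]
    if resp.get("partial_result") or gaps:
        # A clean verdict with missing sources may undercount threats.
        return "review", gaps or ["partial_result set"]
    return "allow", []


# Constructed sample responses using the documented field names.
CLEAN = {"domain": "example.com", "threat_level": "none", "is_malicious": False,
         "detection_details": [], "sources_queried": ["urlhaus", "threat_feeds", "quad9"],
         "sources_failed": [], "partial_result": False}
PARTIAL = dict(CLEAN, sources_failed=["quad9"], partial_result=True)
LISTED = dict(CLEAN, threat_level="high", is_malicious=True,
              detection_details=[{"source": "quad9", "category": "blocked", "listed": True}])

if __name__ == "__main__":
    for name, r in (("clean", CLEAN), ("partial", PARTIAL), ("listed", LISTED)):
        print(name, decide(r))
```

The point of the last branch is that `threat_level: none` is only as strong as the sources behind it, so a clean verdict with `partial_result` set or a required source missing goes to review instead of being allowed.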