Domain Threat Check
developer/v1/domain/threat
Checks a domain against multiple threat intelligence sources in parallel: URLhaus (real-time malware distribution tracking by abuse.ch), curated threat feeds (OpenPhish, Phishing Army, ThreatFox), and optionally Google Web Risk API (malware, social engineering, unwanted software). Returns a unified threat assessment with severity level (none/low/medium/high/critical), per-source detection details, and Google Web Risk quota tracking.
What It Does
Runs all threat checks in parallel for fast response: (1) URLhaus API for active malware distribution URLs, (2) pre-indexed threat domain feeds for known phishing and malicious domains, and (3) Google Web Risk API for Google's threat classifications (quota-managed per organization). Calculates a composite threat level using severity-weighted scoring — each source carries a different weight (Google Web Risk: 40, URLhaus: 30, OpenPhish: 25, Feodo Tracker: 25, others: 15-20). Cumulative severity: 0 = none, 1-20 = low, 21-40 = medium, 41-60 = high, 61+ = critical. Each detection includes the source, threat category, and additional details.
Why It's Useful
Domain threat intelligence is essential for protecting users from phishing, malware, and other online threats. Multi-source checking reduces false negatives — a domain may be flagged by URLhaus for malware distribution but not yet in Google's database, or vice versa. Integrating threat checks into applications, email gateways, and URL filters helps block malicious domains before they cause harm. The API handles the complexity of querying multiple sources and normalizing results.
Use Cases
URL Filtering
Check URLs submitted by users against threat databases before allowing them through.
Protect users from visiting malicious websites.
Email Link Scanning
Scan links in incoming emails against threat intelligence to detect phishing campaigns.
Block phishing emails before they reach inboxes.
Brand Protection
Monitor for domains impersonating your brand that are flagged as malicious.
Detect and respond to brand abuse campaigns quickly.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to check for threats. Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| threat_level | string | Threat level: none, low, medium, high, or critical |
| is_malicious | boolean | Whether domain is flagged as malicious |
| total_sources_checked | number | Total threat sources checked |
| detections | number | Number of threat detections |
| detection_details | array | Per-source detection details with source, category, and listed status |
| sources_queried | array | List of sources queried (urlhaus, threat_feeds, google_web_risk) |
| sources_failed | array | List of sources that failed (empty when all succeed) |
| partial_result | boolean | Whether some sources failed — result may undercount threats |
| web_risk_quota | object | Google Web Risk API quota status: used, limit, remaining (null if not configured) |
| last_updated | string | ISO timestamp of last check |
Code Examples
```bash
# -G sends the -d data as a query string on a GET request,
# matching the JavaScript and Python examples below.
curl -G "https://api.edgedns.dev/v1/domain/threat" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
// GET request with the domain passed as a query parameter
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/threat?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# GET request with the domain passed as a query parameter
response = requests.get(
    'https://api.edgedns.dev/v1/domain/threat',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
data = response.json()
print(data)
```
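Handling the response, as an added example that is not part of the EdgeDNS documentation: it turns one parsed response into a block/review/allow decision, recomputes the level from the weights and bands listed under What It Does, and refuses to treat a clean verdict as clean when `partial_result`, `sources_failed` or an exhausted Web Risk quota shows the check was incomplete. The key names inside `detection_details`, the source identifiers in `WEIGHTS`, the default weight of 15 and the `block_at` threshold are assumptions.

```python
# Added example, not EdgeDNS code. Assumed: detection_details items use the keys
# "source" and "listed", the WEIGHTS keys are the source identifiers, and
# "cumulative severity" is the sum of the weights of listed detections.
LEVELS = ["none", "low", "medium", "high", "critical"]
WEIGHTS = {"google_web_risk": 40, "urlhaus": 30, "openphish": 25, "feodo_tracker": 25}
DEFAULT_WEIGHT = 15  # the page gives 15-20 for other sources; 15 assumed here

def level_from_score(score):
    """Map cumulative severity to the bands stated on the page."""
    for upper, name in ((0, "none"), (20, "low"), (40, "medium"), (60, "high")):
        if score <= upper:
            return name
    return "critical"

def local_level(result):
    """Recompute the level from the listed detections as a cross-check."""
    listed = [d for d in result.get("detection_details") or [] if d.get("listed")]
    return level_from_score(sum(WEIGHTS.get(d.get("source"), DEFAULT_WEIGHT) for d in listed))

def decide(result, block_at="medium"):
    """Return 'block', 'review' or 'allow' for one parsed response."""
    reported = result.get("threat_level")
    if reported not in LEVELS:
        return "review"  # unexpected or missing level: do not fail open
    # Act on the more severe of the reported and the recomputed level.
    level = max(reported, local_level(result), key=LEVELS.index)
    if result.get("is_malicious") or LEVELS.index(level) >= LEVELS.index(block_at):
        return "block"
    quota = result.get("web_risk_quota")
    quota_spent = quota is not None and quota.get("remaining", 0) <= 0
    # A clean verdict from an incomplete check may undercount threats.
    if result.get("partial_result") or result.get("sources_failed") or quota_spent:
        return "review"
    return "allow"

# Constructed sample: nothing detected, but one source failed.
SAMPLE_PARTIAL = {
    "domain": "example.com", "threat_level": "none", "is_malicious": False,
    "detections": 0, "detection_details": [],
    "sources_queried": ["urlhaus", "threat_feeds", "google_web_risk"],
    "sources_failed": ["google_web_risk"], "partial_result": True,
    "web_risk_quota": {"used": 10, "limit": 1000, "remaining": 990},
}

if __name__ == "__main__":
    print(decide(SAMPLE_PARTIAL))  # review
```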