Domain Threat Check: a beginner's guide
Check domain against malware and phishing databases
Threat intelligence feeds: how the security community shares "this domain is bad"
Threat intelligence feeds are continuously-updated lists of domains, IP addresses, URLs, and file hashes that the security community has collectively identified as malicious. Some feeds are run by big commercial providers like Recorded Future, Mandiant, and CrowdStrike. Some are run by open communities like URLhaus, ThreatFox, and PhishTank. Some are run by individual security researchers and shared openly. Together they form a kind of decentralized neighborhood watch for the internet — when one organization discovers a phishing site, a malware download URL, or a botnet command-and-control server, the indicator gets published into a feed and the rest of the community can start blocking it within minutes.
You should care because **most malicious domains are known to somebody by the time they reach your users** — but only if you actually check the feeds. The classic story is the user who clicks a link in a phishing email and lands on a fake login page. The fake page was registered yesterday, used in an attack today, and reported to a public threat feed within hours. By the time the user clicks, three or four major feeds already know about it. The difference between a successful attack and a blocked one is whether your security tools were checking those feeds in real time.
The five things every threat intelligence check looks at:
Public blocklists. Known-bad domain feeds from organizations like Spamhaus, SURBL, abuse.ch, and the Anti-Phishing Working Group.
Reputation scores. Composite scores from commercial feeds that combine many signals into a single number.
First-seen and last-seen timestamps. A domain that was first observed yesterday is much more suspicious than one that has been around for years.
Associated indicators. Other domains, IPs, or hashes connected to the same threat actor or campaign.
Categorization. Phishing, malware delivery, command-and-control, scam, adult content, or simply unrated.
Three questions a threat-intelligence check answers:
Is this domain or URL on any public threat feed right now?
Has it been associated with any known phishing campaigns or malware families?
Is this a brand-new domain that should trigger extra scrutiny in my fraud rules?
The cost of skipping threat intelligence is the small but persistent risk of letting your users walk into known traps. The fix is to integrate threat-intel checks into the places where decisions are made — signup forms, payment flows, link previews in messaging apps, email gateways. None of this is exotic technology; it is the security baseline for any consumer-facing application in 2025.
The Domain Threat Check endpoint, in plain language
In one sentence: Check domain against malware and phishing databases
Checks a domain against multiple threat intelligence sources in parallel: URLhaus (real-time malware distribution tracking by abuse.ch), curated threat feeds (OpenPhish, Phishing Army, ThreatFox), and optionally Google Web Risk API (Application Programming Interface) (malware, social engineering, unwanted software). Returns a unified threat assessment with severity level (none/low/medium/high/critical), per-source detection details, and Google Web Risk quota tracking.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Runs all threat checks in parallel for fast response: (1) URLhaus API (Application Programming Interface) for active malware distribution URLs, (2) pre-indexed threat domain feeds for known phishing and malicious domains, and (3) Google Web Risk API for Google's threat classifications (quota-managed per organization). Calculates a composite threat level using severity-weighted scoring — each source carries a different weight (Google Web Risk: 40, URLhaus: 30, OpenPhish: 25, Feodo Tracker: 25, others: 15-20). Cumulative severity: 0 = none, 1-20 = low, 21-40 = medium, 41-60 = high, 61+ = critical. Each detection includes the source, threat category, and additional details.
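To make the scoring concrete, here is an added Python illustration (not EdgeDNS's own implementation) that mimics the description above: it queries several stub "sources" in parallel, sums the weights of the sources that list the domain, and maps the cumulative score onto the five severity bands. The weights and thresholds are the ones quoted on this page; the stub feed contents, the domain names, the 15-point weight chosen for the "others" bucket, and the simulated source failure are constructed assumptions for the example.

```python
"""Added example, not EdgeDNS code: reproduce the composite threat scoring
described on the page against locally constructed feed data."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Per-source weights quoted on the page. "others: 15-20" is taken as 15
# here for phishing_army and threatfox (assumption).
SOURCE_WEIGHTS = {
    "google_web_risk": 40,
    "urlhaus": 30,
    "openphish": 25,
    "feodo_tracker": 25,
    "phishing_army": 15,
    "threatfox": 15,
}

# Constructed stand-in for the real feeds: which domains each source lists
# and under which category. In production each lookup is a network call.
FAKE_FEEDS = {
    "google_web_risk": {"malware-dropper.example": "MALWARE"},
    "urlhaus": {"malware-dropper.example": "malware_download"},
    "openphish": {"login-verify.example": "phishing"},
    "feodo_tracker": {},
    "phishing_army": {"login-verify.example": "phishing"},
    "threatfox": {},
}


@dataclass
class Detection:
    source: str
    category: str
    listed: bool


def query_source(source, domain, failing=frozenset()):
    """Look a domain up in one feed. Sources named in `failing` raise, which
    simulates an unreachable feed (constructed failure mode)."""
    if source in failing:
        raise ConnectionError(f"{source} unreachable")
    category = FAKE_FEEDS[source].get(domain)
    return Detection(source, category or "none", category is not None)


def threat_level(score):
    """Map the cumulative severity score onto the page's five bands."""
    if score == 0:
        return "none"
    if score <= 20:
        return "low"
    if score <= 40:
        return "medium"
    if score <= 60:
        return "high"
    return "critical"


def check_domain(domain, failing=frozenset()):
    """Query every source in parallel, then combine the hits by weight.
    A failed source is recorded rather than treated as 'clean', so the
    caller can see that the result may undercount threats."""
    detections, failed = [], []
    with ThreadPoolExecutor(max_workers=len(SOURCE_WEIGHTS)) as pool:
        futures = {pool.submit(query_source, s, domain, failing): s
                   for s in SOURCE_WEIGHTS}
        for fut, source in futures.items():
            try:
                detections.append(fut.result())
            except ConnectionError:
                failed.append(source)
    hits = [d for d in detections if d.listed]
    score = sum(SOURCE_WEIGHTS[d.source] for d in hits)
    return {
        "domain": domain,
        "threat_level": threat_level(score),
        "severity_score": score,
        "is_malicious": bool(hits),
        "detections": len(hits),
        "detection_details": [vars(d) for d in hits],
        "sources_failed": failed,
        "partial_result": bool(failed),
    }


if __name__ == "__main__":
    for d in ("malware-dropper.example", "login-verify.example", "example.com"):
        print(check_domain(d))
    # Same phishing domain, but with the heaviest matching feed unreachable:
    print(check_domain("login-verify.example", failing=frozenset({"openphish"})))
```

Note what the last call shows: with OpenPhish unreachable, the same phishing domain drops from "medium" (25 + 15 = 40) to "low" (15), which is exactly why the real endpoint reports `sources_failed` and `partial_result` alongside the level.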
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Domain Threat Check tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Domain threat intelligence is essential for protecting users from phishing, malware, and other online threats. Multi-source checking reduces false negatives — a domain may be flagged by URLhaus for malware distribution but not yet in Google's database, or vice versa. Integrating threat checks into applications, email gateways, and URL (web address) filters helps block malicious domains before they cause harm. The API (Application Programming Interface) handles the complexity of querying multiple sources and normalizing results.
Picture this in real life. Imagine a security engineer whose task is to check URLs submitted by users against threat databases before allowing them through. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Domain Threat Check tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Domain Threat Check tool is built for you:
Is this domain or IP address known for fraud, phishing, or abuse?
Should my signup form, payment flow, or comment system trust this visitor?
Is someone out there registering lookalike domains targeting my brand?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Trust and safety teams, fraud analysts, brand-protection managers, security operations engineers, and product teams running open signup flows. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you find out a domain or IP was malicious only after it has already cost you money or trust. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/domain/threat`.
When would I actually use this?
If you're still on the fence about whether the Domain Threat Check tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a security engineer, an email security engineer, and a brand manager — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: URL Filtering
Imagine you're a security engineer. Check URLs submitted by users against threat databases before allowing them through.
Why it matters: Protect users from visiting malicious websites.
Story 2: Email Link Scanning
Imagine you're an email security engineer. Scan links in incoming emails against threat intelligence to detect phishing campaigns.
Why it matters: Block phishing emails before they reach inboxes.
Story 3: Brand Protection
Imagine you're a brand manager. Monitor for domains impersonating your brand that are flagged as malicious.
Why it matters: Detect and respond to brand abuse campaigns quickly.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Domain Threat Check tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Inside a signup form, payment flow, or comment system, to score risk in real time.
When investigating a customer complaint about a suspicious link or message.
On a recurring schedule, to monitor lookalike domains targeting your brand.
During incident response, to enrich an alert with reputation context.
If you can see yourself in even one of those bullets, the Domain Threat Check tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Domain Threat Check tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Domain Threat Check tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/domain/threat?domain=example.com"
```
What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to check for threats | example.com |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| threat_level | string | Threat level: none, low, medium, high, or critical |
| is_malicious | boolean | Whether the domain is flagged as malicious |
| total_sources_checked | number | Total threat sources checked |
| detections | number | Number of threat detections |
| detection_details | array | Per-source detection details with source, category, and listed status |
| sources_queried | array | List of sources queried (urlhaus, threat_feeds, google_web_risk) |
| sources_failed | array | List of sources that failed (empty when all succeed) |
| partial_result | boolean | Whether some sources failed — the result may undercount threats |
| web_risk_quota | object | Google Web Risk API (Application Programming Interface) quota status: used, limit, remaining (null if not configured) |
| last_updated | string | ISO timestamp of last check |
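Once the JSON is in hand, the practical question is what a signup form or URL filter should do with it. The following added Python snippet (example code, not part of EdgeDNS's documentation or SDK) turns a response shaped like the table above into an allow / review / block decision and a quota warning. The sample response is constructed for illustration, and the policy it encodes (block on high or critical, send anything with a detection or a partial result to review, warn when under 5% of Web Risk quota remains) is an assumption you would tune to your own risk appetite.

```python
"""Added example, not EdgeDNS code: act on a Domain Threat Check response."""
import json

# Constructed sample response using the field names from the table above
# (illustrative values, not a real API capture). One source failed, so the
# "low" level may be an undercount.
SAMPLE_RESPONSE = json.dumps({
    "domain": "login-verify.example",
    "threat_level": "low",
    "is_malicious": True,
    "total_sources_checked": 3,
    "detections": 1,
    "detection_details": [
        {"source": "threat_feeds", "category": "phishing", "listed": True}
    ],
    "sources_queried": ["urlhaus", "threat_feeds", "google_web_risk"],
    "sources_failed": ["google_web_risk"],
    "partial_result": True,
    "web_risk_quota": {"used": 980, "limit": 1000, "remaining": 20},
    "last_updated": "2025-01-01T00:00:00Z",
})


def decide(raw, block_at=frozenset({"high", "critical"})):
    """Return (action, reasons) for a response given as a JSON string or dict.
    Policy (assumption): block at high/critical; review when any source
    listed the domain or when a source failed; otherwise allow."""
    resp = json.loads(raw) if isinstance(raw, str) else raw
    level = resp.get("threat_level", "none")
    reasons = []
    if level in block_at:
        reasons.append(f"threat_level={level}")
        for d in resp.get("detection_details", []):
            if d.get("listed"):
                reasons.append(f"{d['source']}:{d['category']}")
        return "block", reasons
    if resp.get("is_malicious") or resp.get("detections", 0) > 0:
        reasons.append(
            f"{resp.get('detections', 0)} detection(s) at threat_level={level}")
    if resp.get("partial_result"):
        # A failed source never proves the domain clean; escalate rather
        # than silently allow.
        failed = ",".join(resp.get("sources_failed", []))
        reasons.append(f"partial_result: failed sources {failed}")
    return ("review", reasons) if reasons else ("allow", reasons)


def quota_warning(resp, fraction=0.05):
    """Return a warning string when Google Web Risk quota is nearly used up,
    else None. web_risk_quota is null when Web Risk is not configured."""
    quota = resp.get("web_risk_quota")
    if not quota or not quota.get("limit"):
        return None
    if quota["remaining"] <= quota["limit"] * fraction:
        return (f"web_risk quota low: {quota['remaining']}/{quota['limit']} "
                "remaining; further checks may run without this source")
    return None


if __name__ == "__main__":
    parsed = json.loads(SAMPLE_RESPONSE)
    print(decide(parsed))
    print(quota_warning(parsed))
```

The important edge case is the one the sample exercises: a "low" level with `partial_result` true is not the same as a clean verdict, because the heaviest-weighted source never answered, so the decision goes to review instead of allow.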
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.
URL (web address) — The full address of a page, like https://example.com/about.
Need Programmatic Access?
Automate domain intelligence with 100+ API endpoints and a free MCP server for AI integration.