Threat Intelligence API

base /threat-intel/v1 · 5 endpoints

POST /threat-intel/v1/url_check (1 credit)

Is a URL malicious? Checks the URLHaus malware-URL feed + OpenPhish phishing feed (exact + variants) + its host across ThreatFox/URLHaus-hosts/Feodo/SSLBL + risk flags → verdict.

| Parameter | Allowed / range | Description |
| --- | --- | --- |
| url (required) | | The full URL to check (http/https). Matched against the URLHaus malware-URL feed AND the OpenPhish phishing feed (exact + http/https + trailing-slash variants), plus its host against every host/IOC feed. |

POST /threat-intel/v1/domain_reputation (1 credit)

Domain reputation: URLHaus host listing + active malware URLs + OpenPhish phishing + ThreatFox domain IOCs + urlscan scan-history count + risk flags → consolidated verdict.

| Parameter | Allowed / range | Description |
| --- | --- | --- |
| domain (required) | | Domain/host to check (a bare host like example.com; a full URL or leading www. is accepted and normalized). Checked against URLHaus hosts, ThreatFox domain IOCs, and urlscan scan history. |

POST /threat-intel/v1/ip_reputation (1 credit)

IP abuse signals: Feodo botnet-C2 + SSLBL botnet-C2 + ThreatFox IP IOCs + URLHaus IP-hosted malware + Spamhaus DROP hijacked-netblock → verdict + score (all keyless).

| Parameter | Allowed / range | Description |
| --- | --- | --- |
| ip (required) | | IPv4/IPv6 address to check against Feodo botnet-C2, SSLBL botnet-C2, ThreatFox IP IOCs, URLHaus IP-hosted malware, and Spamhaus DROP hijacked netblocks (all keyless open feeds). |

POST /threat-intel/v1/scan_lookup (1 credit)

urlscan.io public scan history + per-scan verdict for a domain/IP (server, IP, country, TLS age, page title, malicious-flag). Open source — no key.

| Parameter | Allowed / range | Description |
| --- | --- | --- |
| domain (required) | | Domain (or a URL — its host is used) to pull urlscan.io public scan history + per-scan verdict for. Use search_field to switch the query axis. |
| search_field = domain (optional) | domain · page · ip | Which urlscan axis to query. 'domain' (default) is broadest; 'page' is the landing domain only; 'ip' searches by contacted IP. |
| limit = 20 (optional) | 1–100 | Max scan-history records to return (1-100, default 20). Clamped to 100. |

POST /threat-intel/v1/batch (1 credit)

Check up to 20 mixed indicators (URL/domain/IP, auto-routed) in one call.

| Parameter | Allowed / range | Description |
| --- | --- | --- |
| targets (required) | | List of indicators to check in one call (max 20); each may be a URL, domain, or IP — the type is auto-detected and routed to the right feeds. |
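
Added example, not part of this API's own documentation: a client-side helper that classifies, normalizes, and de-duplicates mixed indicators, then splits them into `targets` lists of at most 20 for the batch endpoint. The JSON body shape, the function names, and the classification rules are assumptions; they only approximate the service's auto-detection, which this page does not specify.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_TARGETS = 20  # documented per-call limit for the batch endpoint
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label

def classify(indicator):
    """Return 'url', 'ip', 'domain', or 'invalid' (assumed client-side rules)."""
    value = indicator.strip()
    if value.lower().startswith(("http://", "https://")):
        return "url" if urlsplit(value).hostname else "invalid"
    try:
        ipaddress.ip_address(value.strip("[]"))
        return "ip"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # Require 2+ valid labels and a non-numeric TLD so "999.1.1.1" is rejected.
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels) \
            and not labels[-1].isdigit():
        return "domain"
    return "invalid"

def normalize(indicator):
    """Return (kind, canonical value); URLs are passed through unchanged."""
    kind, value = classify(indicator), indicator.strip()
    if kind == "domain":
        value = value.lower().rstrip(".")
        value = value[4:] if value.startswith("www.") else value
    elif kind == "ip":
        value = str(ipaddress.ip_address(value.strip("[]")))
    return kind, value

def build_batches(indicators):
    """Return (payloads, rejected); each payload holds <= 20 unique targets."""
    seen, clean, rejected = set(), [], []
    for raw in indicators:
        kind, value = normalize(raw)
        if kind == "invalid":
            rejected.append(raw)  # surface bad input instead of sending it
        elif value not in seen:
            seen.add(value)
            clean.append(value)
    payloads = [{"targets": clean[i:i + MAX_TARGETS]}
                for i in range(0, len(clean), MAX_TARGETS)]
    return payloads, rejected

if __name__ == "__main__":
    # Constructed sample input using documentation-reserved names and addresses.
    print(build_batches(["https://example.com/login", "WWW.Example.com",
                         "192.0.2.1", "2001:DB8::1", "999.1.1.1"]))
```
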