IOC Search Tools – Threat and Risk Information

CyberGordon quickly returns threat and risk information about observables such as an IP address or a web domain. The tool was created by Marc-Henry Geay.

30+ fast engines: CyberGordon submits each observable to multiple sources (engines) so that good coverage is obtained within a few seconds. Not every engine accepts every observable type, and only the engines flagged "Risk assessment: true" contribute to the verdict; the others are context (geolocation, DNS, certificates, registration data).

Each engine below is listed with its ID, name, accepted observable types, the information it retrieves, whether it contributes to the risk assessment, and any remark about its limits.

1. IPinfo.io
   Observable types: IPv4, IPv6
   Information retrieved: GeoIP (city, country), hostname (PTR/rDNS), organization (AS number, AS name)
   Risk assessment: false

2. AbuseIPDB
   Observable types: IPv4, IPv6
   Information retrieved: overall risk score (%), number of reports and of distinct reporters, date of the last report
   Risk assessment: true
   Remark: data limited to the last 180 days

3. VirusTotal
   Observable types: FQDN, MD5, SHA1, SHA256
   Information retrieved: anti-virus analysis results with malicious and suspicious score ratios, reputation, votes (safe, dangerous). For files: file type and corresponding hashes. Around November 26, 2022, VirusTotal reduced the monthly quota of the CyberGordon API key and added a rather strict daily quota. IPv4 temporarily removed.
   Risk assessment: true

4. urlscan.io
   Observable types: IPv4, IPv6, FQDN, URL, SHA256
   Information retrieved: total number of scans, presence in phishing/threat feeds, and the top 5 domains reported in scans
   Risk assessment: true
   Remark: except for the first metric, limited to the data of the last 100 scans

5. Google Safe Browsing (GSB)
   Observable types: FQDN, URL
   Information retrieved: presence in the GSB database and the list of threat types
   Risk assessment: true

6. Hybrid Analysis
   Observable types: MD5, SHA1, SHA256
   Information retrieved: final verdict, threat score (/100), anti-virus positive-detection percentage, corresponding hashes
   Risk assessment: true

7. Google DNS
   Observable types: FQDN, IPv4
   Information retrieved: live DNS lookups of A, NS and MX records for an FQDN through Google DNS; for IPv4, the PTR record
   Risk assessment: false
   Remark: a DNS lookup can be considered an active request against the observable, since an uncached query reaches the domain's authoritative nameservers. DNS answers may differ depending on geographic location.

8. Wayback Internet Archive
   Observable types: FQDN, URL
   Information retrieved: date of the last snapshot
   Risk assessment: false

9. MalShare
   Observable types: MD5, SHA1, SHA256
   Information retrieved: sample match and corresponding hashes
   Risk assessment: true

10. Fortiguard Web Filter (disabled)
   Observable types: IPv4, FQDN
   Information retrieved: web classification (category). Disabled in July 2023.
   Risk assessment: true

11. DShield / ISC
   Observable types: IPv4, IPv6
   Information retrieved: match against honeypots: community report count and date of the last report
   Risk assessment: true

12. AlienVault OTX
   Observable types: IPv4, IPv6
   Information retrieved: reputation score, activities, and presence in pulses (feeds)
   Risk assessment: true

13. BinaryEdge (disabled)
   Observable types: IPv4
   Information retrieved: open and exposed ports with service/OS fingerprinting. Engine disabled: the free quota no longer matches the demand.
   Risk assessment: false

14. EmailRep
   Observable types: EMAIL
   Information retrieved: mail address and domain reputation, data leaks, and DNS configuration
   Risk assessment: true
   Remark: frequently unavailable

15. crt.sh
   Observable types: FQDN
   Information retrieved: public certificates published in Certificate Transparency logs, with details of up to 8 valid (not expired) certificates: DNS names, dates, issuer
   Risk assessment: false
   Remark: search stopped if there are more than 200 results

16. Whois XML API (disabled)
   Observable types: FQDN
   Information retrieved: Whois records: TLD, registrar (name and IANA ID), registrant (name, country), dates, status. Due to subscription changes, this engine was disabled on March 9, 2022; use the [E31] RDAP engine instead.
   Risk assessment: false
   Remark: because Whois data is inconsistently structured, some results may be missing

17. Pulsedive
   Observable types: IPv4, IPv6, FQDN, URL
   Information retrieved: risk, last activity date, threat/feed lists, open services
   Risk assessment: true

18. MalwareBazaar
   Observable types: MD5, SHA1, SHA256
   Information retrieved: sample match, last seen, signature, tags, delivery method and corresponding hashes
   Risk assessment: false

19. ThreatMiner
   Observable types: IPv4, FQDN, MD5, SHA1, SHA256
   Information retrieved: match count of passive DNS, URIs, sub-domains, certificates, IP/domain...
   Risk assessment: false
   Remark: a match is not necessarily suspicious

20. PhishTank
   Observable types: URL
   Information retrieved: match in the phishing database and, if applicable, the verification date
   Risk assessment: true

21. Twitter (disabled)
   Observable types: IPv4, IPv6, FQDN, MD5, SHA1, SHA256
   Information retrieved: match in tweets over the past week. Disabled in July 2023 (API restricted).
   Risk assessment: true
   Remark: at most 100 tweets, searching up to 7 days back

22. ViewDNS Spam Blacklist
   Observable types: IPv4
   Information retrieved: match in spam blacklists
   Risk assessment: true
   Remark: slow API, sometimes times out

23. Offline Feeds
   Observable types: IPv4
   Information retrieved: match in multiple offline feeds downloaded and updated every hour by CyberGordon, mainly from the FireHOL repository. Feeds: FireHOL Level 1, FireHOL Level 3 (last 30 days), AlienVault IP reputation database, TOR exit nodes (last 30 days), EmergingThreats compromised hosts, CyberCrime – C2, DynDNS.org – Ponmocup malware botnet, BotScout (last 1 day), DigitalSide (last 7 days), IPsum (3+ blocklists), Rescure – Malicious IP, Feodo Tracker – Botnet C2 (last 30 days), Duggy Tuxy – EU Botnets/Zombies/Scanners.
   Risk assessment: true

24. BlackList DE
   Observable types: IPv4
   Information retrieved: match in the blacklist with the number of attacks and reports since the beginning
   Risk assessment: true
   Remark: sometimes slow (the whole dataset is requested)

25. Auth0 Signals (disabled)
   Observable types: IPv4
   Information retrieved: match in blacklists. Auth0 announced the deprecation of Signals; disabled on February 8, 2021.
   Risk assessment: true

26. MetaDefender
   Observable types: IPv4, IPv6, FQDN, URL, MD5, SHA1, SHA256
   Information retrieved: for hashes, anti-virus analysis results, reputation and votes (safe, dangerous); for the other types, their reputation across multiple sources
   Risk assessment: true

27. Disposable Email Domains
   Observable types: FQDN
   Information retrieved: match in the disposable email domains database
   Risk assessment: true

28. CryptoScamDB (disabled)
   Observable types: IPv4, FQDN
   Information retrieved: match in the cryptocurrency scams database. Disabled in July 2023 (not responding).
   Risk assessment: true

29. Stop Forum Spam
   Observable types: IPv4, IPv6, EMAIL
   Information retrieved: match in the forum/blog abusers database
   Risk assessment: true

30. PhishingReel (disabled)
   Observable types: IPv4, FQDN
   Information retrieved: match in the phishing kits database (entries of the last 7 days only). The service is no longer available.
   Risk assessment: true

31. RDAP
   Observable types: FQDN
   Information retrieved: homemade RDAP client (replacement for WHOIS). Domain records: registrar (name, IANA ID, abuse email), registrant (name), DNSSEC activation, registration/expiration dates, nameservers, status. To find the right RDAP server for a TLD, CyberGordon uses a daily-updated offline copy of the Bootstrap Registry from the IANA repository.
   Risk assessment: false

32. IBM X-Force
   Observable types: IPv6, FQDN, URL, MD5, SHA1, SHA256
   Information retrieved: match in the IBM threat intelligence database with the current risk; includes the risk history for IPv4/FQDN/URL. IPv4 temporarily removed.
   Risk assessment: true
   Remark: high rate of remote API timeouts

33. GreyNoise
   Observable types: IPv4
   Information retrieved: match in the GreyNoise database with the last reporting date, classification, whether the address is scanning the Internet, and the actor name (RIOT project)
   Risk assessment: true
   Remark: uses the GreyNoise Community API

34. IPdata.co
   Observable types: IPv4, IPv6
   Information retrieved: geolocation data, network data and threat intelligence (security risks and blocklists)
   Risk assessment: true

35. Redirect Checker
   Observable types: URL
   Information retrieved: identifies the target web page of a shortened URL, with its IP address and HTTP status code
   Risk assessment: false
   Remark: resolving the redirect requires an HTTP request to the shortener, so this is an active check of the observable
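The Offline Feeds engine (ID 23) matches an IPv4 address against blocklists such as the FireHOL netsets, which mix single addresses and CIDR blocks and carry `#` comment lines. The example below, added here and not CyberGordon's own code, shows the matching step: parse feeds in that text format, test an address against every block, and report which feeds hit. The feed names and their contents are constructed for the example (documentation address ranges, not real threat data), and `is_routable` is an added pre-check for the private and reserved addresses that a practitioner should never submit to public engines.

```python
"""Match IPv4 observables against offline blocklist feeds in FireHOL netset format.

Added example, not CyberGordon's code.  Feed contents are constructed for the
example and use documentation address ranges, not real threat data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample feeds in the FireHOL netset/ipset text format:
# '#' comment lines, then one IPv4 address or CIDR block per line.
SAMPLE_FEEDS = {
    "firehol_level1": """
# FireHOL Level 1 (constructed sample)
198.51.100.0/24
203.0.113.7
""",
    "tor_exits": """
# TOR exit nodes (constructed sample)
203.0.113.7
192.0.2.44
""",
    "feodo_c2": """
# Feodo Tracker botnet C2 (constructed sample)
192.0.2.0/25
""",
}


def parse_netset(text):
    """Return IPv4 networks from a FireHOL-style feed body; bare IPs become /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # a malformed entry must not poison the whole feed
        if net.version == 4:
            nets.append(net)
    return nets


def build_index(feeds):
    """Parse every feed once; an hourly refresh would simply rebuild this."""
    return {name: parse_netset(body) for name, body in feeds.items()}


def is_routable(ip_text):
    """False for RFC 1918, loopback, link-local and documentation ranges.

    Internal addresses pasted from logs should be filtered out before any
    engine is queried: they leak your topology and waste API quota.
    """
    return ipaddress.ip_address(ip_text).is_global


def match_ip(ip_text, index):
    """Return {feed_name: [matching CIDR strings]} for one IPv4 address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version != 4:
        raise ValueError("the offline feeds described on this page cover IPv4 only")
    hits = defaultdict(list)
    for feed, nets in index.items():
        for net in nets:  # linear scan; a radix tree is the upgrade for large feeds
            if ip in net:
                hits[feed].append(str(net))
    return dict(hits)


def summarize(ip_text, index):
    """Compact verdict, in the spirit of a 'Risk assessment: true' engine."""
    hits = match_ip(ip_text, index)
    return {
        "ip": ip_text,
        "feeds_hit": sorted(hits),
        "hit_count": len(hits),
        "details": hits,
    }


if __name__ == "__main__":
    idx = build_index(SAMPLE_FEEDS)
    for ip in ("203.0.113.7", "192.0.2.44", "198.51.100.200", "192.0.2.200"):
        print(summarize(ip, idx))
```

Two points carry over to a real pipeline: a bare address in a netset is a /32, so the same `ip in net` test serves both entry kinds, and the number of distinct feeds that hit is a better signal than the raw count of matching lines, because the FireHOL aggregate sets already contain many of the individual feeds.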

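The RDAP engine (ID 31) has to decide which registry's RDAP server to ask for a given domain, and the page says it does so from an offline copy of IANA's bootstrap registry. The following example, added here and not CyberGordon's client, shows that lookup step as specified in RFC 7484: flatten the bootstrap file's `services` array, normalise the domain to lower-case A-labels, pick the longest matching suffix, and build the RFC 9082 `domain/<name>` query URL. `BOOTSTRAP_JSON` is a constructed sample in the layout of IANA's `dns.json`; the server URLs in it are placeholders, not real registries.

```python
"""Select the RDAP server for a domain from an IANA-style bootstrap file (RFC 7484).

Added example, not CyberGordon's RDAP client.  BOOTSTRAP_JSON is a constructed
sample in the layout of IANA's dns.json; the server URLs are placeholders.
"""
import json

BOOTSTRAP_JSON = """
{
  "version": "1.0",
  "publication": "2024-01-01T00:00:00Z",
  "description": "constructed sample, not the live IANA bootstrap file",
  "services": [
    [["com", "net"], ["https://rdap.registry-a.test/v1/"]],
    [["example"],    ["http://rdap.registry-b.test/", "https://rdap.registry-b.test/"]],
    [["xn--p1ai"],   ["https://rdap.registry-c.test/"]]
  ]
}
"""


def load_bootstrap(text):
    """Flatten the 'services' array into {tld_label: [base URLs]}."""
    table = {}
    for labels, urls in json.loads(text)["services"]:
        # RFC 7484 base URLs end with '/'; normalise in case a copy omits it
        bases = [u if u.endswith("/") else u + "/" for u in urls]
        for label in labels:
            table[label.lower()] = bases
    return table


def normalize_domain(name):
    """Lower-case, drop the trailing dot, convert U-labels to A-labels (punycode)."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def find_service(domain, table):
    """Longest-suffix match of the domain's labels against the bootstrap entries."""
    labels = normalize_domain(domain).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])  # 'a.b.c', then 'b.c', then 'c'
        if suffix in table:
            return table[suffix]
    return None


def rdap_url(domain, table):
    """Build the RFC 9082 domain query URL, preferring an https base URL."""
    bases = find_service(domain, table)
    if not bases:
        raise LookupError(f"no RDAP bootstrap entry for {domain!r}")
    base = next((b for b in bases if b.startswith("https://")), bases[0])
    return f"{base}domain/{normalize_domain(domain)}"


if __name__ == "__main__":
    table = load_bootstrap(BOOTSTRAP_JSON)
    for d in ("WWW.Example.COM.", "пример.рф", "host.example"):
        print(d, "->", rdap_url(d, table))
```

Keeping the bootstrap file local is what makes the engine fast and avoids a dependency on IANA being reachable for every lookup, but it is also why the copy must be refreshed regularly: a TLD whose RDAP base URL has moved will otherwise resolve to a dead endpoint. The standard-library `idna` codec used here implements IDNA 2003; for user-supplied names with newer Unicode, the third-party `idna` package (UTS 46) is the more faithful choice.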
ThreatFox is a free platform from abuse.ch whose goal is to share indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.

# Enter search queries, separated by commas or new lines.
# Queries = IP, URL, DOMAIN, HASH (MD5, SHA256, SHA1)
# If the IOC is not found, no results are displayed.
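Both tools take a pasted list of mixed observables and have to work out what each one is before it can be sent anywhere: CyberGordon's engines each accept only some of the types in the table above, and ThreatFox's search box accepts IPs, URLs, domains and hashes separated by commas or new lines. The example below, added here and not code from either project, implements that front end: it splits the query, refangs indicators shared in `hxxp://` and `[.]` form, classifies each token (hash type by length, IPv4/IPv6, URL, EMAIL, FQDN), and routes it to the engines that accept its type while recording which of those count towards the risk assessment. `ENGINES` is a hand-copied subset of the page's table; the sample query is constructed.

```python
"""Parse a pasted list of observables, classify each one and route it to the
engines that accept that observable type.

Added example, not CyberGordon's or ThreatFox's code.  ENGINES is a subset of
the engine table on this page; the type labels follow the page's columns.
"""
import ipaddress
import re
from urllib.parse import urlparse

HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"[0-9a-f]+")
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
FQDN_RE = re.compile(rf"(?=.{{1,253}}$)(?:{LABEL}\.)+(?:[a-z]{{2,63}}|xn--[a-z0-9-]{{1,59}})")
EMAIL_RE = re.compile(r"[^@\s]+@([^@\s]+)")

# Subset of the engines listed above: accepted types and whether the engine
# counts towards the verdict (the page's "Risk assessment" flag).
ENGINES = {
    "IPinfo.io":            ({"IPv4", "IPv6"}, False),
    "AbuseIPDB":            ({"IPv4", "IPv6"}, True),
    "VirusTotal":           ({"FQDN", "MD5", "SHA1", "SHA256"}, True),
    "urlscan.io":           ({"IPv4", "IPv6", "FQDN", "URL", "SHA256"}, True),
    "Google Safe Browsing": ({"FQDN", "URL"}, True),
    "Hybrid Analysis":      ({"MD5", "SHA1", "SHA256"}, True),
    "crt.sh":               ({"FQDN"}, False),
    "EmailRep":             ({"EMAIL"}, True),
    "GreyNoise":            ({"IPv4"}, True),
    "Stop Forum Spam":      ({"IPv4", "IPv6", "EMAIL"}, True),
}


def refang(token):
    """Undo common defanging so indicators shared in reports can be looked up."""
    t = token.strip()
    t = re.sub(r"^hxxp(s?)://", r"http\1://", t, flags=re.IGNORECASE)
    for bad, good in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[@]", "@")):
        t = t.replace(bad, good)
    return t


def classify(token):
    """Return (type, normalised value); type is UNKNOWN if nothing matches."""
    t = refang(token)
    low = t.lower()
    if HEX_RE.fullmatch(low) and len(low) in HASH_TYPES:
        return HASH_TYPES[len(low)], low  # hashes compare case-insensitively
    try:
        return f"IPv{ipaddress.ip_address(t).version}", t
    except ValueError:
        pass
    if "://" in t:
        parsed = urlparse(t)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return "URL", t  # keep case: URL paths are case-sensitive
    m = EMAIL_RE.fullmatch(low)
    if m and FQDN_RE.fullmatch(m.group(1)):
        return "EMAIL", low
    if FQDN_RE.fullmatch(low.rstrip(".")):
        return "FQDN", low.rstrip(".")
    return "UNKNOWN", t


def parse_query(text):
    """Split on commas or new lines (the search-box convention) and dedupe."""
    seen, out = set(), []
    for raw in re.split(r"[,\n]+", text):
        tok = raw.strip()
        if tok and tok not in seen:
            seen.add(tok)
            out.append(tok)
    return out


def route(text):
    """Map each observable to the engines that accept its type."""
    plan = {}
    for tok in parse_query(text):
        kind, value = classify(tok)
        engines = [n for n, (types, _) in ENGINES.items() if kind in types]
        risk = [n for n, (types, flag) in ENGINES.items() if kind in types and flag]
        plan[tok] = {"type": kind, "value": value, "engines": engines, "risk_engines": risk}
    return plan


if __name__ == "__main__":
    # Constructed sample query mixing defanged and raw indicators.
    sample = "203.0.113.7, hxxp://evil[.]example[.]com/login\nD41D8CD98F00B204E9800998ECF8427E\nuser@example.com"
    for tok, info in route(sample).items():
        print(tok, "->", info["type"], info["engines"])
```

The order of the checks matters: hashes are tested first because a bare hex string would otherwise never be mistaken for anything else, IP parsing is delegated to `ipaddress` rather than a hand-written regex so that octets like `01` or `256` are rejected, and the email test reuses the FQDN pattern for the domain part. A token such as `example.com/path` (a URL without a scheme) deliberately lands in UNKNOWN rather than being guessed, which is the behaviour you want before spending API quota on it.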