AbuseIPDB and AlienVault OTX
AbuseIPDB
AbuseIPDB is a collaborative database of IPs reported by the security community.
What it returns
```python
from src.tools.abuseipdb import abuseipdb_check_ip

# Call from inside an async function or an asyncio-aware REPL
result = await abuseipdb_check_ip("185.220.101.34")
```

| Field | Description |
|---|---|
| abuseConfidenceScore | Confidence percentage that it is malicious (0-100%) |
| totalReports | Total number of reports received |
| numDistinctUsers | Number of distinct users who reported it |
| lastReportedAt | Last report date |
| countryCode | Country of origin |
| isp | ISP or provider |
| domain | ASN domain |
| usageType | Type of use (datacenter, residential, tor, vpn…) |
| isPublic | Whether it is a public IP |
| isWhitelisted | Whether it is whitelisted |
Abuse score
A high abuseConfidenceScore (>80%) indicates that the IP has been repeatedly reported for malicious behavior:
- 90-100%: Very likely malicious — block it
- 50-89%: Suspicious — investigate further
- 20-49%: Minor activity — monitor
- 0-19%: Clean or rarely reported
Free tier
- 1,000 requests/day
- Check individual IPs or CIDR ranges
- History of the last 30 days in free tier
AlienVault OTX
Open Threat Exchange is a collaborative threat intelligence platform with millions of indicators.
What it returns
```python
from src.tools.alienvault import alienvault_ip_lookup

# Call from inside an async function or an asyncio-aware REPL
result = await alienvault_ip_lookup("185.220.101.34")
```

| Field | Description |
|---|---|
| pulse_count | Number of threat pulses where it appears |
| pulses | List of pulses with name, description and tags |
| country_name | Country |
| asn | ASN |
| reputation | OTX reputation score |
| validation | Available validations |
| indicator | The IOC queried |
Threat pulses
A “pulse” in OTX is a package of intelligence created by a researcher that groups IOCs related to a specific campaign or threat. Each pulse includes:
- Descriptive name of the threat
- Tags (APT, malware, phishing, ransomware…)
- List of related IOCs
- References and sources
Advantage: Unlimited API
AlienVault OTX offers unlimited access in its free tier — you can query without worrying about rate limits.
Usage for domains
The same function works for domains even though the name suggests IPs:
```python
result = await alienvault_ip_lookup("evil.com")
# → returns pulses and domain reputation
```

Example output

```
[AlienVault OTX] 185.220.101.34
├─ Pulses: 12
├─ Pulse 1: "Tor Exit Nodes - November 2025"
│  Tags: tor, exit-node, anonymization
├─ Pulse 2: "APT Lazarus Infrastructure"
│  Tags: apt, north-korea, lazarus
├─ Country: NL
└─ ASN: AS53667
```
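
One way to fold the two results into a single triage decision, as an added example that is not part of the original page or the project's code. It assumes both tools return dicts keyed by the field names in the tables above. The score bands are the ones listed under "Abuse score", while `abuse_band`, `triage` and the adjustment rules for whitelisted IPs, single reporters and OTX pulses are hypothetical policy choices.

```python
# Added example. Assumes each lookup returns a dict keyed by the field names
# in the tables on this page; all sample values below are constructed.
BANDS = [(90, "block"), (50, "investigate"), (20, "monitor"), (0, "clean")]
ORDER = ["clean", "monitor", "investigate", "block"]


def abuse_band(score):
    """Map abuseConfidenceScore (0-100) to this page's action bands."""
    return next(action for floor, action in BANDS if score >= floor)


def triage(abuse, otx):
    """Return (action, reasons) for one IP from the two lookup results."""
    if not abuse.get("isPublic", True):
        return "not-applicable", ["non-public address, reputation data does not apply"]
    score = max(0, min(100, int(abuse.get("abuseConfidenceScore") or 0)))
    action = abuse_band(score)
    reasons = [f"abuseConfidenceScore {score}% -> {action}"]

    # Assumed policy: do not auto-block on contradicted or single-source evidence.
    if action == "block" and abuse.get("isWhitelisted"):
        action = "investigate"
        reasons.append("isWhitelisted is set, needs human review")
    elif action == "block" and (abuse.get("numDistinctUsers") or 0) < 2:
        action = "investigate"
        reasons.append("fewer than 2 distinct reporters")

    # Assumed policy: any OTX pulse lifts a 'clean' or 'monitor' result one band.
    pulses = otx.get("pulses") or []
    pulse_count = otx.get("pulse_count") or len(pulses)
    if pulse_count and ORDER.index(action) < ORDER.index("investigate"):
        action = ORDER[ORDER.index(action) + 1]
        tags = sorted({t for p in pulses for t in p.get("tags", [])})
        reasons.append(f"{pulse_count} OTX pulse(s), tags: {', '.join(tags) or 'none'}")
    return action, reasons


# Constructed sample results (not real lookups).
LOW_SCORE = {"abuseConfidenceScore": 12, "numDistinctUsers": 3, "isPublic": True}
ONE_REPORTER = {"abuseConfidenceScore": 96, "numDistinctUsers": 1, "isPublic": True}
IN_PULSES = {"pulse_count": 2, "pulses": [{"name": "Constructed pulse A", "tags": ["tor"]},
                                          {"name": "Constructed pulse B", "tags": ["phishing", "tor"]}]}
NO_PULSES = {"pulse_count": 0, "pulses": []}

if __name__ == "__main__":
    for abuse, otx in [(LOW_SCORE, IN_PULSES), (ONE_REPORTER, NO_PULSES)]:
        print(triage(abuse, otx))
```

The returned reasons list records which field drove each adjustment, so an analyst can audit why an IP was not auto-blocked.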