AbuseIPDB
AbuseIPDB is a community-driven project to help system administrators, webmasters, and security analysts check the reputation of IP addresses and report malicious activity. The free APIv2 surface lets developers query a single IP, check a CIDR block, retrieve paginated reports, download a curated blacklist, submit single or bulk abuse reports, and clear their own past reports for an address. AbuseIPDB underpins fail2ban, UFW, Cloudflare WAF, Wazuh, Splunk SOAR, and dozens of other firewall and SIEM integrations across the security community.
1 APIs
3 Capabilities
8 Features
Anti Malware, Blacklist, Cyber Security, IP Reputation, Network Security, Public APIs, Threat Intelligence
IP Reputation Lookups
Query any IPv4 or IPv6 address for its abuse confidence score, total reports, distinct reporters, and country/ISP metadata.
Community-Sourced Blacklist
Downloadable daily blacklist of high-confidence abusive IPs, with configurable confidence threshold, country filters, IP version, and result limit.
Abuse Reporting
Submit single or bulk abuse reports tagged with one or more standard category IDs (e.g. SSH Brute-Force, DDoS, Web App Attack).
CIDR Block Checking
Score whole subnets in one call via the CHECK-BLOCK endpoint, with subscriber tiers supporting up to /16 networks.
Categorised Abuse Taxonomy
23 standard report categories (DNS Compromise, Open Proxy, Brute-Force, Phishing, etc.) for consistent classification.
Self-Service Report Clearing
Remove your own reports for a given IP via the CLEAR-ADDRESS endpoint if a report was made in error.
Standard Rate-Limit Headers
Every response carries X-RateLimit-Limit / Remaining / Reset and Retry-After, simplifying back-off in clients.
Whitelist Awareness
Responses include an `isWhitelisted` flag so consumers can avoid blocking known-good infrastructure.
SSH / RDP Brute-Force Defence
Auto-block and report SSH/RDP brute-force sources via fail2ban, UFW, or endlessh integrations.
WAF Augmentation
Enrich Cloudflare / Nginx / custom WAF rulesets with the AbuseIPDB blacklist for IP-based pre-filtering.
SIEM / SOC Enrichment
Add AbuseIPDB context to Splunk SOAR, Wazuh, and TheHive alerts for analyst triage.
Bot and Crawler Filtering
Score request source IPs before serving e-commerce or login pages to block known-abusive infrastructure.
Threat Hunting and OSINT
Combine AbuseIPDB with VirusTotal, Shodan, GreyNoise and similar feeds (e.g. malwoverview) during incident response.
Bulk Reporting from Edge Logs
Convert nightly access logs into CSV bulk reports to feed the AbuseIPDB community blacklist.
Fail2Ban
Pre-packaged AbuseIPDB action ships with fail2ban; reports banned offenders directly to AbuseIPDB.
UFW (Uncomplicated Firewall)
Multiple community projects (sefinek/UFW-AbuseIPDB-Reporter, jseutens/ufw-abuseipdb) ingest UFW logs and report or ingest the AbuseIPDB blacklist.
Cloudflare WAF
sefinek/Cloudflare-WAF-To-AbuseIPDB streams Cloudflare WAF events into AbuseIPDB reports.
Splunk SOAR
Official splunk-soar-connectors/abuseipdb connector enriches Splunk SOAR playbooks with AbuseIPDB reputation.
Wazuh
marciuscosta/abuseipdb-wazuh-integration wires AbuseIPDB enrichment into Wazuh with a local cache and multi-key support.
CrowdSec
goremykin/crowdsec-abuseipdb-blocklist converts CrowdSec data into AbuseIPDB blocklists.
Endlessh
elhenro/endlessh-auto-report-abuseipdb auto-reports SSH tarpit visitors to AbuseIPDB.
Nginx
tmiland/abuseipdb-php-nginx-blacklist-create generates an Nginx-ready blocklist file from AbuseIPDB.
Zen Cart
CcMarc/AbuseIPDB plugs AbuseIPDB into the Zen Cart e-commerce platform.
TheHive
AbuseIPDB enrichment is used by SOAR/IR pipelines like malwarekid/SOAR-Flow alongside Wazuh and TheHive.
IPinfo
AbuseIPDB sources its IP geolocation, ISP, usage type, and domain data from IPinfo.
Individual (Free)
1,000 checks/day, 100 block checks, 5 blacklist downloads. Aimed at hobby admins and home labs.
Basic
$25/mo. 10,000 checks/day, 1,000 block checks, 100 bulk reports, customisable blacklist up to 100,000 IPs.
Premium
$99/mo. 50,000 checks/day, 5,000 block checks, 500 bulk reports, customisable blacklist up to 500,000 IPs.
Enterprise
Custom-priced direct data access for ISPs and large security organisations.
aid: abuseipdb
name: AbuseIPDB
description: >-
  AbuseIPDB is a community-driven project to help system administrators, webmasters, and security
  analysts check the reputation of IP addresses and report malicious activity. The free APIv2
  surface lets developers query a single IP, check a CIDR block, retrieve paginated reports,
  download a curated blacklist, submit single or bulk abuse reports, and clear their own past
  reports for an address. AbuseIPDB underpins fail2ban, UFW, Cloudflare WAF, Wazuh, Splunk SOAR,
  and dozens of other firewall and SIEM integrations across the security community.
url: https://docs.abuseipdb.com/
humanURL: https://www.abuseipdb.com/
baseURL: https://api.abuseipdb.com/api/v2/
image: https://www.abuseipdb.com/img/abuseipdb-logo.svg
specificationVersion: '0.20'
type: Index
access: 3rd-Party
created: '2026-05-28'
modified: '2026-05-30'
x-source: public-apis/public-apis
x-category: Anti-Malware
x-tier: 3
x-tier-reason: bulk-registered-from-public-apis
tags:
  - Anti Malware
  - Blacklist
  - Cyber Security
  - IP Reputation
  - Network Security
  - Public APIs
  - Threat Intelligence
apis:
  - aid: abuseipdb:apiv2
    name: AbuseIPDB APIv2
    description: >-
      AbuseIPDB APIv2 is a REST API that exposes the AbuseIPDB community blacklist, IP report
      ingest, IP and CIDR reputation lookups, and self-service report cleanup. Authentication is
      via an API key delivered in a `Key:` HTTP header; responses are returned as JSON (or
      plaintext for the blacklist). The API is HTTPS only and enforces per-endpoint daily rate
      limits that scale by subscription tier.
    humanURL: https://docs.abuseipdb.com/
    baseURL: https://api.abuseipdb.com/api/v2/
    tags:
      - Blacklist
      - IP Reputation
      - REST
      - Threat Intelligence
    properties:
      - type: Documentation
        url: https://docs.abuseipdb.com/
      - type: APIReference
        url: https://docs.abuseipdb.com/#check-endpoint
        name: CHECK Endpoint
        description: GET /check — look up the abuse data for a single IPv4 or IPv6 address, optionally with verbose recent reports.
      - type: APIReference
        url: https://docs.abuseipdb.com/#reports-endpoint
        name: REPORTS Endpoint
        description: GET /reports — retrieve a paginated list of recent reports for a given IP address.
      - type: APIReference
        url: https://docs.abuseipdb.com/#blacklist-endpoint
        name: BLACKLIST Endpoint
        description: GET /blacklist — download the AbuseIPDB blacklist, with optional confidence, country, IP version, and limit filters.
      - type: APIReference
        url: https://docs.abuseipdb.com/#report-endpoint
        name: REPORT Endpoint
        description: POST /report — submit an abuse report for a single IP address with category IDs, optional comment and timestamp.
      - type: APIReference
        url: https://docs.abuseipdb.com/#bulk-report-endpoint
        name: BULK-REPORT Endpoint
        description: POST /bulk-report — submit many IPs in a single CSV multipart upload.
      - type: APIReference
        url: https://docs.abuseipdb.com/#check-block-endpoint
        name: CHECK-BLOCK Endpoint
        description: GET /check-block — query abuse data for a CIDR network range (subscriber tiers can query larger ranges up to /16).
      - type: APIReference
        url: https://docs.abuseipdb.com/#clear-address-endpoint
        name: CLEAR-ADDRESS Endpoint
        description: DELETE /clear-address — remove your own past reports for a specific IP address.
      - type: Authentication
        url: https://docs.abuseipdb.com/#authentication
        description: API key authentication. Pass the key in the `Key:` HTTP header (recommended) or as a `?key=` query parameter.
      - type: RateLimits
        url: https://docs.abuseipdb.com/#rate-limit-headers
        description: Per-endpoint daily quotas scaled by plan. 429 responses include `Retry-After`, `X-RateLimit-Limit`, `X-RateLimit-Remaining`, and `X-RateLimit-Reset` headers.
      - type: Errors
        url: https://docs.abuseipdb.com/#error-handling
        description: JSON API compliant error structure with HTTP status code as the primary error indicator.
      - type: CodeExamples
        url: https://docs.abuseipdb.com/#api-clients
        description: Code samples in cURL, Python (requests), PHP (Guzzle), C# (RestSharp), and VBScript.
      - type: OpenAPI
        url: openapi/abuseipdb-apiv2-openapi.yml
      - type: JSONSchema
        url: json-schema/abuseipdb-check-response-schema.json
      - type: JSONSchema
        url: json-schema/abuseipdb-report-schema.json
      - type: JSONSchema
        url: json-schema/abuseipdb-blacklist-entry-schema.json
      - type: JSONStructure
        url: json-structure/abuseipdb-check-response-structure.json
      - type: JSONStructure
        url: json-structure/abuseipdb-report-structure.json
      - type: JSONStructure
        url: json-structure/abuseipdb-blacklist-entry-structure.json
      - type: JSONLD
        url: json-ld/abuseipdb-context.jsonld
      - type: Example
        url: examples/abuseipdb-check-example.json
      - type: Example
        url: examples/abuseipdb-report-example.json
      - type: Example
        url: examples/abuseipdb-blacklist-example.json
      - type: Example
        url: examples/abuseipdb-check-block-example.json
      - type: Example
        url: examples/abuseipdb-reports-example.json
      - type: Example
        url: examples/abuseipdb-bulk-report-example.json
      - type: NaftikoCapability
        url: capabilities/ip-reputation-lookup.yaml
      - type: NaftikoCapability
        url: capabilities/abuse-reporting.yaml
      - type: NaftikoCapability
        url: capabilities/blacklist-management.yaml
common:
  - type: Website
    url: https://www.abuseipdb.com/
  - type: Documentation
    url: https://docs.abuseipdb.com/
  - type: SignUp
    url: https://www.abuseipdb.com/register
  - type: Login
    url: https://www.abuseipdb.com/login
  - type: DeveloperPortal
    url: https://www.abuseipdb.com/account/api
    name: API Key Dashboard
    description: Account-level UI for issuing, rotating, and revoking AbuseIPDB API keys.
  - type: Pricing
    url: https://www.abuseipdb.com/pricing
    description: >-
      Four tiers — Individual (free, 1,000 checks/day), Basic ($25/mo or $228/yr, 10,000 checks/day),
      Premium ($99/mo or $1,068/yr, 50,000 checks/day), and Enterprise (custom direct-data access).
  - type: Plans
    url: plans/abuseipdb-plans-pricing.yml
  - type: RateLimits
    url: rate-limits/abuseipdb-rate-limits.yml
  - type: SpectralRules
    url: rules/abuseipdb-rules.yml
  - type: Vocabulary
    url: vocabulary/abuseipdb-vocabulary.yml
  - type: FinOps
    url: finops/abuseipdb-finops.yml
  - type: Plans
    url: https://www.abuseipdb.com/account/plans
    name: Account Plans
  - type: Blog
    url: https://www.abuseipdb.com/blog
  - type: FAQ
    url: https://www.abuseipdb.com/faq.html
  - type: Support
    url: https://www.abuseipdb.com/contact
  - type: Contact
    url: https://www.abuseipdb.com/contact
  - type: TermsOfService
    url: https://www.abuseipdb.com/terms-of-service
  - type: PrivacyPolicy
    url: https://www.abuseipdb.com/privacy-policy
  - type: GitHubOrganization
    url: https://github.com/AbuseIPDB
    description: Official AbuseIPDB org. Hosts `laravel` (Laravel AbuseIPDB middleware package) and `ip-lib` (forked PHP IPv4/IPv6 range library).
  - type: SDK
    url: https://github.com/AbuseIPDB/laravel
    name: AbuseIPDB Laravel Package
    description: Official Laravel middleware that scores incoming requests against AbuseIPDB.
  - type: SDK
    url: https://github.com/nickurt/laravel-abuseipdb
    name: laravel-abuseipdb (community)
    description: Community Laravel 11.x/12.x/13.x plugin for AbuseIPDB.
  - type: SDK
    url: https://github.com/falegk/abuseipdb-rb
    name: abuseipdb-rb (Ruby gem)
    description: Community Ruby client gem for the AbuseIPDB API.
  - type: SDK
    url: https://github.com/meatyite/python-abuseipdb
    name: python-abuseipdb
    description: Object-oriented Python wrapper for AbuseIPDB v2 API.
  - type: SDK
    url: https://github.com/streanger/abuseipdb-wrapper
    name: abuseipdb-wrapper (Python)
    description: Python wrapper for the AbuseIPDB API.
  - type: CLI
    url: https://github.com/kristuff/abuseipdb-cli
    name: abuseipdb-cli
    description: CLI tool to check, report, and download the AbuseIPDB blacklist from the command line.
  - type: Integrations
    data:
      - name: Fail2Ban
        description: Pre-packaged AbuseIPDB action ships with fail2ban; reports banned offenders directly to AbuseIPDB.
      - name: UFW (Uncomplicated Firewall)
        description: Multiple community projects (sefinek/UFW-AbuseIPDB-Reporter, jseutens/ufw-abuseipdb) ingest UFW logs and report or ingest the AbuseIPDB blacklist.
      - name: Cloudflare WAF
        description: sefinek/Cloudflare-WAF-To-AbuseIPDB streams Cloudflare WAF events into AbuseIPDB reports.
      - name: Splunk SOAR
        description: Official splunk-soar-connectors/abuseipdb connector enriches Splunk SOAR playbooks with AbuseIPDB reputation.
      - name: Wazuh
        description: marciuscosta/abuseipdb-wazuh-integration wires AbuseIPDB enrichment into Wazuh with a local cache and multi-key support.
      - name: CrowdSec
        description: goremykin/crowdsec-abuseipdb-blocklist converts CrowdSec data into AbuseIPDB blocklists.
      - name: Endlessh
        description: elhenro/endlessh-auto-report-abuseipdb auto-reports SSH tarpit visitors to AbuseIPDB.
      - name: Nginx
        description: tmiland/abuseipdb-php-nginx-blacklist-create generates an Nginx-ready blocklist file from AbuseIPDB.
      - name: Zen Cart
        description: CcMarc/AbuseIPDB plugs AbuseIPDB into the Zen Cart e-commerce platform.
      - name: TheHive
        description: AbuseIPDB enrichment is used by SOAR/IR pipelines like malwarekid/SOAR-Flow alongside Wazuh and TheHive.
      - name: IPinfo
        description: AbuseIPDB sources its IP geolocation, ISP, usage type, and domain data from IPinfo.
  - type: Features
    data:
      - name: IP Reputation Lookups
        description: Query any IPv4 or IPv6 address for its abuse confidence score, total reports, distinct reporters, and country/ISP metadata.
      - name: Community-Sourced Blacklist
        description: Downloadable daily blacklist of high-confidence abusive IPs, with configurable confidence threshold, country filters, IP version, and result limit.
      - name: Abuse Reporting
        description: Submit single or bulk abuse reports tagged with one or more standard category IDs (e.g. SSH Brute-Force, DDoS, Web App Attack).
      - name: CIDR Block Checking
        description: Score whole subnets in one call via the CHECK-BLOCK endpoint, with subscriber tiers supporting up to /16 networks.
      - name: Categorised Abuse Taxonomy
        description: 23 standard report categories (DNS Compromise, Open Proxy, Brute-Force, Phishing, etc.) for consistent classification.
      - name: Self-Service Report Clearing
        description: Remove your own reports for a given IP via the CLEAR-ADDRESS endpoint if a report was made in error.
      - name: Standard Rate-Limit Headers
        description: Every response carries X-RateLimit-Limit / Remaining / Reset and Retry-After, simplifying back-off in clients.
      - name: Whitelist Awareness
        description: Responses include an `isWhitelisted` flag so consumers can avoid blocking known-good infrastructure.
  - type: UseCases
    data:
      - name: SSH / RDP Brute-Force Defence
        description: Auto-block and report SSH/RDP brute-force sources via fail2ban, UFW, or endlessh integrations.
      - name: WAF Augmentation
        description: Enrich Cloudflare / Nginx / custom WAF rulesets with the AbuseIPDB blacklist for IP-based pre-filtering.
      - name: SIEM / SOC Enrichment
        description: Add AbuseIPDB context to Splunk SOAR, Wazuh, and TheHive alerts for analyst triage.
      - name: Bot and Crawler Filtering
        description: Score request source IPs before serving e-commerce or login pages to block known-abusive infrastructure.
      - name: Threat Hunting and OSINT
        description: Combine AbuseIPDB with VirusTotal, Shodan, GreyNoise and similar feeds (e.g. malwoverview) during incident response.
      - name: Bulk Reporting from Edge Logs
        description: Convert nightly access logs into CSV bulk reports to feed the AbuseIPDB community blacklist.
  - type: Solutions
    data:
      - name: Individual (Free)
        description: 1,000 checks/day, 100 block checks, 5 blacklist downloads. Aimed at hobby admins and home labs.
      - name: Basic
        description: $25/mo. 10,000 checks/day, 1,000 block checks, 100 bulk reports, customisable blacklist up to 100,000 IPs.
      - name: Premium
        description: $99/mo. 50,000 checks/day, 5,000 block checks, 500 bulk reports, customisable blacklist up to 500,000 IPs.
      - name: Enterprise
        description: Custom-priced direct data access for ISPs and large security organisations.
maintainers:
  - FN: Kin Lane
    email: [email protected]