Domain Risk Score
https://api.domaintools.com/v1/risk/?domain=example-bad-domain.xyz
https://api.domaintools.com/v1/risk/evidence/?domain=example-bad-domain.xyz
The /risk endpoint is designed for large-scale enrichment and triage of domain names, either within custom tools or through one of the DomainTools SIEM/TIP integrations, and supports a higher query rate than /risk/evidence. The /risk/evidence endpoint is designed for deeper investigation of individual domains.
Domain Risk Score Parameters
| Parameters | Description | 
|---|---|
| domain | Required. The domain for which the risk score is desired. If you provide a hostname (e.g. www.domaintools.com) rather than a domain (e.g. domaintools.com), we will attempt to return the risk score for the domain, and the domain we used to look up the risk score will always be returned in the response. | 
Sample Response: Domain Risk Score
{
    "response": {
        "domain": "wstwc.cn",
        "risk_score": 99,
        "components": [
            {
                "name": "proximity",
                "risk_score": 70
            },
            {
                "name": "threat_profile",
                "risk_score": 99
            },
            {
                "name": "threat_profile_phishing",
                "risk_score": 99
            },
            {
                "name": "threat_profile_malware",
                "risk_score": 95
            },
            {
                "name": "threat_profile_spam",
                "risk_score": 0
            }
        ]
    }
}
Sample Response: Domain Risk Score Evidence
{
    "response": {
        "domain": "wstwc.cn",
        "risk_score": 99,
        "components": [
            {
                "name": "proximity",
                "risk_score": 70,
                "evidence": [
                    "registrant"
                ]
            },
            {
                "name": "threat_profile",
                "risk_score": 99,
                "threats": [
                    "phishing",
                    "malware"
                ],
                "evidence": [
                    "infrastructure",
                    "domain name",
                    "age",
                    "registration"
                ]
            },
            {
                "name": "threat_profile_phishing",
                "risk_score": 99,
                "threats": [
                    "phishing"
                ]
            },
            {
                "name": "threat_profile_malware",
                "risk_score": 95,
                "threats": [
                    "malware"
                ]
            },
            {
                "name": "threat_profile_spam",
                "risk_score": 0
            }
        ]
    }
}
The risk_score returned ranges from 0 (least risk) to 100 (known risk). The reasons array can contain the responses blocklist, dns, realtime, registrant, or zerolist.
Consult the Domain Risk Score documentation for more information on interpreting risk scores.
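For enrichment pipelines, the following added example (not DomainTools code) flattens a /risk or /risk/evidence response body into one triage record, tolerating components that carry no threats or evidence and flagging when the scored domain differs from the hostname that was queried. The function name, the verdict labels and the 90/70 thresholds are assumptions; the HTTP request and authentication are left out, and the input is a trimmed copy of the evidence sample above.

```python
import json

# Constructed input: the evidence sample from this page, trimmed to three components.
SAMPLE = json.loads("""
{"response": {"domain": "wstwc.cn", "risk_score": 99, "components": [
  {"name": "proximity", "risk_score": 70, "evidence": ["registrant"]},
  {"name": "threat_profile", "risk_score": 99,
   "threats": ["phishing", "malware"],
   "evidence": ["infrastructure", "domain name", "age", "registration"]},
  {"name": "threat_profile_spam", "risk_score": 0}
]}}
""")

# Assumed triage thresholds; tune them to your own alert volume.
BLOCK_AT = 90
REVIEW_AT = 70


def triage(queried, body):
    """Flatten a /risk or /risk/evidence response body into one triage record."""
    resp = body.get("response") or {}
    score = resp.get("risk_score")
    if not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError(f"missing or out-of-range risk_score: {score!r}")
    scored = resp.get("domain", "")
    components = resp.get("components") or []
    threats, evidence = set(), set()
    for comp in components:
        # "threats" and "evidence" are optional per component, and /risk has neither.
        threats.update(comp.get("threats", []))
        evidence.update(comp.get("evidence", []))
    if score >= BLOCK_AT:
        verdict = "block"
    elif score >= REVIEW_AT:
        verdict = "review"
    else:
        verdict = "log"
    return {
        "queried": queried,
        # The API scores the registered domain, so key alerts on this value.
        "scored_domain": scored,
        "rolled_up": queried.lower().rstrip(".") != scored.lower(),
        "risk_score": score,
        "verdict": verdict,
        "component_scores": {c["name"]: c["risk_score"] for c in components},
        "threats": sorted(threats),
        "evidence": sorted(evidence),
    }
```

A record with `rolled_up` set means the score describes the parent domain, not the specific hostname seen in the log line, which matters when the parent hosts many unrelated subdomains.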