Domain Risk Score Evidence API¶
The /v1/risk/evidence/ endpoint provides the reasons behind a domain's risk score, categorized by evidence type. Use this endpoint for deeper investigation of individual domains.
For high-volume enrichment and triage, use the Domain Risk Score API (/v1/risk/), which supports a higher query rate.
Example domain
The examples on this page use example.com. To test with high-risk domains, use Iris Investigate or the Domain Hotlist feed to find currently active domains with elevated risk scores.
Parameters¶
| Parameter | Description |
|---|---|
domain |
Required. The domain to query. If you provide a hostname (for example, www.domaintools.com) rather than a domain (for example, domaintools.com), the API attempts to return the risk score for the domain. The response always includes the domain used for the lookup. |
Sample response¶
The following sample is illustrative. Actual responses vary by domain — see Response structure for details.
{
"response": {
"domain": "example.com",
"risk_score": 95,
"components": [
{
"name": "proximity",
"risk_score": 63,
"evidence": [
"registrant"
]
},
{
"name": "threat_profile",
"risk_score": 95,
"threats": [
"spam"
],
"evidence": [
"name server",
"registrant",
"registrar"
]
},
{
"name": "threat_profile_phishing",
"risk_score": 3
},
{
"name": "threat_profile_malware",
"risk_score": 3
},
{
"name": "threat_profile_spam",
"risk_score": 95,
"threats": [
"spam"
]
}
]
}
}
Response fields¶
Top-level fields¶
| Field | Type | Description |
|---|---|---|
domain |
string | The apex domain queried. |
risk_score |
integer | Overall risk score, 0–100. |
components |
array | Risk components contributing to the overall score. Each component includes an evidence array explaining the score. |
Response structure¶
The components array varies depending on the domain's risk state:
| Domain state | Components returned |
|---|---|
Zero-listed (score 0) |
zerolist only |
| Low risk, no threat profile | proximity only |
| Active risk | All five: proximity, threat_profile, threat_profile_phishing, threat_profile_malware, threat_profile_spam |
Component objects¶
Each object in the components array contains the following fields:
| Field | Type | Description |
|---|---|---|
name |
string | Component identifier. See Component types. |
risk_score |
integer | Risk score for this component, 0–100. |
evidence |
array of strings | Evidence types supporting the score. Present on proximity and threat_profile when evidence is available. See Evidence types. |
threats |
array of strings | Threat categories detected. Present on threat_profile and its sub-classifiers when threats are detected. Possible values: phishing, malware, spam. |
Component types¶
| Component | name value |
Description |
|---|---|---|
| Proximity | proximity |
Risk based on proximity to known threats or suspicious infrastructure. |
| Threat Profile | threat_profile |
Aggregate risk score from machine learning models. |
| Threat Profile: Malware | threat_profile_malware |
ML classifier for malware-related domains. |
| Threat Profile: Phishing | threat_profile_phishing |
ML classifier for phishing-related domains. |
| Threat Profile: Spam | threat_profile_spam |
ML classifier for spam-related domains. |
| Zero-listed | zerolist |
Domain is on a known-good list. Score is always 0. |
Evidence types¶
The evidence array contains strings identifying the factors behind a component's score. Observed values include:
| Evidence value | Description |
|---|---|
age |
Domain age characteristics. |
domain name |
Lexical properties of the domain name. |
infrastructure |
Hosting or DNS infrastructure signals. |
ip address |
IP address associations. |
name server |
Name server associations. |
registrant |
Registrant information or patterns. |
registrar |
Registrar associations. |
registration |
Registration characteristics. |
More information¶
Consult the Domain Risk Score documentation for more information on interpreting risk scores and understanding score components.