Domain Risk Score API¶

https://api.domaintools.com/v1/risk/

The /v1/risk/ endpoint returns a domain's overall risk score and component scores. It is designed for large-scale enrichment and triage within custom tools or DomainTools SIEM/TIP integrations, and supports a higher query rate than the Risk Score Evidence API.

For detailed evidence behind a domain's risk score, use the Risk Score Evidence API (/v1/risk/evidence/).

Example domain

The examples on this page use example.com. To test with high-risk domains, use Iris Investigate or the Domain Hotlist feed to find currently active domains with elevated risk scores.

Parameters¶

Parameter	Description
`domain`	Required. The domain to query. If you provide a hostname (for example, `www.domaintools.com`) rather than a domain (for example, `domaintools.com`), the API attempts to return the risk score for the domain. The response always includes the domain used for the lookup.

Sample response¶

The following sample is illustrative. Actual responses vary by domain — see Response structure for details.

{
    "response": {
        "domain": "example.com",
        "risk_score": 95,
        "components": [
            {
                "name": "proximity",
                "risk_score": 63
            },
            {
                "name": "threat_profile",
                "risk_score": 95
            },
            {
                "name": "threat_profile_phishing",
                "risk_score": 3
            },
            {
                "name": "threat_profile_malware",
                "risk_score": 3
            },
            {
                "name": "threat_profile_spam",
                "risk_score": 95
            }
        ]
    }
}

Response fields¶

Field	Type	Description
`domain`	string	The apex domain queried.
`risk_score`	integer	Overall risk score, `0`–`100`. The highest of all component scores.
`components`	array	Risk components contributing to the overall score. Each object contains a `name` and `risk_score`.

Response structure¶

The components array varies depending on the domain's risk state:

Domain state	Components returned
Zero-listed (score `0`)	`zerolist` only
Low risk, no threat profile	`proximity` only
Active risk	All five: `proximity`, `threat_profile`, `threat_profile_phishing`, `threat_profile_malware`, `threat_profile_spam`

Component names¶

`name` value	Description
`proximity`	Risk based on proximity to known threats or suspicious infrastructure.
`threat_profile`	Aggregate risk score from machine learning models.
`threat_profile_malware`	ML classifier for malware-related domains.
`threat_profile_phishing`	ML classifier for phishing-related domains.
`threat_profile_spam`	ML classifier for spam-related domains.
`zerolist`	Domain is on a known-good list. Score is always `0`.

More information¶

Consult the Domain Risk Score documentation for more information on interpreting risk scores and understanding score components.