6 Free Threat Intelligence APIs You Can Use Right Now (No Budget Needed)

#security #python #api #devops

Security tools are expensive. Threat intel platforms charge $10K+/year.

But these 6 free APIs give you 80% of what you need — for $0.

1. URLhaus — Malware URL Database

Run by abuse.ch. Tracks URLs distributing malware.

import requests

def check_url(url):
    resp = requests.post('https://urlhaus-api.abuse.ch/v1/url/',
                         data={'url': url})
    data = resp.json()
    if data['query_status'] == 'no_results':
        return {'status': 'clean'}
    return {
        'status': 'malicious',
        'threat': data.get('threat'),
        'tags': data.get('tags', []),
        'date_added': data.get('date_added')
    }

result = check_url('https://example.com')
print(f"Status: {result['status']}")

Free, unlimited, no key.

2. ThreatFox — Indicators of Compromise (IOCs)

Also by abuse.ch. Search for known malicious IPs, domains, hashes.

def search_ioc(ioc_type, value):
    """Search IOCs: ip:port, domain, md5, sha256"""
    resp = requests.post('https://threatfox-api.abuse.ch/api/v1/',
                         json={'query': 'search_ioc', 'search_term': value})
    data = resp.json()
    if data.get('data'):
        for ioc in data['data'][:3]:
            print(f"  Threat: {ioc.get('threat_type')} | Malware: {ioc.get('malware')}")
            print(f"  Confidence: {ioc.get('confidence_level')}%")
    else:
        print(f"  {value}: not found in ThreatFox")

search_ioc('domain', 'evil-domain.com')

3. MalwareBazaar — Malware Samples

Search malware samples by hash, signature, or tag.

def lookup_hash(sha256):
    resp = requests.post('https://mb-api.abuse.ch/api/v1/',
                         data={'query': 'get_info', 'hash': sha256})
    data = resp.json()
    if data.get('data'):
        sample = data['data'][0]
        print(f"Malware: {sample.get('signature')}")
        print(f"Type: {sample.get('file_type')} | Size: {sample.get('file_size')}")
        print(f"First seen: {sample.get('first_seen')}")
        print(f"Tags: {sample.get('tags')}")
    else:
        print("Not found")

4. Shodan InternetDB — Quick IP Recon

One API call = open ports + known vulns + hostnames.

def recon_ip(ip):
    data = requests.get(f'https://internetdb.shodan.io/{ip}').json()
    print(f"IP: {ip}")
    print(f"Open ports: {data.get('ports', [])}")
    print(f"CVEs: {data.get('vulns', [])}")
    print(f"Hostnames: {data.get('hostnames', [])}")
    print(f"Tags: {data.get('tags', [])}")

recon_ip('8.8.8.8')

No key. Perfect for quick triage.

5. AbuseIPDB — IP Reputation

Community-driven database of abusive IPs. Free: 1000 checks/day.

ABUSE_KEY = 'your_free_key'  # Register at abuseipdb.com

def check_ip_abuse(ip):
    resp = requests.get('https://api.abuseipdb.com/api/v2/check',
        headers={'Key': ABUSE_KEY, 'Accept': 'application/json'},
        params={'ipAddress': ip, 'maxAgeInDays': 90})
    data = resp.json()['data']
    print(f"IP: {ip}")
    print(f"Abuse score: {data['abuseConfidenceScore']}%")
    print(f"Reports: {data['totalReports']}")
    print(f"Country: {data['countryCode']}")
    print(f"ISP: {data['isp']}")

6. OSV.dev — Dependency Vulnerabilities

Google's vulnerability DB for open source packages.

def scan_package(ecosystem, package, version):
    resp = requests.post('https://api.osv.dev/v1/query', json={
        'package': {'name': package, 'ecosystem': ecosystem},
        'version': version
    })
    vulns = resp.json().get('vulns', [])
    if vulns:
        print(f"⚠️ {package}=={version}: {len(vulns)} vulnerabilities")
        for v in vulns[:3]:
            print(f"  [{v['id']}] {v.get('summary', '')[:70]}")
    else:
        print(f"✅ {package}=={version}: clean")

scan_package('PyPI', 'requests', '2.25.0')
scan_package('npm', 'lodash', '4.17.19')

Build Your Own SOC Dashboard

Combine all 6 into a single check:

def threat_check(target):
    """Run all checks on a target"""
    if target.startswith('http'):
        print("=== URL Check ===")
        print(check_url(target))

    if '.' in target and not target.startswith('http'):
        print("=== IP Recon ===")
        recon_ip(target)

threat_check('https://suspicious-site.com')
threat_check('203.0.113.1')