While building Cyber Shield – a honeypot-based intrusion detection system running on my VPS – I realized I needed a way to quickly check if incoming IPs were known threats. Most threat intelligence services require expensive API keys or have very low free limits.
So I extracted my threat intelligence module into a standalone REST API and published it on RapidAPI.
What it does
The Threat Intelligence API aggregates data from multiple sources:
- VirusTotal – malware and URL scanner
- CERT PL – Polish Computer Emergency Response Team threat feeds
- ML anomaly scoring – IsolationForest + RandomForest trained on 5,000 samples
Endpoints
GET /api/check/{ip} # Check IP reputation
GET /api/threats # Get curated threat feed
GET /api/threats/stats # Severity distribution
GET /health # Uptime check
Example response for /api/check/45.156.129.135
{
  "ip": "45.156.129.135",
  "malicious": true,
  "severity": "high",
  "sources": ["CERT_PL", "VirusTotal"],
  "anomaly_score": -0.73,
  "last_seen": "2026-03-11"
}
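One way a client could validate and act on this response before touching a firewall rule. This is an added example, not part of the API's own code; the block/watch/allow policy, the 30-day freshness window and the names `check_path` and `triage` are assumptions.

```python
import ipaddress
import json
from datetime import date

# Response body copied from the example above.
SAMPLE = """{"ip": "45.156.129.135", "malicious": true, "severity": "high",
 "sources": ["CERT_PL", "VirusTotal"], "anomaly_score": -0.73,
 "last_seen": "2026-03-11"}"""


def check_path(ip: str) -> str:
    """Build the /api/check/{ip} path, refusing anything that is not a public IP."""
    # ip_address() raises ValueError on junk such as "1.2.3.4/../x".
    addr = ipaddress.ip_address(ip.strip())
    if not addr.is_global:
        # Internal addresses should not be disclosed to a third-party service.
        raise ValueError(f"{addr} is not globally routable")
    return f"/api/check/{addr}"


def triage(raw: str, queried_ip: str, today: date, max_age_days: int = 30) -> str:
    """Return "block", "watch" or "allow" for one response body.

    Assumed policy: block only when the verdict is malicious, fresh and
    backed by at least two sources; anything weaker is only watched.
    """
    body = json.loads(raw)
    # Type checks first: the string "false" must not be read as truthy.
    if not isinstance(body.get("malicious"), bool):
        raise ValueError("malicious must be a JSON boolean")
    sources = body.get("sources")
    if not isinstance(sources, list) or not all(isinstance(s, str) for s in sources):
        raise ValueError("sources must be a list of strings")
    # The answer must describe the address that was asked about.
    if ipaddress.ip_address(body.get("ip", "")) != ipaddress.ip_address(queried_ip):
        raise ValueError("response is for a different IP")
    if not body["malicious"]:
        return "allow"
    # A missing or malformed last_seen raises ValueError here.
    age = (today - date.fromisoformat(str(body.get("last_seen")))).days
    fresh = 0 <= age <= max_age_days
    corroborated = len(set(sources)) >= 2
    return "block" if fresh and corroborated else "watch"
```

The freshness check matters because addresses get reassigned: an old sighting alone is a weak reason to drop traffic.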
Tech Stack
- Python 3.10 + Flask
- SQLite for local threat cache
- scikit-learn – IsolationForest, RandomForest, DBSCAN
- Deployed on Render.com (free tier with UptimeRobot keepalive)
- Published on RapidAPI with free tier
Real-world data from Cyber Shield honeypot
My VPS honeypot has collected:
- 44,618 anomalies detected by ML models
- 25,613 blocked IPs from honeypot triggers (Telnet, SMB, HTTP-Proxy scans)
- Attack types: port scanners, credential stuffers, botnet nodes
Try it for free
RapidAPI listing (free tier, 10 requests per day, no credit card):
https://rapidapi.com/darro2323/api/threat-intelligence-api1
Feedback and contributions welcome!