I built a free Threat Intelligence API in Python/Flask – ML-based IP reputation scoring

cyberpolak99 — Thu, 12 Mar 2026 15:16:43 +0000

While building Cyber Shield – a honeypot-based intrusion detection system running on my VPS – I realized I needed a way to quickly check if incoming IPs were known threats. Most threat intelligence services require expensive API keys or have very low free limits.

So I extracted my threat intelligence module into a standalone REST API and published it on RapidAPI.

What it does

The Threat Intelligence API aggregates data from multiple sources:

VirusTotal – malware and URL scanner
CERT PL – Polish Computer Emergency Response Team threat feeds
ML anomaly scoring – IsolationForest + RandomForest trained on 5,000 samples

Endpoints

GET /api/check/{ip}     # Check IP reputation
GET /api/threats        # Get curated threat feed
GET /api/threats/stats  # Severity distribution
GET /health             # Uptime check

Example response for `/api/check/45.156.129.135`

{
  "ip": "45.156.129.135",
  "malicious": true,
  "severity": "high",
  "sources": ["CERT_PL", "VirusTotal"],
  "anomaly_score": -0.73,
  "last_seen": "2026-03-11"
}

Tech Stack

Python 3.10 + Flask
SQLite for local threat cache
scikit-learn – IsolationForest, RandomForest, DBSCAN
Deployed on Render.com (free tier with UptimeRobot keepalive)
Published on RapidAPI with free tier

Real-world data from Cyber Shield honeypot

My VPS honeypot has collected:

44,618 anomalies detected by ML models
25,613 blocked IPs from honeypot triggers (Telnet, SMB, HTTP-Proxy scans)
Attack types: port scanners, credential stuffers, botnet nodes

Try it for free

RapidAPI listing (free tier, 10 requests per day, no credit card):
https://rapidapi.com/darro2323/api/threat-intelligence-api1

Feedback and contributions welcome!

DEV Community: cyberpolak99