I built a free Threat Intelligence API in Python/Flask – ML-based IP reputation scoring
Source: Dev.to
Overview
While building Cyber Shield – a honeypot‑based intrusion detection system running on my VPS – I needed a quick way to check if incoming IPs were known threats. Most threat‑intelligence services require expensive API keys or have very low free limits, so I extracted my threat‑intelligence module into a standalone REST API and published it on RapidAPI.
The Threat Intelligence API aggregates data from multiple sources:
- VirusTotal – malware and URL scanner
- CERT PL – Polish Computer Emergency Response Team threat feeds
- ML anomaly scoring – IsolationForest + RandomForest trained on 5,000 samples
API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/check/{ip} | Check IP reputation |
| GET | /api/threats | Get curated threat feed |
| GET | /api/threats/stats | Severity distribution |
| GET | /health | Uptime check |
Example: Check an IP
GET /api/check/45.156.129.135 HTTP/1.1
Host: api.example.com

Response:

{
  "ip": "45.156.129.135",
  "malicious": true,
  "severity": "high",
  "sources": ["CERT_PL", "VirusTotal"],
  "anomaly_score": -0.73,
  "last_seen": "2026-03-11"
}

Implementation Details
- Language: Python 3.10
- Framework: Flask
- Database: SQLite (local threat cache)
- Machine Learning: scikit‑learn – IsolationForest, RandomForest, DBSCAN
- Deployment: Render.com (free tier) with UptimeRobot keep‑alive ping
- Publishing: RapidAPI (free tier)
Collected Statistics from the Honeypot
- 44,618 anomalies detected by ML models
- 25,613 blocked IPs from honeypot triggers (Telnet, SMB, HTTP‑Proxy scans)
- Attack types: port scanners, credential stuffers, botnet nodes
RapidAPI Listing
The API is available on RapidAPI with a free tier (10 requests per day, no credit card required):
https://rapidapi.com/darro2323/api/threat-intelligence-api1
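Added example (not code from the original post or the API's own client): one way to consume the /api/check/{ip} response from the example before letting it drive a block rule, skipping non-public addresses so they never leave the network or use up the 10 requests per day. The function names, the two-source corroboration policy and the use of "high" as the only blocking severity are assumptions; the sample body is the response shown in the example.

```python
import ipaddress
import json

# Constructed sample: the response body from the "Check an IP" example.
SAMPLE = '''{"ip": "45.156.129.135", "malicious": true, "severity": "high",
 "sources": ["CERT_PL", "VirusTotal"], "anomaly_score": -0.73,
 "last_seen": "2026-03-11"}'''

def normalize_for_lookup(ip_text):
    """Return canonical IP text, or None if it should not be sent to the API."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None          # not an IP: never interpolate it into the URL path
    if not ip.is_global:
        return None          # private/loopback/reserved: keep internal addresses local
    return str(ip)

def parse_verdict(body, queried_ip):
    """Validate the response shape before any field drives a firewall rule."""
    data = json.loads(body)
    if not isinstance(data, dict) or data.get("ip") != queried_ip:
        raise ValueError("response does not describe the queried IP")
    if not isinstance(data.get("malicious"), bool):
        raise ValueError("'malicious' must be a JSON boolean")
    sources = data.get("sources", [])
    if not isinstance(sources, list) or not all(isinstance(s, str) for s in sources):
        raise ValueError("'sources' must be a list of strings")
    score = data.get("anomaly_score")
    if score is not None and (isinstance(score, bool) or not isinstance(score, (int, float))):
        raise ValueError("'anomaly_score' must be a number")
    return {"ip": queried_ip, "malicious": data["malicious"],
            "severity": data.get("severity"), "sources": sorted(set(sources)),
            "anomaly_score": score}

def decide(verdict, min_sources=2):
    """Assumed policy: auto-block only on corroborated, high-severity verdicts."""
    if not verdict["malicious"]:
        return "allow"
    if verdict["severity"] == "high" and len(verdict["sources"]) >= min_sources:
        return "block"
    return "alert"           # single-source or lower severity: send to a human

if __name__ == "__main__":
    ip = normalize_for_lookup(" 45.156.129.135 ")
    print(ip, decide(parse_verdict(SAMPLE, ip)))
```

The post does not document the scale of anomaly_score, so the example only type-checks it and leaves it out of the decision.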
Contributions
Feedback and contributions are welcome!