Carrie

How to Use SafePoint Cyber Threat Intelligence API

SafePoint IP Threat Intelligence

SafePoint's IP Threat Intelligence helps you detect and block risky IPs in real time, powered by a global data network and machine learning.

Key Features

  • IP Reputation Lookup

    Instantly check if an IP is malicious, with threat types and risk levels.

  • Real-Time Scoring

    Updated hourly based on attack patterns, behavior, and global threat data.

  • Massive Data Coverage

    • 200,000+ WAF nodes worldwide
    • 50M+ malicious IPs tracked
    • 100M+ queries per day
  • Easy Integration

    • Fast and reliable REST API
    • Exportable malicious IP lists, updated every hour

🚀 Why Use It?

| Feature | Benefit |
| --- | --- |
| AI-based scoring | High accuracy, low false positives |
| Fast global response | <100ms latency |
| No need to self-manage | Hourly updates, always fresh |

SafePoint Intelligence helps you stop threats before they reach your system.

Ideal for firewalls, WAFs, SIEMs, and custom security workflows.

Tutorial for Using the Intelligence API

Create SafePoint Token

Open SafePoint's Work Center in your browser, click Account, and then API-Token-Generate to obtain your User Token.

Test Token

Test the token and confirm that it works by requesting the User info API from the intelligence service:

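# -k turns off TLS certificate verification; omit it once the endpoint's
# certificate validates on your host, so the token only goes to the verified server.
curl -k 'https://intelligence.app.safepoint.cloud/api/v1/user/info' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'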

If the response has the following format, the token and the related programs are working properly:

{
    "message": "",
    "success": true,
    "data": {
        "id": "66**********845",
        "payment": "Ultimate",
        "token": "om**********pe",
        "expired_at": 0
    }
}

API List

User Payment Info

Request:

curl -k 'https://intelligence.app.safepoint.cloud/api/v1/user/info' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'

Response:

{
    "message": "",
    "success": true,
    "data": {
        // User ID
        "id": "66**********845",
        // User Payment
        "payment": "Ultimate",
        // User app Token
        "token": "om**********pe",
        // Current version expiration time, 0 means permanent
        "expired_at": 0
    }
}

IP Query Data

Request:

curl -k 'https://intelligence.app.safepoint.cloud/api/v1/ip_info?ip=87.26.82.93' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'

Response:

{
    "message": "",
    "success": true,
    "data": {
        // IP Address
        "ip": "103.195.194.250",
        // IP Threat Level: 0-Unknown 1-Safe 2-Suspicious 3-Malicious
        "status": 3,
        // Historical attack behavior statistics for IP
        "behaviors": {
            "Backdoor": 3,
            "Web Attack": 16,
            "SQL Injection": 5,
            "XXE Injection": 2,
            "CRLF Injection": 2,
            "Code Injection": 16,
            "Path Traversal": 3,
            "Command Injection": 4,
            "Template Injection": 1,
            "Unauthorized Access": 3,
            "Upload Malicious File": 2
        },
        // IP label list (IDC, residential broadband, etc.)
        "labels": [],
        // IP geolocation information
        "address": {
            "ip": "103.195.194.250",
            "country": "China",
            "province": "Hongkong", 
            "city": "Hongkong",
            "isp": "Power Line (HK) Co., Limited",
            "owner": "Power Line (HK) Co., Limited",
            "asn": "AS132839",
            "lng": "114.184921",
            "lat": "22.350617",
            "scene": "Hosting",
            "radius": "40.0088",
            "timezone": "UTC+8"
        },
        // IP activity history records
        "activities": [
            {
                "ip": "103.195.194.250",
                "date": "2025-05-05",
                // Daily malicious level
                "malicious_level": 0
            },
            {
                "ip": "103.195.194.250",
                "date": "2025-05-06",
                "malicious_level": 3
            }
        ]
    }
}
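
An added example (not code from the original post or from SafePoint) that turns an ip_info response into an enforcement decision for a firewall or WAF hook, including the case where the lookup itself fails. The environment variable name `SAFEPOINT_TOKEN`, the allow/challenge/block policy and the fail-open default are assumptions; unlike the `curl -k` calls on this page, `urllib` verifies the server certificate by default.

```python
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://intelligence.app.safepoint.cloud/api/v1"
# Threat levels as documented for the ip_info "status" field.
STATUS = {0: "unknown", 1: "safe", 2: "suspicious", 3: "malicious"}
# Hypothetical local policy: action an enforcement point takes per verdict.
POLICY = {"unknown": "allow", "safe": "allow",
          "suspicious": "challenge", "malicious": "block"}
# Constructed sample, trimmed from the ip_info response shown on this page.
SAMPLE = {"message": "", "success": True, "data": {
    "ip": "103.195.194.250", "status": 3, "labels": [],
    "behaviors": {"Web Attack": 16, "Code Injection": 16, "SQL Injection": 5},
    "activities": [
        {"ip": "103.195.194.250", "date": "2025-05-05", "malicious_level": 0},
        {"ip": "103.195.194.250", "date": "2025-05-06", "malicious_level": 3},
    ]}}


def fetch_ip_info(ip, token=None, timeout=5):
    """Query ip_info with TLS verification left on and a bounded timeout."""
    token = token or os.environ["SAFEPOINT_TOKEN"]  # assumed variable name
    url = f"{API_BASE}/ip_info?" + urllib.parse.urlencode({"ip": ip})
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "x-safepoint-api-token": token,
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def decide(response, fail_open=True):
    """Map an ip_info response to (action, reason); never raise on a failed lookup."""
    fallback = "allow" if fail_open else "block"
    if not isinstance(response, dict) or response.get("success") is not True:
        message = response.get("message", "") if isinstance(response, dict) else ""
        return fallback, f"lookup failed: {message}"
    data = response.get("data") or {}
    verdict = STATUS.get(data.get("status"))
    if verdict is None:
        return fallback, "unrecognised status"
    # ISO dates sort correctly as text; take the most recent daily level.
    history = sorted(data.get("activities") or [], key=lambda a: a["date"])
    latest = history[-1]["malicious_level"] if history else None
    top = sorted((data.get("behaviors") or {}).items(), key=lambda kv: -kv[1])[:3]
    reason = f"{verdict}; latest daily level {latest}; top: {[k for k, _ in top]}"
    return POLICY[verdict], reason
```

With a real token, `decide(fetch_ip_info("103.195.194.250"))` performs the live lookup; pass `fail_open=False` where an unavailable lookup should block rather than allow.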

Historical Malicious Behavior Data

Request:

curl -k 'https://intelligence.app.safepoint.cloud/api/v1/intelligences/list?page=1&per_page=1000&ip=142.93.230.252' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'

Response:

{
    // Interface response message
    "message": "",
    // Whether the request was successful
    "success": true,
    "data": {
        // Total number of records
        "total": 821,
        // Historical malicious behavior records list
        "data": [
        {
            // Record unique identifier
            "id": "01973a2d-fa2c-75b1-b836-80d68d4d6a80",
            // IP type
            "type": "IPv4",
            // Detailed malicious behavior description
            "comment": "These IPs are constantly performing port scanning on my honeypot \"honeypot_qingdao_2\".\n\nProtocols:     tcp\nAttack times:  738\nPorts:         10000, 10008, 10015, 10023, 10046, 10059, 10082, 101, 1011, 10120, 10175, 10225, 10240-10241, 10247, 10259, 1027, 1028, 1032, 10357, 10628, 1080, 10989, 1099, 10997, 11, 110, 1109, 11112, 11234, 11443, 11551, 1189, 119, 1200, 12000, 12001, 12022, 12088, 12262, 1234, 12346, 12349, 12350, 12351, 12357, 12358, 12360, 12366, 12369, 12607, 12694, 1282, 12852, 1311, 1314, 13228, 13306, 13320, 13322, 1338, 13898, 13975, 14142, 1433, 14443, 1458, 14817, 15042, 1521, 153, 15305, 15443, 15901, 15944, 16041, 16467, 16825, 16966, 16981, 16993, 17102, 1723, 17389, 17554, 17600, 17811, 179, 18050, 18080, 18118, 1828, 18400, 18456, 18574, 18607, 1883, 1909, 19158, 1963, 19895, and more 637 ports\nStarts at:     2025-06-04T08:00:00.000Z\nEnds at:       2025-06-04T09:00:00.000Z",
            // Detected malicious behavior types
            "behaviors": [
                "Port Scanning"
            ],
            // Number of IPs included in this intelligence
            "count": "714",
            // Record creation timestamp
            "created_at": 1749027781,
            // Creator information
            "creator": {
                // Creator name
                "name": "Scanning-honeypot",
                // Creator avatar
                "avatar": "https://safepoint.oss-rg-china-mainland.aliyuncs.com/prod/avatar/943f0ad23af80967207b15b55900cbfb.png"
            }
        }]
    }
}

JA4 Query Data

Request:

curl -k 'https://intelligence.app.safepoint.cloud/api/v1/ja4?ja4=t13d1516h2_8daaf6152771_02713d6af862' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'x-safepoint-api-token: <Your_Safepoint_Token>'

Response:


{
    "message": "",
    "success": true,
    "data": {
        // JA4 fingerprint suffix
        "ja4_fingerprint": "1d37bd780c83_b26ce05bbdd6",
        // Detected malicious behaviors
        "behaviors": {},
        // Detected non-malicious attributes
        "labels": [],
        // JA4 Threat Level: 0-Unknown 1-Safe 2-Suspicious 3-Malicious
        "status": 3,
        // JA4 corresponding application list, true for authenticated data, false for non-authenticated data
        "application": {
            "Chrome ": true,
            "Chrome 119.0 ": true,
            "Chrome 120.0 ": true,
            "Chrome 121.0 ": true,
            "Chrome 126.0 Beta ": true,
            "Chromium Browser": true
        },
        // JA4 corresponding underlying application list, true for authenticated data, false for non-authenticated data
        "library": {
            "golang": false
        },
        // JA4 corresponding hardware device list, true for authenticated data, false for non-authenticated data
        "device": {
            "Google Pixel 5": true
        },
        // JA4 corresponding operating system list, true for authenticated data, false for non-authenticated data
        "os": {
            "android 13 .0": true
        },
        // JA4 corresponding User-Agent list, count represents the number of captures
        "related_uas": {
            "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)": 10218,
            "Mozilla/5.0 Firefox/33.0": 1,
            "Mozilla/5.0 X11; Ubuntu; Linux x86_64; rv:126.0 Gecko/20100101 Firefox/126.0": 8,
            "curl/7.88.1": 1,
            "curl/8.5.0": 7,
            "webpage-rs - https://crates.io/crates/webpage": 2
        },
        // JA4 corresponding IP list
        "related_ips": {}
    }
}