AbuseIPDB
AbuseIPDB is a community-driven project to help system administrators, webmasters, and security analysts check the reputation of IP addresses and report malicious activity. The free APIv2 surface lets developers query a single IP, check a CIDR block, retrieve paginated reports, download a curated blacklist, submit single or bulk abuse reports, and clear their own past reports for an address. AbuseIPDB underpins fail2ban, UFW, Cloudflare WAF, Wazuh, Splunk SOAR, and dozens of other firewall and SIEM integrations across the security community.
APIs
AbuseIPDB APIv2
AbuseIPDB APIv2 is a REST API that exposes the AbuseIPDB community blacklist, IP report ingest, IP and CIDR reputation lookups, and self-service report cleanup. Authentication i...
Collections
AbuseIPDB APIv2
POSTMANAbuseIPDB APIv2
OPENArazzo Workflows
AbuseIPDB Blacklist Triage
Download the community blacklist and enrich its top entry with a full single-IP check.
ARAZZOAbuseIPDB Block Scan And Check
Scan a CIDR network block for reported addresses and deep-check the most abusive host.
ARAZZOAbuseIPDB Bulk Report Then Verify
Upload a CSV of abuse reports in bulk, then spot-check one submitted IP to confirm it landed.
ARAZZOAbuseIPDB Check Then Report
Check an IP's reputation and conditionally file an abuse report based on its confidence score.
ARAZZOAbuseIPDB Clear False Positive
Check an IP and clear your own reports against it when it turns out to be whitelisted or clean.
ARAZZOAbuseIPDB Investigate IP
Check an IP and, when it is abusive, pull its full paginated report history.
ARAZZOAbuseIPDB Report Then Verify
Submit an abuse report for an IP and immediately re-check it to confirm the updated score.
ARAZZOPricing Plans
Rate Limits
FinOps
Abuseipdb Finops
FINOPSFeatures
Query any IPv4 or IPv6 address for its abuse confidence score, total reports, distinct reporters, and country/ISP metadata.
Downloadable daily blacklist of high-confidence abusive IPs, with configurable confidence threshold, country filters, IP version, and result limit.
Submit single or bulk abuse reports tagged with one or more standard category IDs (e.g. SSH Brute-Force, DDoS, Web App Attack).
Score whole subnets in one call via the CHECK-BLOCK endpoint, with subscriber tiers supporting up to /16 networks.
23 standard report categories (DNS Compromise, Open Proxy, Brute-Force, Phishing, etc.) for consistent classification.
Remove your own reports for a given IP via the CLEAR-ADDRESS endpoint if a report was made in error.
Every response carries X-RateLimit-Limit / Remaining / Reset and Retry-After, simplifying back-off in clients.
Responses include an `isWhitelisted` flag so consumers can avoid blocking known-good infrastructure.
Use Cases
Auto-block and report SSH/RDP brute-force sources via fail2ban, UFW, or endlessh integrations.
Enrich Cloudflare / Nginx / custom WAF rulesets with the AbuseIPDB blacklist for IP-based pre-filtering.
Add AbuseIPDB context to Splunk SOAR, Wazuh, and TheHive alerts for analyst triage.
Score request source IPs before serving e-commerce or login pages to block known-abusive infrastructure.
Combine AbuseIPDB with VirusTotal, Shodan, GreyNoise and similar feeds (e.g. malwoverview) during incident response.
Convert nightly access logs into CSV bulk reports to feed the AbuseIPDB community blacklist.
Integrations
Pre-packaged AbuseIPDB action ships with fail2ban; reports banned offenders directly to AbuseIPDB.
Multiple community projects (sefinek/UFW-AbuseIPDB-Reporter, jseutens/ufw-abuseipdb) ingest UFW logs and report or ingest the AbuseIPDB blacklist.
sefinek/Cloudflare-WAF-To-AbuseIPDB streams Cloudflare WAF events into AbuseIPDB reports.
Official splunk-soar-connectors/abuseipdb connector enriches Splunk SOAR playbooks with AbuseIPDB reputation.
marciuscosta/abuseipdb-wazuh-integration wires AbuseIPDB enrichment into Wazuh with a local cache and multi-key support.
goremykin/crowdsec-abuseipdb-blocklist converts CrowdSec data into AbuseIPDB blocklists.
elhenro/endlessh-auto-report-abuseipdb auto-reports SSH tarpit visitors to AbuseIPDB.
tmiland/abuseipdb-php-nginx-blacklist-create generates an Nginx-ready blocklist file from AbuseIPDB.
CcMarc/AbuseIPDB plugs AbuseIPDB into the Zen Cart e-commerce platform.
AbuseIPDB enrichment is used by SOAR/IR pipelines like malwarekid/SOAR-Flow alongside Wazuh and TheHive.
AbuseIPDB sources its IP geolocation, ISP, usage type, and domain data from IPinfo.
Solutions
1,000 checks/day, 100 block checks, 5 blacklist downloads. Aimed at hobby admins and home labs.
$25/mo. 10,000 checks/day, 1,000 block checks, 100 bulk reports, customisable blacklist up to 100,000 IPs.
$99/mo. 50,000 checks/day, 5,000 block checks, 500 bulk reports, customisable blacklist up to 500,000 IPs.
Custom-priced direct data access for ISPs and large security organisations.