AbuseIPDB website screenshot

AbuseIPDB

AbuseIPDB is a community-driven project to help system administrators, webmasters, and security analysts check the reputation of IP addresses and report malicious activity. The free APIv2 surface lets developers query a single IP, check a CIDR block, retrieve paginated reports, download a curated blacklist, submit single or bulk abuse reports, and clear their own past reports for an address. AbuseIPDB underpins fail2ban, UFW, Cloudflare WAF, Wazuh, Splunk SOAR, and dozens of other firewall and SIEM integrations across the security community.

1 APIs 8 Features
Anti MalwareBlacklistCyber SecurityIP ReputationNetwork SecurityPublic APIsThreat Intelligence

APIs

AbuseIPDB APIv2

AbuseIPDB APIv2 is a REST API that exposes the AbuseIPDB community blacklist, IP report ingest, IP and CIDR reputation lookups, and self-service report cleanup. Authentication i...

Collections

AbuseIPDB APIv2

POSTMAN

Arazzo Workflows

AbuseIPDB Blacklist Triage

Download the community blacklist and enrich its top entry with a full single-IP check.

ARAZZO

AbuseIPDB Block Scan And Check

Scan a CIDR network block for reported addresses and deep-check the most abusive host.

ARAZZO

AbuseIPDB Bulk Report Then Verify

Upload a CSV of abuse reports in bulk, then spot-check one submitted IP to confirm it landed.

ARAZZO

AbuseIPDB Check Then Report

Check an IP's reputation and conditionally file an abuse report based on its confidence score.

ARAZZO

AbuseIPDB Clear False Positive

Check an IP and clear your own reports against it when it turns out to be whitelisted or clean.

ARAZZO

AbuseIPDB Investigate IP

Check an IP and, when it is abusive, pull its full paginated report history.

ARAZZO

AbuseIPDB Report Then Verify

Submit an abuse report for an IP and immediately re-check it to confirm the updated score.

ARAZZO

Pricing Plans

Abuseipdb Plans Pricing

4 plans

PLANS

Rate Limits

Abuseipdb Rate Limits

25 limits

RATE LIMITS

FinOps

Features

IP Reputation Lookups

Query any IPv4 or IPv6 address for its abuse confidence score, total reports, distinct reporters, and country/ISP metadata.

Community-Sourced Blacklist

Downloadable daily blacklist of high-confidence abusive IPs, with configurable confidence threshold, country filters, IP version, and result limit.

Abuse Reporting

Submit single or bulk abuse reports tagged with one or more standard category IDs (e.g. SSH Brute-Force, DDoS, Web App Attack).

CIDR Block Checking

Score whole subnets in one call via the CHECK-BLOCK endpoint, with subscriber tiers supporting up to /16 networks.

Categorised Abuse Taxonomy

23 standard report categories (DNS Compromise, Open Proxy, Brute-Force, Phishing, etc.) for consistent classification.

Self-Service Report Clearing

Remove your own reports for a given IP via the CLEAR-ADDRESS endpoint if a report was made in error.

Standard Rate-Limit Headers

Every response carries X-RateLimit-Limit / Remaining / Reset and Retry-After, simplifying back-off in clients.

Whitelist Awareness

Responses include an `isWhitelisted` flag so consumers can avoid blocking known-good infrastructure.

Use Cases

SSH / RDP Brute-Force Defence

Auto-block and report SSH/RDP brute-force sources via fail2ban, UFW, or endlessh integrations.

WAF Augmentation

Enrich Cloudflare / Nginx / custom WAF rulesets with the AbuseIPDB blacklist for IP-based pre-filtering.

SIEM / SOC Enrichment

Add AbuseIPDB context to Splunk SOAR, Wazuh, and TheHive alerts for analyst triage.

Bot and Crawler Filtering

Score request source IPs before serving e-commerce or login pages to block known-abusive infrastructure.

Threat Hunting and OSINT

Combine AbuseIPDB with VirusTotal, Shodan, GreyNoise and similar feeds (e.g. malwoverview) during incident response.

Bulk Reporting from Edge Logs

Convert nightly access logs into CSV bulk reports to feed the AbuseIPDB community blacklist.

Integrations

Fail2Ban

Pre-packaged AbuseIPDB action ships with fail2ban; reports banned offenders directly to AbuseIPDB.

UFW (Uncomplicated Firewall)

Multiple community projects (sefinek/UFW-AbuseIPDB-Reporter, jseutens/ufw-abuseipdb) ingest UFW logs and report or ingest the AbuseIPDB blacklist.

Cloudflare WAF

sefinek/Cloudflare-WAF-To-AbuseIPDB streams Cloudflare WAF events into AbuseIPDB reports.

Splunk SOAR

Official splunk-soar-connectors/abuseipdb connector enriches Splunk SOAR playbooks with AbuseIPDB reputation.

Wazuh

marciuscosta/abuseipdb-wazuh-integration wires AbuseIPDB enrichment into Wazuh with a local cache and multi-key support.

CrowdSec

goremykin/crowdsec-abuseipdb-blocklist converts CrowdSec data into AbuseIPDB blocklists.

Endlessh

elhenro/endlessh-auto-report-abuseipdb auto-reports SSH tarpit visitors to AbuseIPDB.

Nginx

tmiland/abuseipdb-php-nginx-blacklist-create generates an Nginx-ready blocklist file from AbuseIPDB.

Zen Cart

CcMarc/AbuseIPDB plugs AbuseIPDB into the Zen Cart e-commerce platform.

TheHive

AbuseIPDB enrichment is used by SOAR/IR pipelines like malwarekid/SOAR-Flow alongside Wazuh and TheHive.

IPinfo

AbuseIPDB sources its IP geolocation, ISP, usage type, and domain data from IPinfo.

Solutions

Individual (Free)

1,000 checks/day, 100 block checks, 5 blacklist downloads. Aimed at hobby admins and home labs.

Basic

$25/mo. 10,000 checks/day, 1,000 block checks, 100 bulk reports, customisable blacklist up to 100,000 IPs.

Premium

$99/mo. 50,000 checks/day, 5,000 block checks, 500 bulk reports, customisable blacklist up to 500,000 IPs.

Enterprise

Custom-priced direct data access for ISPs and large security organisations.

Semantic Vocabularies

Abuseipdb Context

0 classes · 34 properties

JSON-LD

API Governance Rules

AbuseIPDB API Rules

25 rules · 10 errors 14 warnings 1 info

SPECTRAL

JSON Structure

Abuseipdb Blacklist Entry Structure

4 properties

JSON STRUCTURE

Abuseipdb Check Response Structure

15 properties

JSON STRUCTURE

Abuseipdb Report Structure

7 properties

JSON STRUCTURE

Example Payloads

Abuseipdb Blacklist Example

2 fields

EXAMPLE

Abuseipdb Check Example

2 fields

EXAMPLE

Abuseipdb Report Example

2 fields

EXAMPLE

Abuseipdb Reports Example

2 fields

EXAMPLE

Resources

🔗
PostmanWorkspace
PostmanWorkspace
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Website
Website
🔗
Documentation
Documentation
📝
Signup
Signup
🔗
Login
Login
🌐
DeveloperPortal
DeveloperPortal
💰
Pricing
Pricing
🔗
Plans
Plans
🔗
RateLimits
RateLimits
🔗
SpectralRules
SpectralRules
🔗
Vocabulary
Vocabulary
🔗
FinOps
FinOps
🔗
Plans
Plans
📰
Blog
Blog
💬
FAQ
FAQ
💬
Support
Support
🔗
Contact
Contact
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
👥
GitHubOrganization
GitHubOrganization
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
🔗
CLI
CLI

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: AbuseIPDB APIv2
  version: 2.0.0
request:
  auth:
    type: apikey
    key: Key
    value: '{{Key}}'
    placement: header
items:
- info:
    name: Reputation
    type: folder
  items:
  - info:
      name: Check an IP Address
      type: http
    http:
      method: GET
      url: https://api.abuseipdb.com/api/v2/check
      params:
      - name: ipAddress
        value: ''
        type: query
        description: The IPv4 or IPv6 address to check.
      - name: maxAgeInDays
        value: ''
        type: query
        description: Restrict reports considered to those within the last N days (1-365, default 30).
      - name: verbose
        value: ''
        type: query
        description: When present, include the most recent reports in the response.
    docs: 'Returns the current abuse data for a single IPv4 or IPv6 address,

      including the abuse confidence score, country, ISP, usage type, and

      (when `verbose` is set) the most recent reports.

      '
  - info:
      name: Check a CIDR Network Block
      type: http
    http:
      method: GET
      url: https://api.abuseipdb.com/api/v2/check-block
      params:
      - name: network
        value: ''
        type: query
        description: A CIDR network range (e.g. `192.0.2.0/24`).
      - name: maxAgeInDays
        value: ''
        type: query
        description: Restrict to reports within the last N days (1-365, default 30).
    docs: 'Returns the abuse data for a CIDR network range. Free accounts may query

      ranges up to /24; subscriber tiers can query up to /16.

      '
- info:
    name: Reports
    type: folder
  items:
  - info:
      name: List Reports for an IP Address
      type: http
    http:
      method: GET
      url: https://api.abuseipdb.com/api/v2/reports
      params:
      - name: ipAddress
        value: ''
        type: query
        description: The IPv4 or IPv6 address whose reports should be returned.
      - name: maxAgeInDays
        value: ''
        type: query
        description: Restrict to reports within the last N days (1-365, default 30).
      - name: page
        value: ''
        type: query
        description: Page number to return (1-based).
      - name: perPage
        value: ''
        type: query
        description: Number of reports per page.
    docs: Returns a paginated list of recent reports for a given IP address.
  - info:
      name: Report an Abusive IP Address
      type: http
    http:
      method: POST
      url: https://api.abuseipdb.com/api/v2/report
      body:
        type: form-urlencoded
        data: []
    docs: 'Submit a new abuse report for an IP address with one or more category

      IDs, an optional comment, and an optional ISO 8601 timestamp.

      '
  - info:
      name: Bulk Report Abusive IP Addresses
      type: http
    http:
      method: POST
      url: https://api.abuseipdb.com/api/v2/bulk-report
      body:
        type: multipart-form
        data:
        - name: csv
          type: text
          value: ''
    docs: Submit many abuse reports at once via a CSV multipart upload.
- info:
    name: Blacklist
    type: folder
  items:
  - info:
      name: Download the AbuseIPDB Blacklist
      type: http
    http:
      method: GET
      url: https://api.abuseipdb.com/api/v2/blacklist
      params:
      - name: confidenceMinimum
        value: ''
        type: query
        description: Minimum confidence score (25-100, default 100; subscriber feature below 100).
      - name: limit
        value: ''
        type: query
        description: Maximum number of entries to return (varies by plan, up to 500,000).
      - name: onlyCountries
        value: ''
        type: query
        description: Comma-separated ISO 3166-1 alpha-2 country codes to include (subscriber feature).
      - name: exceptCountries
        value: ''
        type: query
        description: Comma-separated ISO 3166-1 alpha-2 country codes to exclude (subscriber feature).
      - name: ipVersion
        value: ''
        type: query
        description: Restrict to a specific IP version (4 or 6).
      - name: plaintext
        value: ''
        type: query
        description: When present, return one IP per line as text/plain instead of JSON.
    docs: 'Returns the AbuseIPDB blacklist. Free accounts receive up to 10,000

      entries; subscriber tiers can customise the confidence floor, country

      filters, IP version, and maximum result count.

      '
- info:
    name: Management
    type: folder
  items:
  - info:
      name: Clear Your Reports for an IP Address
      type: http
    http:
      method: DELETE
      url: https://api.abuseipdb.com/api/v2/clear-address
      params:
      - name: ipAddress
        value: ''
        type: query
        description: The IPv4 or IPv6 address whose reports (filed by your account) should be cleared.
    docs: Remove all of your own past reports for the given IP address.
bundled: true