Hazard report
Introduction
The Hazard Report API provides a consolidated, machine-readable assessment of IP address risk, combining reactive signals (evidence of past malicious behaviour such as blacklist appearances and known anonymiser detections) with proactive indicators (the likelihood that an IP belongs to a hosting or data-centre environment with no eyeball behind the device).
This dual approach helps you identify threats before they act — a critical advantage for zero-day defence — while still leveraging historical evidence where available. Key outputs include hostingLikelihood (0–10), AS/provider context, anonymiser indicators, and related hazard flags. For background on the model and concepts, see What is Hosting Likelihood? and the Hazard Report overview.
If you need geolocation with polygonal confidence areas in the same response, use IP Geolocation with Confidence Area & Hazard Report API. For a simplified risk verdict (low / moderate / high), see the User Risk API.
Get Started
This API is part of the IP Geolocation API Package and is available in free and paid plans. Please visit the IP Geolocation API Package page for limits and pricing information.
Endpoint
Request
Responses
200 OK
Sample Query
Schema
isKnownAsTorServer (boolean): Determines whether the requested IP address is known to be used by a Tor server.
isKnownAsVpn (boolean): Determines whether the requested IP address is known to be used by a VPN server.
isKnownAsProxy (boolean): Determines whether the requested IP address is known to be used by a proxy server.
isSpamhausDrop (boolean): Determines whether the requested IP address is listed on the Spamhaus DROP list. The Spamhaus DROP (don't route or peer) lists are advisory 'drop all traffic' lists, consisting of netblocks that are 'hijacked' or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers).
isSpamhausEdrop (boolean): Determines whether the requested IP address is listed on the Spamhaus EDROP list. According to Spamhaus, EDROP is an extension of the DROP list that includes sub-allocated netblocks controlled by spammers or cyber criminals.
isSpamhausAsnDrop (boolean): Determines whether the requested IP address is listed on the Spamhaus ASN-DROP list. According to Spamhaus, ASN-DROP contains a list of autonomous system numbers controlled by spammers or cyber criminals, as well as hijacked ASNs.
isBlacklistedUceprotect (boolean): Determines whether the requested IP address is blacklisted at uceprotect.net or backscatterer.org.
isBlacklistedBlocklistDe (boolean): Determines whether the requested IP address is blacklisted at blocklist.de.
isKnownAsMailServer (boolean): Determines whether the requested IP address is known to be used by an SMTP mail server.
mailServerDomain (string): The last detected SMTP domain name making use of this IP address.
isKnownAsPublicRouter (boolean): Determines whether the requested IP address is known to be used by a public router.
isBogon (boolean): Indicates whether the IP address is excluded from public Internet use by the authorities but announced into the global routing table via BGP.
isUnreachable (boolean): Determines whether the requested IP address is not reachable via the public Internet.
hostingLikelihood (integer): The likelihood, on a scale of 0-10, of a hosting origin.
isHostingAsn (boolean): Determines whether the requested IP address was announced by an autonomous system which is likely to publish hosting networks.
isCellular (boolean): Determines whether the requested IP address was detected as being used within a cellular network.
iCloudPrivateRelay (boolean): Determines whether the requested IP address was detected as an Apple iCloud Private Relay address.
Sample Response
403 Access denied, or your quota limit has been exceeded
Sample Response
405 The requested IP address is not valid
Sample Response
500 An error has occurred and your request was not completed. Please try again
Sample Response
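The following is an added example, not code from the API provider: it shows one way a consumer could turn an already-parsed 200 response into an access decision, keeping the reactive signals (list and anonymiser flags) separate from the proactive ones (hostingLikelihood, isHostingAsn) described in the Introduction. The field names come from the Schema above; the function name, the threshold of 7, the action names and the policy itself are assumptions.

```python
# Added example: field names are from the schema above; the threshold and
# action names are assumptions, not the provider's recommendations.
BLOCK_FLAGS = ("isSpamhausDrop", "isSpamhausEdrop", "isSpamhausAsnDrop", "isBogon")
REVIEW_FLAGS = ("isBlacklistedUceprotect", "isBlacklistedBlocklistDe",
                "isKnownAsTorServer", "isKnownAsVpn", "isKnownAsProxy")
HOSTING_THRESHOLD = 7  # assumed cut-off on the 0-10 hostingLikelihood scale

# Constructed sample response body (not real API output).
SAMPLE = {"isKnownAsVpn": False, "isSpamhausDrop": False, "hostingLikelihood": 9,
          "isHostingAsn": True, "isCellular": False, "iCloudPrivateRelay": False}


def triage(report: dict) -> dict:
    """Return {'action', 'reactive', 'proactive'} for a parsed Hazard Report."""
    def flag(name: str) -> bool:
        # Missing or null fields count as "not set"; only a literal True is a hit.
        return report.get(name) is True

    reactive = [f for f in BLOCK_FLAGS + REVIEW_FLAGS if flag(f)]

    proactive = []
    score = report.get("hostingLikelihood")
    if isinstance(score, int) and not isinstance(score, bool) and 0 <= score <= 10:
        if score >= HOSTING_THRESHOLD:
            proactive.append(f"hostingLikelihood={score}")
    elif score is not None:
        raise ValueError(f"invalid hostingLikelihood: {score!r}")
    if flag("isHostingAsn"):
        proactive.append("isHostingAsn")

    # Cellular and iCloud Private Relay addresses are shared by many real users,
    # so hosting hints alone do not escalate them (assumed policy).
    shared = flag("isCellular") or flag("iCloudPrivateRelay")

    if any(flag(f) for f in BLOCK_FLAGS):
        action = "block"
    elif reactive or (proactive and not shared):
        action = "challenge"
    else:
        action = "allow"
    return {"action": action, "reactive": reactive, "proactive": proactive}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Returning the matched signals alongside the action lets the decision be logged and audited, which matters when a proactive-only hit challenges a user who has no blacklist history.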