IOC Lookup API

Click here for the OpenAPI spec

The IOC Lookup API lets your security stack ask one question: “What does Q-Feeds know about this indicator?”
Send an IP, domain, URL, or hash and get a structured, sanitised response with verdict, score, enrichments, MITRE ATT&CK links, related indicators, and analyst context, without logging into the portal or parsing bulk feed files.

Built for SOC workflows, SIEM enrichment, ticketing, and custom integrations, the API complements Q-Feeds blocklist feeds: feeds tell you that something is bad; IOC Lookup explains why and how it fits in your investigation.

What you get on a match

• Verdict, confidence score, and human-readable verdict reasons
• First seen / last seen and enrichment status
• Tags, public analyst notes, and multi-source context
• Enrichments (e.g. GeoIP, DNSBL, threat intel providers)
• MITRE ATT&CK technique, group, and software links where available
• Linked IOCs and relationship context for pivoting

Designed for production use

• Single lookup — one indicator per request
• Bulk lookup — up to 200 values per request for alert triage and batch enrichment
• Usage endpoint — check monthly quota without spending a lookup credit
• Monthly quota per API key / License

Typical use cases

• Enrich SIEM or XDR alerts with verdict and context before an analyst opens a ticket
• Power internal “threat lookup” widgets in your own portal or customer console
• Feed SOAR playbooks with structured JSON instead of screen-scraping
• Validate suspicious IPs, domains, URLs or Hashes during incident response
• Batch-check indicator lists from phishing reports or threat hunts