Threat Feed Aggregator — IP & Domain Threat Brief
Consolidated threat brief from reputation, Spamhaus, phishing, and blocklist feeds
How to Use This Tool
- Enter an IPv4 address, domain, or hostname in the query field.
- Valid public domain labels trigger the domain threat brief path.
- Domain path runs phishing analysis, domain DNSBL, IP resolution, and email DNS.
- IPv4 or non-domain input triggers IP reputation plus Spamhaus merge.
- Resolved domain IPv4 embeds malware-ip output as ipThreat when available.
- Review type, summary, and nested signal objects for block or monitor decisions.
About This Tool
Security operations centers ingest indicators from ISAC mailing lists, commercial feeds, and open-source threat repositories — analysts need one aggregated brief instead of opening five separate lookup tabs for every IOC. VSPIC threat feed aggregator calls the threat-intel action with your query, auto-detects domain versus IP input, and assembles a tailored brief: domain path returns phishing heuristics, domain DNSBL on DBL URIBL ZRD, resolved IPv4, embedded ipThreat from malware-ip when A records exist, and SPF DMARC flags; IP path merges reputation fraudScore, detection cards, and per-zone Spamhaus results.
The type field distinguishes domain versus ip responses with different object shapes and a summary sentence for ticket titles. This page frames threat feed aggregator SEO language while the backend matches threat-intelligence-lookup and threat-feed-lookup — breadth for triage speed, with dedicated tools for deep dives on individual signal classes.
Common use cases
- •Check if a VPN or proxy is detected on your connection
- •Validate SSL certificates before launch
- •Scan for email addresses in known breaches
Why use VSPIC for ?
- Single lookup aggregates multiple threat feed signals.
- Automatic domain versus IP detection with tailored brief shape.
- Phishing heuristics plus DNSBL for domain indicators.
- fraudScore plus Spamhaus zones for IP indicators.
- emailAuth SPF and DMARC flags on domain briefs.
- Free instant OSINT-style summary for authorized triage.
Why threat feed aggregation matters
Feed subscribers paste indicators into lookup before sandbox detonation or firewall block commits. Aggregated briefs correlate phishing score, DNSBL status, and Spamhaus listing in one JSON view — reducing mean time to triage during campaign surges.
Aggregation does not replace analyst judgment. Conflicting signals — clean Spamhaus with high phishing score on typosquat — require contextual notes in escalation tickets.
Domain threat brief composition
Domain path returns phishing object with riskScore, riskLevel, and signals from hostname heuristics. dnsbl array shows DBL URIBL ZRD listing status. resolvedIp captures first IPv4 when present. ipThreat embeds malware-ip output including malwareListHits and infrastructure flags.
emailAuth summarizes SPF and DMARC presence — authentication gaps compound distrust on suspicious hostnames.
IP threat brief composition
IP path merges handleReputation output — fraudScore, riskLevel, detections for DNSBL VPN proxy hosting botnet, listedOn, blacklists — with handleSpamhaus per-zone zen SBL XBL PBL results. summary synthesizes fraud score and Spamhaus listed status in one sentence.
Follow malware-ip-checker when you need malwareListHits emphasis without fraud score noise.
Relationship to threat-intelligence-lookup
Both pages call action threat-intel with identical JSON. threat-intelligence-lookup uses threat intelligence SEO vocabulary; threat-feed-aggregator targets operators searching threat feed aggregator terminology from ISAC and commercial feed workflows.
API consumers use threat-intel with query, ip, or domain parameters interchangeably.
Relationship to threat-feed-lookup
threat-feed-lookup and threat-feed-aggregator share the same threat-intel backend with different landing page framing. Choose whichever page title matches your team's vocabulary — automation uses one endpoint.
Cross-link malware-signature-lookup when you need raw DNSBL detail beyond aggregated brief scope.
SOC and SOAR integration
Feed aggregator JSON into SOAR enrichment steps during concurrent indicator processing. Archive brief JSON with ticket closure for metrics on indicator classes over time.
Recheck at incident milestones — threat actors rotate infrastructure within hours.
Phishing plus blocklist correlation
High phishing riskScore with DNSBL listing strongly suggests active campaign infrastructure. Medium phishing with clean DNSBL may indicate reconnaissance registration not yet used. Low phishing with DNSBL hit may reflect compromised legitimate site.
Document signal combinations in tickets rather than relying on summary alone.
API action threat-intel
GET /ip-tools/api/extended?action=threat-intel&query=example.com or query=8.8.8.8. Parse type, summary, and nested objects. Branch on type domain versus ip in automation logic.
Individual actions like reputation and spamhaus remain available when brief payload size is excessive.
Authorized use
Threat feed aggregation on third-party indicators must align with organizational policy and law. Queries use public DNS and data APIs — not intrusive port scanning.
Do not use briefs for discriminatory user profiling or automated punishment without review.
Important notes & limitations
- Aggregator breadth trades depth — use dedicated tools for delisting detail.
- Domain path uses first IPv4 A record only for ipThreat context.
- Heuristic and DNSBL signals are not definitive verdicts.
- Point-in-time snapshot — recheck during active campaigns.
- Authorized investigation only — not for harassment or profiling.
Frequently Asked Questions
Yes. VSPIC offers this threat feed aggregator at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. It aggregates key signals for speed. Use dedicated tools for deep analysis and delisting workflows.
Valid public domain labels use domain brief. Bare IPv4 addresses use IP brief with reputation and Spamhaus.
Same threat-intel API and JSON. This page targets threat feed aggregator vocabulary; threat-intelligence-lookup targets threat intelligence terminology.
When an A record IPv4 resolves, malware-ip checker output embeds — DNSBL hits and hosting context.
Yes. IP brief merges reputation results with per-zone Spamhaus lookup output.
threat-intel with the query parameter.
Next step for your check
Continue with threat intelligence lookup on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
Threat Intelligence Lookup
Aggregate IP or domain threat brief — reputation, Spamhaus, phishing, DNSBL
Use Free →Threat Feed Lookup
Threat Feed Lookup — free online tool
Use Free →Malware IP Checker
DNSBL malware and spam blacklist scan with hosting and proxy context
Use Free →Spamhaus Lookup
Query zen, SBL, XBL, and PBL Spamhaus DNSBL zones for any IPv4
Use Free →SSL Checker
Validate SSL/TLS certificates and expiration dates
Use Free →Blacklist Checker
Check if an IP is listed on spam and abuse blacklists
Use Free →
Trusted by Users Who Value Privacy
Always Free
No premium plan ever
100% Private
Files processed in browser
Instant Results
Convert in seconds
Works Everywhere
Any device, any OS