ContrastAPI

Look up the Autonomous System Number (ASN) for a domain or IP address, returning the AS number, organization name, and all announced IPv4/IPv6 prefixes. Use this to identify which network operator owns an IP range, or to understand the network infrastructure behind a domain. For detailed IP-level intelligence (ports, reputation), use ip_lookup instead. Returns JSON with fields: asn (number), holder (organization name), prefixes_v4 (array of CIDR blocks), and prefixes_v6. Read-only lookup, no authentication required.

Comprehensive domain audit in a single call — combines a full domain report (DNS, WHOIS, SSL, subdomains, WAF, threat intel, risk score), live HTTP security headers, and technology stack fingerprinting. Use this when you want a complete picture of a target without making multiple requests. For investigations that need only one aspect (e.g. just DNS or just SSL), use the dedicated tool instead. Returns JSON with fields: domain, report (full domain intel), technologies (detected tech stack with categories and count), live_headers (HTTP response headers from the live site), and a combined summary. Read-only orchestrated lookup, no authentication required.

Look up multiple CVEs in a single request — efficient for vulnerability scanning, dependency audits, and threat intelligence pipelines that need to enrich many CVE IDs at once. Each CVE returns full details (severity, CVSS breakdown, EPSS score, KEV status, description, references). Use bulk_cve_lookup instead of calling cve_lookup repeatedly when you have a list of 5+ CVEs to check. For a single CVE, use cve_lookup. Returns JSON with fields: results (array of CVE details), total, successful, failed, and summary. Read-only database lookup, free tier allows 10 IDs per request, Pro allows 50.

Enrich multiple Indicators of Compromise in a single request — auto-detects each indicator type (IP/domain/URL/hash) and queries threat feeds (ThreatFox, URLhaus, Feodo) in parallel. Use this for SOC alert triage, threat hunting, or batch enrichment when you have many suspicious indicators to investigate at once. For a single indicator, use ioc_lookup. Returns JSON with fields: results (array with indicator, type, threat_level, sources), total, successful, failed, timed_out, partial (true if some indicators hit the overall timeout), and summary. Read-only threat feed query, free tier allows 10 indicators per request, Pro allows 50.

Validate a set of HTTP security headers that you already have (e.g. copied from browser DevTools, a curl response, or an existing configuration). Checks Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and Referrer-Policy against security best practices. Unlike scan_headers (which fetches headers live from a domain), this tool analyzes headers you provide directly — useful for testing configurations before deployment or validating headers from non-public servers. Returns JSON with fields: total (finding count), by_severity (counts), and findings (array with severity, header_name, issue, and recommendation). Read-only validation, no external requests made.

Static analysis tool that scans source code snippets for injection vulnerabilities: SQL injection (string concatenation in queries), command injection (unsanitized input in shell commands), and path traversal (user input in file paths). Uses language-specific patterns to detect unsafe data flow. This tool performs read-only analysis on the provided code string — it does not access any files, execute any code, or modify system state. For hardcoded key detection, use check_secrets. Returns JSON with fields: total (finding count), by_severity (CRITICAL/HIGH/MEDIUM/LOW counts), and findings array.

Static analysis tool that scans source code snippets for hardcoded tokens and keys (e.g. AWS access keys, API tokens, connection strings). Uses pattern matching with language-specific context to reduce false positives. This tool performs read-only analysis on the provided code string — it does not access any files, environment variables, or system resources. The code is analyzed in-memory and not stored. For injection vulnerability detection, use check_injection. Returns JSON with fields: total (finding count), by_severity (CRITICAL/HIGH/MEDIUM/LOW counts), and findings array.

Retrieve detailed information about a specific CVE vulnerability including description, CVSS v3.1 base score and vector, EPSS exploitation probability score, CISA KEV (Known Exploited Vulnerabilities) status, affected products (CPE), and reference URLs. Use this when you have a specific CVE ID and need full details. To search for CVEs by product or severity, use cve_search instead. To find public exploits for a CVE, use exploit_lookup. Returns JSON with fields: cve_id, description, cvss_score, cvss_vector, cvss_breakdown, epss (score + percentile), kev (boolean + due_date), affected_products, and references. Read-only database lookup, no authentication required.

Search the CVE database for vulnerabilities matching filters on product name, severity level, and publication date range. Use this to find recent vulnerabilities affecting specific software, or to get an overview of critical CVEs in a time window. For details on a specific CVE you already know, use cve_lookup instead. Returns JSON with fields: total (matching count), cves (array of objects with cve_id, description, cvss_score, severity, published_date, and epss_score). Results are sorted by publication date, newest first. Read-only database query, no authentication required.

Retrieve all DNS records for a domain including A, AAAA, MX, NS, TXT, CNAME, and SOA record types. Use this when you need to inspect mail routing (MX), verify nameserver delegation (NS), check SPF/DMARC policies (TXT), or confirm IP resolution (A/AAAA). For a broader security overview that includes DNS, use domain_report instead. Returns JSON with a records array, each containing type, value, and TTL fields. Read-only DNS query, no authentication required.

Retrieve a comprehensive security report for a domain combining DNS records, WHOIS registration, SSL/TLS certificate, subdomain discovery, threat reputation, and an overall risk score into a single response. Use this as the first step when investigating a domain — it provides a broad overview. For deeper analysis of a specific area, follow up with the dedicated tool (ssl_check, dns_lookup, etc.). Returns JSON with sections: dns, whois, ssl, subdomains, threats, and a numeric risk_score (0-100, higher = riskier). Read-only lookup, no authentication required.

Check whether an email address uses a known disposable or temporary email provider (e.g. Guerrilla Mail, Temp Mail, Mailinator). Use this for input validation to detect throwaway signups or to assess the legitimacy of a contact email. Returns JSON with fields: disposable (boolean), domain, and provider (name of the disposable service if detected). Read-only lookup against a local database of disposable domains, no authentication required.

Analyze the email security configuration of a domain by checking MX records, SPF policy, DMARC policy, and DKIM selectors. Identifies the mail provider (Google Workspace, Microsoft 365, etc.) and grades the overall email security posture. Use this to verify email authentication setup or assess phishing risk for a domain. Returns JSON with fields: mx_records, provider, spf (record + validity), dmarc (record + policy), dkim (selector results), and grade (A-F with 0-100 score). Read-only DNS queries, no authentication required.

Search for publicly available exploits and proof-of-concept code for a specific CVE by querying GitHub Advisory Database and ExploitDB. Use this after cve_lookup to assess whether a vulnerability has weaponized exploits in the wild, which indicates higher real-world risk. Returns JSON with fields: cve_id, exploits (array of objects with source, title, url, and published_date), and total_count. An empty exploits array means no public exploits were found. Read-only lookup, no authentication required.

Look up a file hash in the MalwareBazaar database to check if it is a known malware sample. Returns malware family name, file type, file size, tags, first/last seen dates, and download count. Use this when you have a suspicious file hash from logs, alerts, or forensic analysis and need to determine if it is malicious. For general IOC lookups that auto-detect indicator type, use ioc_lookup instead. Returns JSON with fields: found (boolean), malware_family, file_type, file_size, tags, first_seen, last_seen, and signature. Read-only database query, no authentication required.

Enrich an Indicator of Compromise (IOC) by auto-detecting its type (IP, domain, URL, or file hash) and querying abuse.ch threat feeds: ThreatFox for malware indicators, URLhaus for malicious URLs, and Feodo for botnet C2 servers. Use this as the primary tool for threat hunting when you have a suspicious indicator but don't know its type. For malware-specific hash lookups with file metadata, use hash_lookup instead. For domain-only threat checks, use threat_intel. Returns JSON with fields: indicator, type (auto-detected), found (boolean), threat_type, malware_family, tags, confidence, source, and references. Read-only threat feed query, no authentication required.

Retrieve comprehensive intelligence about an IP address including geolocation, PTR record, open ports, associated hostnames, known vulnerabilities, abuse reports, and reputation score. Use this to investigate suspicious IPs from logs, identify the owner of an IP, or assess whether an IP is malicious. For network-level info (ASN, IP ranges), use asn_lookup instead. Returns JSON with fields: ip, ptr, geo (country, city, org), ports (array), hostnames, vulns (array), reputation (score + categories), and abuse_contacts. Read-only lookup, no authentication required.

Check if a SHA-1 hash appears in the Have I Been Pwned (HIBP) breach dataset using k-anonymity (only a 5-character prefix is sent to HIBP, the full hash never leaves this tool). This is a read-only lookup — no data is stored, no files are accessed, no system state is modified. Input must be a 40-char hex SHA-1 digest. Returns JSON with fields: found (boolean) and count (number of breach appearances). A count of 0 means the hash has not been seen in any known breaches.

Check if a specific URL is a known phishing page or malware distribution URL by querying the URLhaus database. Use this when you have a full URL (not just a domain) that you suspect may be malicious — for example, from a phishing email or suspicious link. For domain-level threat assessment, use threat_intel instead. For general IOC enrichment, use ioc_lookup. Returns JSON with fields: found (boolean), threat_type (phishing/malware/none), status (online/offline), tags, date_added, and source. Read-only database query, no authentication required.

Validate and analyze a phone number to determine its country, region, carrier, line type (mobile/landline/VoIP), and timezone. Use this to verify phone number legitimacy, identify the carrier or country of origin, or detect VoIP numbers that may indicate fraud. The number must include the country code prefix. Returns JSON with fields: valid (boolean), country, region, carrier, line_type, timezone, and formatted versions (national, international, E.164). Read-only lookup, no authentication required.

Perform a live HTTP request to a domain and analyze the security headers in the response, checking for Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and Referrer-Policy. Use this to audit a live website's header configuration. Unlike check_headers (which validates headers you already have), this tool fetches headers directly from the target. Returns JSON with fields: headers_present (list), headers_missing (list), findings (array with severity and recommendation per header), and a total score. Read-only HTTP GET request to the target domain, no authentication required.

Analyze the SSL/TLS certificate and connection security of a domain by connecting to port 443 and inspecting the certificate chain, cipher suite, protocol version, and expiry date. Use this to verify certificate validity, detect expiring certificates, or audit TLS configuration strength. Returns JSON with fields: grade (A-F), protocol, cipher, issuer, subject, not_before, not_after, chain (array of certificates), and san (Subject Alternative Names). Read-only TLS handshake, no authentication required.

Discover subdomains of a domain using passive methods: Certificate Transparency log searches and DNS common-name brute-forcing. Use this to map an organization's attack surface or find forgotten/exposed services. This is a passive, non-intrusive enumeration — it does not actively probe discovered hosts. Returns JSON with a subdomains array of discovered hostnames and their resolved IP addresses. Read-only lookup, no authentication required.

Identify the technology stack of a website by analyzing HTTP headers, HTML meta tags, and JavaScript includes. Detects CMS (WordPress, Drupal), frameworks (React, Angular), CDN providers (Cloudflare, Akamai), analytics tools, web servers, and programming languages. Use this for reconnaissance to understand what software a target runs. Returns JSON with a technologies array, each containing name, category, confidence percentage, and version (when detectable). Read-only HTTP request, no authentication required.

Check if a domain is associated with malware distribution, botnet C2, or other malicious activity by querying URLhaus and abuse.ch threat feeds. Use this to assess whether a domain is safe to visit or interact with. For checking a specific URL (not just domain), use phishing_check instead. For file-based IOC lookups, use ioc_lookup. Returns JSON with fields: malware_urls (count of active malicious URLs), threat_tags, threat_status, and a summary assessment. Read-only threat feed query, no authentication required.

Comprehensive IP threat report in a single call — combines Shodan InternetDB enrichment (open ports, hostnames, vulnerabilities, CPEs), AbuseIPDB reputation (abuse score, country, ISP), full Shodan lookup (organization, OS, geolocation), and ASN ownership (AS number, prefix). Use this for SOC triage and threat hunting when you need a complete IP profile without making 4+ separate requests. Returns JSON with fields: ip, enrichment, abuseipdb, shodan, asn, threat_level (none/low/medium/high), and a summary. Read-only orchestrated lookup, no authentication required.

Search for a username across multiple social media and developer platforms (GitHub, Reddit, X/Twitter, Instagram, LinkedIn, TikTok, Facebook, YouTube, Pinterest, Telegram, Discord, Mastodon, Keybase, HackerOne, GitLab, Medium) to check if accounts exist. Use this for OSINT investigations to map a person's online presence or verify identity claims. Returns JSON with fields: username, total_found (count), and platforms (array of objects with name, exists (boolean), url, and status_code). Read-only HTTP checks to public profile pages, no authentication required.

Retrieve historical web archive snapshots for a domain from the Wayback Machine, showing when the site was first captured, the most recent snapshot, and total snapshot count over time. Use this to investigate domain history, verify how long a site has existed, or detect changes in content over time. For a broader security overview of a domain, use domain_report instead. Returns JSON with fields: first_snapshot (date + URL), last_snapshot (date + URL), total_snapshots, and a yearly_breakdown of capture counts. Read-only query to the Internet Archive API, no authentication required.

Retrieve WHOIS registration data for a domain including registrar name, registrant organization, creation date, expiry date, last updated date, and authoritative nameservers. Use this to determine domain ownership, age, or expiration status. For a full security overview that includes WHOIS, use domain_report instead. Returns JSON with fields: registrar, creation_date, expiration_date, updated_date, nameservers, status, and dnssec. Read-only WHOIS query, no authentication required.