About Karaliste.net
Platform documentation, data sources, API reference, and usage guidelines.
Honeypot Network
Distributed honeypot sensors that capture active scanning, brute-force attempts and exploit probes from across the internet.
Malware Infrastructure
IPs associated with command-and-control servers, malware distribution and botnet activity detected via threat analysis pipelines.
Abuse Reports
Aggregated data from public abuse databases, spam monitors and community-reported threat actors.
Active Scanning Detection
Passive and active scanning fingerprinting to identify IPs conducting port scans, vulnerability enumeration and reconnaissance.
Firewall Rules
Automatically block malicious IPs at the perimeter using our blacklist.txt export.
SIEM Integration
Ingest structured JSON data into Splunk, Elastic, QRadar or any SIEM platform.
Threat Hunting
Cross-reference network logs with our IP database to surface hidden intrusion attempts.
API Automation
Automate IP reputation lookups in your security orchestration and response workflows.
| Score | Risk Level | Description | Action |
|---|---|---|---|
| 1 | | Single observed event. Minimal risk; passive scan or probe. | Monitor |
| 2 | | Repeated events or secondary data source confirmation. | Caution |
| 3 | | Active exploitation attempts or confirmed brute-force activity. | Alert |
| 4 | | Multi-source confirmed malicious activity. Known attack source. | Block |
| 5 | | Active C2, ransomware distribution or critical infrastructure threat. | Block Now |
GET https://karaliste.net/exports/siem/siem.json
Returns feed metadata: total IP count, total pages and generation timestamp.
{ "total_pages": 21720, "total_ips": 2171987, "generated_at": "2026-02-17T20:47:07Z" }
GET https://karaliste.net/exports/siem/page_{n}.json
Returns a paginated array of IP threat records. Replace {n} with any page number from 1 to total_pages.
| Field | Type | Description |
|---|---|---|
| ip | string | IPv4 address or CIDR block |
| asn | integer | Autonomous System Number |
| asn_org | string | Organization registered to the ASN |
| country_code | string | ISO 3166-1 alpha-2 country code |
| country_name | string | Full country name in English |
| score | integer 1–5 | Threat severity score (see score reference) |
GET https://karaliste.net/exports/blacklist.txt
Plain-text list of all blacklisted IPs, one per line. Suitable for direct import into firewall rule sets, fail2ban, iptables or HAProxy.
All endpoints are publicly accessible with no rate limits or authentication. Data is refreshed periodically. For high-frequency automated polling, please cache responses locally and respect server resources.
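An added example (not Karaliste.net's own code) of consuming one page_{n}.json body for the firewall and threat-hunting uses described above: it validates each record before anything reaches a block list, matches log source IPs against CIDR entries as well as single addresses, and maps the score to the action in the score table. It assumes the page body is a top-level JSON array of records; the NEVER_BLOCK ranges, the min_prefix limit and the function names are assumptions, and the sample records are constructed and carry only the fields the code reads.

```python
import ipaddress
import json

# Action labels from the score table above.
ACTIONS = {1: "Monitor", 2: "Caution", 3: "Alert", 4: "Block", 5: "Block Now"}
# Assumption: ranges you never block, whatever the feed says (replace with your own).
OWN = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
NEVER_BLOCK = [ipaddress.ip_network(n) for n in OWN]

# Constructed sample page (documentation-range addresses, not real feed data).
SAMPLE_PAGE = json.dumps([
    {"ip": "198.51.100.23", "asn": 64500, "score": 5},
    {"ip": "203.0.113.0/24", "asn": 64501, "score": 4},
    {"ip": "203.0.113.77", "asn": 64501, "score": 2},
    {"ip": "192.0.2.10", "asn": 64502, "score": 1},
    {"ip": "10.0.0.0/8", "asn": 64503, "score": 5},   # would block internal hosts
    {"ip": "0.0.0.0/0", "asn": 64503, "score": 5},    # would block everything
    {"ip": "not-an-ip", "asn": 64503, "score": 3},    # malformed entry
])

def load_records(page_json, min_prefix=16):
    """Parse one page; return (accepted, rejected). accepted holds (network, score)."""
    accepted, rejected = [], []
    for rec in json.loads(page_json):
        try:
            net = ipaddress.ip_network(rec["ip"], strict=False)
            score = int(rec["score"])
        except (KeyError, TypeError, ValueError):
            rejected.append(rec)
            continue
        if (net.version != 4 or score not in ACTIONS or net.prefixlen < min_prefix
                or any(net.overlaps(own) for own in NEVER_BLOCK)):
            rejected.append(rec)  # keep for review instead of silently dropping
        else:
            accepted.append((net, score))
    return accepted, rejected

def verdict(src_ip, accepted):
    """Highest-scoring feed entry covering a log source IP, or None if unlisted."""
    addr = ipaddress.ip_address(src_ip)
    hits = [(score, net) for net, score in accepted if addr in net]
    if not hits:
        return None
    score, net = max(hits, key=lambda h: h[0])
    return {"ip": src_ip, "matched": str(net), "score": score, "action": ACTIONS[score]}

def firewall_set(accepted, min_score=4):
    """Collapsed CIDR list for perimeter blocking (scores marked Block or Block Now)."""
    nets = [net for net, score in accepted if score >= min_score]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

Rejected records are returned rather than discarded so that an over-broad or internal entry shows up in review before the next refresh.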
Continuous Updates
The feed is regenerated regularly as new threat signals are processed. The generated_at field in siem.json always reflects the latest build timestamp.
Global Coverage
Threat actors from 100+ countries are tracked. Coverage is highest for Asia-Pacific, Eastern Europe, and the Middle East where scan traffic originates most frequently.
Automatic Expiry
IPs that cease malicious activity are removed after a defined observation window to minimize false positives in your blocking rules.
False Positive Removal
If your IP is incorrectly listed, contact us with evidence of legitimate use. We review all removal requests within 72 hours.
License & Usage
This data is provided free of charge for both commercial and non-commercial use. Attribution is appreciated but not required.
Disclaimer
Data is provided as-is. Karaliste.net is not liable for any damages resulting from the use or misuse of this threat intelligence feed.