IP Security Database
Overview
Our IP Security Database and Threat Intelligence provides advanced malicious IP detection for both IPv4 and IPv6 addresses. This powerful IP threat intelligence database identifies high-risk IPs linked to spamming, phishing, botnets, open proxies, VPNs, Tor exit nodes, and compromised hosts. By integrating this intelligence into your systems, you can enhance fraud prevention, block suspicious connections in real-time, and protect your applications, APIs, and networks against cyberattacks.
Each IP record includes IP reputation data, threat categories, risk scores, and attack classifications, giving you actionable insights for automated security workflows. Our intelligence is aggregated from multiple trusted sources worldwide, ensuring broad coverage of malicious infrastructure. Combined with IP Location data, this database makes it easy to correlate threats by region, detect patterns, and take proactive measures against evolving attacks.
We update our IP security feeds multiple times every day, so the latest intelligence always backs your defenses. The database is available in CSV, MMDB, or custom formats for seamless integration with SIEMs, firewalls, fraud detection engines, and other cybersecurity platforms. Full documentation includes schema definitions, file specifications, and integration examples to help you deploy quickly and efficiently.
Available Database Formats
CSV Database Documentation
1. Overview
The CSV version of our IP to Security Database is delivered as a ZIP archive that includes Gzip-compressed files with IP ranges, location details, and multilingual place names. It’s well-suited for bulk imports and easy integration into relational databases.
2. Archive Content
After downloading and extracting the IP to Security CSV database archive, you’ll find the following files (with their types noted):
- db-ip-security.csv.gz: This Gzip-compressed CSV provides threat intelligence: IP ranges, threat scores, Tor/proxy flags, and more.
- README.md: Documentation for dataset contents, schema, usage, and support.
Always verify downloaded files with the provided checksum before importing.
On Linux, if sha256sum is not installed, first run:
sudo apt-get install coreutils
Then check the archive files against the checksum file with:
sha256sum -c checksum.txt
Example output:
db-ip-security.csv.gz: OK
README.md: OK
db-ip-security.md5: OK
If a file’s checksum does not match, FAILED will be shown instead of OK. If verification fails, first confirm that the download completed correctly; if the issue persists, please contact our support team.
Schema
This section describes the schema of each file included in the IP to Security Database archive. For every file, you’ll find its purpose, field definitions, and examples to help with integration.
1. db-ip-security.csv.gz
This file contains security threat data for IP address ranges. It maps each IP block to a threat_score and flags for specific security attributes, including Tor usage, proxy details, and identifying the IP as a known attacker, bot, or cloud provider.
| Field | Type | Description | Can be empty? | Example |
|---|---|---|---|---|
| start_ip | string | The starting IP address of the range in IPv4 or IPv6 format. | No | 192.168.0.1 |
| end_ip | string | The ending IP address of the range in IPv4 or IPv6 format. | No | 192.168.0.255 |
| threat_score | integer | The threat_score is a numerical value indicating the potential risk associated with the IP range, where a higher score suggests a greater risk. | No | 80 |
| is_tor | boolean | Indicates whether the IP range is associated with a Tor network. A value of true means it is a Tor exit node. | No | false |
| is_proxy | boolean | Indicates whether the IP range is associated with a proxy server. A value of true means it is a proxy. | No | true |
| proxy_type | string | The type of proxy associated with the IP range, such as VPN, OpenVPN, WireGuard, etc. | Yes | VPN |
| proxy_provider | string | The name of the provider or service that operates the proxy server for the IP range. | Yes | Nord VPN |
| is_anonymous | boolean | Indicates whether the IP range is associated with anonymous browsing. A value of true means it is an anonymous proxy. | No | true |
| is_known_attacker | boolean | Indicates whether the IP range has been flagged as associated with known attackers or malicious activity. | No | true |
| is_bot | boolean | Indicates whether the IP range is associated with bot traffic. A value of true means it is likely a bot. | No | false |
| is_spam | boolean | Indicates whether the IP range has been flagged for sending spam. A value of true means it is associated with spam activity. | No | false |
| is_cloud_provider | boolean | Indicates whether the IP range belongs to a cloud service provider. A value of true means it is a cloud provider. | No | true |
| cloud_provider | string | The name of the cloud service provider associated with the IP range, such as AWS, Azure, Google Cloud, etc. | Yes | Packethub S.A. |
Example Records
2. File Relationship Diagram
File Format & Encoding
All IP to Security CSV datasets are provided in UTF-8 encoding, comma-separated, and compressed with Gzip (.csv.gz). Each file includes a header row listing the field names for clarity and consistency.
Field values are unquoted by default, with quotes applied only in the following cases:
- Line breaks within text fields.
- Commas inside a value (e.g., addresses).
- Lists of values (e.g., languages).
- Spaces that may be auto-quoted by export tools.
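The following is an added example, not code from the vendor: it loads a file with the db-ip-security.csv.gz schema and answers "which record covers this IP?" for both IPv4 and IPv6. It assumes ranges do not overlap; the function names, sample rows and provider names are constructed for illustration.

```python
import bisect
import csv
import gzip
import io
import ipaddress

# Constructed sample rows following the schema above (documentation-range IPs,
# made-up provider names); the real input is db-ip-security.csv.gz.
SAMPLE_CSV = """start_ip,end_ip,threat_score,is_tor,is_proxy,proxy_type,proxy_provider,is_anonymous,is_known_attacker,is_bot,is_spam,is_cloud_provider,cloud_provider
192.0.2.0,192.0.2.255,80,false,true,VPN,"Example VPN, Inc.",true,true,false,false,true,Example Cloud
198.51.100.0,198.51.100.127,10,false,false,,,false,false,false,false,false,
2001:db8::,2001:db8::ffff,95,true,false,,,true,true,false,false,false,
"""
BOOL_FIELDS = ("is_tor", "is_proxy", "is_anonymous", "is_known_attacker",
               "is_bot", "is_spam", "is_cloud_provider")


def load_ranges(fileobj):
    """Parse the Gzip-compressed CSV into per-IP-version range lists sorted by start."""
    rows = {4: [], 6: []}
    with gzip.open(fileobj, "rt", encoding="utf-8", newline="") as fh:
        for row in csv.DictReader(fh):  # csv module handles quoted commas/newlines
            start = ipaddress.ip_address(row["start_ip"])
            end = ipaddress.ip_address(row["end_ip"])
            if start.version != end.version or start > end:
                raise ValueError(f"bad range {row['start_ip']}-{row['end_ip']}")
            row["threat_score"] = int(row["threat_score"])
            for name in BOOL_FIELDS:
                row[name] = row[name].strip().lower() == "true"
            rows[start.version].append((int(start), int(end), row))
    index = {}
    for version, ranges in rows.items():
        ranges.sort(key=lambda r: r[0])
        index[version] = ([r[0] for r in ranges], ranges)
    return index


def lookup(index, ip):
    """Return the record whose range contains ip, or None if the IP is not listed."""
    addr = ipaddress.ip_address(ip)
    starts, ranges = index[addr.version]
    pos = bisect.bisect_right(starts, int(addr)) - 1  # last range starting <= ip
    if pos >= 0 and int(addr) <= ranges[pos][1]:
        return ranges[pos][2]
    return None


INDEX = load_ranges(io.BytesIO(gzip.compress(SAMPLE_CSV.encode("utf-8"))))
```

For the real archive, pass the path of the extracted db-ip-security.csv.gz to `load_ranges` instead of the in-memory sample.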
MMDB Database Documentation
1. Overview
The MMDB version of the database consists of three files: one MMDB file containing IP security data, a README file, and a checksum file, all compressed together in a ZIP file for easy delivery.
2. Archive Content
After downloading and extracting the IP to Security MMDB database archive, you’ll find the following files (with their types noted):
- db-ip-security.mmdb: Contains security details for IP addresses: VPN/proxy, Tor, attacker flags, and cloud provider names.
- README.md: Documentation for dataset contents, schema, usage, and support.
Always verify downloaded files with the provided checksum before importing.
On Linux, if sha256sum is not installed, first run:
sudo apt-get install coreutils
Then check the archive files against the checksum file with:
sha256sum -c checksum.txt
Example output:
db-ip-security.mmdb: OK
README.md: OK
db-ip-security.md5: OK
If a file’s checksum does not match, FAILED will be shown instead of OK. If verification fails, first confirm that the download completed correctly; if the issue persists, please contact our support team.
Response Schema
This section describes the structure of the data returned from the IP to Security MMDB file. Each field is detailed with its type, meaning, and example values to help you interpret responses and integrate them into your applications.
1. db-ip-security.mmdb
This file contains security details for both IPv4 and IPv6 address ranges. Below is an example of the structure you will encounter in the response.
2. Field Reference
The following reference lists all fields available in the MMDB response. Each entry includes the field path, its description, data type, and example value to help you understand how to parse and integrate the data.
Example Records
Data Format & Constraints
- All fields defined in the schema are always present in the IP to Security MMDB response.
- Fields may contain empty strings (""), but never null, so null checks are not required.
- Place names such as countries, states, districts, and cities are available in multiple translations.
- All text values are encoded in UTF-8.
- Field names and response structure remain stable across updates for backward compatibility.
Database Updates & Delivery
When you subscribe to our IP to Security database, we’ll send you static download links for the archive in your chosen formats. These links never change, so you can use them both for your initial download and for all future updates.
Our databases are refreshed daily and weekly, ensuring you always have access to the most current data. Each time your subscribed dataset is updated, you’ll also receive an email notification so you don’t miss a release.
For automated workflows, you can check our status endpoint to see the last update timestamp. When the date changes, simply re-fetch the archive using your static download URL to pull the latest version into your system.