Domain Risk Analysis API

Fast, synchronous domain-level risk assessment for high-volume screening and real-time validation.

Overview

What is Domain Risk Analysis?

Domain Risk Analysis provides fast, synchronous risk assessment for domains and URLs. It checks for typosquatting, suspicious keywords, domain age, and SSL certificate issues—ideal for high-volume screening and real-time validation.

Synchronous

2-5 seconds

Pricing

$0.0025/scan

Domain Analysis

No content scraping

What It Analyzes

• Domain patterns (typosquatting, suspicious keywords)
• DNS and RDAP (domain age, registration)
• SSL certificate validation

When to Use Domain Risk Analysis

• High-volume URL screening (1000s/day)
• Real-time validation requirements
• Domain-level threat detection only
• Cost-sensitive operations

Analyze a Domain

Send a POST request to analyze a domain for security risks. The analysis is synchronous and returns a risk ID and results immediately.

Endpoint

POST https://api.urlert.com/v1/domain-risks

Request Body

{
  "url": "https://secure-login.paypa1.com/verify-account"
}

Code Examples

curl -X POST https://api.urlert.com/v1/domain-risks \
  -H "Authorization: Bearer u_sk_your_api_token_here" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://secure-login.paypa1.com/verify-account"}'

import requests

response = requests.post(
    'https://api.urlert.com/v1/domain-risks',
    headers={
        'Authorization': 'Bearer u_sk_your_api_token_here',
        'Content-Type': 'application/json'
    },
    json={'url': 'https://secure-login.paypa1.com/verify-account'}
)

data = response.json()
print(data['risk_id'])

const response = await fetch('https://api.urlert.com/v1/domain-risks', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer u_sk_your_api_token_here',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ url: 'https://secure-login.paypa1.com/verify-account' })
});

const data = await response.json();
console.log(data.risk_id);

Response (200 OK)

{
  "risk_id": "990e8400-e29b-41d4-a716-446655440004",
  "status": "completed",
  "created_at": "2024-01-15T10:30:00Z"
}

Response Schema

Detailed structure of the domain risk analysis response object.

Top-Level Fields

Field	Type	Description
risk_id	`string`	UUID of the domain risk analysis
url	`string`	The URL that was analyzed
created_at	`string`	ISO 8601 timestamp when analysis was performed
report	`object`	Risk assessment report

The main risk assessment report containing the verdict, threat classification, and supporting evidence from domain and network analysis.

Field	Type	Description
request_url	`string`	The original URL that was submitted for analysis
final_assessment	`enum`	Top-level verdict: • `Malicious` - High confidence threat detected • `Suspicious` - Multiple red flags but not definitive • `Benign` - Analyzed and found safe • `Unknown` - Analysis could not be completed
threat_type	`enum`	Classification of detected threat: • `Phishing / Credential Theft` • `Typosquatting / Brand Impersonation` • `Direct IP Access` • `Infrastructure Anomalies` • `Newly Registered Domain` • `Benign`
confidence_score	`number`	Confidence level (0-100) indicating certainty of the assessment
executive_summary	`string`	Plain-English explanation of the findings
evidence_findings	`array`	List of specific evidence from domain and network analysis. Empty if no threats found.

Individual findings from domain and network analysis. Each finding has a predefined ID from the evidence catalogue (e.g., DR-DOM-002, DR-NET-001).

Field	Type	Description
finding_id	`string`	Unique identifier from evidence catalogue (e.g., `DR-DOM-002`, `DR-NET-001`)
severity	`enum`	Severity level: `Critical`, `High`, `Medium`, `Low`, `Informational`
source_agent	`string`	Agent that identified this finding (e.g., `StaticAnalysisAgent`, `NetworkAnalysisAgent`)
description	`string`	Standardized description from the evidence catalogue (e.g., "Suspected typosquatting detected")
details	`string`	Custom, case-specific details with actual evidence (e.g., "The domain 'paypa1.com' appears to be typosquatting 'paypal.com'")

Common Finding IDs:

• DR-DOM-001: High-risk TLD • DR-DOM-002: Typosquatting • DR-DOM-003: Suspicious keywords
• DR-NET-001: Newly registered domain • DR-NET-014: Self-signed SSL • DR-NET-016: Free CA
• DR-NET-017: Public platform • DR-NET-018: Direct IP address
• DR-SYS-001: DNS failure • DR-SYS-002: Invalid SSL certificate

Example Responses

{
  "risk_id": "990e8400-e29b-41d4-a716-446655440004",
  "url": "https://example.com",
  "created_at": "2024-01-15T10:30:00Z",
  "report": {
    "request_url": "https://example.com",
    "final_assessment": "Benign",
    "threat_type": "Benign",
    "confidence_score": 95,
    "executive_summary": "No security issues detected.",
    "evidence_findings": []
  }
}

{
  "risk_id": "990e8400-e29b-41d4-a716-446655440004",
  "url": "https://secure-login.paypa1.com/verify-account",
  "created_at": "2024-01-15T10:30:00Z",
  "report": {
    "request_url": "https://secure-login.paypa1.com/verify-account",
    "final_assessment": "Malicious",
    "threat_type": "Phishing / Credential Theft",
    "confidence_score": 90,
    "executive_summary": "The domain 'paypa1.com' is a high-confidence typosquat of 'paypal.com' and is newly registered (3 days old). The subdomain 'secure-login' also contains suspicious keywords.",
    "evidence_findings": [
      {
        "finding_id": "DR-DOM-002",
        "severity": "Critical",
        "source_agent": "StaticAnalysisAgent",
        "description": "Suspected typosquatting detected.",
        "details": "The domain 'paypa1.com' appears to be typosquatting 'paypal.com' (character substitution: 'l' → '1')."
      },
      {
        "finding_id": "DR-NET-001",
        "severity": "Critical",
        "source_agent": "NetworkAnalysisAgent",
        "description": "Domain is very newly registered.",
        "details": "The domain 'paypa1.com' was registered 3 days ago."
      },
      {
        "finding_id": "DR-DOM-003",
        "severity": "Low",
        "source_agent": "StaticAnalysisAgent",
        "description": "Suspicious keywords found in domain.",
        "details": "The subdomain 'secure-login' contains a 'credential' keyword: 'login'.",
        "category": "credential"
      },
      {
        "finding_id": "DR-NET-016",
        "severity": "Informational",
        "source_agent": "NetworkAnalysisAgent",
        "description": "Site uses a free Certificate Authority.",
        "details": "The SSL certificate was issued by 'Let's Encrypt', a free CA."
      }
    ]
  }
}

Rate Limits

Domain Risk Analysis endpoints are rate limited per organization, per minute.

Operation	Limit	Description
POST /v1/domain-risks	20/minute	Analyze domains for risk
GET /v1/domain-risks/:risk_id	20/minute	Retrieve analysis results

Best Practices

• Screen in Bulk: Use this API for high-volume, cost-sensitive screening (1000s/day).
• Validate in Real-Time: Integrate into signup flows or link validation for fast feedback (2-5s).
• Handle All Assessments: Your integration should handle Malicious, Suspicious, Benign, and Unknown results.
• Secure Your Token: Never expose your API token in client-side code or public repositories. Use environment variables.
• Handle Errors: Always check response status codes and handle errors appropriately (insufficient balance, rate limits, etc.).