Criminal IP Review
IP and domain scanner that scores addresses by malicious activity and maps CVEs to exposed service banners.
Quick Verdict
Best for threat hunters and SOC analysts who need to enrich IPs from logs or incidents with malicious activity context before escalating or blocking.
Pros
- + Malicious activity score per IP — tags C2 infrastructure, scanner nodes, VPN exit nodes, Tor exits, and honeypots in a single lookup
- + CVE mapping on banner data: shows which vulnerabilities apply to a detected service version without requiring a separate lookup
- + ICS/SCADA exposure detection indexed separately — findable by device type, not just port
- + Domain search returns all resolved IPs and subdomains with individual threat scores, not just raw DNS records
- + API included at Standard ($49/mo), making it accessible for solo analysts who want automated enrichment
Cons
- − Index smaller than Shodan's — launched 2022, newer service with less historical depth and device coverage
- − 500 API credits per month on Standard depletes quickly; automated enrichment workflows will hit the wall within days of active use
- − CVE mapping depends on banner-based version detection — services that suppress version strings won't match, and misidentified versions produce false positives
- − Free tier allows only 10 searches/day — not enough to run a real evaluation before committing to a paid plan
- − Minimal third-party integrations and community tooling compared to Shodan
What Criminal IP Is
Criminal IP scans the entire IPv4 space. Every IP address gets a threat score based on its history. Associations with command and control servers, port scanners, VPN exit nodes, Tor exits, and honeypots drive that score.
Not all IPs carry the same risk. Some host outdated services, such as an old OpenSSL version. When you are looking at a host running an outdated version, Criminal IP tells you which CVEs apply to it, so there is no need to cross-reference a separate source.
The index launched in 2022 and is smaller than Shodan's. Threat scoring and CVE mapping are built in, which Shodan does not offer natively.
What It's Good For
The core use case is enriching IPs from logs before taking action. When an IP appears in firewall logs, a SIEM alert, or a phishing email header, Criminal IP provides context fast. You learn its classification (C2 node, known scanner, or clean commercial host) and then make the call: block, investigate, or ignore. This beats running the IP through multiple feeds.
Threat hunting benefits too. Criminal IP lets you filter by malicious score and open port patterns, surfacing IPs that look like C2 candidates. Results show service exposure patterns, not just blacklisted IPs. Criminal IP's classification does the legwork that Shodan leaves to you.
Criminal IP also helps audit CVE exposure across an ASN. You can query an ASN, filter by service banner, and find hosts running a specific software version. Because Criminal IP maps CVEs to those banners, you can enumerate exposure without a separate scanner, though hardened services that hide their versions will not show up.
Criminal IP indexes industrial control exposures. You can search by device type to find exposed SCADA endpoints in a target country or sector. The results are available faster here than in Shodan.
Criminal IP shines in threat intel correlation. Incident IPs get batch-enriched against malicious activity. Classifications map to analyst decisions. The API handles the heavy lifting.
Getting Started
The free tier gives you 10 searches daily, limited data, no API. It's enough to test, but not enough to work; you'll hit the wall fast with a decent-sized IP list.
The Standard plan costs $49/mo, offering API access and 100 searches/day. It's good for daily enrichment and light automation. However, 500 API credits a month can burn fast. The Unlimited plan is $149/mo with 2,000 credits, suitable for busy SOCs automating everything.
To get immediate value, run some recent IPs through search and check their malicious scores, then look up a domain to see the subdomains and IPs tied to it.
Criminal IP Search Filters
The search interface and API support filter-based queries. Useful filters for investigations include is_open, data, os, port.
You use these to narrow results, like port:80 to focus on web servers.
These filters save you time, as you don't have to sift through irrelevant data.
| Filter | Example | Purpose |
|---|---|---|
| `ip:` | `ip:185.220.101.0/24` | Look up an IP or CIDR range directly |
| `as_name:` | `as_name:DigitalOcean` | Find all indexed IPs within a named ASN |
| `country:` | `country:RU` | Filter results to a specific country |
| `port:` | `port:4444` | Filter by open port (common C2 port) |
| `product:` | `product:Apache` | Filter by detected service/product name |
| `cve:` | `cve:CVE-2021-44228` | Find hosts with a specific CVE mapped to their banner |
| `tag:` | `tag:c2` | Filter by malicious classification tag (c2, scanner, vpn, tor) |
| `score:` | `score:critical` | Filter by Criminal IP's malicious score tier |
| `domain:` | `domain:example.com` | Find all IPs and subdomains for a domain |
| `is_malicious:true` | `is_malicious:true port:22` | Combine malicious flag with port filter |
To fetch IP details, hit the endpoint:

```
GET https://api.criminalip.io/v1/asset/ip/report?ip=185.220.101.45
Headers:
  x-api-key: YOUR_API_KEY
```
An API key is required; requests without one return no data.
The response is JSON and includes IP reputation, geolocation, and threat intelligence, so parsing is straightforward.
For example, when you spot an unfamiliar IP in logs, you can send it to Criminal IP, receive a risk score and geolocation, and then decide whether it's worth investigating.
Replace YOUR_API_KEY with your actual key, store it securely, and do not share it.
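The enrichment workflow described above, as an added example (not code from this review or from Criminal IP): it pulls globally routable IPv4 addresses out of log lines, deduplicates them, and stops at a credit budget before calling the endpoint shown on this page. The one-credit-per-lookup budget, the `CRIMINALIP_API_KEY` environment variable and the sample log lines are assumptions; the response is returned unparsed because its fields are not listed here.

```python
import ipaddress
import json
import os
import re
import urllib.parse
import urllib.request
from collections import Counter

# Endpoint and header name are the ones shown on this page.
REPORT_URL = "https://api.criminalip.io/v1/asset/ip/report"
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2026-04-02T10:00:01Z DENY src=185.220.101.45 dst=10.0.0.5 dport=22
2026-04-02T10:00:02Z DENY src=185.220.101.45 dst=10.0.0.5 dport=22
2026-04-02T10:00:03Z DENY src=192.168.1.20 dst=10.0.0.5 dport=445
2026-04-02T10:00:04Z DENY src=203.0.113.7 dst=10.0.0.5 dport=80
2026-04-02T10:00:05Z DENY src=8.8.8.8 dst=10.0.0.5 dport=53
2026-04-02T10:00:06Z DENY src=999.1.1.1 dst=10.0.0.5 dport=53
"""

def candidate_ips(log_text):
    """Unique, globally routable IPv4 addresses, most frequently seen first."""
    counts = Counter()
    for match in IPV4_RE.findall(log_text):
        try:
            addr = ipaddress.ip_address(match)
        except ValueError:
            continue  # not a valid address, e.g. 999.1.1.1
        if addr.is_global:  # skips RFC 1918, loopback and documentation ranges
            counts[str(addr)] += 1
    return [ip for ip, _ in counts.most_common()]

def fetch_report(ip, api_key):
    """One GET to the report endpoint; the JSON body is returned as-is."""
    url = REPORT_URL + "?" + urllib.parse.urlencode({"ip": ip})
    req = urllib.request.Request(url, headers={"x-api-key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def enrich(log_text, credits_left, fetch=fetch_report, api_key=None):
    """Look up as many candidates as the budget allows; return (reports, skipped)."""
    # Assumption: each lookup costs one credit. Env var name is hypothetical.
    api_key = api_key or os.environ.get("CRIMINALIP_API_KEY", "")
    ips = candidate_ips(log_text)
    budget = max(credits_left, 0)
    todo, skipped = ips[:budget], ips[budget:]
    return {ip: fetch(ip, api_key) for ip in todo}, skipped
```

Filtering out internal addresses before the lookup avoids spending credits on hosts the service cannot score and keeps internal addressing out of third-party queries.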
Pricing
| Plan | Price | API Credits | Key Features |
|---|---|---|---|
| Free | $0/mo | None | 10 searches/day, limited data fields, no API |
| Standard | $49/mo | 500/mo | 100 searches/day, full data fields, API access |
| Unlimited | $149/mo | 2,000/mo | Unlimited searches, higher API volume |
| Enterprise | Custom | Custom | Custom credit volume, SLA, dedicated support |
The Standard plan costs $49 per month, which is suitable for individual analysts. However, it comes with a cap of 500 API credits, which can be quickly reached with automated enrichment. For those looking to scale, the Unlimited plan is available for $149 per month.
Limitations
Criminal IP's index trails Shodan's. Criminal IP launched in 2022, and its smaller index is still growing. Shodan's historical index is larger, with more devices and more results.
Criminal IP adds value through enrichment data and context, not just device counts.
The Standard plan's API credits drain quickly when processing hundreds of IPs. You might outgrow this plan if you have API-driven workflows.
CVE mapping has limits because it relies on version strings in banners. Services that hide their versions will not match, and vague or misidentified banners produce false positives. Treat matches as leads and verify with a scanner.
There is no affiliate program.
Community tools are sparse. Shodan has years of integrations and a more extensive ecosystem. If you need specific integrations, expect to rely on custom connectors.
Alternatives
- Shodan — offers broader raw device coverage and a larger historical index than Criminal IP, with more existing integrations and community tooling. Choose Shodan for maximum device discovery volume or when your workflow relies on existing integrations; choose Criminal IP for malicious activity scoring and CVE mapping.
- GreyNoise — focuses on classifying internet background noise, telling you whether an IP is a known benign scanner. GreyNoise and Criminal IP are complementary, with GreyNoise helping filter noise out of alerts and Criminal IP classifying what remains.
- Censys — has stronger certificate transparency coverage and a cleaner unified data model for pivoting across hosts, services, and TLS certs. Choose Censys when your investigation centers on certificate reuse or ASN-level TLS enumeration.
- AlienVault OTX — offers free threat intelligence feeds with community-contributed indicators. While less structured than Criminal IP's per-IP scoring, it's a zero-cost option for basic IP reputation lookups. Use OTX when budget is a constraint; use Criminal IP when you need scored, structured malicious activity data.
Bottom Line
Criminal IP tracks malicious activity, scores IPs, and maps CVEs. Shodan doesn't do this out of the box; you need extra tooling.
If IPs from logs need enrichment and incidents pile up, the Standard tier ($49/mo) pays for itself.
If you need raw device discovery at scale, Shodan's bigger index might be better.
An active SOC or threat hunting team needs the Unlimited tier ($149/mo), where API credits won't hold you back.
See Also
Best Threat Hunting Tools, Shodan
Tool Relationships
Similar Tools
Shodan
Search engine for internet-connected devices — find exposed servers, industrial systems, and network infrastructure worldwide.
urlscan.io
Free website scanner that captures full-page screenshots, network requests, and DOM snapshots for any URL
VirusTotal
Multi-engine malware scanner and threat intelligence platform for files, URLs, IPs, and domains
C2 Tracker
A live C2 infrastructure feed that helps defenders hunt, block, and correlate active command-and-control servers by framework type.
This review reflects testing as of 2026-04-02. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates.