Download a curated list of malicious IPs directly from your dashboard. Filter by confidence level, geography, protocol, ASN, and severity — then export as plaintext or JSON for immediate firewall integration.
The Blacklist Export gives you a downloadable list of IP addresses flagged as malicious by SikkerAPI. Every IP comes with a confidence score based on observed attack behavior — brute-force attempts, exploit scans, credential stuffing, and more.
IPs are sourced from two channels: SikkerAPI's global honeypot sensor network (the primary source) and community reports submitted by users. Unlike static blocklists, the SikkerAPI blacklist is continuously updated from live data. You control exactly what goes in: set a minimum confidence threshold, filter by country or ASN, choose specific protocols, and download in a format your firewall or SIEM understands.
Access the blacklist exporter from your dashboard under Tools → Blacklist.
The top section of the blacklist page shows a score distribution histogram. Each bar represents a 10-point bucket (0-9, 10-19, … 90-99), showing how many malicious IPs fall in that confidence range. The histogram updates in real time as you adjust filters.
Use the slider to set your minimum confidence level. IPs below this threshold are excluded from the download. A higher threshold gives you fewer but higher-confidence results. The default is 25, but for firewall blocklists we recommend 50+ for broad coverage or 75+ to minimize false positives. IPs below 35 are typically benign scanners or very new IPs that haven't accumulated enough evidence yet.
The highlighted bars show which score buckets are included in your download. As you drag the slider right, fewer IPs are included but confidence increases.
| Score Range | What It Means | Use Case |
|---|---|---|
| 90-100 | Very high confidence — multiple critical behaviors, sustained activity, often corroborated by community reports | High-value production firewalls, zero tolerance |
| 75-89 | High confidence — critical behavior detected (floor of 75) or strong combination of high-severity behaviors and volume | General firewall blocklists, most common setting |
| 50-74 | Moderate confidence — multiple events, medium+ severity behaviors, activity across multiple protocols | SIEM alerting, investigation queues, broader blocking |
| 35-49 | Low confidence — some observed activity, possible primitives but limited behavioral evidence | Threat hunting, research, bulk analysis |
| 0-34 | Minimal evidence — mostly benign scanners, very new IPs with few sessions, or IPs without tagged primitives or labeled behaviors | Not recommended for blocking |
The filters section lets you narrow your blacklist to exactly the threats you care about. All filters are optional — skip any that don't apply. The IP count at the top updates live as you add or remove filters.
Geographic filters — Include only specific countries or exclude them. Use “Include Only” to create a targeted blocklist (e.g., only threats from CN and RU), or “Exclude” to remove friendly traffic (e.g., skip US-based IPs).
IP Version — Filter for IPv4 only, IPv6 only, or both.
Protocols — Comma-separated list of protocols to filter on. Common values: ssh, http, ftp, smtp, mysql, redis, mongodb. Only IPs observed attacking these protocols will be included.
Minimum Severity — Choose from Any, Low and above, Medium and above, High and above, or Very High only. This filters for IPs that have been tagged with at least one behavior at or above the selected severity level. IPs without any labeled behaviors are excluded when a severity filter is set.
ASN filters — Include or exclude by Autonomous System Number. Enter ASNs with or without the “AS” prefix (e.g., AS16509 or 16509). Useful for excluding cloud provider ranges or targeting known-bad hosting providers.
Score Mode — By default, confidence scores include whitelist discounts for known-benign scanners like Googlebot, Censys, and Shodan. Enable “Use raw scores” to ignore these discounts and score all IPs equally based on observed behavior.
Select your API key, choose a format, set a download limit, and click Download Blacklist. The file is generated on-the-fly with the latest threat data and your applied filters.
API Key — Select which API key to use. Each key has its own daily blacklist quota. The dropdown shows your key type and prefix, along with daily limit and usage.
Format — Choose between Plaintext (one IP per line, ideal for firewall rules) or JSON (full metadata per IP, ideal for SIEM integration or custom processing).
Download Limit — How many IPs to include. Pre-set options are 1,000 / 5,000 / 10,000 / 25,000 / 50,000 / 100,000 — capped at your API key's daily limit.
| Plan | Price | Blacklist IPs / day |
|---|---|---|
| Free | $0/mo | 5,000 |
| Basic | $7/mo | 50,000 |
| Small Business | $14/mo | 75,000 |
| Medium Business | $28/mo | 150,000 |
| Large Business | $56/mo | 350,000 |
The downloaded file is named sikkerapi-blacklist-YYYY-MM-DD.txt (or .json).
Plaintext — One IP address per line. No headers, no metadata. Directly importable into firewalls, deny lists, and blocklist managers.
```
203.0.113.42
198.51.100.17
192.0.2.99
45.33.32.156
185.220.101.34
```
JSON — Full threat metadata for each IP. Includes confidence level, last seen timestamp, session count, observed protocols, country code, ASN, and ASN organization name.
```json
{
  "meta": {
    "generatedAt": 1710316800000,
    "scoreMinimum": 70,
    "limit": 10000,
    "count": 8432
  },
  "data": [
    {
      "ip": "203.0.113.42",
      "confidenceLevel": 95,
      "lastSeen": 1710316800000,
      "sessions": 128,
      "protocols": ["ssh", "http"],
      "countryCode": "CN",
      "asn": "AS4134",
      "asnOrg": "CHINANET"
    }
  ]
}
```

Start with a moderate threshold. Set the minimum confidence to 50 or above for your first export. At this level you get IPs with real behavioral evidence. You can raise it to 75+ for stricter blocking, or lower it once you've validated against your own traffic logs.
Use geographic filters wisely. If your service only operates in specific regions, use “Include Countries Only” to create a targeted blocklist. If you serve global traffic, use “Exclude Countries” sparingly to avoid over-blocking.
Match protocols to your stack. If you only run SSH and HTTP, filter for those protocols. You'll get a smaller, more relevant blocklist than an unfiltered dump.
Monitor your quota. The download section shows your daily usage. The quota resets every 24 hours. If you need more capacity, upgrade your plan.
Automate with the API. The same blacklist is available via the Blacklist API endpoint (GET /v1/key/blacklist). Use your API key in a cron job or CI/CD pipeline to automatically refresh your firewall rules daily.
Understand raw scores. By default, IPs from known-benign scanners (Googlebot, Censys, Shodan, etc.) get a score discount. If you want to block all scanners regardless, enable “Use raw scores” in the filters.
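For the daily refresh described under "Automate with the API", the downloaded JSON should be treated as untrusted input before it becomes firewall rules. The following is an added example, not SikkerAPI's own code: it validates each entry, refuses to block internal ranges, and renders an nftables script. The function names, the `inet filter` table, the `sikker_block4`/`sikker_block6` sets (assumed to exist already) and the `198.51.100.0/28` management range are assumptions.

```python
import ipaddress
import json

# Ranges that must never land in a deny set, whatever the feed contains.
# 198.51.100.0/28 stands in for your own management network (assumption).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10", "198.51.100.0/28")]

def select_ips(export_text, min_score=75, max_entries=100_000):
    """Return (ipv4, ipv6, rejected) from a JSON export, treated as untrusted."""
    data = json.loads(export_text)["data"]
    if len(data) > max_entries:
        raise ValueError("feed larger than expected; refusing to load it")
    v4, v6, rejected = set(), set(), []
    for row in data:
        try:
            ip = ipaddress.ip_address(str(row["ip"]))
            score = int(row["confidenceLevel"])
        except (KeyError, TypeError, ValueError):
            rejected.append(row)  # malformed entry: never interpolate it
            continue
        if score < min_score:
            continue
        if any(ip.version == n.version and ip in n for n in NEVER_BLOCK):
            rejected.append(row)  # would block internal or own addresses
            continue
        (v4 if ip.version == 4 else v6).add(ip)
    return sorted(v4), sorted(v6), rejected

def render_nft(v4, v6, table="inet filter", set4="sikker_block4", set6="sikker_block6"):
    """Build an `nft -f` script; nft applies the file as one transaction."""
    if not v4 and not v6:
        raise ValueError("empty selection; keep the previously loaded sets")
    lines = []
    for name, ips in ((set4, v4), (set6, v6)):
        lines.append(f"flush set {table} {name}")
        if ips:
            members = ", ".join(str(ip) for ip in ips)
            lines.append(f"add element {table} {name} {{ {members} }}")
    return "\n".join(lines) + "\n"

# Constructed sample in the JSON export layout shown above.
SAMPLE = json.dumps({"meta": {"scoreMinimum": 50, "count": 5}, "data": [
    {"ip": "203.0.113.42", "confidenceLevel": 95},
    {"ip": "192.0.2.99", "confidenceLevel": 60},
    {"ip": "198.51.100.5", "confidenceLevel": 90},   # inside NEVER_BLOCK
    {"ip": "203.0.113.300", "confidenceLevel": 99},  # not a valid address
    {"ip": "2001:db8::17", "confidenceLevel": 80}]})
print(render_nft(*select_ips(SAMPLE)[:2]), end="")
```

Log the `rejected` list on every run: a sudden jump in rejected or missing entries is a signal to keep yesterday's sets rather than load the new file.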