Port Six

IP Address Enrichment API

Enrich IP addresses with comprehensive contextual intelligence including geolocation, network information, cloud provider detection, reverse DNS, WHOIS data, and threat intelligence. The IP enrichment endpoint transforms raw IP addresses from firewall logs, IDS alerts, and network traffic into actionable intelligence for security operations.

Port Six's IP enrichment API delivers sub-100ms response times with 95%+ data coverage for both IPv4 and IPv6 addresses. Each response includes a risk score and confidence score alongside enrichment data, so your team can prioritize threats without manual research.

GET /v1/ip/{ip_address}

Enriches an IPv4 or IPv6 address with all available intelligence data.

Parameters

Name         Type     Required   Description
ip_address   string   Yes        IPv4 or IPv6 address to enrich (e.g., 185.220.101.45)

Example Request

curl -H "X-API-Key: YOUR_API_KEY" "https://api.portsix.io/v1/ip/185.220.101.45"

Example Response

{
  "success": true,
  "data": {
    "observable_id": 3664181,
    "type": "ipv4",
    "value": "185.220.101.45",
    "status": "active",
    "risk_score": 43.74,
    "enriched_at": "2026-01-03T21:26:26Z",
    "geo": {
      "country_code": "DE",
      "country_name": "Germany",
      "city": "Berlin",
      "state_province": "State of Berlin",
      "latitude": 52.52,
      "longitude": 13.405,
      "timezone": "Europe/Berlin"
    },
    "asn": {
      "asn": 60729,
      "org_name": "TORSERVERS-NET",
      "country_code": "DE"
    },
    "cloud": null,
    "anonymization": {
      "type": "tor-exit",
      "provider": "TOR",
      "confidence": 1.0
    },
    "rdns": {
      "hostname": "tor-exit-45.for-privacy.net",
      "provider": "1.1.1.1"
    },
    "whois": {
      "rir": "RIPE",
      "whois_server": "whois.ripe.net"
    },
    "threat_intel": {
      "tags": [
        {"name": "Anon: Tor"},
        {"name": "Brute Force"},
        {"name": "Protocol: Ssh"}
      ],
      "sources": ["alienvault_otx", "greensnow-blocklist"],
      "first_seen": "2025-12-01T03:14:09Z",
      "last_seen": "2025-12-30T06:44:02Z",
      "confidence": 90
    },
    "relationships": [
      {
        "direction": "outgoing",
        "relationship_type": "resolves_to",
        "target_type": "domain",
        "target_value": "for-privacy.net",
        "confidence": 0.85
      }
    ]
  },
  "meta": {
    "credits_cost": 7,
    "credits_remaining": 9993,
    "execution_time_ms": 2515
  }
}
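The request and response above, wrapped in a small client. This is an added example and not Port Six's own code or SDK; it assumes only what the page shows (the base URL, the X-API-Key header, the top-level success/data/meta envelope and the field names in the example response). Two things the page does not say but a practitioner wants: addresses are validated and canonicalized with the standard ipaddress module before they go into the URL path, and non-global addresses (RFC 1918, loopback, link-local) are refused because they cost credits, carry no intelligence and leak internal addressing to a third party. The `provider` key assumed inside the `cloud` object is a guess, since the page's example only shows `cloud` as null. SAMPLE_BODY is a constructed copy of the page's example response trimmed to the parsed fields, so the parsing runs offline; enrich_ip() is the live call.

```python
import ipaddress
import json
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

API_BASE = "https://api.portsix.io/v1"  # base of the page's example request URL


def normalize_ip(raw: str) -> str:
    """Validate and canonicalize an IPv4/IPv6 string before it goes into the URL path.

    Private, loopback, link-local and other non-global addresses are rejected:
    they carry no intelligence, still cost credits, and would leak internal
    addressing from your logs to a third-party service.
    """
    raw = raw.strip()
    if "%" in raw:  # IPv6 zone IDs (fe80::1%eth0) are host-local and never routable
        raise ValueError(f"zone-scoped address not accepted: {raw!r}")
    addr = ipaddress.ip_address(raw)  # raises ValueError on anything malformed
    if not addr.is_global:
        raise ValueError(f"non-global address not sent for enrichment: {addr}")
    return str(addr)  # canonical text form (IPv6 is compressed)


def is_enrichable(raw: str) -> bool:
    """True when normalize_ip() accepts the address; use it to pre-filter log IPs."""
    try:
        normalize_ip(raw)
    except ValueError:
        return False
    return True


def build_request(ip: str, api_key: str) -> urllib.request.Request:
    """Build GET /v1/ip/{ip_address} with the key in X-API-Key, as in the curl example."""
    req = urllib.request.Request(f"{API_BASE}/ip/{normalize_ip(ip)}", method="GET")
    req.add_header("X-API-Key", api_key)
    req.add_header("Accept", "application/json")
    return req


@dataclass(frozen=True)
class Enrichment:
    ip: str
    risk_score: float
    anonymization: Optional[str]   # e.g. "tor-exit", or None when absent
    cloud_provider: Optional[str]  # the "provider" key inside "cloud" is an assumed name
    threat_tags: List[str]
    credits_cost: int


def parse_response(body: str) -> Enrichment:
    """Parse a response body, refusing to treat an error envelope as a clean IP."""
    doc = json.loads(body)
    if not doc.get("success") or "data" not in doc:
        raise RuntimeError(f"enrichment failed: {body[:200]}")
    data = doc["data"]
    anon = data.get("anonymization") or {}
    cloud = data.get("cloud") or {}   # null in the page's example
    intel = data.get("threat_intel") or {}
    return Enrichment(
        ip=data["value"],
        risk_score=float(data["risk_score"]),
        anonymization=anon.get("type"),
        cloud_provider=cloud.get("provider"),
        threat_tags=[tag["name"] for tag in intel.get("tags", [])],
        credits_cost=int(doc.get("meta", {}).get("credits_cost", 0)),
    )


def enrich_ip(ip: str, api_key: str, timeout: float = 5.0) -> Enrichment:
    """Live lookup (network); the offline demo below uses SAMPLE_BODY instead."""
    with urllib.request.urlopen(build_request(ip, api_key), timeout=timeout) as resp:
        return parse_response(resp.read().decode("utf-8"))


# Constructed sample: the page's example response trimmed to the fields parsed above.
SAMPLE_BODY = json.dumps({
    "success": True,
    "data": {
        "value": "185.220.101.45",
        "risk_score": 43.74,
        "cloud": None,
        "anonymization": {"type": "tor-exit", "provider": "TOR", "confidence": 1.0},
        "threat_intel": {
            "tags": [{"name": "Anon: Tor"}, {"name": "Brute Force"}, {"name": "Protocol: Ssh"}],
            "confidence": 90,
        },
    },
    "meta": {"credits_cost": 7, "credits_remaining": 9993},
})

if __name__ == "__main__":
    print(build_request("185.220.101.45", "YOUR_API_KEY").full_url)
    print(parse_response(SAMPLE_BODY))
    candidates = ["10.0.0.5", "185.220.101.45", "fe80::1%eth0", "not-an-ip"]
    print([ip for ip in candidates if is_enrichable(ip)])
```

Pre-filtering with is_enrichable() before batch enrichment matters for the credit model described in the FAQ: every accepted lookup costs at least one credit, and firewall logs are full of RFC 1918 and loopback addresses that would otherwise be billed for nothing.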

Enrichment Data Sources

GeoIP Data

  • Country, state/province, city
  • Coordinates (latitude/longitude)
  • Timezone

ASN Information

  • Autonomous System Number
  • Organization name
  • Country of registration

Cloud Provider Detection

  • AWS, GCP, Azure, Cloudflare, Fastly, DigitalOcean
  • Service and region information
  • Updated from official provider IP ranges

Anonymization Services

  • TOR exit nodes and relays
  • VPN providers
  • Proxy services (HTTP, SOCKS4, SOCKS5)
  • Datacenter hosting

Reverse DNS (RDNS)

  • PTR record hostname lookup
  • Provider information (DNS resolver used)
  • Hostname can reveal infrastructure ownership

WHOIS Data

  • Regional Internet Registry (RIR)
  • Network allocation information
  • Organization details when available

Relationships

  • Outgoing: What this IP resolves to (domains)
  • Incoming: What resolves to this IP (domains, other IPs)
  • Relationship types: resolves_to, hosts, communicates_with
  • Confidence scores and observation timestamps

Risk Scoring

Risk scores range from 0-100 based on behavioral indicators and anonymization services. See the full scoring methodology for details.

  • 0-30: Low risk (benign infrastructure)
  • 31-60: Medium risk (suspicious activity)
  • 61-80: High risk (known malicious indicators)
  • 81-100: Critical risk (active threats)

When to Use IP Enrichment

SIEM Alert Enrichment

Automatically enrich every external IP in firewall logs, IDS alerts, and EDR events. Know immediately if a connection is coming from a Tor exit node, cloud provider, or known malicious infrastructure. Reduce alert fatigue by surfacing only high-risk connections. See our integration guides for Splunk, Sentinel, and QRadar.

Threat Hunting & Investigation

During threat hunting campaigns, enrich suspicious IPs to identify patterns. Use geolocation and ASN data to pivot across related infrastructure. The relationships field reveals connected domains, peer IPs, and infrastructure clusters.

Automated Threat Blocking

Enrich IPs before adding them to firewall blocklists. Use risk scores to determine which IPs warrant immediate blocking. Filter out false positives by excluding legitimate cloud providers or known VPN services. Combine with behavior feeds for automated perimeter defense.
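The triage logic that the Risk Scoring bands, the SIEM alert enrichment section and the automated blocking section describe, as an added example (not Port Six's code). It takes the `data` object of an enrichment response and returns block, alert or ignore. The bands are the page's; the boundary convention for fractional scores (a 30.5 counts as medium), the assumed anonymization type name "vpn", the assumed `provider` key inside `cloud`, and the rule that intel older than 30 days downgrades a block to an alert are all my choices, labelled as such in the code. The sample records are constructed (the first is the page's own example, the rest use RFC 5737 documentation addresses) and NOW is pinned so the age check is reproducible.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Bands from the page's Risk Scoring section. Scores are floats (43.74 in the
# example), so each band is applied as "score <= upper bound"; where exactly a
# value such as 30.5 falls is an assumption, not something the page specifies.
RISK_BANDS = ((30, "low"), (60, "medium"), (80, "high"), (100, "critical"))

# Providers the page lists under Cloud Provider Detection. Their address space is
# shared tenancy, so an automated block would also cut off legitimate tenants.
TRUSTED_CLOUDS = frozenset({"AWS", "GCP", "Azure", "Cloudflare", "Fastly", "DigitalOcean"})


def risk_band(score: float) -> str:
    """Map a 0-100 risk score to the page's band name."""
    if score < 0:
        raise ValueError(f"risk score out of range: {score}")
    for upper, name in RISK_BANDS:
        if score <= upper:
            return name
    raise ValueError(f"risk score out of range: {score}")


@dataclass(frozen=True)
class Decision:
    ip: str
    action: str   # "block", "alert" or "ignore"
    band: str
    reason: str


def _parse_ts(value: str) -> datetime:
    # Timestamps in the example response look like 2025-12-30T06:44:02Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(data: dict, *, now: datetime, max_intel_age_days: int = 30) -> Decision:
    """Decide block/alert/ignore from one enrichment "data" object.

    High and critical scores block unless the address belongs to a listed cloud
    provider, is a VPN egress (assumed type name "vpn"), or the supporting intel
    is older than max_intel_age_days (addresses get reassigned; stale intel is a
    false-positive source). Medium scores alert only when there is something
    concrete to act on (anonymization or intel tags). Low scores are ignored.
    """
    ip = data["value"]
    band = risk_band(float(data["risk_score"]))
    anon = (data.get("anonymization") or {}).get("type")
    cloud = (data.get("cloud") or {}).get("provider")  # "provider" key is an assumed name
    intel = data.get("threat_intel") or {}
    tags = [t["name"] for t in intel.get("tags", [])]
    last_seen: Optional[str] = intel.get("last_seen")
    stale = last_seen is not None and now - _parse_ts(last_seen) > timedelta(days=max_intel_age_days)

    if band in ("high", "critical"):
        if cloud in TRUSTED_CLOUDS:
            return Decision(ip, "alert", band, f"{band} risk on shared {cloud} address; review before blocking")
        if anon == "vpn":
            return Decision(ip, "alert", band, f"{band} risk on VPN egress; blocking would hit every VPN user")
        if stale:
            return Decision(ip, "alert", band, f"{band} risk but intel last seen {last_seen}; may be reassigned")
        detail = ", ".join(tags) if tags else "no tags"
        return Decision(ip, "block", band, f"{band} risk: {detail}")
    if band == "medium":
        if anon or tags:
            detail = ", ".join(filter(None, [anon] + tags))
            return Decision(ip, "alert", band, f"medium risk with {detail}")
        return Decision(ip, "ignore", band, "medium risk, nothing concrete to act on")
    return Decision(ip, "ignore", band, "low risk")


def blocklist(records: Iterable[dict], *, now: datetime) -> List[str]:
    """IPs that triage() would push to the perimeter blocklist, sorted."""
    return sorted(d.ip for d in (triage(r, now=now) for r in records) if d.action == "block")


# Constructed sample "data" objects, trimmed to the fields triage() reads. The
# first is the page's example; the others use RFC 5737 documentation addresses.
TOR_EXIT = {"value": "185.220.101.45", "risk_score": 43.74, "cloud": None,
            "anonymization": {"type": "tor-exit", "provider": "TOR", "confidence": 1.0},
            "threat_intel": {"tags": [{"name": "Anon: Tor"}, {"name": "Brute Force"}, {"name": "Protocol: Ssh"}],
                             "last_seen": "2025-12-30T06:44:02Z"}}
CLOUD_SCANNER = {"value": "203.0.113.10", "risk_score": 87.0, "cloud": {"provider": "AWS"},
                 "anonymization": None,
                 "threat_intel": {"tags": [{"name": "Scanner"}], "last_seen": "2026-01-02T00:00:00Z"}}
C2_SERVER = {"value": "198.51.100.7", "risk_score": 92.5, "cloud": None, "anonymization": None,
             "threat_intel": {"tags": [{"name": "C2"}], "last_seen": "2026-01-03T10:00:00Z"}}
STALE_BRUTE = {"value": "192.0.2.44", "risk_score": 70.0, "cloud": None, "anonymization": None,
               "threat_intel": {"tags": [{"name": "Brute Force"}], "last_seen": "2025-06-01T00:00:00Z"}}
BENIGN = {"value": "192.0.2.8", "risk_score": 4.1, "cloud": None, "anonymization": None, "threat_intel": None}
SAMPLES = [TOR_EXIT, CLOUD_SCANNER, C2_SERVER, STALE_BRUTE, BENIGN]

# Fixed "now" so the age check is reproducible; the page's enriched_at is 2026-01-03.
NOW = datetime(2026, 1, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    for record in SAMPLES:
        print(triage(record, now=NOW))
    print("blocklist:", blocklist(SAMPLES, now=NOW))
```

Run against the samples, only the C2 record reaches the blocklist: the Tor exit from the page's example lands in the medium band and is raised as an alert, the AWS-hosted scanner and the stale brute-force source are alerts despite their high scores, and the benign record is dropped. Keeping the cloud and staleness exceptions out of the block path is what makes the SIEM and perimeter automation safe to run unattended.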

Compliance & Fraud Prevention

Use geolocation enrichment for compliance checks (GDPR, data residency requirements). Detect anonymization services (Tor, VPN, proxy) for fraud prevention. Track connections from high-risk countries or unauthorized regions.

Incident Response

During incident response, enrich every IP in network logs to determine the scope of compromise. Identify C2 servers, lateral movement paths, and data exfiltration destinations. Geolocation and ASN data help attribute the infrastructure involved, with one caveat: for connections that arrive through Tor, a VPN, or a proxy (see the anonymization field), they describe the exit point, not the threat actor's actual location.

IP Enrichment FAQ

Do you support IPv6?

Yes, Port Six supports both IPv4 and IPv6 enrichment. IPv6 addresses receive the same enrichment data: GeoIP, ASN, cloud provider detection, anonymization services, and threat intelligence.

How accurate is GeoIP data?

GeoIP data is 95%+ accurate at country level and 80%+ at city level. Cloud IPs (AWS, GCP, Azure) have 100% provider detection accuracy, though geolocation reflects datacenter location rather than end-user location.

How often is data updated?

Threat intelligence is updated continuously as new reports are ingested. ASN data is refreshed weekly from Regional Internet Registries. Cloud provider IP ranges are updated daily from official provider sources. Tor exit node lists are updated hourly.

What does an IP lookup cost?

IP lookups cost 1 credit minimum plus 1 credit per enrichment field returned. A typical lookup with GeoIP, ASN, RDNS, and threat intelligence costs 5-7 credits. Fields without data are not charged. See pricing for credit costs.

Related Endpoints