The Speculus API

Direct, programmatic access to the NIO enrichment engine. A single REST call turns any IP address into a full intelligence object: threat score, geolocation, ASN, proxy flags, and a plain-English verdict. Built for developers who want to embed network intelligence directly into their stack.

Get API Access Start free

Response

{
  "verdict": "This IP has been identified as Botnet infrastructure on a potentially compromised host.",
  "intel": {
    "risk": "very high",
    "score": 77,
    "attribution": "Cobalt Strike",
    "tor_node": false,
    "vpn_proxy": false,
    "is_blacklisted": false,
    "is_datacenter": true,
    "activity": "Botnet",
    "first_seen": "2026-06-20 11:46:49"
  },
  "identity": {
    "ip": "43.143.244.134",
    "connection_type": "",
    "isp": "Shenzhen Tencent Computer Systems Company Limited",
    "org": "Tencent Cloud Computing (Beijing) Co., Ltd",
    "asn": 45090
  },
  "location": {
    "city": "Beijing",
    "country": "China",
    "country_code": "CN",
    "coordinates": {
      "lat": 39.9042,
      "lon": 116.407
    }
  }
}

What you get

One REST call returns everything your detection logic needs. No stitching multiple feeds together.

●

Sub-50ms enrichment

Median response time of 38ms p50, 92ms p99. Edge POPs in NA, EU, APAC.

●

Plain-English verdicts

Every response includes a NIO-generated summary describing what the IP is and how to treat it.

●

Full identity object

Threat score, ASN, ISP, geolocation, connection type, datacenter, VPN, Tor, residential proxy.

●

Threat actor attribution

Mapped to APT groups, UNC clusters, FIN crews, and named malware families when known.

●

Bulk + streaming

Single lookups, batched POST up to 1,000 IPs, or a Server-Sent Events stream for continuous enrichment.

●

99.9% uptime SLA

Enterprise rate limits, dedicated keys, audit logs, and 24/7 incident response.

Start enriching in five minutes.

Generate a token, make a curl request, get back a NIO verdict.

Get API Access Start free