How To Build A Threat Response API With FastAPI

There are several great APIs available for threat intel. AbuseIP is one of them, and the big selling point is that it is free!

Calling this API directly is always an option; however, for this post I am going to build my own API and include theirs. In doing so, I can then build on it and incorporate multiple APIs to enrich the data.

Let us start with the basics…

First, you need a host. I like to use a cloud hosting service. I use IONOS as it is cheap and cheerful. You can also get a freebie by using other cloud providers such as Azure and AWS.

On my IONOS, my “Dev” hosts cost around £3 p/m p/h.

For this, I am going to use a low-spec Debian host. Once you have connected, let’s install the following:

Once you’ve done the above, create an app folder and a python file (You need to create)

Then create your file which can stay in the main directory.


If you want to run your FastAPI app over HTTPS, you will need a certificate. CertBot is the easiest method, and instructions can be found here:

Once you have your key files, you can reference them later within

Now we have the basics done, let’s get to work.

Edit your file and add the following: Code on Github

Let’s break that down so we know what’s what.

In this section, I am importing all the libraries I need:

Here I am defining the app and running a simple HTML page on the default path:

You don’t need this btw, however for example:

Here is our code for the AbuseIP part. Notice @app.get('/abuse/{abip}'). You can make this path whatever you like; however, if this is new to you, here is what each part means.

The @app.get is referring to a GET request.

The ‘/abuse/’ section is the URL path, so for this instance, it will run once a user has entered

The {abip} is the variable being passed by the user. We use this to check what the user has entered. We then pass this into the function defined as async def abusescan(abip: str):

For this, I’ve chosen to use httpx; however, there are multiple options. If you are following along and implementing this, you will need to change the contents to your key [found on your AbuseIP account].

Once you’ve added or created your (API), let’s run it. For this, simply run:

A simple test would be to load in your browser to confirm:

That’s it. You now have a simple API you can build upon. For this instance, you could create a PowerShell function such as: Code on Github

This could allow your users to query single or multiple IPs at once without needing a central script or having the API key.

Get single IP:

Get multiple:

You could also use it to enrich data within your security platforms. If your XDR or EDR, for instance, accepts webhooks, you can use your API to return the necessary data to automate part of your incident response.

You will need to do some parsing and filtering on the API side, as some solutions push a full JSON request; however, once that is done, it could benefit you in the long run.
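One way to do that parsing and filtering, shown as an added example that is not the author's code: it pulls every IP literal out of a pushed JSON body, drops malformed values and non-public addresses, and caps the count before anything is sent on to AbuseIP. The webhook field names, the sample addresses and the MAX_IPS cap are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample alert; the field names are hypothetical, not a real XDR/EDR schema.
SAMPLE_WEBHOOK = json.dumps({
    "alert": {"id": "A-1001", "severity": "high",
              "source": {"ip": "1.1.1.1", "port": 51515},
              "destination": {"ip": "10.0.0.5"}},
    "related": ["8.8.8.8", "1.1.1.1", "not-an-ip", "2001:4860:4860::8888", "127.0.0.1"],
})

MAX_IPS = 20  # assumed cap so a single webhook cannot burn the upstream API quota


def _walk(node):
    """Yield every string value found anywhere in a decoded JSON document."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)
    elif isinstance(node, str):
        yield node


def extract_lookup_ips(raw_body, limit=MAX_IPS):
    """Return unique, globally routable IPs from a webhook body, in first-seen order."""
    try:
        doc = json.loads(raw_body)
    except (ValueError, TypeError):
        return []  # malformed body: nothing to enrich
    seen, result = set(), []
    for text in _walk(doc):
        try:
            ip = ipaddress.ip_address(text.strip())
        except ValueError:
            continue  # not an IP literal (hostnames, ids, free text)
        # Private, loopback, link-local and reserved ranges mean nothing to a public
        # reputation service, and sending them would leak internal addressing.
        if not ip.is_global or str(ip) in seen:
            continue
        seen.add(str(ip))
        result.append(str(ip))
        if len(result) >= limit:
            break
    return result
```

Each address returned can then be passed to the same lookup the /abuse/{abip} route performs.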

Just before I end, I would add some recommendations:

· Don’t run under root.

· Restrict the firewall, if possible, for inbound requests.

· Do not store the API keys within the production code.

· Have fun with it.

The last point is the main thing. If curious enough, you might be able to build something cool. Although it may be basic, FastAPI or Flask do allow you to combine solutions to create something special.

