Terms of Service

Last updated: May 4, 2026

1. Service Description

ContrastCyber ("we", "us") operates ContrastAPI at api.contrastcyber.com — a security intelligence API providing CVE/EPSS/KEV lookup, MITRE CWE/ATLAS/D3FEND catalog browsing, domain reconnaissance, IOC and threat intelligence, OSINT (WHOIS, subdomains, certificate transparency), code security analysis (secrets, injection, headers), email validation, redirect-chain analysis, robots.txt parsing, and SEO audit. The Service is exposed as 57+ REST endpoints, 49 MCP (Model Context Protocol) tools, 7 MCP Resources, and 3 MCP Prompts. The Service is provided as-is with no warranty.

2. Informational Only

All results returned by ContrastAPI are provided for informational purposes only and are not a substitute for a professional security audit. CVE severity scores, exploit availability flags, IP reputation verdicts, and domain risk indicators reflect public data sources and heuristics — they may be incomplete, outdated, or wrong for your specific context. Do not rely solely on our results for production security decisions, incident response, or compliance attestation.

3. Acceptable Use

The Service analyzes public information (CVE databases, DNS records, SSL certificates, WHOIS data, public threat feeds, robots.txt, HTTP headers). No exploit attempts, brute-force, intrusive scanning, or SMTP probing is performed by us. You agree not to:

4. Free & Pro Plans

4.1 Free Tier

No API key, no signup. Rate limited to 30 requests per hour per IP address. Available for personal and commercial use. Some Pro-only enrichment fields (Shodan, AbuseIPDB) are omitted from responses.

4.2 Pro Plan

Pro keys provide 500 requests per hour per key and enable enrichment fields (Shodan, AbuseIPDB, full IP intel) where available. Enrichment is provided through shared upstream API keys subject to daily provider caps; quotas are expanded as the customer base grows. Subscriptions are billed at the current rate via our payment processors:

By subscribing you agree to keep your API key confidential — you are responsible for all usage under your key — and not to share or resell it. We may revoke API keys that violate these terms without refund. Pricing and rate limits may be adjusted with 30 days' notice to existing subscribers.

5. Rate Limits & Throttles

Free: 30 requests/hour per IP. Pro: 500 requests/hour per key. In addition to per-caller limits, the Service enforces a per-target throttle (60 requests per minute per registrable domain) on web-intelligence endpoints to protect third-party origins. Pro subscribers will receive 30 days' notice before structural rate limit changes.

6. Abusive Usage

We reserve the right to block, throttle, or ban any IP address, ASN, API key, or user engaging in abusive usage, including but not limited to: automated scraping beyond rate limits, credential stuffing, distributed key-cycling, request-per-minute spikes targeting third-party origins, or any activity that degrades the Service for other users. Bans are enforced at the nginx layer and may apply to a single IP, an IP range, or a CIDR.

7. Service Availability

The Service may change, be interrupted, or be discontinued without notice. We do not guarantee uptime, availability, or any service level agreement (SLA). Endpoints may be added, modified, or removed; tool catalogs (CVE, ATLAS, D3FEND, CWE) sync from upstream sources on a regular cadence and may briefly show stale data during sync windows. Real-time health is reported at /v1/status.

8. Data Collection

ContrastAPI stores only: (a) a salted HMAC hash of your IP address, (b) the endpoint category called (path parameters — domains, IPs, CVE IDs, emails, phone numbers, usernames — are stripped before logging), (c) the call timestamp, and (d) for Pro users, an irreversible cryptographic hash of your API key and a NOWPayments/Lemon Squeezy order ID. Domain and IP lookup results are temporarily cached for up to 1 hour to reduce upstream load. No raw IP addresses, query parameters, or response contents are stored in the application database. You can verify this at any time by calling GET /v1/privacy/my-data, which returns every row our database has about you. See our Privacy Policy for full details.

9. Third-Party Lookups

Many endpoints query or analyze data about third-party domains, IP addresses, email addresses, phone numbers, usernames, or organizations. You are responsible for ensuring your use of these lookups complies with applicable laws in your jurisdiction (data protection, anti-stalking, computer misuse, telecommunications). We do not verify whether you have authorization to query specific targets. Some endpoints proxy public threat feeds (URLhaus, AbuseIPDB, Shodan, FireHOL, Tor exit list); use of those datasets is subject to their respective terms.

10. Intellectual Property

ContrastAPI is open source software licensed under the MIT License. Source code is available at github.com/UPinar/contrastapi. Catalog data (MITRE ATT&CK, ATLAS, D3FEND, CWE; NIST NVD; FIRST EPSS; CISA KEV) is owned by the respective upstream sources and licensed under their own terms.

11. Disclaimer of Warranties

THE SERVICE IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF HARMFUL COMPONENTS. WE MAKE NO GUARANTEES ABOUT THE ACCURACY, COMPLETENESS, OR RELIABILITY OF ANY RESULTS, INCLUDING THIRD-PARTY THREAT DATA AND CVE METADATA.

12. Limitation of Liability

IN NO EVENT SHALL CONTRASTCYBER BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING FROM YOUR USE OF THE SERVICE, INCLUDING BUT NOT LIMITED TO: DATA LOSS, SECURITY BREACHES RESULTING FROM RELIANCE ON API RESULTS, BUSINESS INTERRUPTION, MISSED VULNERABILITIES, OR LOSS OF PROFITS. OUR TOTAL LIABILITY SHALL NOT EXCEED THE AMOUNT YOU PAID US IN THE 12 MONTHS PRECEDING THE CLAIM.

13. Indemnification

You agree to indemnify and hold harmless ContrastCyber from any claims, damages, or expenses arising from your use of the Service, your violation of these Terms, or your violation of any third party's rights (including unauthorized lookups against individuals or organizations).

14. Governing Law

These Terms are governed by the laws of the Republic of Turkey. Any disputes shall be resolved in the courts of Istanbul, Turkey.

15. Changes to Terms

We may update these Terms at any time. Continued use of the Service constitutes acceptance of the updated Terms. Material changes will be communicated via the website.

16. Contact

For questions about these Terms, contact us at [email protected].