Plan-based features
Which response fields each plan unlocks, plus side-by-side request examples.
All plans hit the same endpoint with the same request shape. What changes is the response fidelity — paid tiers get progressively richer enrichment and investigation context.
Quick field matrix
| Field | Free | Starter | Pro+ |
|---|---|---|---|
indicator, type, status, verdict | ✓ | ✓ | ✓ |
confidence_level | ✓ | ✓ | ✓ |
risk_level, risk_context | ✓ | ✓ | ✓ |
source_count | ✓ | ✓ | ✓ |
categories | ✓ | ✓ | ✓ |
reasons | max 2 | full | full |
geo.country_code | ✓ | ✓ | ✓ |
verified_tld | ✓ | ✓ | ✓ |
confidence_score (0–100) | — | ✓ | ✓ |
risk_description | — | ✓ | ✓ |
provider.name, .type | — | ✓ | ✓ |
provider.services | — | ✓ | ✓ |
recommendation.action | — | ✓ | ✓ |
recommendation.false_positive_likelihood | — | ✓ | ✓ |
geo.country, geo.asn, geo.asn_org | — | ✓ | ✓ |
recommendation.investigation_hint | — | — | ✓ |
rationale | — | — | ✓ |
matching_cidr | — | — | ✓ |
vpn_service, tor_node, public_proxy | — | — | ✓ |
high_risk_parent | — | — | ✓ |
geo.city, .region, .latitude, .longitude | — | — | ✓ |
| Signed webhooks | — | — | Pro+ |
| Team members (invite) | — | — | Team+ |
Example: cloudflare.com on each plan
Free
{
"indicator": "cloudflare.com",
"status": "whitelisted",
"type": "domain",
"verdict": "benign",
"confidence_level": "very_high",
"risk_level": "info",
"risk_context": "Whitelisted",
"source_count": 8,
"categories": ["CDN", "Enterprise"],
"reasons": [
"Ranked within top 1K of Cisco Umbrella list.",
"Major CDN provider corporate infrastructure."
]
}
Starter
Adds provider detection, confidence score, full reasons list, and actionable recommendations:
{
"indicator": "cloudflare.com",
"status": "whitelisted",
"type": "domain",
"verdict": "likely_benign",
"confidence_level": "very_high",
"confidence_score": 100,
"risk_level": "info",
"risk_context": "CDN Security",
"risk_description": "Cloudflare is a major CDN and security provider protecting over 25 million websites.",
"provider": {
"name": "Cloudflare",
"type": "cdn_security",
"services": ["CDN", "WAF", "DDoS Protection", "DNS"]
},
"recommendation": {
"action": "allow_with_logging",
"false_positive_likelihood": "very_high"
}
}
Pro, Team, Enterprise
Everything above plus forensic context, investigation hints, and informational flags (vpn_service, tor_node, etc.). See the full example in Lookup endpoint.
When to upgrade
Decision guide
- Free is for evaluating integrations and learning the API shape
- Starter is the minimum viable tier for production SIEM / SOAR use (you need provider detection and recommendations)
- Pro adds the investigation context an analyst actually reads during triage
- Team unlocks shared quota + per-member usage breakdowns
- Enterprise is for custom SLAs, volume discounts, and MSSP deployments
Plan changes
- Upgrade takes effect immediately — the new plan's fields appear in your next response
- Downgrade (self-serve or via Paddle billing) takes effect at the end of the current billing period
- Past-due / paused / canceled subscriptions fall back to Free-tier quotas and field filtering until resolved — this protects the platform without locking customers out entirely