complimentary access to 25 years of network defense

Hash Validation.
Built for triage.

Team Cymru operates the Malware Hash Registry for the analysts, researchers, and detection engineers who triage malware at scale. Programmatic hash lookups against 30+antivirus databases and over 8 years of our own malware analysis, returned in near-real-time over HTTPS, DNS, or WHOIS. Built for the workflows where speed matters most. Operated for the community, not as a product.

By the Numbers

30

+

Antivirus Database Sources

8

+ YRS

Team Cymru Malware Analysis

DAILY

Registry Refresh

3

Access Protocols (HTTPS/DNS/WHOIS)

What is MHR

Advanced malware detection through community-scale hash validation.

The Malware Hash Registry is a programmatic hash validation service operated by TeamCymru. Submit an MD5, SHA-1, or SHA-256 hash via HTTPS, DNS, or WHOIS and get back a near-real-time response showing the last time the sample was seen and the percentage of 30+ antivirus databases that flagged it. Built for the triage workflows where a single lookup answers the question: is this thing malware.

01

30+ Antivirus Databases

Every hash you submit gets cross-referenced against 30+undisclosed antivirus vendor databases plus Team Cymru’s own malware analysis. One lookup. The collective signalof every major detection engine in the industry.

02

Near-Real-Time Response

Hash query in, detection result back. Returns the last-seen timestamp and the percentage of antivirus packages that flagged the sample. Fast enough for analyst triage workflows; structured enough for pipeline automation.

03

Three Hash Formats

Supports MD5, SHA-1, and SHA-256. Whatever your detection pipeline produces, MHR accepts. Submit a single hash, a batch over the API, or query interactively from the portal during an investigation.

04

Three Access Protocols

Query over HTTPS, DNS, or WHOIS.  Pick the protocol your stack already supports. False-positive filtering and NIST exclusions baked in. No appliance, no SDK, no integration tax.

Service Detail

Malware Hash Registry access.

01

ADVANCED MALWARE DETECTION

MHR Lookup Service

Programmatic hash validation against 30+ antivirus databases and 8+ years of Team Cymru malware analysis. Submit MD5, SHA-1, or SHA-256 hashes over HTTPS, DNS, or WHOIS. Get back the last-seen timestamp and antivirus detection percentage. False positives filtered. NIST entries excluded. Built for triage workflows where the answer needs to come back in milliseconds.

OPERATIONAL OUTCOMES

  • Cross-reference any hash against 30+ antivirus database sources in a single lookup
  • Validate MD5, SHA-1, or SHA-256 hashes via HTTPS, DNS, or WHOIS
  • Returns last-seen timestamp + antivirus package detection percentage
  • False positives filtered (NIST exclusions, polymorphic dedup, <10% detection threshold)
  • 8+ years of Team Cymru malware analysis behind every response

Best For

SOC Analysts
Detection Engineers
Researchers
Network Security Teams
Integration Partners

Why MHR

We don’t sell MHR. We share it.

Team Cymru built the Malware Hash Registry for the analysts who triage samples at 2 AM, the detection engineers wiring up pipelines, and the researchers chasing campaigns across borders. Hash validation should never be a paywall between you and the answer. So we share 8+ years of our own malware analysis and cross-reference it against every major antivirus database in the industry, free, for the community of defenders who keep the internet a little less hostile.

Our Promise

Every defender deserves a fast answer to one question: is this thing malware? We’ve been answering it for over a decade. We’ll keep answering it as long as the question gets asked.”

Team Cymru
MHR STEWARDS · OPERATED FOR THE COMMUNITY

Shared with defenders, not licensed to them.

MHR is free for non-commercial use. No subscription. No query quota on the community tier. No invoice at the end of a trial. The intelligence belongs to the people defending the internet, and the cost of access should never be the thing that stops a triage call.

Accessible from whatever stack you run.

We support HTTPS for security-sensitive integrations, DNS for low-friction lookups, and WHOIS for legacy automation. We don't care which one you pick. We care that the answer is in your pipeline bythe time the analyst needs it.

Tuned by the people who actually use it.

False-positive filtering, NIST exclusions, polymorphic deduplication. Every quality safeguard in MHR exists because an analyst told us their queue was full of noise. We listen, we filter, we ship cleaner signal. The community shapes the corpus.

Maintained as long as malware keeps coming.

Team Cymru has operated community infrastructure for 25 years. MHR has cross-referenced hashes for defenders worldwide forover a decade and counting. Adversaries don't take quarters off, and neither do we. As long as malware exists, MHR exists.

In Practice

Operator playbooks for the front line.

Same MHR, different defender. Here’s the workflow when the hash hits the queue, what MHR does in the middle, and what the analyst walks away with.

SOC Analysts

Suspicious attachment lands in the SIEM. Is it actually malware?

Pressure

Unknown sample

MHR Action

Hash lookup · HTTPS

Outcome

94% detection match

What changes

Triage answered in seconds.

Detection Engineers

Building a pipeline that auto-validates every hash through the gateway.

Pressure

Volume of file events

MHR Action

Batch via REST API

Outcome

Enriched pipeline

What changes

Pipeline runs without paywall.

Threat Researcheres

Chasing a campaign across borders, dozens of samples to cross-reference.

Pressure

Campaign attribution

MHR Action

30+ AV cross-check

Outcome

Malware family confirmed

What changes

Attribution backed by evidence.

Network Security Teams

Need to enrich secure gateway, CASB, and DMS workflows with hash validation.

Pressure

Tool sprawl

UTRS Action

Community layer added

Outcome

Resilient stack

What changes

One more layer working for you.
Built with Defenders

Need a UTRS capability we don’toffer? Tell us.

Every MHR capability came from a defender asking for it. Protocol support, batch endpoints, false-positive filters, NIST exclusions. If your stack needs something we don’t currently offer, submit a request. The team that operates MHR reads everyone.

Used Worldwide

Validating hashes for the global defender community.

SOC analysts, detection engineers, threat researchers, network security teams, integration partners. MHR is queried millions of times by the defenders working the front lines of malware triage, in pipelines and portals across six continents.

SOC ANALYSTS

Detection Engineers

Threat Researchers

Network Security

Integration Partners

  • 30+ Antivirus Database Sources
  • 8+ Years of Malware Analysis
  • Three Access Protocols
  • Daily Registry Refresh

Defense is Layered

Different problem? Different tool.

MHR validates hashes at the file layer. If your operational priority is filtering bogon routes, mitigating volumetric DDoS, monitoring backbone threats, or coordinating with the global CSIRT community, the Operational Marketplace has the right tool for the mission.

INFRASTRUCTURE INTELLIGENCE

Bogon Networks

Reference data for unrouted, reserved, and unallocated IPv4 and IPv6 prefixes. Six access formats for filtering at the routing layer.

Access Bogon Reference

THREAT DEFENSE

DDoS Mitigation UTRS

Real-time BGP-based DDoS mitigation, coordinated across 1,300+network operators worldwide. Stop volumetric attacks at the source.

COORDINATE DDOS DEFENSE

INTELLIGENCE & REPUTATION

Nimbus Threat Monitor

Near-real-time cyber threat detection for ISPs and hosting providers. Cross-references your network flows against 7M+ IP reputation indicators.

Start Hunting Threats

COMMUNITY COORDINATION

CSIRT Assistance Program

Operational support for national and sector CSIRTs worldwide. Trust-network coordination and incident response.

CONNECT WITH CSIRTS

GLOBAL DEFENDER EXCHANGE COMMUNITY

Is this thing malware?
Get the answer in milliseconds.

Operated by Team Cymru for the analysts, researchers, and detection engineers triaging malware at scale. Hash lookups against 30+ antivirus databases and 8+ years of our own malware analysis, accessible over HTTPS, DNS, or WHOIS. Free for non-commercial use. Built for the community of defenders who keep the internet a little less hostile.

No-Cost Access · Underwritten by Team Cymru