In the world of Cyber Threat Intelligence (CTI), there has always been a fundamental tension between Context and Action.
Threat Intelligence Platforms (TIPs) and CTI Analysts thrive on context. They want complex STIX 2.1 bundles, rich campaign narratives, MITRE ATT&CK mapping, and relationship graphs.
On the other hand, Detection Engineers, SOCs, and firewalls demand actionable simplicity. A SIEM correlation rule or an EDR cannot parse a 5,000-line STIX JSON bundle; those tools need flat, stateful, highly curated lists of Indicators of Compromise (IOCs) with zero false positives.
For too long, organizations have been forced to choose: write complex parsers to strip down rich intel, or settle for contextless "dumb" blocklists.
Today, we are thrilled to announce a major update to the Threat Landscape API that solves this problem entirely. We have reimagined our data delivery to offer two distinct intelligence streams—available via both REST and native TAXII 2.1.
The Problem: Why You Shouldn't Feed Reports to a Firewall
To understand why we split our API, consider the "8.8.8.8 Problem."
Imagine our researchers publish a highly detailed STIX report on a new ransomware group. The report contains 50 malicious C2 IPs, 10 malicious domains, and notes that the malware pings 8.8.8.8 (Google DNS) to check internet connectivity before encrypting files.
For a CTI analyst, seeing 8.8.8.8 in the report is vital context—it maps to a specific attacker TTP. But if you pipe that raw report directly into Microsoft Sentinel or a Palo Alto firewall, you will instantly generate hundreds of false positive alerts or, worse, block legitimate DNS traffic.
If we simply filtered out the whole report because it contained a benign IP, analysts would lose the 50 actual malicious C2s.
The Solution: Two APIs, One Source of Truth
We realized that mixing intelligence narratives with automated detection feeds creates architectural traps. Our solution was to split our offerings so your tools get exactly what they need, in the exact format they expect.
1. The Context API (/stix_bundles)
Built for: CTI Analysts, OpenCTI, MISP, and Threat Hunters.
This is our raw, unfiltered, premium intelligence feed. When you query the Context API, you receive comprehensive STIX 2.1 bundles.
- Rich Relationships: Threat actors, intrusion sets, campaigns, and vulnerabilities, all linked together.
- Contextual Intelligence: Instead of blindly dropping data that hits MISP warninglists, we enrich the STIX bundles with contextual tags, allowing your analysts to see exactly which indicators are benign infrastructure and which are weaponized.
2. The Detection API (/actionable_iocs)
Built for: SIEMs (Splunk, Sentinel), EDRs, and Automated Defense.
This is our brand-new action tier. We take the indicators from our research, strip away the STIX complexity, and serve them up as highly curated feeds ready for automated lookups. Whether you are filtering for IPv4 addresses, domains, or specific file hashes, this endpoint delivers pure signals.
- Zero Noise: Every indicator is strictly filtered against MISP warninglists at the indicator level. Benign context IPs never make it to this feed.
- Stateful & Auto-Expiring: IOCs have a lifecycle. A malicious domain might be dangerous for months, while a compromised cloud IP might be cleaned up in days. Our Detection API applies intelligent Time-To-Live (TTL) expiration. Stale infrastructure naturally drops off the feed, preventing your SIEM from alerting on old, reassigned IPs.
- Flat Formats: Retrieve the data as plain, flat lists that drop straight into an External Dynamic List or a Splunk lookup table.
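As an added illustration of the split described above (example code, not the Threat Landscape API's own implementation), the following Python walks a constructed STIX 2.1 bundle once and produces both streams: a context bundle in which warninglist hits such as 8.8.8.8 are tagged rather than dropped, and a flat detection list filtered per indicator and pruned by a per-type TTL. The warninglist entries, the TTL values, and the `warninglist:benign-infrastructure` label are assumptions, not values published by the vendor.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a MISP warninglist; real lists are far larger.
WARNINGLIST = {"ipv4-addr": {"8.8.8.8", "8.8.4.4"}, "domain-name": {"google.com"}}
# Assumed per-type TTLs (hypothetical; the page does not state the vendor's values).
TTL = {"ipv4-addr": timedelta(days=7), "domain-name": timedelta(days=90), "file": timedelta(days=365)}
# Matches simple single-comparison STIX 2.1 patterns such as [ipv4-addr:value = '1.2.3.4'].
PATTERN_RE = re.compile(r"\[(?P<type>[\w-]+):[\w.'-]+\s*=\s*'(?P<value>[^']+)'\]")

def parse_pattern(pattern):
    """Return (observable type, value) for a simple STIX pattern, else None."""
    m = PATTERN_RE.fullmatch(pattern.strip())
    return (m.group("type"), m.group("value")) if m else None

def split_streams(bundle, now):
    """Split one STIX bundle into a tagged context bundle and a flat, TTL-pruned IOC list."""
    context = {"type": "bundle", "id": bundle["id"], "objects": []}
    detection = []
    for obj in bundle["objects"]:
        parsed = parse_pattern(obj["pattern"]) if obj.get("type") == "indicator" else None
        if parsed is None:            # non-indicators and complex patterns stay context-only
            context["objects"].append(obj)
            continue
        otype, value = parsed
        benign = value in WARNINGLIST.get(otype, set())
        tagged = dict(obj)
        if benign:                    # keep it for analysts, but mark it instead of dropping it
            tagged["labels"] = list(obj.get("labels", [])) + ["warninglist:benign-infrastructure"]
        context["objects"].append(tagged)
        if benign:
            continue                  # benign infrastructure never reaches the detection feed
        valid_from = datetime.fromisoformat(obj["valid_from"].replace("Z", "+00:00"))
        expires = valid_from + TTL.get(otype, timedelta(days=30))
        if expires > now:             # stale infrastructure drops off automatically
            detection.append({"type": otype, "value": value, "expires": expires.isoformat()})
    return context, detection

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time" for the demo
def _ind(pattern, valid_from):      # helper that builds constructed indicator SDOs
    return {"type": "indicator", "pattern": pattern, "pattern_type": "stix", "valid_from": valid_from}
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "malware", "name": "constructed-ransomware"},
    _ind("[ipv4-addr:value = '198.51.100.23']", "2024-05-28T00:00:00Z"),  # live C2
    _ind("[ipv4-addr:value = '8.8.8.8']", "2024-05-28T00:00:00Z"),        # connectivity check
    _ind("[ipv4-addr:value = '203.0.113.9']", "2024-04-01T00:00:00Z"),    # past its 7-day TTL
    _ind("[domain-name:value = 'c2.example']", "2024-04-01T00:00:00Z"),   # within 90-day TTL
]}

if __name__ == "__main__":
    ctx, det = split_streams(SAMPLE_BUNDLE, NOW)
    print(len(ctx["objects"]), "context objects;", [r["value"] for r in det])
```

Run as a script it reports five context objects (the 8.8.8.8 indicator tagged, not removed) and a detection feed containing only the live C2 IP and the domain.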
Seamless Integration: TAXII 2.1 & REST
Great data is only as good as your ability to ingest it. We've ensured that both the Context API and the Detection API are universally accessible:
- TAXII 2.1: If you use enterprise platforms like OpenCTI, ThreatConnect, Microsoft Sentinel, or Splunk Enterprise Security, you don't need to write a single line of code. Simply plug in our TAXII server URL and let your tools sync natively.
- REST API: Prefer writing your own custom integrations? Our standard REST API allows for lightning-fast queries, granular filtering, and easy automation for custom pipelines.
Get Started Today
Whether your goal is tracking the latest Advanced Persistent Threat (APT) campaigns or building high-fidelity detection rules to protect your network tonight, the Threat Landscape API provides the exact data structure you need.
Stop writing complex JSON parsers and start hunting threats.