Two purpose-built APIs — one for deep contextual intelligence, one for high-speed indicator ingestion. Both available over REST and TAXII 2.1. No compromise, no force-fit.
Not every use case needs the same data. We built two distinct APIs so analysts and engineers each get exactly what they need — nothing more, nothing less.
Full-breadth threat intelligence built for analysis, context, and enrichment. Query across the complete STIX 2.1 object graph — threat actors, malware families, campaigns, victims, target sectors, CVEs, TTPs, relationships, and more. Designed for analysts building situational awareness and platforms that need the complete picture.
    {
      "type": "bundle",
      "objects": [
        {
          "type": "threat-actor",
          "name": "FIN99",
          "aliases": ["SilverFox"],
          "primary_motivation": "financial-gain",
          "sectors": ["financial-services", "retail"],
          "external_references": [{ ... }]
        },
        {
          "type": "campaign",
          "name": "Operation CloudHook"
        },
        { "type": "relationship", ... }
      ]
    }

Lean, fast, and purpose-built for automated indicator ingestion. Delivers only STIX indicator objects — IPv4 addresses, domains, URLs, and file hashes — optimised for direct pipeline consumption. Pipe fresh, high-fidelity IOCs straight into your SIEM, EDR, firewall, or blocklist without wading through rich contextual objects you don't need.
    {
      "type": "indicator",
      "spec_version": "2.1",
      "pattern": "[domain-name:value = 'evil.example.com']",
      "valid_from": "2026-04-01T00:00:00Z",
      "valid_until": "2026-07-01T00:00:00Z",
      "indicator_types": ["malicious-activity"]
    }

Separate per-type endpoints return only currently active indicators as plain values — one per line, no STIX wrapping. Available for IPv4, IPv6, domains, URLs, MD5, SHA-1, and SHA-256 hashes.
    GET /ioc/ipv4/active

    185.220.101.45
    193.32.162.73
    45.142.212.100
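For pipelines that pull the STIX indicator objects rather than the plain-value endpoints, the sketch below reduces a bundle to the same "currently active, one value per type" form by enforcing `valid_from` and `valid_until` and refusing to guess at compound patterns. It is an added example, not the vendor's code. The function names and the sample bundle are constructed for illustration (the two IP addresses are documentation-range placeholders), and `revoked` is the standard STIX 2.1 common property, which the page's sample does not show.

```python
import re
from datetime import datetime, timezone

# Only single-comparison patterns such as [domain-name:value = 'evil.example.com'].
SIMPLE = re.compile(r"^\[\s*([a-z0-9-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")

# STIX object path -> plain-feed type (the seven types the page lists).
KINDS = {
    ("ipv4-addr", "value"): "ipv4", ("ipv6-addr", "value"): "ipv6",
    ("domain-name", "value"): "domain", ("url", "value"): "url",
    ("file", "hashes.MD5"): "md5", ("file", "hashes.'SHA-1'"): "sha1",
    ("file", "hashes.'SHA-256'"): "sha256",
}

def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))  # "Z" -> explicit UTC

def active_values(objects, now):
    """Return ({feed_type: sorted values}, [patterns skipped as unparseable])."""
    feeds, skipped = {}, []
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # contextual objects and revoked indicators never reach a blocklist
        until = obj.get("valid_until")
        if now < parse_ts(obj["valid_from"]) or (until and now >= parse_ts(until)):
            continue  # not yet valid, or expired
        m = SIMPLE.match(obj.get("pattern", ""))
        kind = KINDS.get((m.group(1), m.group(2))) if m else None
        if kind is None:
            skipped.append(obj.get("pattern"))  # compound or unknown: do not guess
            continue
        feeds.setdefault(kind, set()).add(re.sub(r"\\(.)", r"\1", m.group(3)))
    return {k: sorted(v) for k, v in feeds.items()}, skipped

# Constructed sample bundle: the first indicator is the one shown on the page.
SAMPLE = [
    {"type": "threat-actor", "name": "FIN99"},
    {"type": "indicator", "pattern": "[domain-name:value = 'evil.example.com']",
     "valid_from": "2026-04-01T00:00:00Z", "valid_until": "2026-07-01T00:00:00Z"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '192.0.2.10']",
     "valid_from": "2025-01-01T00:00:00Z", "valid_until": "2025-06-01T00:00:00Z"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2026-04-15T00:00:00Z"},
    {"type": "indicator", "valid_from": "2026-04-01T00:00:00Z",
     "pattern": "[url:value = 'http://a.example/x' AND domain-name:value = 'a.example']"},
]

if __name__ == "__main__":
    print(active_values(SAMPLE, datetime(2026, 5, 1, tzinfo=timezone.utc)))
```

Patterns returned in the skipped list should be logged for review rather than dropped silently, since a compound pattern blocked on one of its terms alone can produce false positives.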
TAXII 2.1 support is built in. If your platform already speaks the protocol, point it at the server and start consuming intelligence in minutes — no custom connectors, no middleware, no hand-rolled parsing.
OASIS TAXII 2.1 & STIX 2.1 — works with any compliant client out of the box.
Each feed has a dedicated collection. Subscribe to exactly what you need — nothing more.
Use TAXII's added_after parameter to efficiently poll for only new objects since your last sync.
REST or TAXII 2.1 — use whichever transport fits your stack. No tradeoffs.
Enterprise-grade features for production deployments.
Leverage powerful PostgREST syntax to query denormalized array columns. Filter by threat actor, malware family, target sector, MITRE ATT&CK pattern, geography, or time window — across both APIs.
Build highly tailored feeds using logical operators. Combine timestamps, geographic targeting, and source filters to pipe only relevant intelligence into your security stack.
Every response includes complete source attribution via external_references. Trace any piece of intelligence back to the original research for validation and audit.
Complete API reference covering both APIs — authentication, endpoints, filtering syntax, TAXII collections, and worked examples.
Instant push notifications when new intelligence matching your criteria is published. Build reactive security automation without constant polling.
Query historical intelligence by time window using latest_ts and earliest_ts. Track the evolution of threat actors, malware families, and CVE exploitation over time.
If it speaks REST or TAXII 2.1, it works. Pre-built connectors for the most common platforms — and a clean API for everything else.
REST and TAXII 2.1 are language-agnostic by design. Python, Node.js, Go, Java, PowerShell — if it can make an HTTP request, it integrates.
Get access to both APIs and start building with structured threat intelligence today. Enterprise tier only.