```bash
curl -H "Authorization: Bearer sk_live_..." \
"https://socdefenders.ai/api/v1/iocs?type=ipv4&confidence=high&since=2026-05-16T00:00:00Z&limit=500"
```

```json
{
  "meta": {
    "total": 1523,
    "limit": 100,
    "offset": 0,
    "generated_at": "2024-12-09T10:30:00Z",
    "feed_version": "1.0",
    "source": "SOC Defenders",
    "filters": {
      "type": "all",
      "category": "all",
      "confidence": "all",
      "since": "2024-12-08T00:00:00Z",
      "until": "2024-12-09T10:30:00Z"
    }
  },
  "data": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "type": "ipv4",
      "value": "192.168.1.1",
      "confidence": "high",
      "first_seen": "2024-12-08T14:30:00Z",
      "last_seen": "2024-12-09T08:15:00Z",
      "source": {
        "article_id": "abc123",
        "article_title": "New APT Campaign Targeting Financial Sector",
        "article_url": "https://socdefenders.ai/item/abc123",
        "feed_name": "Krebs on Security",
        "category": "news"
      },
      "context": "C2 server used in APT28 campaign",
      "tags": [
        "apt28",
        "c2",
        "financial"
      ],
      "mitre_techniques": [
        "T1071",
        "T1059"
      ]
    }
  ],
  "links": {
    "self": "https://socdefenders.ai/api/v1/iocs?limit=100&offset=0",
    "next": "https://socdefenders.ai/api/v1/iocs?limit=100&offset=100"
  }
}
```

The primary IOC export endpoint. Returns indicators of compromise — IPs, domains, URLs, file hashes, email addresses, CVEs, and MITRE ATT&CK technique IDs — extracted from articles and ingested from threat feeds (URLhaus, Feodo Tracker, ThreatFox).
An Indicator of Compromise is a forensic artifact that suggests a system has been compromised. The feed mixes:

- indicators extracted from articles (source.origin: "article")
- indicators ingested directly from threat feeds (source.origin: "feed")

Example requests:

- `GET /api/v1/iocs?type=ipv4&confidence=high&since=2026-05-16T00:00:00Z&format=txt`
  Returns one IP per line, ready for piping into a firewall block-list.
- `GET /api/v1/iocs?type=sha256&confidence=high&limit=1000`
- `GET /api/v1/iocs?industry=finance&since=2026-05-01T00:00:00Z&limit=500`
- `GET /api/v1/iocs?type=domain&format=csv&limit=1000`

Output formats:

- json (default): structured response with metadata + pagination
- csv: 10-column CSV: id, type, value, confidence, first_seen, last_seen, source_article, source_feed, category, tags
- txt: bare IOC values, one per line, for direct firewall/EDR ingestion

| Tier | Per request | Lookback | Formats |
|---|---|---|---|
| Free | 100 | 1 day | json only |
| Pro | 10,000 | 365 days | json, csv, txt |

Pagination: standard offset + limit. For walks past ~1k offsets, use the Articles endpoint pattern (cursor) or narrow your time window.
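The following is an added example, not SOC Defenders' own client code, showing how a consumer would walk the json envelope above page by page (following `links.next`, and refusing to go past the ~1k offset the pagination note warns about) and turn it into a block-list. It does not trust the server-side `type`/`confidence` filter, validates that each value actually parses as an IPv4 address before it can reach a firewall, and skips internal ranges such as the `192.168.1.1` in the sample response. The HTTP call is abstracted as a `fetch(url)` callable and the pages, `NEVER_BLOCK` list and address values are constructed for the example.

```python
"""Added example: consume the /api/v1/iocs JSON envelope and emit a firewall
block-list. Not SOC Defenders' client code; the HTTP GET (with the API-key
header) is abstracted as fetch(url) -> str so the sample runs offline."""
import ipaddress
import json
from typing import Callable, Iterator, List, Optional
from urllib.parse import parse_qs, urlparse

# Ranges a block-list must never contain, whatever the feed says. Assumption:
# the operator's own internal space; extend with your public prefixes.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "100.64.0.0/10",                                  # CGNAT
)]


def iter_iocs(fetch: Callable[[str], str], first_url: str,
              max_offset: int = 1000) -> Iterator[dict]:
    """Yield IOC objects page by page, following links.next until it is absent.
    Offsets past max_offset are refused: per the docs, narrow the since/until
    window instead of walking deep offsets."""
    url: Optional[str] = first_url
    while url:
        page = json.loads(fetch(url))
        yield from page.get("data", [])
        url = page.get("links", {}).get("next")
        if url:
            offset = int(parse_qs(urlparse(url).query).get("offset", ["0"])[0])
            if offset > max_offset:
                raise ValueError(f"offset {offset} exceeds {max_offset}; "
                                 "narrow the since/until window instead")


def blockable_ipv4(ioc: dict) -> Optional[str]:
    """Return the address if this IOC is a high-confidence, well-formed,
    non-internal IPv4 indicator; otherwise None."""
    if ioc.get("type") != "ipv4" or ioc.get("confidence") != "high":
        return None
    try:
        addr = ipaddress.IPv4Address(ioc.get("value", ""))
    except ValueError:  # a malformed value must never reach the firewall
        return None
    if any(addr in net for net in NEVER_BLOCK):
        return None
    return str(addr)


def build_blocklist(fetch: Callable[[str], str], first_url: str) -> List[str]:
    """Deduplicated, ordered list of blockable IPv4 values across all pages."""
    seen, out = set(), []
    for ioc in iter_iocs(fetch, first_url):
        ip = blockable_ipv4(ioc)
        if ip and ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


# Constructed sample pages shaped like the documented envelope (not real feed
# data); 203.0.113.0/24 and 198.51.100.0/24 are documentation-only ranges.
BASE = "https://socdefenders.ai/api/v1/iocs?type=ipv4&confidence=high&limit=5"
FIRST_URL = BASE + "&offset=0"
SAMPLE_PAGES = {
    FIRST_URL: json.dumps({
        "meta": {"total": 7, "limit": 5, "offset": 0},
        "data": [
            {"id": "1", "type": "ipv4", "value": "192.168.1.1", "confidence": "high"},
            {"id": "2", "type": "ipv4", "value": "203.0.113.7", "confidence": "high"},
            {"id": "3", "type": "ipv4", "value": "198.51.100.9", "confidence": "medium"},
            {"id": "4", "type": "domain", "value": "bad.example", "confidence": "high"},
            {"id": "5", "type": "ipv4", "value": "not-an-ip", "confidence": "high"},
        ],
        "links": {"self": FIRST_URL, "next": BASE + "&offset=5"},
    }),
    BASE + "&offset=5": json.dumps({
        "meta": {"total": 7, "limit": 5, "offset": 5},
        "data": [
            {"id": "6", "type": "ipv4", "value": "203.0.113.7", "confidence": "high"},
            {"id": "7", "type": "ipv4", "value": "203.0.113.250", "confidence": "high"},
        ],
        "links": {"self": BASE + "&offset=5"},  # no "next": last page
    }),
}


def fetch_sample(url: str) -> str:
    """Offline stand-in for the authenticated HTTP GET."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # One value per line, the same shape as format=txt.
    print("\n".join(build_blocklist(fetch_sample, FIRST_URL)))
```

Of the seven constructed indicators only two survive: the private address, the medium-confidence entry, the domain, the malformed value and the duplicate are all dropped before anything is written to the block-list.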
Authentication: API key in X-API-Key header.

Query parameters:

- type: Filter by IOC type. Common: ipv4, domain, sha256. Less common: email, cve (use /api/v1/articles?cve_text_search= for CVE search), mitre_attack (technique IDs).
  Allowed values: ipv4, ipv6, domain, url, md5, sha1, sha256, sha512, email, cve, mitre_attack
  Example: "ipv4"
- category: Filter by the originating source category. threat-intel = direct from threat feeds (URLhaus etc.). news/research/vendor/government = extracted from articles in that category.
  Allowed values: news, research, threat-intel, vendor, government
  Example: "threat-intel"
- confidence: Filter by confidence level. high = both source and extraction high-confidence; use this for automated blocking. medium/low are for review/analyst surfacing.
  Allowed values: high, medium, low
  Example: "high"
- industry: Filter to IOCs tagged with a target industry sector. Available: finance, healthcare, government, technology, manufacturing, retail, energy, education, telecom, transportation, defense, water.
  Example: "finance"
- since: Lower time bound on extracted_at (ISO 8601). Silently clamped to your tier lookback.
  Example: "2026-05-16T00:00:00Z"
- until: Upper time bound on extracted_at (ISO 8601).
  Example: "2026-05-17T00:00:00Z"
- limit: Max results per request. Tier-capped (Free=100, Pro=10000). Use the Articles endpoint with cursor pagination for unbounded scans.
  Range: 1 <= x <= 10000
  Example: 500
- offset: Pagination offset. Cheap up to ~1000; for deeper walks narrow your time window instead.
  Range: x >= 0
  Example: 0
- format: json (full envelope), csv (10 columns), txt (bare values one per line, to drop directly into firewall/EDR).
  Allowed values: json, csv, txt
  Example: "txt"
- Context toggle (boolean; parameter name not given here): When false, the context field is omitted from each IOC (saves ~30% payload on average). Useful for SIEM ingestion that only needs the value.
  Example: false