List IOCs (Indicators of Compromise)
The primary IOC export endpoint. Returns indicators of compromise — IPs, domains, URLs, file hashes, email addresses, CVEs, and MITRE ATT&CK technique IDs — extracted from articles and ingested from threat feeds (URLhaus, Feodo Tracker, ThreatFox).
What’s an IOC?
An Indicator of Compromise is a forensic artifact that suggests a system has been compromised. The feed mixes:
- Article-extracted IOCs: pulled out of writeups by our extraction pipeline (source.origin: "article")
- Feed-sourced IOCs: ingested directly from threat-intel feeds (source.origin: "feed")
Common use cases
1. SIEM block-list ingestion (recent IPs)
GET /api/v1/iocs?type=ipv4&confidence=high&since=2026-05-16T00:00:00Z&format=txt
Returns one IP per line — perfect for piping into a firewall block-list.
2. Hash IOCs for EDR detection
GET /api/v1/iocs?type=sha256&confidence=high&limit=1000
3. APT-tagged IOCs for threat hunting
GET /api/v1/iocs?industry=finance&since=2026-05-01T00:00:00Z&limit=500
4. CSV export for spreadsheet analysis
GET /api/v1/iocs?type=domain&format=csv&limit=1000
Output formats
- json (default): structured response with metadata + pagination
- csv: 10-column CSV — id, type, value, confidence, first_seen, last_seen, source_article, source_feed, category, tags
- txt: bare IOC values one per line — for direct firewall/EDR ingestion
Tier behavior
| Tier | Per request | Lookback | Formats |
|---|---|---|---|
| Free | 100 | 1 day | json only |
| Pro | 10,000 | 365 days | json, csv, txt |
Pagination
Standard offset + limit. For walks past ~1k offsets, use the Articles endpoint pattern (cursor) or narrow your time window.
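The use cases, tier table and output formats above, as an added client-side example (not the service's own code): a request builder that rejects a query the server would refuse or silently clamp for the given tier, plus a parser for the txt block-list output. The sample txt body is constructed here for offline use.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Enumerations and limits as documented for GET /api/v1/iocs.
IOC_TYPES = {"ipv4", "ipv6", "domain", "url", "md5", "sha1", "sha256",
             "sha512", "email", "cve", "mitre_attack"}
CONFIDENCE = {"high", "medium", "low"}
# tier -> (per-request cap, lookback in days, allowed formats) from the Tier behavior table
TIERS = {"free": (100, 1, {"json"}), "pro": (10000, 365, {"json", "csv", "txt"})}


def build_ioc_query(tier, ioc_type, confidence, since, limit, fmt="json", now=None):
    """Return the path+query for an IOC export, or raise ValueError when a parameter
    would be rejected by the server or silently clamped to the tier lookback."""
    cap, lookback_days, formats = TIERS[tier]
    if ioc_type not in IOC_TYPES:
        raise ValueError(f"unknown IOC type {ioc_type!r}")
    if confidence not in CONFIDENCE:
        raise ValueError(f"unknown confidence {confidence!r}")
    if fmt not in formats:
        raise ValueError(f"format {fmt!r} is not available on the {tier} tier")
    if not 1 <= limit <= cap:
        raise ValueError(f"limit {limit} outside 1..{cap} for the {tier} tier")
    now = now or datetime.now(timezone.utc)
    if since < now - timedelta(days=lookback_days):
        # The server would clamp this silently; fail loudly on the client instead.
        raise ValueError(f"since is older than the {lookback_days}-day {tier} lookback")
    params = {"type": ioc_type, "confidence": confidence,
              "since": since.strftime("%Y-%m-%dT%H:%M:%SZ"), "limit": limit, "format": fmt}
    return "/api/v1/iocs?" + urlencode(params)


def parse_txt_blocklist(body):
    """txt format is one bare value per line: drop blanks, deduplicate, keep order."""
    seen = {}
    for line in body.splitlines():
        value = line.strip()
        if value and value not in seen:
            seen[value] = None
    return list(seen)


# Constructed sample of a txt response (not real indicators).
SAMPLE_TXT = "192.0.2.10\n198.51.100.7\n\n192.0.2.10\n203.0.113.42\n"

if __name__ == "__main__":
    when = datetime(2026, 5, 16, tzinfo=timezone.utc)
    print(build_ioc_query("pro", "ipv4", "high", when, 1000, "txt"))
    print(parse_txt_blocklist(SAMPLE_TXT))
```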
Authorizations
API key in X-API-Key header
Query Parameters
- `type`: Filter by IOC type. Common: ipv4, domain, sha256. Less common: email, cve (use /api/v1/articles?cve_text_search= for CVE search), mitre_attack (technique IDs).
  Allowed values: ipv4, ipv6, domain, url, md5, sha1, sha256, sha512, email, cve, mitre_attack. Example: "ipv4"
- Filter by the originating source category. threat-intel = direct from threat feeds (URLhaus etc.). news/research/vendor/government = extracted from articles in that category.
  Allowed values: news, research, threat-intel, vendor, government. Example: "threat-intel"
- `confidence`: Filter by confidence level. high = both source and extraction high-confidence; use this for automated blocking. medium/low are for review/analyst surfacing.
  Allowed values: high, medium, low. Example: "high"
- `industry`: Filter to IOCs tagged with a target industry sector. Available: finance, healthcare, government, technology, manufacturing, retail, energy, education, telecom, transportation, defense, water.
  Example: "finance"
- `since`: Lower time bound on extracted_at (ISO 8601). Silently clamped to your tier lookback.
  Example: "2026-05-16T00:00:00Z"
- Upper time bound on extracted_at (ISO 8601).
  Example: "2026-05-17T00:00:00Z"
- `limit`: Max results per request. Tier-capped (Free=100, Pro=10000). Use the Articles endpoint with cursor pagination for unbounded scans.
  Range: 1 <= x <= 10000. Example: 500
- Pagination offset. Cheap up to ~1000; for deeper walks narrow your time window instead.
  Range: x >= 0. Example: 0
- `format`: json (full envelope), csv (10 columns), txt (bare values one per line — drop directly into firewall/EDR).
  Allowed values: json, csv, txt. Example: "txt"
- When false, the context field is omitted from each IOC (saves ~30% payload on average). Useful for SIEM ingestion that only needs the value.
  Example: false