> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# TAXII 2.1 server overview and discovery

> SOC Defenders provides a TAXII 2.1 server for automated threat feed polling. Discover the API root and available collections at /api/taxii2/.

SOC Defenders exposes a TAXII 2.1 server that allows you to integrate the threat intelligence feed directly into SIEM platforms, threat intelligence platforms (TIPs), and custom tooling using the industry-standard TAXII protocol. TAXII (Trusted Automated eXchange of Intelligence Information) is defined by OASIS and is natively supported by tools such as Splunk, Microsoft Sentinel, IBM QRadar, and OpenCTI. Objects are served in STIX 2.1 format.

<Note>
  TAXII 2.1 access requires a Pro subscription. Upgrade your account at [socdefenders.ai](https://socdefenders.ai) to enable this feature.
</Note>

## Protocol overview

TAXII 2.1 organises threat data into **collections** — named groups of STIX objects such as all IOCs, IP addresses only, file hashes, or CVEs. Clients discover the server's API root, list available collections, and then poll individual collections for objects, optionally using the `added_after` parameter to retrieve only objects added since their last poll.

## Discovery endpoint

Send a GET request to the discovery URL to retrieve the server's title, description, contact information, and the API root URL you will use for all subsequent requests.

**Method:** `GET https://socdefenders.ai/api/taxii2/`

**Authentication:** Required — pass your API key in the `Authorization` header as a Bearer token.

**Tier:** Pro.

### Example request

```bash theme={null}
curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/taxii2/"
```

### Example response

```json theme={null}
{
  "title": "SOC Defenders TAXII Server",
  "description": "Threat intelligence feed aggregating 30+ cybersecurity sources including CISA alerts, vendor advisories, and threat research",
  "contact": "support@socdefenders.ai",
  "default": "https://www.socdefenders.ai/api/taxii2/api/",
  "api_roots": ["https://www.socdefenders.ai/api/taxii2/api/"]
}
```

## Response fields

<ResponseField name="title" type="string">
  Human-readable name of the TAXII server.
</ResponseField>

<ResponseField name="description" type="string">
  Description of the threat intelligence feed provided by this server.
</ResponseField>

<ResponseField name="contact" type="string">
  Contact address for the server operator. Reach the SOC Defenders team at `support@socdefenders.ai`.
</ResponseField>

<ResponseField name="default" type="string">
  The default API root URL. Use this as the base URL for collections and object requests.
</ResponseField>

<ResponseField name="api_roots" type="string[]">
  Array of API root URLs available on this server. Each root can have its own set of collections.
</ResponseField>

## API root

All collection and object requests are made under the API root returned in the discovery response:

```
https://www.socdefenders.ai/api/taxii2/api/
```

Proceed to [Collections](/api-reference/taxii/collections) to list the available collections, or to [Collection Objects](/api-reference/taxii/objects) to begin fetching STIX objects.
