SOC Defenders supports two complementary standards for structured threat intelligence sharing. The STIX 2.1 endpoint returns a point-in-time bundle of indicators you can download on demand. The TAXII 2.1 server exposes the same data as a live feed your SIEM can poll automatically — no custom scripts required.

Both STIX 2.1 and TAXII 2.1 require a Pro subscription. Upgrade at socdefenders.ai.

STIX 2.1 export

The STIX endpoint returns a valid STIX 2.1 bundle containing indicator objects for each IOC and a single identity object representing SOC Defenders as the producer.

Endpoint: GET /api/v1/iocs/stix

Authentication

Pass your API key as a Bearer token in the Authorization header.

Query parameters

The STIX endpoint accepts the same filter parameters as GET /api/v1/iocs:

| Parameter | Type | Description |
| --- | --- | --- |
| type | string | Filter by IOC type: ipv4, ipv6, domain, url, md5, sha1, sha256, cve, email |
| since | string | ISO 8601 timestamp — return only IOCs added after this date |
| industry | string | CISA Critical Infrastructure sector slug |
| confidence | string | low, medium, or high |

Example request

curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/stix?type=ipv4&confidence=high"

Response structure

The response is a STIX 2.1 bundle. Each IOC appears as an indicator object inside the objects array.

{
  "type": "bundle",
  "spec_version": "2.1",
  "id": "bundle--a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "objects": [
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--socdefenders",
      "name": "SOC Defenders",
      "identity_class": "organization"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f1e2d3c4-b5a6-7890-abcd-ef0987654321",
      "created": "2026-05-17T00:00:00.000Z",
      "modified": "2026-05-17T00:00:00.000Z",
      "name": "Malicious IPv4: 203.0.113.42",
      "pattern": "[ipv4-addr:value = '203.0.113.42']",
      "pattern_type": "stix",
      "valid_from": "2026-05-17T00:00:00.000Z",
      "indicator_types": ["malicious-activity"],
      "confidence": 85
    }
  ]
}
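
An added example (not SOC Defenders' code) of checking a downloaded bundle before its indicators reach a blocklist: it keeps only single-comparison patterns at or above a confidence threshold and refuses internal addresses. The function name, the threshold of 70, the internal-range list and the sample bundle are assumptions constructed for illustration.

```python
import ipaddress
import re

# Accept only single-comparison patterns such as [ipv4-addr:value = '203.0.113.42'].
SIMPLE = re.compile(r"^\[([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^'\\]*)'\]$")
# Assumed policy: address space a third-party feed must never be able to blocklist.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def extract_observables(bundle, min_confidence=70):
    """Return (accepted, skipped); accepted is a set of (object_type, value)."""
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    accepted, skipped = set(), []
    for obj in bundle["objects"]:
        if not isinstance(obj, dict) or obj.get("type") != "indicator":
            continue  # identity and other object types carry no pattern
        oid, conf = obj.get("id"), obj.get("confidence")
        if obj.get("revoked") or not isinstance(conf, int) or conf < min_confidence:
            skipped.append((oid, "revoked, or confidence missing or below threshold"))
            continue
        m = SIMPLE.match(str(obj.get("pattern", "")).strip())
        if obj.get("pattern_type") != "stix" or not m:
            skipped.append((oid, "unsupported pattern"))
            continue
        otype, _path, value = m.groups()
        if otype in ("ipv4-addr", "ipv6-addr"):
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                skipped.append((oid, "invalid IP address"))
                continue
            if any(ip in net for net in INTERNAL):
                skipped.append((oid, "internal address"))
                continue
        accepted.add((otype, value))
    return accepted, skipped

def _ind(n, pattern, confidence):  # builds one constructed sample indicator
    return {"type": "indicator", "id": f"indicator--sample-{n}",
            "pattern_type": "stix", "pattern": pattern, "confidence": confidence}

SAMPLE_BUNDLE = {"type": "bundle", "objects": [  # constructed test data
    {"type": "identity", "id": "identity--socdefenders"},
    _ind(1, "[ipv4-addr:value = '203.0.113.42']", 85),
    _ind(2, "[ipv4-addr:value = '10.0.0.5']", 90),
    _ind(3, "[ipv4-addr:value = '198.51.100.7']", 40),
    _ind(4, "[ipv4-addr:value = '203.0.113.9'] OR [ipv4-addr:value = '203.0.113.10']", 95)]}
```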

TAXII 2.1 server

The SOC Defenders TAXII 2.1 server lets your SIEM poll for new threat intelligence automatically using the standard TAXII protocol. Configure it once and your SIEM fetches updates on its own schedule.

Discovery endpoint: GET /api/taxii2/

API root: https://www.socdefenders.ai/api/taxii2/api/

Authentication

Pass your API key as the password in HTTP Basic Auth, or use an Authorization: Bearer header — both are accepted.

curl -u "your_email@example.com:sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/taxii2/"

TAXII endpoints

| Endpoint | Description |
| --- | --- |
| GET /api/taxii2/ | Server discovery — returns API roots and server metadata |
| GET /api/taxii2/api/collections/ | List available collections (all IOCs, IPs only, hashes only, CVEs, etc.) |
| GET /api/taxii2/api/collections/{id}/objects/ | Paginated STIX objects from a specific collection |

Discovery response

Calling the discovery endpoint returns the server title, description, and available API roots:

{
  "title": "SOC Defenders TAXII 2.1 Server",
  "description": "Aggregated threat intelligence from 30+ cybersecurity sources",
  "contact": "support@socdefenders.ai",
  "api_roots": [
    "https://www.socdefenders.ai/api/taxii2/api/"
  ]
}

Fetching objects from a collection

Once you have a collection ID from the /collections/ endpoint, retrieve its STIX objects:

curl -u "your_email@example.com:sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/taxii2/api/collections/all-iocs/objects/?limit=100"

The response returns a standard TAXII envelope containing STIX objects, with next cursor values for pagination.