REST API, a tc CLI, an agent tool surface, and SIEM-ready feeds. Anything you can do in the UI, you can do from a script or a pipeline.
Same data, four interfaces. Use the API for backend integrations, the CLI for ad-hoc and CI work, the agent tools for AI workflows, and the feeds for SIEM and TIP ingestion.
JSON-first. OAuth2 + scoped agent keys. Every cluster, entity, IOC, exposure, report and workflow operation reachable from one base URL.
```bash
# Get today's top clusters
curl -H "Authorization: Bearer $TC_KEY" \
  "https://threatcluster.io/api/public/v1/clusters?limit=10"
```
Single binary, OS keyring auth, JSON-first output. Pipe results into jq, cron a hunt query, kick off a report from CI.
```bash
# Trending clusters in the last 24h, JSON to jq
tc clusters list --hours 24 --sort score \
  | jq '.[] | {title, score, sources}'
```
The same API exposed as discoverable tools for agentic workflows. Search clusters, fetch entity graphs, score CVEs, generate reports — from inside an LLM loop.
```yaml
# Available as MCP-style tool definitions
tools:
  - search_clusters(query, sector?, hours?)
  - get_entity(name, type)
  - generate_report(cluster_ids, style)
```
RSS for reading-list ingestion. MISP feed for sharing. STIX 2.1 bundles per cluster. Webhooks for real-time delivery into Splunk, Sentinel, Elastic, OpenSearch, or any HTTP listener.
```bash
# Public RSS, no key required
curl https://threatcluster.io/feed.xml

# MISP manifest (public, 50 events)
curl https://threatcluster.io/misp/manifest.json
```
The free tier of the feed is public. Sign up for an account if you want personalised filtering, higher item counts, or filters by entity, sector, or threat score.
| Endpoint | Auth | What you get |
|---|---|---|
| /feed.xml | public | RSS 2.0. Latest 10 clusters with title, summary, link, score, category. |
| /rss | public | Alias for /feed.xml. |
| /misp/manifest.json | public | MISP feed manifest. Drop the base URL into any MISP instance under Sync Actions → List Feeds. |
| /misp/hashes.csv | public | Hash list for MISP enrichment. SHA-256, SHA-1, MD5. |
| /misp/{event_uuid}.json | public | Individual MISP event in MISP JSON format, TLP-marked. |
| /api/public/v1/clusters | key | Paginated cluster index with filters: sector, threat score, freshness, entity overlap. |
| /api/public/v1/clusters/{id}/stix | key | STIX 2.1 bundle for the cluster — indicators, threat-actor, malware, attack-pattern, relationships. TLP-marked. |
| /api/public/v1/entities/{name} | key | Full entity intelligence record: profile, frequency, related entities, recent clusters. |
| /api/public/v1/iocs/export | key | Bulk IOC export. TXT, CSV, JSON. Filter by type, confidence, time window. |
| /api/public/v1/openapi.json | public | OpenAPI 3.1 spec for the entire public surface. Generate clients for any language. |
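The table above says what the public feed returns but not what an ingestion step around it looks like. The following is an added example, not ThreatCluster's own code: it parses RSS 2.0 items from /feed.xml, drops anything below a score threshold, de-duplicates across polls by link, and emits newline-delimited JSON of the kind SIEM HTTP collectors accept. The sample feed is constructed, and the choice to carry the score in a plain `<score>` element is an assumption; map the element names to whatever the real feed uses.

```python
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, asdict
from typing import Iterable, List, Optional, Set

# Constructed sample feed. The fields mirror what the page lists for /feed.xml
# (title, summary, link, score, category); the exact element names of the
# real feed, in particular how the score is carried, are an assumption.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Latest clusters (constructed sample)</title>
    <item>
      <title>Phishing wave impersonating a file-sharing service</title>
      <link>https://example.invalid/clusters/1001</link>
      <description>Credential-harvesting lures sent to finance teams.</description>
      <category>phishing</category>
      <score>87</score>
    </item>
    <item>
      <title>New loader variant seen in malvertising</title>
      <link>https://example.invalid/clusters/1002</link>
      <description>Signed MSI dropper, low prevalence so far.</description>
      <category>malware</category>
      <score>42</score>
    </item>
    <item>
      <title>Vendor advisory roundup</title>
      <link>https://example.invalid/clusters/1003</link>
      <description>Weekly patch notes.</description>
      <category>advisory</category>
    </item>
  </channel>
</rss>
"""


@dataclass(frozen=True)
class FeedItem:
    title: str
    link: str
    summary: str
    category: str
    score: Optional[float]  # None when the item carries no parsable score


def _text(node: ET.Element, tag: str) -> str:
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else ""


def parse_feed(xml_text: str) -> List[FeedItem]:
    """Parse RSS 2.0 items into FeedItem records; a missing or non-numeric score becomes None."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    items = []
    for node in root.iter("item"):
        raw = _text(node, "score")
        try:
            score = float(raw) if raw else None
        except ValueError:
            score = None
        items.append(FeedItem(
            title=_text(node, "title"),
            link=_text(node, "link"),
            summary=_text(node, "description"),
            category=_text(node, "category"),
            score=score,
        ))
    return items


def filter_by_score(items: Iterable[FeedItem], min_score: float) -> List[FeedItem]:
    """Keep items at or above min_score; unscored items are dropped rather than guessed."""
    return [i for i in items if i.score is not None and i.score >= min_score]


def new_items(items: Iterable[FeedItem], seen_links: Set[str]) -> List[FeedItem]:
    """Return items not yet forwarded (keyed by link) and record them, so re-polls do not duplicate."""
    fresh = []
    for i in items:
        if i.link and i.link not in seen_links:
            seen_links.add(i.link)
            fresh.append(i)
    return fresh


def to_ndjson(items: Iterable[FeedItem]) -> str:
    """One JSON object per line, the shape most SIEM HTTP collectors accept."""
    return "\n".join(json.dumps(asdict(i), sort_keys=True) for i in items)


if __name__ == "__main__":
    seen: Set[str] = set()
    hot = filter_by_score(new_items(parse_feed(SAMPLE_FEED), seen), min_score=50)
    print(to_ndjson(hot))
```

Persist the `seen` set between polls (a small file or key-value store) so a restart does not replay the whole feed into the SIEM. If the feed is fetched from a source you do not control, parse it with `defusedxml` instead of the standard-library parser.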
Wire the platform into the tools you already run. No custom adapter, no middleware shim.

- Webhook ingestion into HEC, or scheduled pull via REST.
- Webhook to Log Analytics, or hunt-query export in KQL.
- RSS, JSON pull, or hunt-query export in Lucene.
- Native MISP feed. TLP-marked events, automatic sync.
- STIX 2.1 bundle ingestion via the public API.
- Webhook actions in workflows. Inline cluster cards.
- Webhook routing into Cortex XSOAR, Tines, Torq.
- Jira, ServiceNow, Linear via webhook or API.
- RSS, JSON, RSS-with-filter URLs for embeddable feeds.
Most teams never hit a limit. If you're building something high-volume, get in touch and we'll scope a tier with the headroom you need.

- 60 requests per minute, per IP. No key required.
- 1,000 requests per minute. Standard rate-limit headers on every response.
- Higher per-key limits, scoped per customer. Set during onboarding.
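A client that polls the keyed endpoints has to respect the limits above rather than hammer through a 429. The following is an added example, not ThreatCluster's client code: a Python fetch that honours Retry-After on 429/503 (in both the delta-seconds and HTTP-date forms) and falls back to capped exponential backoff otherwise. The page says standard rate-limit headers are sent but does not name them, so only the RFC-standard Retry-After is relied on; any other header name would be an assumption. The `TC_KEY` environment variable and the base URL come from the page's own curl example; nothing is assumed about the response body beyond it being JSON.

```python
import json
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, Optional, Tuple

# A response is (status, headers, body). The transport is injectable so the
# retry logic can be exercised without network access.
Response = Tuple[int, Dict[str, str], str]
Sender = Callable[[str, Dict[str, str]], Response]


def retry_delay(status: int, headers: Dict[str, str], attempt: int,
                now: Optional[datetime] = None, base: float = 1.0,
                cap: float = 60.0) -> Optional[float]:
    """Seconds to wait before retrying, or None when the response should not be retried.

    Honours Retry-After in both forms RFC 9110 allows (delta-seconds or an HTTP-date);
    without a usable header, falls back to capped exponential backoff on the attempt number.
    """
    if status not in (429, 503):
        return None
    lower = {k.lower(): v for k, v in headers.items()}
    retry_after = lower.get("retry-after", "").strip()
    if retry_after.isdigit():
        return min(float(retry_after), cap)
    if retry_after:
        try:
            when = parsedate_to_datetime(retry_after)
            current = now or datetime.now(timezone.utc)
            return max(0.0, min((when - current).total_seconds(), cap))
        except (TypeError, ValueError):
            pass  # unparsable date: fall through to backoff
    return min(base * (2 ** attempt), cap)


def urllib_send(url: str, headers: Dict[str, str]) -> Response:
    """Real transport: GET with the given headers; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def fetch_json(url: str, token: str, send: Sender = urllib_send,
               max_attempts: int = 5, sleep: Callable[[float], None] = time.sleep):
    """GET a keyed endpoint, backing off on 429/503 until max_attempts is exhausted."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    for attempt in range(max_attempts):
        status, resp_headers, body = send(url, headers)
        delay = retry_delay(status, resp_headers, attempt)
        if delay is None:
            if status >= 400:
                raise RuntimeError(f"HTTP {status} from {url}")
            return json.loads(body)
        sleep(delay)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts: {url}")


if __name__ == "__main__":
    import os
    # Live run against the documented base URL; the key comes from TC_KEY as in the page's curl example.
    data = fetch_json("https://threatcluster.io/api/public/v1/clusters?limit=10", os.environ["TC_KEY"])
    print(json.dumps(data, indent=2)[:2000])
```

The backoff is deterministic here so it can be tested; in a fleet of pollers add jitter to the computed delay so clients that were throttled together do not retry together.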
OpenAPI spec, CLI, agent tools, and SIEM-ready feeds. Start with the public endpoints; upgrade to keyed access when you need it.