IOC formats & endpoints
The same IOC data — IPs, domains, hashes, emails, crypto wallets, threat actors — is exposed in 11 different ways across REST, STIX, MISP and the CLI. Start here.
If you just want a free blocklist…
No auth required. Public /iocs feed — high-confidence, last 30 days.
curl https://threatcluster.io/api/iocs/public/feed.txt
If you're plugging into MISP…
Point MISP at /misp/ (public, 10 events) or /api/misp/?token=… (50).
MISP feed URL: https://threatcluster.io/api/misp/?token=…
If you want one threat's full STIX bundle…
/api/threats/{id}/stix emits Report + Actors + Malware + AttackPatterns + Indicators with relationships.
curl ".../api/threats/abcd1234/stix?tlp=clear"
Pick by scope
Endpoints split into three scopes by the question they answer. Use the right one and you don't need a token.
- Scope 1, bulk site-wide feeds: "Give me every confirmed bad domain/IP from the last 30 days." Use to populate a firewall, DNS sinkhole, or SIEM watchlist on a schedule.
- Scope 2, per-incident: "Give me everything (IOCs, TTPs, actors, relationships) for this incident." Use from a SOAR playbook or when ingesting one incident into MISP / OpenCTI / ATT&CK Navigator.
- Scope 3, per-IOC reverse lookup: "I have an unknown IP — have you seen it, and in which reports?" Use from an analyst console when triaging an unfamiliar indicator.
Scope 1 · Bulk site-wide feeds
Every confirmed bad indicator across the whole site, on a rolling time window.
| Endpoint | Format | Auth | Tier | Default confidence | Notes |
|---|---|---|---|---|---|
| /api/iocs/public/feed.txt | txt | public · no auth | Public | high | Free blocklist — one IOC per line, last 30 days, domains + IPs. Drops into pi-hole, pfSense, DNS sinkholes. Landing: /iocs. |
| /api/iocs/public/feed.json | json | public · no auth · CORS | Public | high | Same data with confidence, reason, first/last seen, up to 5 source citations per IOC. |
| /api/iocs/public/feed.csv | csv | public · no auth | Public | high | Spreadsheet-friendly. Sources pipe-separated inside the cell. |
| /api/iocs/feed | txt · csv · json · stix | Feed token or session | Researcher+ | confirmed | Same idea, more powerful — wider window, every IOC type (hashes, wallets, emails), medium/low included, defang option. Cache 15 min. The upgrade path from the public feed. |
| /api/iocs/export | txt · csv · json | Feed token or session | Researcher+ | all | Triggers a download (Content-Disposition). Same data as /feed but as a file. Filter ?confidence=, ?hours=, ?types=. |
| /api/public/v1/iocs/feed | txt · csv · json · stix | API key (X-API-Key) | Business+ | confirmed | Same data as /api/iocs/feed but on the stable v1 public API contract (scope iocs:read). For integrations you ship to customers. |
| /api/public/v1/iocs/export | txt · csv · json | API key | Business+ | confirmed | Public-API equivalent of /api/iocs/export. |
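As an added example (not code from the page or from the threatcluster.io project), a small Python consumer for the Scope 1 feeds: it builds an /api/iocs/export URL from the ?confidence=, ?hours= and ?types= filters listed above, splits the one-IOC-per-line feed.txt format into IPs and domains with validation so a malformed line never reaches a firewall rule or sinkhole zone, and reads the X-IOC-Pending-Count header described under Confidence levels. The value vocabulary for ?types=, and that the v1 export accepts the same filters, are assumptions; the sample feed text is constructed.

```python
import ipaddress
import re
import urllib.parse
import urllib.request

BASE = "https://threatcluster.io"
# Hostname label rule for domain lines (assumption: feed.txt carries bare hostnames and IP literals only).
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def build_export_url(confidence="high", hours=720, types=("domain", "ip"), v1=False):
    """URL for /api/iocs/export (or its v1 public-API twin) with the documented
    ?confidence=, ?hours=, ?types= filters. The ?types= vocabulary is assumed."""
    path = "/api/public/v1/iocs/export" if v1 else "/api/iocs/export"
    query = urllib.parse.urlencode(
        {"confidence": confidence, "hours": hours, "types": ",".join(types)})
    return f"{BASE}{path}?{query}"

def classify_feed(text):
    """Split feed.txt (one IOC per line) into IPs, domains and rejected lines."""
    ips, domains, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:                                  # IPv4 or IPv6 literal
            ips.add(str(ipaddress.ip_address(line)))
            continue
        except ValueError:
            pass
        labels = line.rstrip(".").split(".")
        if len(labels) >= 2 and all(_LABEL.match(lb) for lb in labels):
            domains.add(line.rstrip("."))
        else:                                 # never ship a malformed line downstream
            rejected.append(raw)
    return sorted(ips), sorted(domains), rejected

def pending_lag(headers, delivered):
    """X-IOC-Pending-Count = extracted-but-unvalidated IOCs; return it and its ratio to what was delivered."""
    pending = int(headers.get("X-IOC-Pending-Count", "0"))
    return pending, pending / max(delivered, 1)

def fetch_v1_export(url, api_key):
    """Fetch a v1 public-API export; X-API-Key is the documented header for that tier."""
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode(), dict(resp.headers)

# Constructed sample feed, not real threatcluster.io output.
SAMPLE_FEED = "# blocklist\nevil-example.test\n203.0.113.7\nnot a domain!\n2001:db8::1\nSub.Example.TEST.\n"
```

The rejected list is worth logging: a feed that suddenly produces rejects usually means the format changed, not that the indicators did.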
Scope 2 · Per-incident (you supply a cluster ID)
For one specific incident, in whichever format your downstream tool wants.
| Endpoint | Format | Auth | Tier | What it returns | Notes |
|---|---|---|---|---|---|
| /api/threats/{id}/iocs | txt · csv · json | public | Public | Flat list of just the IOCs from this one cluster | Excludes false_positive. Optional ?defang=true. Use for a quick "give me this incident's indicators" call. |
| /api/threats/{id}/stix | STIX 2.1 Bundle | public | Public | Full graph: Report + ThreatActor + Malware + AttackPattern + Vulnerability + Indicator + relationships | TLP-marked. Use for MISP / OpenCTI / Anomali ingest where you want the relationships, not just bare indicators. |
| /api/threats/{id}/attack-navigator | ATT&CK Navigator layer | public | Public | JSON layer of only this cluster's TTPs (no IOCs) | Drop into MITRE Navigator to visualise coverage for one incident. |
| /api/public/v1/threats/{id}/iocs | txt · csv · json | API key | Business+ | Same as /api/threats/{id}/iocs | Public-API contract for embedded integrations. |
| /api/public/v1/threats/{id}/stix | STIX 2.1 Bundle | API key | Business+ | Same as /api/threats/{id}/stix | Public-API contract for embedded integrations. |
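As an added example (not code from the page or the project), a Python walker for the STIX 2.1 bundle that /api/threats/{id}/stix returns: it indexes the objects, follows `indicates` and `uses` relationships from each Indicator to the Malware and ThreatActor it is tied to, and resolves each indicator's TLP marking so a consumer can drop anything above the TLP it is allowed to forward. The embedded bundle is a constructed miniature with made-up ids, and the relationship types are the STIX 2.1 defaults, which is an assumption about how the site links its objects.

```python
TLP_ORDER = ["clear", "white", "green", "amber", "amber+strict", "red"]

def _rank(tlp):
    return TLP_ORDER.index(tlp) if tlp in TLP_ORDER else len(TLP_ORDER)

def summarise_bundle(bundle):
    """Per Indicator: pattern, effective TLP, linked malware and actor names."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]

    def linked(obj_id, rel_type, direction):
        # "out": obj_id is source_ref, return targets; "in": obj_id is target_ref, return sources
        key, other = ("source_ref", "target_ref") if direction == "out" else ("target_ref", "source_ref")
        return [by_id[r[other]] for r in rels
                if r[key] == obj_id and r["relationship_type"] == rel_type and r[other] in by_id]

    out = []
    for ind in (o for o in bundle["objects"] if o["type"] == "indicator"):
        tlps = [by_id[m]["definition"]["tlp"] for m in ind.get("object_marking_refs", [])
                if m in by_id and by_id[m].get("definition_type") == "tlp"]
        malware = linked(ind["id"], "indicates", "out")
        actors = [a for m in malware for a in linked(m["id"], "uses", "in")
                  if a["type"] == "threat-actor"]
        out.append({"pattern": ind["pattern"],
                    "tlp": max(tlps, key=_rank) if tlps else "unmarked",   # strictest marking wins
                    "malware": sorted({m["name"] for m in malware}),
                    "actors": sorted({a["name"] for a in actors})})
    return out

def shareable(summary, max_tlp):
    """Keep only indicators at or below max_tlp; unmarked never passes."""
    return [s for s in summary if s["tlp"] != "unmarked" and _rank(s["tlp"]) <= _rank(max_tlp)]

# Constructed miniature of a /api/threats/{id}/stix bundle; ids are made up.
MARK = "marking-definition--0a0a0a0a-0a0a-4a0a-8a0a-0a0a0a0a0a0a"
ACTOR, MAL, IND = ("threat-actor--11111111-1111-4111-8111-111111111111",
                   "malware--22222222-2222-4222-8222-222222222222",
                   "indicator--33333333-3333-4333-8333-333333333333")
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--44444444-4444-4444-8444-444444444444", "objects": [
    {"type": "marking-definition", "id": MARK, "definition_type": "tlp", "definition": {"tlp": "clear"}},
    {"type": "threat-actor", "id": ACTOR, "name": "Example Actor"},
    {"type": "malware", "id": MAL, "name": "ExampleLoader", "is_family": True},
    {"type": "indicator", "id": IND, "pattern_type": "stix", "object_marking_refs": [MARK],
     "pattern": "[domain-name:value = 'c2.example.test']"},
    {"type": "relationship", "id": "relationship--55555555-5555-4555-8555-555555555555",
     "relationship_type": "indicates", "source_ref": IND, "target_ref": MAL},
    {"type": "relationship", "id": "relationship--66666666-6666-4666-8666-666666666666",
     "relationship_type": "uses", "source_ref": ACTOR, "target_ref": MAL},
]}
```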
Scope 3 · Per-IOC reverse lookup (you supply the value)
"I have this IP / domain / hash. Have you seen it, and where?"
| Endpoint | Format | Auth | Tier | What it returns | Notes |
|---|---|---|---|---|---|
| /api/iocs/lookup?value=… | json | public | Public | List of clusters that mention this IOC, with titles, threat scores, and dates | Case-insensitive. Cap with ?limit=N (max 100). Use this when an unknown indicator hits your console. |
MISP feeds (specialised, cross-scope)
Point your MISP instance at one URL and it polls the rest. Public mirror gives a taste; authenticated mirror gives the full set + historical backfill.
| Endpoint | Format | Auth | Tier | Notes |
|---|---|---|---|---|
| /misp/manifest.json | MISP feed manifest | public | Public · 10 events | Add /misp/{event_uuid}.json per event, /misp/hashes.csv for bulk hashes. |
| /api/misp/manifest.json?token=… | MISP feed manifest | token | Researcher+ · 50 events · ?since= backfill | Historical replay via ?since=YYYY-MM-DD or ?days=N. |
Confidence levels
| Level | Meaning |
|---|---|
| confirmed (default) | Validated by the offline classifier with high/medium/low confidence. Excludes pending and false_positive. |
| pending | Freshly extracted from articles but not yet validated. Returned in the X-IOC-Pending-Count header on every response so consumers can see the lag. |
| high / medium / low | Individual filters for slicing the validated set. |
| false_positive | Classifier-rejected indicators (legitimate domains, security-vendor IPs, etc.). Excluded from every default response. |