IoC Enrichment API

Pricing

from $0.70 / 1,000 ioc enrichments

Enrich URLs, domains, IPs, and hashes with threat intelligence, related references, malware associations, adversary links, attack techniques, targeted regions, and affected industries.

Rating: 0.0 (0)

Developer: Crawland

Maintained by Community

Actor stats

  • Bookmarked: 0
  • Total users: 1
  • Monthly active users: 0
  • Last modified: 4 days ago


Real-time OSINT enrichment for URLs, file hashes, IPv4 addresses, and domains — adversary attribution, malware families, and MITRE ATT&CK techniques in a single call.

API Overview

IoC Enrichment API is a real-time threat intelligence service that goes beyond verdicts and answers the questions a "malicious / clean" score cannot:

  • Who is using this indicator?
  • Which malware family is it associated with?
  • Which MITRE ATT&CK techniques apply?
  • Which industries and countries are being targeted?

Send any of four indicator types — a URL, a file hash (MD5 / SHA-1 / SHA-256), an IPv4 address, or a domain — and get back the consolidated open-source intelligence (OSINT) context that has been associated with it.

What you get on every request

  • adversaries — named threat actors and campaigns that have used this indicator (e.g. WannaCry Ransomware Group, APT-C-35 (DoNot)).
  • malware_families — malware family labels seen alongside this indicator (e.g. Cobalt Strike, Redline, Emotet, Sality).
  • attack_ids — MITRE ATT&CK technique identifiers with their official titles (e.g. T1071 — Application Layer Protocol).
  • tags — analyst-applied free-form labels accumulated across all referencing reports.
  • targeted_countries, industries — victimology context derived from the source reports.
  • references — links and citations to the public reports, vendor write-ups, and OSINT feeds that mention this indicator.
  • IP-only extras — geolocation (country_code, country_name, city, asn, latitude, longitude).

What can you do with this API?

  • 🧠 Add who and why on top of an is-it-bad verdict
  • 🎯 Pull MITRE ATT&CK technique IDs straight into your detection engineering workflow
  • 🌍 Filter indicators by targeted industry and country (victimology)
  • 🔎 Pivot from a single indicator to the malware families and references that mention it
  • 🛡️ Attribute C2 infrastructure, phishing campaigns, and malware samples to known adversaries

Response model

Every successful request returns:

  {
    "is_success": true,
    "response_code": 200,
    "message": "Success",
    "data": {
      "search_type": "hash",
      "pulse_detail": {
        "indicator": "44d88612fea8a8f36de82e1278abb02f",
        "type": "md5",
        "adversaries": ["..."],
        "malware_families": ["..."],
        "attack_ids": ["T1071 - Application Layer Protocol"],
        "tags": ["..."],
        "industries": ["..."],
        "targeted_countries": ["..."],
        "references": ["..."]
      }
    }
  }

When an indicator can't be processed (e.g. a malformed value), the call still returns HTTP 200 with is_success: false and the underlying response_code in the body — inspect is_success rather than relying on the HTTP status alone.

Use cases

GET /url

Enrich a URL — malware family associations, adversary attribution, MITRE ATT&CK techniques, references. Pro tip: pass the full URL including scheme. URL pulse coverage is sparser than hash / domain / IP — best combined with the other endpoints for the full picture.

GET /hash

Enrich a file by MD5 / SHA-1 / SHA-256. Returns named adversaries, malware family labels, MITRE ATT&CK techniques, targeted industries and countries, plus file metadata (size, type, ssdeep).

GET /ip

Enrich an IPv4 address with adversary attribution, malware family context, MITRE techniques, and geolocation (country, city, ASN, latitude / longitude). IPv6 is not currently supported.

GET /domain

Enrich a domain — adversary attribution, malware families seen on this domain, MITRE techniques, targeted industries and countries, references to public reports.
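A small client-side helper, added here as an example and not part of the actor's own code, that covers two things the endpoint notes and the response model above leave to the caller: picking the right endpoint from an indicator's shape (rejecting IPv6, which the /ip endpoint does not take) and validating a response body on is_success rather than on the HTTP status, while splitting the "T1071 - Application Layer Protocol" strings into id/title pairs for detection engineering. The function names, the regexes and the sample body are assumptions; how the request itself is sent is not shown.

```python
import ipaddress
import re

# Hex digests of length 32 / 40 / 64 (MD5 / SHA-1 / SHA-256) and a bare hostname.
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def classify_indicator(value: str) -> str:
    """Choose the endpoint (/hash, /ip, /url, /domain) from the indicator's shape.
    Raises ValueError for shapes the API does not take, including IPv6."""
    v = value.strip()
    if _HASH_RE.match(v):
        return "/hash"
    try:
        addr = ipaddress.ip_address(v)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 6:
            raise ValueError("IPv6 is not supported; only IPv4 addresses are enriched")
        return "/ip"
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return "/url"  # full URL including scheme, as the /url notes advise
    if _DOMAIN_RE.match(v):
        return "/domain"
    raise ValueError(f"unrecognised indicator: {value!r}")

def parse_enrichment(body: dict) -> dict:
    """Validate a response body and pull out the attribution fields. The check is on
    is_success, not the HTTP status, because failures also arrive as HTTP 200."""
    if not body.get("is_success"):
        raise RuntimeError(f"enrichment failed: {body.get('response_code')} {body.get('message')}")
    d = body["data"]["pulse_detail"]
    attack = {}
    for entry in d.get("attack_ids", []):
        # "T1071 - Application Layer Protocol" -> {"T1071": "Application Layer Protocol"}
        tid, title = (re.split(r"\s[-\u2013\u2014]\s", entry, maxsplit=1) + [""])[:2]
        attack[tid.strip()] = title.strip()
    return {"indicator": d["indicator"], "type": d["type"],
            "adversaries": list(d.get("adversaries", [])),
            "malware_families": list(d.get("malware_families", [])), "attack_ids": attack}

# Constructed sample in the documented shape; not a real lookup result.
SAMPLE_BODY = {"is_success": True, "response_code": 200, "message": "Success",
               "data": {"search_type": "hash", "pulse_detail": {
                   "indicator": "44d88612fea8a8f36de82e1278abb02f", "type": "md5",
                   "adversaries": ["ExampleActor"], "malware_families": ["Emotet"],
                   "attack_ids": ["T1071 - Application Layer Protocol",
                                  "T1105 - Ingress Tool Transfer"]}}}
```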

How is this different from IoC Lookup?

IoC Lookup answers "is this dangerous?" (reputation + vendor verdicts). IoC Enrichment answers "who is behind it and what TTPs do they use?" (adversary attribution, malware families, MITRE ATT&CK IDs). They are complementary — most SOC workflows use both.

Need something custom or need support?

Looking for a different response format, a bulk lookup option, a custom integration, or help with setup? Send us a DM and we'll be happy to support you and help you find the best setup for your use case.