ShadowSpot Findings API
Retrieve ShadowSpot attack surface findings programmatically — exposed services, CVEs, subdomain takeovers, certificate issues, and cloud misconfigurations.
Base URL
https://incidents.cyberxtron.com
Authentication
Every request requires two custom headers:
XTRON-ORG-KEY: your_org_key
XTRON-ORG-SECRET: your_org_secret
Contact support@cyberxtron.com to obtain credentials.
Endpoint
Note: ShadowSpot uses the path /findings rather than /incidents.
GET /api/v1/shadowspot/findings
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| domain | string | — | Filter by affected domain |
| status | string[] | — | Open, In Progress, Closed |
| severity | string | — | Filter by severity label |
| created_date | string | — | Filter by date (YYYY-MM-DD) |
| created_time | string | — | Filter by time (HH:MM:SS). Requires created_date. |
| page | integer | 1 | Page number (min: 1) |
| size | integer | 10 | Results per page (min: 1, max: 100) |
Example Requests
# All open ShadowSpot findings
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://incidents.cyberxtron.com/api/v1/shadowspot/findings?status=Open"
# Filter by domain and severity
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://incidents.cyberxtron.com/api/v1/shadowspot/findings?domain=example.com&severity=Critical"
# Paginate through all findings
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://incidents.cyberxtron.com/api/v1/shadowspot/findings?page=2&size=50"
Example Response
{
  "success": true,
  "data": [
    {
      "id": 67890,
      "title": "Elasticsearch instance exposed on port 9200",
      "taskKey": "SSINC-456",
      "status_statusCd": "Open",
      "severity_label": "Critical",
      "category_name": "Exposed Service",
      "taskType_name": "Open Port",
      "product_name": "ShadowSpot",
      "description": "An Elasticsearch instance is publicly accessible without authentication.",
      "createdDt": 1743494400,
      "updatedDt": 1743494400,
      "priorty": "High",
      "assets": "api.example.com:9200",
      "url": "http://api.example.com:9200",
      "epss": "0.87",
      "cvss": "9.8",
      "ransomware_exploited_cve": "Yes",
      "in_the_wild": "Yes",
      "impact": "Unauthenticated access to all indexed data.",
      "remediation": "Restrict access using firewall rules or move behind VPN.",
      "domain": "example.com",
      "verification_details": "Confirmed accessible from public internet."
    }
  ],
  "meta": {
    "pagination": {
      "total": 18,
      "page": 1,
      "page_size": 10,
      "total_pages": 2
    }
  }
}
Response Fields
Common Fields
| Field | Type | Description |
|---|---|---|
| id | integer | Unique numeric ID |
| title | string | Finding title |
| taskKey | string | Ticket key (e.g., SSINC-456) |
| status_statusCd | string | Open, In Progress, Closed |
| severity_label | string | Critical, High, Medium, Low |
| category_name | string | Finding category |
| description | string | Full details |
| impact | string | Impact description |
| createdDt | integer | Creation Unix timestamp |
| updatedDt | integer | Last update Unix timestamp |
ShadowSpot-Specific Fields
| Field | Type | Description |
|---|---|---|
| domain | string | Affected domain |
| assets | string | Affected asset (host, IP, port) |
| url | string | Affected URL |
| cvss | string | CVSS score (for CVE findings) |
| epss | string | EPSS exploitation probability score |
| ransomware_exploited_cve | string | Whether this CVE is exploited by ransomware groups |
| in_the_wild | string | Whether the vulnerability is actively exploited |
| remediation | string | Specific remediation steps |
| verification_details | string | Evidence and confirmation details |
| priorty | string | Priority level |
Error Codes
| Status | Description |
|---|---|
| 401 | Invalid or missing credentials |
| 403 | Subscription suspended or expired |
| 422 | Invalid query parameter value |
Health Check
Verify API availability (no auth required):
curl "https://incidents.cyberxtron.com/health"