ThreatBolt API Reference
The ThreatBolt REST API provides direct programmatic access to CyberXTron's threat intelligence — IOC enrichment for individual indicators and bulk malicious feeds for IPs, domains, URLs, and file hashes.
Base URL
https://apix.cyberxtron.com
Authentication
ThreatBolt uses a dual-header authentication scheme. Every request must include both headers:
| Header | Description |
|---|---|
| XTRON-ORG-KEY | Your organization's access key |
| XTRON-ORG-SECRET | Your organization's access secret |
Requests missing these headers, or with invalid credentials, return 401 Unauthorized.
To obtain credentials, contact support@cyberxtron.com.
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/ip/malicious-feed?format=json"
Rate Limiting
Every response includes rate limit headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Total requests allowed in the current window |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | UTC datetime when the current window resets |
When the limit is exceeded, the API returns 429 Too Many Requests with error code ERL001.
Endpoints
IOC Enrichment
Retrieve a full enrichment summary for a single IOC — including threat actor context, MITRE ATT&CK TTPs, risk score, and targeting data.
GET /threatbolt/api/v1/ioc/enrichment-summary
Query Parameters
| Parameter | Required | Description |
|---|---|---|
| ioc | Yes | The IOC value to look up. Supported types: IPv4, IPv6, URL, Domain, Hash (SHA-1, SHA-256, MD5). For URLs, percent-encode all unsafe characters per RFC 3986 (e.g. spaces as %20). |
Example Request
# Look up an IP address
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/enrichment-summary?ioc=203.0.113.45"
# Look up a domain
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/enrichment-summary?ioc=malicious-domain.example"
# Look up a URL (percent-encoded)
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/enrichment-summary?ioc=http%3A%2F%2Fexample.com%2Fmalware.exe"
# Look up a file hash (SHA-256)
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/enrichment-summary?ioc=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
Example Response
{
"success": true,
"data": {
"ioc_summary": {
"type": "ip",
"value": "203.0.113.45",
"location": "Russia",
"recent_reference_time": "2026-03-28T14:22:00Z"
},
"xtron_threat_intel": {
"name": "APT29",
"category": "Threat Actor",
"risk_score": 92,
"risk_level": "Critical",
"capability": {
"threat_capability": ["Command and Control", "Data Exfiltration"],
"mitre_ttps": ["T1071.001", "T1041", "T1566.002"]
},
"intent": {
"intent": ["Espionage", "Data Theft"]
},
"impact": {
"confidentiality_impact": ["High"],
"integrity_impact": ["Medium"],
"availability_impact": ["Low"],
"reputational_impact": ["High"],
"financial_impact": ["Medium"]
},
"target": {
"target_country": ["United States", "Germany", "United Kingdom"],
"target_industry": ["Government", "Defense", "Finance"],
"target_vulnerability": ["CVE-2023-23397", "CVE-2021-40539"]
}
},
"is_whitelisted": false,
"analysis_status": "completed"
}
}
Notes:
- `analysis_status` can be `completed` or `inprogress`. When `inprogress`, the response contains only `ioc_summary` with basic information — the enrichment is not yet ready.
- `is_whitelisted: true` means the IOC has been cleared by CyberXTron and should not be treated as malicious.
- `risk_score` ranges from 0 to 100. `risk_level` maps to: `Low` (0–25), `Medium` (26–50), `High` (51–75), `Critical` (76–100).
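The notes above translate into a fixed order of checks on the client side: analysis status first, then the whitelist flag, then the score bands. The following is an added example, not CyberXTron's code; the action labels (`pending`, `ignore`, `review`, `monitor`, `alert`), the function names and the sample bodies are assumptions made for illustration.

```python
from urllib.parse import quote

BASE = "https://apix.cyberxtron.com/threatbolt/api/v1/ioc/enrichment-summary"
# Bands from the notes above: (inclusive upper bound, risk_level).
BANDS = [(25, "Low"), (50, "Medium"), (75, "High"), (100, "Critical")]


def enrichment_url(ioc: str) -> str:
    """safe='' also encodes ':', '/', '?' and '&', so a URL IOC stays one parameter."""
    return f"{BASE}?ioc={quote(ioc, safe='')}"


def level_for(score: float) -> str:
    if not 0 <= score <= 100:
        raise ValueError(f"risk_score out of range: {score}")
    return next(level for upper, level in BANDS if score <= upper)


def triage(body: dict) -> str:
    """Map a response body to an action label (the labels are this example's own)."""
    if body.get("success") is not True:
        return "error"
    data = body.get("data", {})
    if data.get("analysis_status") != "completed":
        return "pending"      # only ioc_summary is present; query again later
    if data.get("is_whitelisted") is True:
        return "ignore"       # cleared by CyberXTron: never alert or block
    intel = data.get("xtron_threat_intel") or {}
    try:
        expected = level_for(intel["risk_score"])
    except (KeyError, TypeError, ValueError):
        return "review"       # score missing or out of range
    if intel.get("risk_level") != expected:
        return "review"       # score and level disagree: no automatic action
    return "alert" if expected in ("High", "Critical") else "monitor"


def sample_body(status, whitelisted=False, score=92, level="Critical"):
    """Constructed sample body, shaped like the Example Response above."""
    data = {"ioc_summary": {"type": "ip", "value": "203.0.113.45"},
            "is_whitelisted": whitelisted, "analysis_status": status}
    if status == "completed":
        data["xtron_threat_intel"] = {"risk_score": score, "risk_level": level}
    return {"success": True, "data": data}


if __name__ == "__main__":
    print(enrichment_url("http://example.com/malware.exe"))
    print(triage(sample_body("inprogress")), triage(sample_body("completed")))
```

Checking the whitelist flag before the score keeps a cleared indicator from being blocked because of a stale high score.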
Malicious IP Feed
Returns the current feed of malicious IP addresses (IPv4 and IPv6).
GET /threatbolt/api/v1/ioc/ip/malicious-feed
Query Parameters
| Parameter | Required | Type | Default | Description |
|---|---|---|---|---|
| format | Yes | json \| csv | json | Output format |
| include | No | all \| high \| critical | all | Filter by malicious severity level |
| target_country | No | string | — | Filter to IOCs targeting a specific country |
| target_industry | No | string | — | Filter to IOCs targeting a specific industry |
Example Requests
# All malicious IPs in JSON
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/ip/malicious-feed?format=json"
# Critical-only IPs targeting the Finance industry
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/ip/malicious-feed?format=json&include=critical&target_industry=Finance"
# CSV export
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/ip/malicious-feed?format=csv" \
-o malicious-ips.csv
Example Response (JSON)
{
"success": true,
"data": [
{
"indicator": "203.0.113.45",
"xtron_score": 92,
"category": "Ransomware"
},
{
"indicator": "198.51.100.22",
"xtron_score": 76,
"category": "Phishing"
}
]
}
Example Response (CSV)
indicator, xtron_score, category
203.0.113.45, 92, Ransomware
198.51.100.22, 76, Phishing
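Before an IP feed is pushed to a firewall or SIEM lookup, each row should be validated. The following is an added example, not CyberXTron's code, that parses both output formats shown above into one blocklist; the `min_score` default, the `never_block` ranges and the function names are local-policy assumptions, and the sample bodies are constructed from the example responses.

```python
import csv
import io
import ipaddress
import json

# Constructed samples with the same rows as the example responses above.
JSON_BODY = json.dumps({"success": True, "data": [
    {"indicator": "203.0.113.45", "xtron_score": 92, "category": "Ransomware"},
    {"indicator": "198.51.100.22", "xtron_score": 76, "category": "Phishing"}]})
CSV_BODY = ("indicator, xtron_score, category\n"
            "203.0.113.45, 92, Ransomware\n"
            "198.51.100.22, 76, Phishing\n")


def parse_feed(body: str, fmt: str) -> list:
    """Return the feed rows as dicts for fmt 'json' or 'csv'."""
    if fmt == "json":
        doc = json.loads(body)
        if doc.get("success") is not True:
            raise ValueError(f"feed request failed: {doc.get('errors')}")
        return doc["data"]
    # The CSV sample has a space after every comma, header row included;
    # skipinitialspace removes it so the keys match the JSON field names.
    return list(csv.DictReader(io.StringIO(body), skipinitialspace=True))


def ip_blocklist(rows, min_score=75, never_block=("10.0.0.0/8", "127.0.0.0/8")):
    """Validated, de-duplicated IPs at or above min_score.

    never_block lists ranges a feed entry must never be able to block
    (assumed values; use your own internal and management networks).
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    keep = set()
    for row in rows:
        try:
            addr = ipaddress.ip_address(str(row["indicator"]).strip())
            score = int(row["xtron_score"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed row: skip it instead of passing it downstream
        if score >= min_score and not any(addr in net for net in protected):
            keep.add(str(addr))
    return sorted(keep)


if __name__ == "__main__":
    print(ip_blocklist(parse_feed(CSV_BODY, "csv")))
```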
Malicious Domain Feed
Returns the current feed of malicious domains used for command and control, phishing, and malware delivery.
GET /threatbolt/api/v1/ioc/domain/malicious-feed
Supports the same query parameters as the Malicious IP Feed.
Example Request
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/domain/malicious-feed?format=json&include=high"
Example Response
{
"success": true,
"data": [
{
"indicator": "evil-c2-domain.net",
"xtron_score": 85,
"category": "Command and Control"
},
{
"indicator": "phishing-portal.xyz",
"xtron_score": 78,
"category": "Phishing"
}
]
}
Malicious URL Feed
Returns the current feed of malicious URLs hosting malware, phishing pages, or exploit kits.
GET /threatbolt/api/v1/ioc/url/malicious-feed
Supports the same query parameters as the Malicious IP Feed.
Example Request
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/url/malicious-feed?format=json&include=critical"
Example Response
{
"success": true,
"data": [
{
"indicator": "http://malicious-site.ru/payload.exe",
"xtron_score": 95,
"category": "Malware Distribution"
},
{
"indicator": "https://fake-login.example.com/harvest",
"xtron_score": 88,
"category": "Phishing"
}
]
}
Malicious Hash Feed
Returns the current feed of malicious file hashes (MD5, SHA-1, SHA-256).
GET /threatbolt/api/v1/ioc/hash/malicious-feed
Supports the same query parameters as the Malicious IP Feed.
Example Request
curl \
-H "XTRON-ORG-KEY: your_org_key" \
-H "XTRON-ORG-SECRET: your_org_secret" \
"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/hash/malicious-feed?format=json&include=critical"
Example Response
{
"success": true,
"data": [
{
"indicator": "e3b0c44298fc1c149afbf4c8996fb924...",
"xtron_score": 91,
"category": "Ransomware"
},
{
"indicator": "da39a3ee5e6b4b0d3255bfef95601890...",
"xtron_score": 83,
"category": "Trojan"
}
]
}
Response Schemas
Feed Response
{
"success": true,
"data": [
{
"indicator": "string",
"xtron_score": 0,
"category": "string"
}
]
}
| Field | Type | Description |
|---|---|---|
| success | boolean | true on success |
| data | array | Array of indicator objects |
| data[].indicator | string | The IOC value (IP, domain, URL, or hash) |
| data[].xtron_score | number | CyberXTron threat score (0–100) |
| data[].category | string | Threat category (e.g. Ransomware, Phishing, C2) |
IOC Enrichment Response
{
"success": true,
"data": {
"ioc_summary": {
"type": "string",
"value": "string",
"location": "string | null",
"recent_reference_time": "2026-03-28T14:22:00Z"
},
"xtron_threat_intel": {
"name": "string",
"category": "string",
"risk_score": 0,
"risk_level": "Low | Medium | High | Critical",
"capability": {
"threat_capability": ["string"],
"mitre_ttps": ["string"]
},
"intent": {
"intent": ["string"]
},
"impact": {
"confidentiality_impact": ["string"],
"integrity_impact": ["string"],
"availability_impact": ["string"],
"reputational_impact": ["string"],
"financial_impact": ["string"]
},
"target": {
"target_country": ["string"],
"target_industry": ["string"],
"target_vulnerability": ["string"]
}
},
"is_whitelisted": false,
"analysis_status": "completed | inprogress"
}
}
Error Codes
| HTTP Status | Error Code | Description |
|---|---|---|
| 400 | E001 | Unsupported IOC type. Supported: IPv4, IPv6, URL, Domain, Hash (SHA-1, SHA-256, MD5) |
| 401 | E102 | Invalid organization key or secret |
| 403 | E101 | Subscription suspended or expired — visit portal.cyberxtron.com or contact support@cyberxtron.com |
| 429 | ERL001 | Rate limit exceeded |
| 500 | E500 | Internal server error |
Error Response Format
{
"success": false,
"errors": [
{
"code": "E102",
"detail": "Invalid organization key or secret"
}
]
}
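A polling client should treat these errors differently: credential and subscription failures need an operator, while rate limiting and server errors can be retried after a wait. The following is an added example, not CyberXTron's code; `retry_delay`, the 60-second fallback and the backoff cap are assumptions, and the page does not state the text format of `X-RateLimit-Reset`, so ISO 8601 is assumed.

```python
from datetime import datetime, timezone

# Codes from the table above that a retry cannot fix.
NO_RETRY = {"E001", "E101", "E102"}

# Constructed sample: (status, response headers, parsed error body).
LIMITED = (429,
           {"X-RateLimit-Remaining": "0",
            "X-RateLimit-Reset": "2026-03-28T14:00:30Z"},
           {"success": False,
            "errors": [{"code": "ERL001", "detail": "Rate limit exceeded"}]})


def retry_delay(status, headers, body, now, attempt=0):
    """Seconds to wait before retrying, or None when the caller must stop."""
    codes = {e.get("code") for e in body.get("errors", [])}
    hdrs = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    if codes & NO_RETRY or status in (400, 401, 403):
        # Repeating a request with rejected credentials only adds failed
        # logins to the audit trail; raise an alert for an operator instead.
        return None
    if status == 429 or "ERL001" in codes:
        reset = hdrs.get("x-ratelimit-reset")
        try:
            # ASSUMPTION: ISO 8601 text; the page only says "UTC datetime".
            at = datetime.fromisoformat(reset.replace("Z", "+00:00"))
        except (AttributeError, ValueError):
            return 60.0  # header missing or unparseable: fixed fallback
        if at.tzinfo is None:
            at = at.replace(tzinfo=timezone.utc)
        return max(0.0, (at - now).total_seconds())
    if status >= 500:
        return min(300.0, 2.0 ** attempt)  # capped exponential backoff
    return None


if __name__ == "__main__":
    now = datetime(2026, 3, 28, 14, 0, 0, tzinfo=timezone.utc)
    print(retry_delay(*LIMITED, now))
```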
For scheduled, automated feed ingestion into a SIEM, TIP, or SOAR, use the TAXII 2.1 endpoint. It is the standard protocol for threat intelligence exchange and is natively supported by Splunk, Microsoft Sentinel, OpenCTI, MISP, and most other platforms.