ThreatBolt REST API

The ThreatBolt REST API gives you programmatic access to two capabilities: IOC enrichment (look up any indicator and get full threat context) and malicious feeds (download bulk lists of malicious IPs, domains, URLs, and hashes).

Base URL

https://apix.cyberxtron.com

Authentication

ThreatBolt uses two custom request headers for authentication. Both are required on every request:

XTRON-ORG-KEY: your_org_key
XTRON-ORG-SECRET: your_org_secret

These credentials are provisioned by the CyberXTron team — they are not managed through the self-service dashboard. Contact support@cyberxtron.com to request or rotate your API credentials.

danger

Never expose your XTRON-ORG-KEY or XTRON-ORG-SECRET in client-side code, public repositories, or logs. Use environment variables or a secrets manager.

Quick Start

Test your credentials with a single request:

curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://apix.cyberxtron.com/threatbolt/api/v1/ioc/ip/malicious-feed?format=json&include=critical"

A successful response returns "success": true with a data array of indicators.

IOC Enrichment

The enrichment endpoint takes a single IOC and returns full threat context: risk score, threat actor attribution, MITRE ATT&CK TTPs, targeting information, and impact assessment.

Endpoint

GET /threatbolt/api/v1/ioc/enrichment-summary?ioc=VALUE

Supported IOC Types

IPv4 and IPv6 addresses
Domains
URLs (must be RFC 3986 percent-encoded)
File hashes: MD5, SHA-1, SHA-256

Example

# Enrich an IP
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://apix.cyberxtron.com/threatbolt/api/v1/ioc/enrichment-summary?ioc=203.0.113.45"

# Enrich a domain
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://apix.cyberxtron.com/threatbolt/api/v1/ioc/enrichment-summary?ioc=suspicious-domain.net"

# Enrich a SHA-256 hash
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://apix.cyberxtron.com/threatbolt/api/v1/ioc/enrichment-summary?ioc=e3b0c44298fc1c149afbf4c8996fb924..."

Understanding the Response

{
  "success": true,
  "data": {
    "analysis_status": "completed",
    "is_whitelisted": false,
    "ioc_summary": {
      "type": "ip",
      "value": "203.0.113.45",
      "location": "Russia",
      "recent_reference_time": "2026-03-28T14:22:00Z"
    },
    "xtron_threat_intel": {
      "name": "APT29",
      "category": "Threat Actor",
      "risk_score": 92,
      "risk_level": "Critical",
      "capability": {
        "threat_capability": ["Command and Control", "Data Exfiltration"],
        "mitre_ttps": ["T1071.001", "T1041", "T1566.002"]
      },
      "intent": {
        "intent": ["Espionage", "Data Theft"]
      },
      "impact": {
        "confidentiality_impact": ["High"],
        "integrity_impact": ["Medium"],
        "availability_impact": ["Low"],
        "reputational_impact": ["High"],
        "financial_impact": ["Medium"]
      },
      "target": {
        "target_country": ["United States", "Germany"],
        "target_industry": ["Government", "Defense"],
        "target_vulnerability": ["CVE-2023-23397"]
      }
    }
  }
}

Key fields:

Field	Description
`analysis_status`	`completed` — enrichment data is ready. `inprogress` — analysis is underway; only `ioc_summary` is returned for now. Re-query in a few minutes.
`is_whitelisted`	If `true`, CyberXTron has cleared this IOC as benign — do not block it.
`risk_score`	0–100. Maps to `Low` (0–25), `Medium` (26–50), `High` (51–75), `Critical` (76–100).
`mitre_ttps`	MITRE ATT&CK technique IDs associated with this indicator.

Malicious Feeds

Download bulk IOC lists for automated ingestion. Four feed types are available:

Feed	Endpoint
Malicious IPs	`GET /threatbolt/api/v1/ioc/ip/malicious-feed`
Malicious Domains	`GET /threatbolt/api/v1/ioc/domain/malicious-feed`
Malicious URLs	`GET /threatbolt/api/v1/ioc/url/malicious-feed`
Malicious Hashes	`GET /threatbolt/api/v1/ioc/hash/malicious-feed`

Query Parameters

Parameter	Required	Values	Default	Description
`format`	Yes	`json`, `csv`	`json`	Output format
`include`	No	`all`, `high`, `critical`	`all`	Filter by threat severity
`target_country`	No	string	—	Filter to IOCs targeting a specific country
`target_industry`	No	string	—	Filter to IOCs targeting a specific industry

JSON vs CSV

JSON is suitable for programmatic processing, SIEM ingestion, and enrichment pipelines:

{
  "success": true,
  "data": [
    { "indicator": "203.0.113.45", "xtron_score": 92, "category": "Ransomware" },
    { "indicator": "198.51.100.22", "xtron_score": 76, "category": "Phishing" }
  ]
}

CSV is suitable for firewall blocklists, flat-file imports, and tools that accept CSV threat feeds:

indicator, xtron_score, category
203.0.113.45, 92, Ransomware
198.51.100.22, 76, Phishing

Filtering Examples

# Critical-severity malicious IPs only
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://apix.cyberxtron.com/threatbolt/api/v1/ioc/ip/malicious-feed?format=json&include=critical"

# High and critical domains targeting Finance
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://apix.cyberxtron.com/threatbolt/api/v1/ioc/domain/malicious-feed?format=json&include=high&target_industry=Finance"

# All malicious hashes for US-targeted threats, CSV format
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://apix.cyberxtron.com/threatbolt/api/v1/ioc/hash/malicious-feed?format=csv&target_country=United%20States" \
  -o hashes.csv

Rate Limiting

Every response includes headers showing your current usage:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 987
X-RateLimit-Reset: 2026-04-01T12:00:00Z

When the limit is exceeded, the API returns 429 with:

{
  "success": false,
  "errors": [{ "code": "ERL001", "detail": "Rate limit exceeded" }]
}

Error Reference

Code	HTTP	Meaning
`E001`	400	Unsupported IOC type for enrichment
`E101`	403	Subscription suspended or expired
`E102`	401	Invalid `XTRON-ORG-KEY` or `XTRON-ORG-SECRET`
`ERL001`	429	Rate limit exceeded
`E500`	500	Internal server error

Integration Patterns

SIEM Feed Ingestion (Scheduled Pull)

Schedule a cron job to pull the latest feeds and push them into your SIEM:

#!/bin/bash
# Pull critical IPs every hour and send to your ingestion endpoint
curl -s \
  -H "XTRON-ORG-KEY: $XTRON_ORG_KEY" \
  -H "XTRON-ORG-SECRET: $XTRON_ORG_SECRET" \
  "https://apix.cyberxtron.com/threatbolt/api/v1/ioc/ip/malicious-feed?format=json&include=critical" \
  | your-siem-ingest-tool --source threatbolt

Alert Enrichment

Look up IOCs from your SIEM alerts in real time to add threat context:

import requests
import urllib.parse

def enrich_ioc(ioc_value: str, org_key: str, org_secret: str) -> dict:
    encoded = urllib.parse.quote(ioc_value, safe='')
    response = requests.get(
        f"https://apix.cyberxtron.com/threatbolt/api/v1/ioc/enrichment-summary",
        params={"ioc": ioc_value},
        headers={
            "XTRON-ORG-KEY": org_key,
            "XTRON-ORG-SECRET": org_secret,
        },
        timeout=10,
    )
    response.raise_for_status()
    return response.json()

Prefer TAXII 2.1 for automated SIEM ingestion

For native integration with Splunk, Microsoft Sentinel, OpenCTI, or MISP — without custom scripting — use the TAXII 2.1 integration. It is the standard protocol for threat intel exchange and is supported out of the box by most security platforms.

→ Full ThreatBolt API Reference

Base URL​

Authentication​

Quick Start​

IOC Enrichment​

Endpoint​

Supported IOC Types​

Example​

Understanding the Response​

Malicious Feeds​

Query Parameters​

JSON vs CSV​

Filtering Examples​

Rate Limiting​

Error Reference​

Integration Patterns​

SIEM Feed Ingestion (Scheduled Pull)​

Alert Enrichment​