Threat Intelligence Feed (API) Overview
Welcome to the Packet Storm Threat Intelligence Feed

Current development API: https://api.packetstormsecurity.com/v31337.20240702/dev-api
Current production API: https://api.packetstormsecurity.com/v31337.20240702/api


Background and purpose

For the bulk of our existence, Packet Storm did not offer API access. This led to many organizations scraping data from the web site and overwhelming the RSS feeds in order to mine data. This sort of "integration" does not scale well for anyone involved. As demand for an API has increased significantly in recent times, we have listened, and the API is now available. Whether you want this intelligence feed for your own organization to mine, or to provide feeds to your SIEM system, we are here to help. Feel free to reach out to the staff for any assistance or to help solve any problems. If this is your first time looking at integrating with our API, we strongly suggest you try out the development interface to verify it meets your needs.

Rules

If you are repackaging the API data in your own service offering, there are some simple rules to follow. As noted in the Terms of Service, you cannot resell the feed verbatim.

If you are offering feed and search interaction to our API from a service offering, we expect that you handle authentication, authorization, and accounting (AAA) for your users and that the API secret for Packet Storm MUST stay resident on your systems. It's forbidden for your secret to be shared with your customers or third parties. If we notice an uptick in traffic that indicates this behavior, your key will be disabled without refund.

Note that if you provide functionality in your service that uses your API license to search the archive, your customers will be jointly limited to the ceiling of daily query allowances. This can be annoying for them. A better idea is to make it easy for a client to onboard a license key from Packet Storm inside of your product or service and have functionality built in to use the access.

Features

The API is designed to provide very similar functionality to the site being visited in a web browser. But there are some differences.

Available API requests include telemetry data-retrieval for smarter requests, normal news and file feeds, and searchable news and file feeds (with output available in both the newest and most relevant listings). You can also search via CVE number. Packet Storm is a regularly referenced datapoint in Mitre's CVE database, and we regularly sync our datasets to ensure consistency between the systems.

Available API requests do not include access to user data such as profiles, collections, favorites, etc. The only relevant data related to humans comes from the file requests when referencing a public source and links are provided back to the site for further information.

Data can be output in both JSON and XML formats to suit any programmatic parsing needs. Results are restricted to 25 items at a time, in line with how the current web site operates. This should cover all bases for an integration, but if you can think of a feature we are missing, we always like hearing new ideas. Please send us a note.

Tracking changes

As improvements, bug fixes, and/or features are added to the API, the version will change. The current version will always be noted at the top of this page. As changes may become quite frequent, we will do our best to ensure backwards compatibility to all prior releases and communicate to our customers any decommissioning. Changes for all of Packet Storm are tracked at our Changelog, including API updates.

API authentication

The API is inaccessible without your key. Production keys must be accessed and purchased via the API Manager. To gain access, the key must be passed as a header called "Apisecret".

In order to make it easier for our clients to integrate, an example of a client script written in Ruby is available here. Notice that the entry point noted on the API manager for production versus the development zone is different. The correct key must be used for the correct area in order to work.

Cost

Access to the development API for testing purposes is free. Access to the production API costs $5,000 USD for 30 days. All payment processing is performed via Stripe. Upon payment, you will be activated within 24 hours. Activation is usually very quick.

Access request limit

Access to the development API for testing is limited to 100 queries per day. Access to the API is limited to 1,000 queries per day during a 30-day production subscription license. Requests can be made to the server at a limit of 10 requests per minute. Please note that data in the development interface is restricted to December of 2023.

Request and response examples

The Packet Storm API accepts POST requests with the "Apisecret" header defined. The body should use the same format as a submitted form: parameter=value pairs separated by an ampersand ("&"). Please review our example script for a better understanding.
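
The authentication, request-limit and request-format rules above, combined in an added Ruby example (this is not Packet Storm's client script). The endpoints, the "Apisecret" header and the limits come from this page; the class, method and environment variable names are hypothetical, parameter names must be taken from the real API documentation, and the UTC day boundary and the sliding 60-second window are assumptions about how the limits are counted.

```ruby
require 'net/http'
require 'uri'

# Added example. Endpoints, header name and limits are from this page;
# class, method and ENV variable names are hypothetical.
class FeedClient
  BASE = 'https://api.packetstormsecurity.com/v31337.20240702/'
  ZONES = { dev:        { path: 'dev-api', daily: 100,   env: 'PS_DEV_APISECRET' },
            production: { path: 'api',     daily: 1_000, env: 'PS_PROD_APISECRET' } }.freeze
  PER_MINUTE = 10

  def initialize(zone, clock: -> { Time.now.utc })
    @zone = ZONES.fetch(zone)               # KeyError on an unknown zone
    @clock = clock
    @recent = []                            # send times inside the last 60 s
    @day = nil
    @used_today = 0
  end

  # Records one query and returns :ok, or names the limit that blocks it.
  def try_acquire
    now = @clock.call
    day = [now.year, now.yday]              # assumption: quota day rolls at UTC midnight
    if day != @day
      @day = day
      @used_today = 0
    end
    @recent.reject! { |t| now - t >= 60 }   # assumption: sliding 60 s window
    return :daily_limit if @used_today >= @zone[:daily]
    return :minute_limit if @recent.size >= PER_MINUTE
    @recent << now
    @used_today += 1
    :ok
  end

  # Builds the POST: zone-specific URL, that zone's key in "Apisecret", form body.
  def build_request(params)
    secret = ENV.fetch(@zone[:env]).strip   # key is read from this process's environment only
    req = Net::HTTP::Post.new(URI.join(BASE, @zone[:path]))
    req['Apisecret'] = secret
    req.set_form_data(params)               # parameter=value pairs joined by "&"
    req
  end

  # Sends only when both limits allow it; raises rather than spend a blocked query.
  def post(params)
    req = build_request(params)
    verdict = try_acquire
    raise "not sent: #{verdict}" unless verdict == :ok
    Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true) { |h| h.request(req) }
  end
end
```

A service that fronts the API for its own users would hold one such object per license key, so the shared daily ceiling is visible before any customer request is forwarded.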
The following request flows are available for building your client:

List areas
List sections
List files by CVE
List single file entry
List files
Search files
List single news entry
List news
Search news
 © 2024 - 2025
All Rights Reserved Packet Storm Security, LLC