Threat Feed API

This document describes all supported modes under the Threat Feed API endpoint, including Darkweb Chatters, Public News, and Taxonomy queries.

This API endpoint is an add on priced at 3000 USD / year.

📡 API Endpoint

POST https://api.whiteintel.io/get_threat_feeds.php

All modes use the same endpoint. The behavior is controlled with the mode parameter.

🔑 Authentication

Field

Type

Required

Description

apikey

string

yes

Must belong to Enterprise or Threat Intelligence tiers and have Threat Feed enabled

🧭 Available Modes

Mode

Description

darkweb_chatters (default)

Retrieves darkweb chatter intelligence (forums, Telegram groups, marketplaces, leak channels)

public_news

Retrieves cybersecurity news aggregated from trusted OSINT sources

taxonomy

Returns available categories, industries, or networks with item counts

If mode is omitted, the endpoint defaults to darkweb_chatters.

---------------------------------------------------------

1) DARKWEB CHATTERS MODE (DEFAULT)

---------------------------------------------------------

This mode returns intelligence collected from darkweb marketplaces, Telegram groups, underground forums, and leak channels.

Example Request

{
  "apikey": "YOUR_API_KEY",
  "page": 1,
  "limit": 50,
  "category": "ransomware",
  "industry": ["Finance","Manufacturing"],
  "network": ["darkweb"],
  "search": "Cisco credentials"
}

Filtering Options

Field

Type

Description

category (optional)

string or string[] (max 2)

Filters by threat category

industry (optional)

string or string[] (max 2)

Filters by victim industry

network (optional)

string or string[]

Networks like darkweb, telegram

search (optional)

string

Minimum 4 characters. Searches title/content & domain fields

start_date

string

Format: YYYY-MM-DD

end_date

string

Format: YYYY-MM-DD

page

integer

Pagination page number

limit

integer

Between 1–100

Response Example

{
  "success": true,
  "mode": "posts",
  "remaining_threat_feed_calls": 487,
  "results": [
    {
      "id": 91844,
      "uuid": "2f4ad79c-07b1-4416-9931-eaf22fbb3f12",
      "published_url": "https://t.me/example/191",
      "title": "Database of stolen VPN credentials",
      "category": "credential-leak",
      "network": "telegram",
      "published_at": "2025-01-18 10:44:11",
      "victim_domain": "example.com",
      "victim_industry": "Finance",
      "tags_csv": "credentials, vpn",
      "screenshots_json": []
    }
  ]
}

---------------------------------------------------------

2) PUBLIC NEWS MODE

---------------------------------------------------------

The Public News API provides structured and AI-enhanced cybersecurity news aggregated from authoritative OSINT sources.

Enable by using:

"mode": "public_news"

Example Request

{
  "apikey": "YOUR_API_KEY",
  "mode": "public_news",
  "page": 1,
  "limit": 25,
  "search": "ransomware",
  "start_date": "2025-01-01",
  "end_date": "2025-01-31"
}

Features

🔎 Search Highlights

Searches text across:

title
summary
ai_summary

Supports multi-word queries.

📆 Date Filters

Both start_date and end_date are optional.

📄 Pagination

Uses the same pagination behavior as the main threat feed.

Response Example

{
  "success": true,
  "mode": "public_news",
  "remaining_threat_feed_calls": 492,
  "results": [
    {
      "id": 10293,
      "uuid": "c91f0dd3-05c7-4eaf-8806-6dfbb409d2ea",
      "source": "KrebsOnSecurity",
      "title": "Ransomware Group Targets SaaS Providers",
      "summary": "A ransomware group has shifted tactics...",
      "ai_summary": "Attackers focused on supply-chain vectors...",
      "link": "https://krebsonsecurity.com/article123",
      "published_at": "2025-01-15 14:22:10",
    }
  ]
}

---------------------------------------------------------

3) TAXONOMY MODE

---------------------------------------------------------

Returns available values for categories, industries, or networks with post counts. Useful for building dashboards and UI dropdowns.

Example Request

{
  "apikey": "YOUR_API_KEY",
  "taxonomy": "categories",
  "start_date": "2025-01-01",
  "end_date": "2025-01-31"
}

Supported Taxonomies

Taxonomy

Description

Example Response

{
  "success": true,
  "mode": "taxonomy",
  "taxonomy": "categories",
  "remaining_threat_feed_calls": 498,
  "results": [
    { "value": "ransomware", "cnt": 88 },
    { "value": "credential-leak", "cnt": 52 },
    { "value": "data-leak", "cnt": 31 }
  ]
}

🔧 Shared Error Responses

Missing / invalid API key

{ "error": "Invalid API Key." }

Insufficient tier

{ "error": "API calls are only available for Enterprise and Higher tiers." }

Threat Feed disabled

{ "error": "Threat Feed add-on is required to use this API." }

Search too short

{ "error": "Search must be at least 4 characters long." }

Rate limit hit

{ "message": "Please wait 5 seconds between requests." }

⏱ Threat Feed Quotas

Rule

Description

Daily limits enforced

Based on threat_feed_daily_limit

Every request decrements quota

Even empty results

5-second burst limiter

Prevents rapid-fire calls

Response includes remaining quota

remaining_threat_feed_calls

🧪 Quick Test (cURL)

curl -X POST https://api.whiteintel.io/get_threat_feeds.php   -H "Content-Type: application/json"   -d '{
    "apikey": "YOUR_KEY",
    "mode": "public_news",
    "search": "malware",
    "limit": 25
  }'

📘 Summary

Mode

Best For

darkweb_chatters

Darkweb activity, Telegram leaks, threat actor behavior

public_news

Cybersecurity news aggregation + AI summaries

taxonomy

Building analytics dashboards or UI filters

All modes share authentication, quota rules, and rate limits.

PreviousLookalike Domains API NextWatchlists API

Last updated 17 days ago