Threat Feed API
Threat Feed API
Fetch threat‑intel posts and/or taxonomy (categories, industries, networks) from Threat Feeds with tight filtering and per-endpoint quota enforcement.
Endpoint
POST https://api.whiteintel.io/get_threat_feeds.phpContent-Type: application/json
Quick start
Latest posts (no filters)
curl -L 'https://api.whiteintel.io/get_threat_feeds.php' -H 'Content-Type: application/json' \
--data '{"apikey":"<YOUR_KEY>","page":1,"limit":5}'List available industries (taxonomy)
curl -L 'https://api.whiteintel.io/get_threat_feeds.php' -H 'Content-Type: application/json' \
--data '{"apikey":"<YOUR_KEY>","taxonomy":"industries","limit":100}'Access & quotas
Auth: API key via JSON body
{ "apikey": "…" }.Plan requirement: This plan is an add-on for yearly Threat Intel license holders.
Daily quota: 20 calls.
Burst rate limit: 1 call / 5 seconds (429 on violation).
Method:
POSTonly.Content-Type:
application/json.
Modes
This endpoint supports two modes:
Posts mode (default) — returns documents from
Threat Feedswith filters.Taxonomy mode — set
"taxonomy": "categories" | "industries" | "networks"to get distinct values with counts, optionally filtered by date.
Request
Posts mode (default)
{
"apikey": "YOUR_KEY", // required
"page": 1, // optional, default 1 (1-based)
"limit": 100, // optional, default 100, min 1, max 100
"start_date": "YYYY-MM-DD", // optional (inclusive)
"end_date": "YYYY-MM-DD", // optional (inclusive)
"category": "ransomware", // string OR array (max 2 values)
"industry": ["Manufacturing"], // string OR array (max 2 values)
"network": ["darkweb","telegram"] // string OR array (multi allowed)
}Filter rules
Dates:
start_dateandend_dateare inclusive at the day level. Internally we query[start, end+1day).Category / Industry: exact match strings. Arrays are allowed but max 2 values each (requests with more than 2 are 400).
Network: exact match, array allowed (no explicit cap).
Pagination:
pageis 1-based.limitis 1..100.
Examples
Single industry:
curl -L 'https://api.whiteintel.io/get_threat_feeds.php' -H 'Content-Type: application/json' \
--data '{"apikey":"<YOUR_KEY>","page":1,"limit":50,"industry":"Government Administration"}'Two industries + last 30 days:
curl -L 'https://api.whiteintel.io/get_threat_feeds.php' -H 'Content-Type: application/json' \
--data '{"apikey":"<YOUR_KEY>","page":1,"limit":100,"start_date":"2025-08-08","end_date":"2025-09-07","industry":["Government Administration","Education"]}'Category + network:
curl -L 'https://api.whiteintel.io/get_threat_feeds.php' -H 'Content-Type: application/json' \
--data '{"apikey":"<YOUR_KEY>","page":1,"limit":100,"category":"ransomware","network":["darkweb"]}'Taxonomy mode
{
"apikey": "YOUR_KEY", // required
"taxonomy": "categories", // required: categories | industries | networks
"start_date": "YYYY-MM-DD", // optional
"end_date": "YYYY-MM-DD", // optional
"limit": 100 // optional, 1..100 (default 100)
}Examples
# Categories in the last 30 days
curl -L 'https://api.whiteintel.io/get_threat_feeds.php' -H 'Content-Type: application/json' \
--data '{"apikey":"<YOUR_KEY>","taxonomy":"categories","start_date":"2025-08-08","end_date":"2025-09-07","limit":100}'# Networks (all time)
curl -L 'https://api.whiteintel.io/get_threat_feeds.php' -H 'Content-Type: application/json' \
--data '{"apikey":"<YOUR_KEY>","taxonomy":"networks","limit":100}'Responses
Posts mode
{
"success": true,
"mode": "posts",
"remaining_threat_feed_calls": 42,
"results": [
{
"id": 12345,
"uuid": "e7f2…",
"published_url": "https://…",
"title": "…",
"category": "ransomware",
"network": "darkweb",
"published_at": "2025-09-06 12:34:56",
"victim_organization": "Acme Corp",
"victim_site": "acme.example",
"victim_domain": "acme.com",
"victim_industry": "Manufacturing",
"victim_country": "US",
"threat_actor_names_cached": "ActorX",
"tags_csv": "lockbit,leak",
"tags_norm_json": ["lockbit","leak"],
"threat_actors_norm_json": ["ActorX"],
"screenshots_json": [{"url":"https://…/1.png"}]
}
]
}Fields
id, uuid — identifiers
published_url — source URL (if available)
title — post title
category — e.g.,
ransomwarenetwork — e.g.,
darkweb,telegrampublished_at — UTC datetime
victim_* — contextual victim metadata
threat_actor_names_cached — human-readable actor names
tags_csv — comma-separated tags
tags_norm_json, threat_actors_norm_json, screenshots_json — JSON arrays
Taxonomy mode
{
"success": true,
"mode": "taxonomy",
"taxonomy": "industries",
"remaining_threat_feed_calls": 43,
"results": [
{"value":"Government Administration","cnt":2809},
{"value":"Education","cnt":1835}
]
}Fields
taxonomy — which taxonomy you requested
results[] — objects of
{ value, cnt }
Errors
400
Invalid JSON body.
Malformed JSON
400
Limit must be between 1 and 100.
limit out of range
400
category accepts at most 2 values.
>2 categories provided
400
industry accepts at most 2 values.
>2 industries provided
400
Invalid taxonomy. Use 'categories'…
Bad taxonomy value
403
API Key is missing. / Invalid API Key.
Missing or invalid credentials
403
Threat Feed add-on is required…
If you do not have threat feeds add on
403
Threat Feed daily limit is reached.
When daily quota reached.
403
API calls are only available for…
Base plan is not entitled
429
Please wait 5 seconds between requests.
Rate limit exceeded
500
Internal error.
Unhandled server issue
Notes & best practices
Exact matches: Category, industry, and network filters are exact (case‑sensitive depends on DB collation). Prefer using taxonomy first to fetch valid values.
Date windows: If you specify only
start_date, you’ll get everything from that day forward. If onlyend_date, you’ll get everything up to that day.Sorting: Results are ordered by
published_at DESC, id DESC.Quotas: Track
remaining_threat_feed_callsto avoid surprises.Max payloads: Use pagination; consider smaller
limitwith multiple pages for heavy consumers.
Last updated