Port Six

Port Six Threat Intelligence API Documentation

What is Port Six?

Port Six transforms raw threat indicators into scored, contextualized, actionable intelligence ready for your security stack. We enrich IPs, domains, URLs, and file hashes with behavioral classification, malware attribution, and multi-dimensional risk scoring.

Sub-100ms response times mean you can enrich every firewall connection, validate every URL in email, and block C2 callbacks before data leaves your network.

Why Port Six

Intelligence, Not Just Indicators

Raw IOC feeds tell you an IP is "bad." We tell you why:

  • Behavioral classification - Is this C2, phishing, cryptomining, or ransomware infrastructure?
  • Malware family attribution - Cobalt Strike, Emotet, Sliver, AsyncRAT, and 100+ families
  • Threat actor context - APT attribution when confidence is high
  • Temporal analysis - When was it first seen, how active is it, and is it stale?

Actionable Scoring

Every observable receives three scores to help you tune detection thresholds:

  • Risk Score (0-100) - How dangerous is this indicator?
  • Confidence Score (0-100) - How certain are we about this assessment?

Block high-risk, high-confidence indicators immediately. Alert on medium-scoring indicators for review.

Operational Readiness

Export in formats your security tools understand:

  • External Dynamic Lists - Palo Alto, Fortinet, Cisco
  • STIX 2.1 / TAXII 2.1 - Standard threat sharing
  • Suricata/Snort rules - IDS/IPS ready
  • CSV/JSON - Bulk import anywhere

Not Another Portal

Platform Fatigue is Real

The average SOC juggles 25+ security tools. Every new portal means another tab, another login, another context switch. Your analysts are drowning in dashboards.

We're an API, Not a Portal

Port Six is designed to disappear into your existing stack:

  • Enrich alerts directly in Splunk, Sentinel, or QRadar
  • Push blocklists automatically to your firewall
  • Query from scripts, playbooks, and SOAR workflows
  • No new tab to check. No new login to remember.

Your analysts stay in their tools. Our intelligence comes to them.

When You Do Need a Dashboard

Our portal exists for API key management and usage analytics - not for manual IOC lookups. Track consumption by endpoint, monitor response times, and forecast credit usage. Then get back to your SIEM.

Platform Highlights

What We Cover

  • 100+ malware families tracked with C2 infrastructure mapping
  • 50+ threat actor groups monitored with campaign attribution
  • Behavioral tags across 12 threat categories (C2, phishing, ransomware, etc.)
  • Global coverage with GeoIP, ASN, and cloud provider detection

Enrichment Depth

  • IP Addresses: GeoIP, ASN, cloud provider, Tor/VPN/proxy detection, threat tags
  • Domains: WHOIS, DNS records, SSL certificates, age analysis, reputation
