API Reference
Getting Started
Make your first API call to enrich an IP address:
curl -H "X-API-Key: YOUR_API_KEY" https://api.portsix.io/api/v1/ip/8.8.8.8Need an API key? See the Authentication guide to generate one.
Base URL
https://api.portsix.ioResponse Format
All API responses are JSON formatted:
{
"status": "success",
"data": {
...
},
"metadata": {
"timestamp": "2025-10-28T15:00:00Z",
"processing_time_ms": 45
}
}Rate Limits
Rate limits vary by tier: 100-1,000 requests per minute depending on your subscription level. See the Pricing & Usage section for detailed pricing information.
Lookup API
Query observables for threat intelligence and contextual enrichment from multiple data sources.
IP Address Lookup
Enrich IP addresses with comprehensive contextual intelligence including geolocation, network information, cloud provider detection, and threat intelligence.
Credit Cost: 1 credit (basic lookup) or 3 credits (with threat intel enrichment)
/api/v1/ip/{ip_address}Enriches an IPv4 or IPv6 address with all available intelligence data.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
ip_address | string | Yes | IPv4 or IPv6 address to enrich (e.g., 8.8.8.8 or 2001:4860:4860::8888) |
include_threat_intel | boolean | No | Include threat intelligence data (+2 credits). Default: false |
Example Request
curl -H "X-API-Key: YOUR_API_KEY" "https://api.portsix.io/api/v1/ip/185.220.101.45"Example Response
{
"success": true,
"data": {
"observable_id": 3664181,
"type": "ipv4",
"value": "185.220.101.45",
"status": "active",
"risk_score": 43.74,
"enriched_at": "2026-01-03T21:26:26Z",
"geo": {
"country_code": "DE",
"country_name": "Germany",
"city": "Berlin",
"state_province": "State of Berlin",
"latitude": 52.52,
"longitude": 13.405,
"timezone": "Europe/Berlin"
},
"asn": {
"asn": 60729,
"org_name": "TORSERVERS-NET",
"country_code": "DE"
},
"cloud": null,
"anonymization": {
"type": "tor-exit",
"provider": "TOR",
"confidence": 1.0
},
"rdns": {
"hostname": "tor-exit-45.for-privacy.net",
"provider": "1.1.1.1"
},
"whois": {
"rir": "RIPE",
"whois_server": "whois.ripe.net"
},
"threat_intel": {
"tags": [
{"name": "Anon: Tor"},
{"name": "Brute Force"},
{"name": "Protocol: Ssh"}
],
"sources": ["alienvault_otx", "greensnow-blocklist"],
"first_seen": "2025-12-01T03:14:09Z",
"last_seen": "2025-12-30T06:44:02Z",
"confidence": 90
},
"relationships": [
{
"direction": "outgoing",
"relationship_type": "resolves_to",
"target_type": "domain",
"target_value": "for-privacy.net",
"confidence": 0.85
}
]
},
"meta": {
"credits_cost": 7,
"credits_remaining": 9993,
"execution_time_ms": 2515
}
}Enrichment Data Sources
GeoIP Data
- Country, state/province, city
- Coordinates (latitude/longitude)
- Postal code and timezone
ASN Information
- Autonomous System Number
- Organization name
- Country of registration
Cloud Provider Detection
- AWS, GCP, Azure, Cloudflare, Fastly
- Service and region information
- Updated from official provider IP ranges
Anonymization Services
- TOR exit nodes and relays
- VPN providers
- Proxy services (HTTP, SOCKS4, SOCKS5)
- Datacenter hosting
Risk Scoring
Risk scores range from 0-100 based on behavioral indicators and anonymization services. See the Scoring Methodology page for details.
- 0-30: Low risk (benign infrastructure)
- 31-60: Medium risk (suspicious activity)
- 61-80: High risk (known malicious indicators)
- 81-100: Critical risk (active threats)
Domain Lookup
Enrich domain names with WHOIS data, DNS records, SSL certificates, age analysis, and threat intelligence.
Credit Cost: 1 credit (basic lookup) or 3 credits (with threat intel enrichment)
Available Enrichment Data
- WHOIS - Registrar, creation/expiration dates, registrant country, privacy protection status
- DNS Records - A, AAAA, MX, NS, TXT, CNAME records with TTL
- SSL/TLS - Certificate issuer, validity dates, self-signed detection
- Age Analysis - Domain age, newly registered domain detection (<30 days)
- Reputation - Typosquatting detection, suspicious TLD flags, DGA pattern scoring
- Threat Intel - Behavioral tags, malware family associations, first/last seen timestamps
/api/v1/domain/{domain}Enriches a domain name with WHOIS, DNS, and threat intelligence data.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Yes | Domain name to enrich (e.g., example.com) |
include_threat_intel | boolean | No | Include threat intelligence data (+2 credits). Default: false |
Example Request
curl -H "X-API-Key: YOUR_API_KEY" "https://api.portsix.io/api/v1/domain/for-privacy.net"Example Response
{
"success": true,
"data": {
"observable_id": 2378031,
"type": "domain",
"value": "for-privacy.net",
"status": "active",
"risk_score": 15.34,
"enriched_at": "2026-01-03T21:26:39Z",
"dns": {
"dns_a": {
"record_type": "A",
"records": ["64.68.200.44"],
"provider": "1.1.1.1"
},
"dns_mx": {
"record_type": "MX",
"records": ["mail.for-privacy.net"]
},
"dns_ns": {
"record_type": "NS",
"records": ["dns1.easydnssec.com", "dns2.easydnssec.net"]
}
},
"whois": {
"domain_name": "FOR-PRIVACY.NET",
"registrar": "easyDNS Technologies Inc.",
"created": "2019-02-28T13:44:09Z",
"expires": "2026-02-28T13:44:09Z",
"nameservers": ["DNS1.EASYDNSSEC.COM", "DNS2.EASYDNSSEC.NET"]
},
"categorization": {
"status": "safe",
"provider": "Google Safe Browsing API v4"
},
"threat_intel": {
"tags": [
{"name": "Domain Age: > 1 year"},
{"name": "Safe Browsing: Safe"},
{"name": "TLD: .net"}
],
"sources": [],
"confidence": 20
},
"relationships": [
{
"direction": "outgoing",
"relationship_type": "resolves_to",
"target_type": "ipv4",
"target_value": "64.68.200.44",
"confidence": 0.9
},
{
"direction": "incoming",
"relationship_type": "resolves_to",
"source_type": "ipv4",
"source_value": "185.220.101.45",
"confidence": 0.85
}
]
},
"meta": {
"credits_cost": 7,
"credits_remaining": 9993,
"execution_time_ms": 2686
}
}Hash Lookup
Look up file hashes (MD5, SHA1, SHA256) in our threat intelligence database.
Credit Cost: 5 credits
Available Data
- Threat Intel - Behavioral tags, sources, first/last seen timestamps
- Risk Score - Threat level assessment (0-100)
- Relationships - Associated infrastructure and indicators
Supported Hash Types
- MD5 - 32 hex characters
- SHA1 - 40 hex characters
- SHA256 - 64 hex characters (preferred for accuracy)
/api/v1/hash/{hash}Look up a file hash in the threat intelligence database.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash | string | Yes | MD5, SHA1, or SHA256 hash |
Example Request
curl -H "X-API-Key: YOUR_API_KEY" "https://api.portsix.io/api/v1/hash/44d88612fea8a8f36de82e1278abb02f"Example Response
{
"type": "hash",
"value": "44d88612fea8a8f36de82e1278abb02f",
"hash_type": "md5",
"observable_id": 11223,
"status": "active",
"risk_score": 85,
"threat_intel": {
"tags": ["malware:emotet", "behavior:trojan", "delivery:email"],
"sources": ["abuse-ch", "malwarebazaar"],
"first_seen": "2024-03-10T08:00:00Z",
"last_seen": "2025-10-20T12:30:00Z",
"confidence": 90
},
"relationships": []
}Threat Query API
Query threat intelligence data, CVEs, relationships, and MITRE ATT&CK framework.
Observable Search
Search for observables in the database. Returns all matching records with associated tags, relationships, and metadata.
Credit Cost: 2 credits per query
/api/v1/observables/searchSearch for observables with optional filtering.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | No | Search query (IP, domain, hash, or text search) |
type | string | No | Filter by observable type (ipv4, ipv6, domain, hash) |
min_threat_score | number | No | Minimum risk score (0-100) |
limit | integer | No | Results per page (default: 10) |
offset | integer | No | Pagination offset |
Example Request
curl -H "X-API-Key: YOUR_API_KEY" "https://api.portsix.io/api/v1/observables/search?query=185.220&type=ipv4&limit=10"Example Response
{
"success": true,
"data": {
"indicators": [
{
"id": 2151394,
"type": "ipv4",
"value": "91.195.240.123",
"risk_score": 70.84,
"last_reported": "2026-01-03T19:34:02Z"
},
{
"id": 2233625,
"type": "ipv4",
"value": "192.169.69.25",
"risk_score": 65.48,
"last_reported": "2026-01-03T19:24:02Z"
}
],
"pagination": {
"total": 1247,
"limit": 10,
"offset": 0
}
},
"meta": {
"credits_cost": 20,
"credits_remaining": 9980,
"execution_time_ms": 450,
"result_count": 10,
"total_results": 1247
}
}Coming Soon
The following endpoints are planned but not yet implemented. They will be available in a future release:
- CVE Lookup (
/api/v1/intel/cve/{cve_id}) - Query CVE records with CVSS scores and MITRE mappings - Relationships (
/api/v1/intel/relationships/{observable_id}) - Domain-to-IP resolutions and infrastructure clustering - Observable History (
/api/v1/intel/observables/{id}/history) - Lifecycle tracking and observation windows - Sightings (
/api/v1/intel/observables/{id}/sightings) - Real-world observations from honeypots and SIEM alerts - Tags Query (
/api/v1/intel/observables/{id}/tags) - Tag classifications with taxonomy and confidence - Threat Context (
/api/v1/intel/observables/{id}/threat-context) - Threat actors, campaigns, and malware associations - MITRE ATT&CK (
/api/v1/intel/mitre/techniques/{id}) - Technique details with CVE mappings
Note: Tags, threat context, and relationships are included in the IP/Domain lookup responses when available. These dedicated endpoints will provide more detailed querying capabilities.
Behavior Feeds API
Pre-filtered threat intelligence feeds organized by threat behavior. Designed for SIEM integration, blocklist generation, and automated threat response. Returns lean indicator data optimized for high-volume consumption.
Feed Architecture
Feeds provide curated lists of indicators tagged with specific threat behaviors. Unlike our enrichment endpoints that return full context, feeds are optimized for:
- High-volume consumption - Up to 1,000 indicators per request
- Incremental sync -
updated_atparameter for delta updates - Multiple formats - JSON, CSV, EDL (External Dynamic List), STIX 2.1
- Minimal latency - Lean response format for fast parsing
Available Feeds
| Feed | Endpoint | Indicators | Description |
|---|---|---|---|
| C2 | /api/v1/feeds/behavior/c2 | 1M+ | Command & Control infrastructure |
| Phishing | /api/v1/feeds/behavior/phishing | 17K+ | Phishing and credential theft |
| Ransomware | /api/v1/feeds/behavior/ransomware | 12K+ | Ransomware infrastructure and wallets |
| Malware Distribution | /api/v1/feeds/behavior/malware-distribution | 390K+ | Malware hosting and distribution |
C2 Feed
Command & Control infrastructure indicators including Cobalt Strike, Sliver, Metasploit, and 100+ malware families. Updated continuously as new C2 servers are discovered.
Credit Cost: 10-50 credits depending on tier
/api/v1/feeds/behavior/c2Returns C2 infrastructure indicators with risk scoring for triage.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
limit | integer | No | Results per page (default: 100, max: 1000) |
offset | integer | No | Pagination offset for large result sets |
days | integer | No | Filter to indicators seen in last N days (tier-dependent max) |
updated_at | string | No | ISO8601 timestamp - only return indicators modified after this time (for incremental sync) |
format | string | No | Response format: json (default), csv, edl, stix |
Example Request
curl -H "X-API-Key: YOUR_API_KEY" \
"https://api.portsix.io/api/v1/feeds/behavior/c2?limit=100"Example Response
{
"success": true,
"data": {
"indicators": [
{
"id": 12345,
"type": "ipv4",
"value": "185.220.101.45",
"risk_score": 85,
"last_reported": "2026-01-02T14:30:00Z"
},
{
"id": 12346,
"type": "domain",
"value": "c2.malware-domain.com",
"risk_score": 92,
"last_reported": "2026-01-02T12:15:00Z"
}
],
"pagination": {
"limit": 100,
"offset": 0,
"total": 1031374
}
},
"meta": {
"credits_cost": 10,
"execution_time_ms": 850,
"result_count": 100,
"total_results": 1031374
}
}Phishing Feed
Phishing infrastructure including credential harvesting sites, GoPhish servers, and brand impersonation domains.
Credit Cost: 10-50 credits depending on tier
/api/v1/feeds/behavior/phishingReturns phishing infrastructure indicators.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
limit | integer | No | Results per page (default: 100, max: 1000) |
offset | integer | No | Pagination offset |
updated_at | string | No | ISO8601 timestamp for incremental sync |
format | string | No | Response format: json, csv, edl, stix |
Example Request
curl -H "X-API-Key: YOUR_API_KEY" \
"https://api.portsix.io/api/v1/feeds/behavior/phishing?limit=50&format=json"Example Response
{
"success": true,
"data": {
"indicators": [
{
"id": 23456,
"type": "ipv4",
"value": "202.10.45.245",
"risk_score": 59,
"last_reported": "2026-01-02T22:14:02Z"
}
],
"pagination": {
"limit": 50,
"offset": 0,
"total": 17960
}
},
"meta": {
"credits_cost": 10,
"execution_time_ms": 650
}
}Ransomware Feed
Ransomware infrastructure including payment addresses (Bitcoin, Monero), negotiation sites, and data leak portals.
Credit Cost: 30-100 credits depending on tier
/api/v1/feeds/behavior/ransomwareReturns ransomware-related indicators including cryptocurrency addresses.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
limit | integer | No | Results per page (default: 100, max: 1000) |
offset | integer | No | Pagination offset |
updated_at | string | No | ISO8601 timestamp for incremental sync |
format | string | No | Response format: json, csv, edl, stix |
Example Request
curl -H "X-API-Key: YOUR_API_KEY" \
"https://api.portsix.io/api/v1/feeds/behavior/ransomware?limit=100"Example Response
{
"success": true,
"data": {
"indicators": [
{
"id": 34567,
"type": "bitcoin_address",
"value": "113vooUGjtHFecKGAAhxhEpXt9gXFVArzm",
"risk_score": 50,
"last_reported": "2026-01-02T03:54:02Z"
}
],
"pagination": {
"limit": 100,
"offset": 0,
"total": 12011
}
},
"meta": {
"credits_cost": 30,
"execution_time_ms": 1200
}
}Malware Distribution Feed
Malware hosting and distribution infrastructure. Includes download servers, dropper domains, and exploit kit landing pages.
Credit Cost: 10-50 credits depending on tier
/api/v1/feeds/behavior/malware-distributionReturns malware distribution infrastructure indicators.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
limit | integer | No | Results per page (default: 100, max: 1000) |
offset | integer | No | Pagination offset |
updated_at | string | No | ISO8601 timestamp for incremental sync |
format | string | No | Response format: json, csv, edl, stix |
Example Request
curl -H "X-API-Key: YOUR_API_KEY" \
"https://api.portsix.io/api/v1/feeds/behavior/malware-distribution?limit=100"Example Response
{
"success": true,
"data": {
"indicators": [
{
"id": 45678,
"type": "url",
"value": "http://malware.example.com/payload.exe",
"risk_score": 95,
"last_reported": "2026-01-02T08:30:00Z"
}
],
"pagination": {
"limit": 100,
"offset": 0,
"total": 392050
}
},
"meta": {
"credits_cost": 10,
"execution_time_ms": 920
}
}Usage Patterns
Initial Sync (First Pull)
For initial blocklist population, paginate through the entire feed:
#!/bin/bash
# Initial sync - paginate through all C2 indicators
API_KEY="YOUR_API_KEY"
OFFSET=0
LIMIT=1000
while true; do
RESPONSE=$(curl -s -H "X-API-Key: $API_KEY" \
"https://api.portsix.io/api/v1/feeds/behavior/c2?limit=$LIMIT&offset=$OFFSET")
COUNT=$(echo $RESPONSE | jq '.data.indicators | length')
echo "Fetched $COUNT indicators at offset $OFFSET"
# Process indicators...
echo $RESPONSE | jq -r '.data.indicators[].value' >> c2_blocklist.txt
# Check if we've reached the end
if [ "$COUNT" -lt "$LIMIT" ]; then
break
fi
OFFSET=$((OFFSET + LIMIT))
doneIncremental Sync (Delta Updates)
For ongoing updates, use updated_at to fetch only changed indicators. This is the recommended pattern for SIEM integration:
#!/bin/bash
# Incremental sync - only fetch changes since last sync
API_KEY="YOUR_API_KEY"
LAST_SYNC="2026-01-01T00:00:00Z" # Store this from previous run
curl -H "X-API-Key: $API_KEY" \
"https://api.portsix.io/api/v1/feeds/behavior/c2?updated_at=$LAST_SYNC&limit=1000"
# Store current timestamp for next sync
# Note: updated_at only returns indicators with actual changes
# (score updates, new sources, etc.) - NOT just daily re-ingestionEDL Format for Firewalls
Generate External Dynamic Lists for Palo Alto, Fortinet, and Cisco firewalls:
# Request EDL format - returns plain text, one indicator per line
curl -H "X-API-Key: $API_KEY" \
"https://api.portsix.io/api/v1/feeds/behavior/c2?format=edl&limit=10000" \
> /var/www/html/edl/c2_blocklist.txt
# Palo Alto will fetch this URL every 6 hours
# Objects > External Dynamic Lists > Source URLResponse Field Reference
Feed responses are intentionally lean to optimize for high-volume consumption. For full enrichment data, use the observable ID with our enrichment endpoints.
| Field | Type | Description |
|---|---|---|
id | integer | Observable ID - use with /api/v1/observables/{id} for full details |
type | string | Indicator type: ipv4, ipv6, domain, url, sha256, bitcoin_address |
value | string | The indicator value (IP, domain, URL, hash, etc.) |
risk_score | number | 0-100 risk score for triage prioritization |
last_reported | string | ISO8601 timestamp - when sources last reported this indicator |
Why No Confidence Score in Feeds?
Feeds provide risk_score for triage but exclude confidenceand other enrichment data. This is intentional:
- Feeds are for detection - Risk score tells you what to block/alert on
- Enrichment is for investigation - Confidence, sources, and context belong in detailed lookups
- Lean responses = faster parsing - Processing 1M+ indicators requires minimal payload
Need confidence scores? Query /api/v1/observables/{id} or /api/v1/ip/{ip}for full context on indicators that triggered alerts.
Related Documentation
- Authentication - API key setup and security
- IP Enrichment - Detailed IP enrichment guide
- Scoring Methodology - How risk and confidence scores are calculated
- Pricing & Usage - Credit costs and usage analytics