Cyber Threat Intelligence

The Edgewatch CTI API provides real-time, first-hand cyber threat intelligence collected from a global honeypot network. It offers enriched data on IP addresses, domains, URLs, and malware hashes, supporting proactive threat detection, enrichment pipelines, and SOC integrations.

Base URL:

https://cti.edgewatch.net

Authentication:
All endpoints require a Bearer Token sent via the Authorization HTTP header.

Authorization: Bearer <your_api_token>

Obtain API keys through your Edgewatch customer portal or contact support.


Authentication

How to authenticate requests:

Include your bearer token in the Authorization header:

curl -H "Authorization: Bearer YOUR_TOKEN" https://cti.edgewatch.net/ip/203.0.113.45

If the token is missing or invalid, the server responds with HTTP 401 and the body:

{
  "detail": "Not authenticated"
}

Endpoint: /ip/{ip}

GET /ip/{ip}

Returns intelligence for an IP address including threat classification, tags, honeypot sightings, and geolocation data.

Example Request:

curl -H "Authorization: Bearer YOUR_TOKEN" https://cti.edgewatch.net/ip/203.0.113.45

Response Example:

{
  "ip_addr": "203.0.113.45",
  "classification": "malicious",
  "tag": ["ssh", "malware"],
  "blacklist": [
    {
      "source": "Cowrie",
      "description": "SSH brute-force",
      "first_seen": "2025-05-12 00:30:45",
      "last_seen": "2025-05-12 01:15:00",
      "count": 15
    }
  ],
  "location": { "lat": 35.0, "lon": 103.0 },
  "creation_time": "2025-05-12 00:30:45",
  "modification_time": "2025-05-12 01:15:00",
  "type": "ip"
}
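The response above is what an enrichment pipeline has to turn into something a SIEM rule can act on. The following is an added example (not Edgewatch code) that flattens the documented /ip response into one record: a single verdict, sighting counts summed across all blacklist entries, the overall first/last-seen window, and a staleness flag. The action policy and the 30-day window are this example's own; the timestamps on the page carry no UTC offset, and treating them as UTC is an assumption, not something the page states.

```python
"""Normalize a /ip/{ip} response into a flat record for a SIEM enrichment step.

Added example, not Edgewatch code. The input shape is the documented /ip
response; the action policy, the staleness window and the assumption that
the timezone-less timestamps are UTC are this example's own choices.
"""
from datetime import datetime, timezone

# Constructed sample input: the /ip/203.0.113.45 response shown on this page.
SAMPLE_IP_RESPONSE = {
    "ip_addr": "203.0.113.45",
    "classification": "malicious",
    "tag": ["ssh", "malware"],
    "blacklist": [
        {
            "source": "Cowrie",
            "description": "SSH brute-force",
            "first_seen": "2025-05-12 00:30:45",
            "last_seen": "2025-05-12 01:15:00",
            "count": 15,
        }
    ],
    "location": {"lat": 35.0, "lon": 103.0},
    "creation_time": "2025-05-12 00:30:45",
    "modification_time": "2025-05-12 01:15:00",
    "type": "ip",
}

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ts(value):
    """Parse the API's 'YYYY-MM-DD HH:MM:SS' strings. They carry no UTC offset,
    so this example assumes UTC (an assumption; the page does not state it)."""
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def normalize_ip_record(resp, now=None, max_age_days=30):
    """Flatten the response: one verdict, sighting counts aggregated across all
    blacklist entries, the overall sighting window, and a staleness flag so an
    indicator last seen months ago does not page anyone."""
    now = now or datetime.now(timezone.utc)
    sightings = resp.get("blacklist") or []
    first_seen = min((parse_ts(s["first_seen"]) for s in sightings), default=None)
    last_seen = max((parse_ts(s["last_seen"]) for s in sightings), default=None)
    age_days = (now - last_seen).days if last_seen else None
    stale = age_days is not None and age_days > max_age_days
    classification = resp.get("classification", "unknown")
    return {
        "indicator": resp["ip_addr"],
        "indicator_type": resp.get("type", "ip"),
        "classification": classification,
        "tags": sorted(resp.get("tag") or []),
        "sources": sorted({s["source"] for s in sightings}),
        "descriptions": sorted({s["description"] for s in sightings}),
        "total_sightings": sum(int(s.get("count", 0)) for s in sightings),
        "first_seen": first_seen.isoformat() if first_seen else None,
        "last_seen": last_seen.isoformat() if last_seen else None,
        "age_days": age_days,
        "stale": stale,
        # Policy (this example's own): fresh malicious hits alert, all else is logged.
        "action": "alert" if classification == "malicious" and not stale else "log",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(normalize_ip_record(SAMPLE_IP_RESPONSE), indent=2))
```

Summing `count` across entries matters once an IP has sightings from more than one honeypot source; the staleness check keeps a year-old brute-forcer from firing the same alert as one seen an hour ago.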

Endpoint: /hostname/{hostname}

GET /hostname/{hostname}

Retrieves intelligence about a specific hostname or subdomain, including resolved IPs and domain-level metadata.


Endpoint: /url/{url}

GET /url/{url}

Returns contextual intelligence for a given URL, such as sightings, classification, and associated tags.

Note: the URL is passed as a single path segment, so it must be fully percent-encoded, including the `:` and `/` characters of the scheme and path (as in the example below, where `https://` becomes `https%3A%2F%2F`). An unencoded `/` would be read as a path separator and the lookup would fail.

Example:

curl -H "Authorization: Bearer YOUR_TOKEN" https://cti.edgewatch.net/url/https%3A%2F%2Fevil.example.com%2Fdropper.exe

Endpoint: /sample/{hash}

GET /sample/{hash}

Returns metadata and threat classification for a file hash (SHA256 or MD5), including detection count, file type, and malware tags.

Fields:

  • sha256, md5, sha1
  • filetype, filename, size
  • classification
  • tags
  • blacklist entries with sources

TAXII 2.1 Server

Accessing STIX feeds

You can pull structured STIX 2.1 bundles from our TAXII 2.1 endpoint:

https://cti.edgewatch.net:9000/

For details on available collections and authentication setup, refer to the TAXII Server Guide.


Response Codes

Code  Description
200   Success
401   Unauthorized (invalid or missing token)
404   IOC not found
429   Rate limit exceeded
500   Internal server error
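The percent-encoding requirement for /url/{url}, the SHA256-or-MD5 restriction on /sample/{hash}, and the response-code table above are the three things a client most often gets wrong. The following is an added example of a minimal client, not Edgewatch's own library, that builds each endpoint path with `quote(value, safe="")` (Python's default `quote` leaves `/` unencoded, which breaks URL lookups), rejects digests that are not 32 or 64 hex characters before sending them, and maps the documented status codes to behaviour: 401 fails fast, 404 means "no intelligence" rather than an error, and 429/500 are retried with exponential backoff. The transport is injectable so the block runs offline against canned responses; the backoff schedule, the `ScriptedTransport` stand-in and the canned /url body are this example's own constructions.

```python
"""Minimal Edgewatch CTI client: correct path encoding, /sample digest
validation, and handling of the documented response codes.

Added example, not Edgewatch's own client. Base URL, endpoint paths and
status codes come from the page; the retry schedule, the offline transport
and the canned response bodies are this example's constructions.
"""
import json
import re
import time
import urllib.error
import urllib.request
from urllib.parse import quote

BASE_URL = "https://cti.edgewatch.net"
# /sample accepts SHA256 or MD5 per the page: 64 or 32 hex digits, nothing else.
HEX_DIGEST = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{64})")


class AuthError(Exception):
    """HTTP 401: token missing or invalid; retrying will not help."""


def indicator_path(kind, value):
    """Build the request path for one indicator. The value is a single path
    segment, so quote(..., safe="") encodes ':' and '/' too; quote()'s default
    keeps '/', which would split a URL indicator into extra path components."""
    if kind in ("ip", "hostname", "url"):
        return f"/{kind}/{quote(value, safe='')}"
    if kind == "sample":
        digest = value.strip().lower()
        if not HEX_DIGEST.fullmatch(digest):
            raise ValueError("sample lookups take an MD5 (32 hex) or SHA256 (64 hex) digest")
        return f"/sample/{digest}"
    raise ValueError(f"unknown indicator kind: {kind}")


def urllib_transport(url, headers):
    """Real transport: returns (status, body) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class ScriptedTransport:
    """Offline stand-in (constructed): serves canned (status, body) pairs per URL."""

    def __init__(self, script):
        self.script = {url: list(responses) for url, responses in script.items()}
        self.calls = []

    def __call__(self, url, headers):
        self.calls.append((url, headers.get("Authorization")))
        pending = self.script.get(url)
        return pending.pop(0) if pending else (404, b"{}")


def _detail(body):
    """Extract the 'detail' message the API uses for errors, tolerating non-JSON."""
    try:
        return json.loads(body).get("detail", "")
    except (ValueError, AttributeError):
        return body.decode(errors="replace")


class EdgewatchClient:
    def __init__(self, token, transport=urllib_transport, base_url=BASE_URL,
                 sleep=time.sleep, max_retries=3):
        self.token, self.transport, self.base_url = token, transport, base_url
        self.sleep, self.max_retries = sleep, max_retries

    def lookup(self, kind, value):
        """Decoded JSON on 200, None on 404 (IOC unknown), AuthError on 401,
        exponential backoff on 429/500, RuntimeError once retries are exhausted."""
        url = self.base_url + indicator_path(kind, value)
        headers = {"Authorization": f"Bearer {self.token}"}
        delay = 1.0
        for attempt in range(self.max_retries + 1):
            status, body = self.transport(url, headers)
            if status == 200:
                return json.loads(body)
            if status == 401:
                raise AuthError(_detail(body) or "Not authenticated")
            if status == 404:
                return None
            if status in (429, 500) and attempt < self.max_retries:
                self.sleep(delay)
                delay *= 2
                continue
            raise RuntimeError(f"HTTP {status} from {url}: {_detail(body)}")


def demo():
    """Run the client offline: a 429 that is retried then a hit for the URL
    indicator, a 401 for the IP lookup, and a digest the feed does not know."""
    url_ioc = "https://evil.example.com/dropper.exe"
    url_intel = {"classification": "malicious", "tag": ["dropper"]}  # constructed body
    transport = ScriptedTransport({
        BASE_URL + "/url/https%3A%2F%2Fevil.example.com%2Fdropper.exe": [
            (429, b""), (200, json.dumps(url_intel).encode())],
        BASE_URL + "/ip/203.0.113.45": [(401, b'{"detail": "Not authenticated"}')],
    })
    slept = []
    client = EdgewatchClient("YOUR_TOKEN", transport=transport, sleep=slept.append)
    out = {"url_intel": client.lookup("url", url_ioc), "slept": slept}
    try:
        client.lookup("ip", "203.0.113.45")
        out["auth_error"] = None
    except AuthError as err:
        out["auth_error"] = str(err)
    out["unknown_hash"] = client.lookup("sample", "d41d8cd98f00b204e9800998ecf8427e")
    out["calls"] = len(transport.calls)
    return out
```

To use it against the real service, construct `EdgewatchClient(token)` with the default transport and keep the token out of source (an environment variable or secret store). Returning `None` on 404 is deliberate: in bulk enrichment most indicators are unknown to any single feed, and an exception per miss turns a routine lookup loop into error handling.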
