alienvault.com API

Access AlienVault OTX threat intelligence via API: search pulses, retrieve IOCs, look up adversary profiles, and query indicator reputation for IPs, domains, and CVEs.

Endpoints: 7 · Updated: 10d ago
Endpoint URL pattern: https://api.parse.bot/scraper/9d8a168a-f773-44d8-8ecb-0d09fbcbcd89/<endpoint>

Use it in your code (grab a free API key at signup):
curl -X GET 'https://api.parse.bot/scraper/9d8a168a-f773-44d8-8ecb-0d09fbcbcd89/search_pulses?limit=2&query=ransomware' \
  -H "X-API-Key: $PARSE_API_KEY"
All endpoints · 7 total

Search for threat intelligence pulses by keyword, tag, or metadata. Returns paginated results sorted by modification date by default.

Input
Param   Type     Description
page    integer  Page number for pagination.
sort    string   Sort order. Accepted values: '-modified' (newest first), 'modified' (oldest first), '-name', 'name'.
limit   integer  Number of results per page.
query   string   Search keyword (e.g. 'cobalt strike', 'ransomware'). Omitting returns all pulses.
Response
{
  "type": "object",
  "fields": {
    "next": "string or null, URL of next page",
    "count": "integer, total number of matching pulses",
    "results": "array of pulse summary objects with id, name, description, modified, created, tags, indicator_count, author",
    "previous": "string or null, URL of previous page"
  },
  "sample": {
    "data": {
      "next": "https://otx.alienvault.com/otxapi/pulses/?q=cobalt+strike&limit=5&page=2&sort=-modified",
      "count": 5452,
      "results": [
        {
          "id": "69c081afa2bd54a9599b7c07",
          "name": "PhishDestroy — Active Phishing & Crypto Scam Domains",
          "tags": [],
          "author": {
            "id": "348394",
            "username": "phishdestroy"
          },
          "created": "2026-03-22T23:56:29.438000",
          "modified": "2026-05-01T08:00:04.093000",
          "description": "Real-time feed of phishing, crypto drainer, and scam domains",
          "indicator_count": 141505
        }
      ],
      "previous": null
    },
    "status": "success"
  }
}

About the alienvault.com API

The AlienVault OTX API exposes 7 endpoints covering threat pulses, indicators of compromise, and adversary profiles from the Open Threat Exchange community. Use get_indicator_details to query reputation scores and associated pulses for IPv4 addresses, domains, file hashes, and CVEs, or use search_pulses to find relevant threat intelligence by keyword across the full OTX pulse library.

Threat Pulses and IOCs

The search_pulses endpoint accepts a query string (e.g. 'cobalt strike', 'ransomware') alongside sort, limit, and page parameters, and returns a paginated list of pulse summaries including id, name, tags, indicator_count, and author. Once you have a pulse ID, get_pulse_details returns the full metadata: MITRE ATT&CK technique objects via attack_ids, associated malware_families, and a detailed description. get_pulse_indicators then pages through the actual IOCs in that pulse — each indicator object carries indicator (the value), type, is_active, and created timestamp.

Indicator Lookup

get_indicator_details accepts a type (IPv4, IPv6, domain, hostname, url, file, or cve) and a value, plus an optional section parameter. Available sections include general, geo, reputation, url_list, passive_dns, and malware. The response returns a reputation integer score, a pulse_info object with the count and list of pulses referencing that indicator, and (for the general section) a whois URL. Note that some section and type combinations may not have data available upstream.

Adversary Profiles

browse_adversaries returns a paginated list of known threat actors, each with a canonical value (name), description, and uuid. The list can be sorted alphabetically with the sort parameter. get_adversary_details performs case-insensitive name matching and returns the full meta object — which includes fields such as country, synonyms, refs, capabilities, and victimology — along with the adversary's uuid and description.

Recent Activity

get_recent_alerts returns the most recently modified pulses sorted by modification date, using the same response shape as search_pulses. It accepts page and limit for pagination. This is the appropriate endpoint for polling for newly published or updated threat intelligence without a specific search term.

Common use cases
  • Automate IP reputation checks by querying get_indicator_details with type IPv4 to retrieve reputation scores and associated pulse counts for traffic observed in SIEM alerts.
  • Enrich SOAR playbooks with CVE context by calling get_indicator_details with type cve and a CVE ID to surface related threat pulses.
  • Build a threat feed ingestion pipeline using get_recent_alerts to poll for newly modified pulses and get_pulse_indicators to extract fresh IOCs.
  • Map adversary TTPs by fetching get_adversary_details for actor names and correlating the returned meta.capabilities and meta.victimology fields with internal incident data.
  • Search the OTX pulse library by malware family or campaign name using search_pulses with query to identify relevant pulses for a current investigation.
  • Enumerate all IOCs for a specific pulse using get_pulse_indicators with pagination to build a blocklist of active indicators filtered by is_active.
  • Profile a domain during incident response using get_indicator_details with type domain and sections passive_dns or malware to see historical resolution and associated malware data.
Pricing & limits

Tier       Price     Credits/month  Rate limit
Free       $0/mo     100            5 req/min
Hobby      $30/mo    1,000          20 req/min
Developer  $100/mo   5,000          250 req/min

One credit = one API call regardless of which marketplace API you call. Exceeding the rate limit returns a 429 response. Authenticate with the X-API-Key header.
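Added example (not part of the original page and not Parse's or AlienVault's own code): a Python client that walks the page/limit pagination of search_pulses or get_recent_alerts, sends the X-API-Key header, backs off on the 429 described above, and de-duplicates pulses by id. It assumes the live response body has the data/status shape shown under "sample" in the response spec; http_fetch, iter_pulses and their parameters are names chosen for this example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Base URL copied from the page's curl example.
BASE = "https://api.parse.bot/scraper/9d8a168a-f773-44d8-8ecb-0d09fbcbcd89"


def http_fetch(endpoint, params, api_key):
    """Send one GET request; return (status_code, parsed_json_or_None)."""
    url = f"{BASE}/{endpoint}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None  # e.g. 429 when the rate limit is exceeded


def iter_pulses(endpoint, api_key, limit=50, max_pages=20, max_retries=4,
                fetch=http_fetch, sleep=time.sleep, **filters):
    """Yield each pulse summary once, stopping when 'next' is null."""
    seen = set()
    for page in range(1, max_pages + 1):
        params = {"page": page, "limit": limit, **filters}
        for attempt in range(max_retries + 1):
            status, body = fetch(endpoint, params, api_key)
            if status != 429:
                break
            # 12 s is one request slot at the free tier's 5 req/min; cap at 60 s.
            sleep(min(60, 12 * 2 ** attempt))
        if status != 200 or not body or body.get("status") != "success":
            raise RuntimeError(f"{endpoint} page {page} failed: HTTP {status}")
        data = body["data"]  # assumed envelope: {"data": {...}, "status": ...}
        for pulse in data.get("results", []):
            # Pulses modified mid-crawl can shift between pages; dedupe on id.
            if pulse["id"] not in seen:
                seen.add(pulse["id"])
                yield pulse
        if not data.get("next"):
            return


if __name__ == "__main__":
    import os
    for p in iter_pulses("search_pulses", os.environ["PARSE_API_KEY"],
                         limit=2, max_pages=1, query="ransomware"):
        print(p["id"], p["indicator_count"], p["name"])
```

Each page request consumes one credit, so max_pages also acts as a spending cap when a broad query matches thousands of pulses.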

Frequently asked questions
Does AlienVault OTX have an official developer API?
Yes. AlienVault provides an official OTX DirectConnect API documented at https://otx.alienvault.com/api. The Parse API surfaces the same OTX data through a normalized interface that does not require managing OTX API keys directly.
What does get_indicator_details return, and does the section parameter matter?
It always returns type, indicator, reputation, and pulse_info (count plus associated pulses). The section parameter filters which additional data block is included — for example, geo adds geographic data for IP indicators, passive_dns adds historical DNS resolution records, and malware adds associated malware samples. Some section/type combinations return no data if OTX has no records for that combination.
Does the API expose private OTX pulses or user-specific subscriptions?
No. The API returns publicly visible OTX data. Private pulses created within an OTX account or subscription-gated content are not accessible. Coverage is limited to the public Open Threat Exchange dataset. You can fork this API on Parse and revise it to add authentication flows that expose account-specific pulse subscriptions if needed.
Is there an endpoint for querying pulse activity by a specific author or OTX user?
Not currently. The search_pulses endpoint filters by keyword, tag, and sort order, and the browse_adversaries endpoint covers named threat actors — but neither supports filtering by OTX author username. You can fork this API on Parse and revise it to add an author-filtered pulse endpoint.
How fresh is the data returned by get_recent_alerts?
Results reflect the most recently modified pulses in the OTX public dataset at the time of the request. The OTX community contributes and updates pulses continuously, so freshness depends on community activity. The response includes a modified timestamp per pulse so you can determine when each was last updated.
Page content last updated . Spec covers 7 endpoints from alienvault.com.