Discover/AlienVault API
live

AlienVault APIalienvault.com

Access AlienVault OTX threat intelligence via API: search pulses, retrieve IOCs, look up adversary profiles, and query indicator reputation for IPs, domains, and CVEs.

Endpoint health
verified 6d ago
search_pulses
get_adversary_details
get_pulse_indicators
browse_adversaries
get_recent_alerts
7/7 passing latest checkself-healing
Endpoints
7
Updated
21d ago

What is the AlienVault API?

The AlienVault OTX API exposes 7 endpoints covering threat pulses, indicators of compromise, and adversary profiles from the Open Threat Exchange community. Use get_indicator_details to query reputation scores and associated pulses for IPv4 addresses, domains, file hashes, and CVEs, or use search_pulses to find relevant threat intelligence by keyword across the full OTX pulse library.

Try it
Page number for pagination.
Sort order for results.
Number of results per page.
Search keyword (e.g. 'cobalt strike', 'ransomware'). Omitting returns all pulses.
api.parse.bot/scraper/9d8a168a-f773-44d8-8ecb-0d09fbcbcd89/<endpoint>
Ready to send
Fill in the parameters and hit sign in to send to see live response data here.
Call it over HTTPgrab a free API key at signup
curl -X GET 'https://api.parse.bot/scraper/9d8a168a-f773-44d8-8ecb-0d09fbcbcd89/search_pulses?page=1&sort=-modified&limit=5&query=ransomware' \
  -H 'X-API-Key: $PARSE_API_KEY'
Python SDK · recommended

Typed, relational, agent-ready

A generated client with real types, enums, and the links between objects — the structure a flat JSON response can't carry. Autocompletes in your editor and reads cleanly to coding agents.

  • Fully typed · autocompletes
  • Objects link to objects
  • Typed errors & pagination

Typed Python client. Set up the SDK in your uv project, then pull this API’s typed client:

uv add parse-sdk
uv run parse init
uv run parse add --marketplace alienvault-com-api

uv run parse add --marketplace pulls a pinned snapshot of this canonical API — it won’t change underneath you. To customize it, subscribe and swap to your own copy.

from parse_apis.alienvault_open_threat_exchange_otx_api import OTX, PulseSort, IndicatorType, IndicatorSection, AdversarySort

otx = OTX()

# Search for recent ransomware-related threat pulses
for pulse in otx.pulses.search(query="ransomware", sort=PulseSort.NEWEST, limit=5):
    print(pulse.name, pulse.indicator_count, pulse.modified)

    # Drill into indicators for this pulse
    for ioc in pulse.indicators.list(limit=3):
        print(ioc.type, ioc.indicator, ioc.is_active)

# Look up threat intelligence for a specific IP indicator
detail = otx.indicatordetails.lookup(
    indicator_type=IndicatorType.IPV4,
    value="8.8.8.8",
    section=IndicatorSection.GENERAL,
)
print(detail.indicator, detail.reputation, detail.sections)

# Browse known threat adversaries
for adversary in otx.adversaries.browse(sort=AdversarySort.NAME_ASC, limit=5):
    print(adversary.value, adversary.uuid)
    if adversary.meta:
        print(adversary.meta.country, adversary.meta.synonyms)
All endpoints · 7 totalmissing one? ·

Full-text search over threat intelligence pulses by keyword, tag, or metadata. Returns paginated results sorted by modification date by default. Omitting the query returns all pulses. Each pulse summary includes indicator counts and author info but not the full indicator list (use get_pulse_indicators for that).

Input
ParamTypeDescription
pageintegerPage number for pagination.
sortstringSort order for results.
limitintegerNumber of results per page.
querystringSearch keyword (e.g. 'cobalt strike', 'ransomware'). Omitting returns all pulses.
Response
{
  "type": "object",
  "fields": {
    "next": "string or null, URL of next page",
    "count": "integer, total number of matching pulses",
    "results": "array of pulse summary objects",
    "previous": "string or null, URL of previous page"
  },
  "sample": {
    "data": {
      "next": "https://otx.alienvault.com/otxapi/pulses/?q=ransomware&limit=5&page=2&sort=-modified",
      "count": 11052,
      "results": [
        {
          "id": "6a2951722e6ca0cbaaac430b",
          "name": "Ransomware Analysis: Go Binary and Fast Encryption",
          "tags": [
            "double extortion",
            "gentlemen"
          ],
          "author": {
            "id": "2",
            "username": "AlienVault"
          },
          "created": "2026-06-10T11:58:42.962000",
          "modified": "2026-06-10T13:44:10.922000",
          "adversary": "The Gentlemen",
          "description": "The Gentlemen is a Ransomware-as-a-Service operation...",
          "indicator_count": 8
        }
      ],
      "previous": null
    },
    "status": "success"
  }
}

About the AlienVault API

Threat Pulses and IOCs

The search_pulses endpoint accepts a query string (e.g. 'cobalt strike', 'ransomware') alongside sort, limit, and page parameters, and returns a paginated list of pulse summaries including id, name, tags, indicator_count, and author. Once you have a pulse ID, get_pulse_details returns the full metadata: MITRE ATT&CK technique objects via attack_ids, associated malware_families, and a detailed description. get_pulse_indicators then pages through the actual IOCs in that pulse — each indicator object carries indicator (the value), type, is_active, and created timestamp.

Indicator Lookup

get_indicator_details accepts a type (IPv4, IPv6, domain, hostname, url, file, or cve) and a value, plus an optional section parameter. Available sections include general, geo, reputation, url_list, passive_dns, and malware. The response returns a reputation integer score, a pulse_info object with the count and list of pulses referencing that indicator, and (for the general section) a whois URL. Note that some section and type combinations may not have data available upstream.

Adversary Profiles

browse_adversaries returns a paginated list of known threat actors, each with a canonical value (name), description, and uuid. The list can be sorted alphabetically with the sort parameter. get_adversary_details performs case-insensitive name matching and returns the full meta object — which includes fields such as country, synonyms, refs, capabilities, and victimology — along with the adversary's uuid and description.

Recent Activity

get_recent_alerts returns the most recently modified pulses sorted by modification date, using the same response shape as search_pulses. It accepts page and limit for pagination. This is the appropriate endpoint for polling for newly published or updated threat intelligence without a specific search term.

Reliability & maintenanceVerified

The AlienVault API is a managed, monitored endpoint for alienvault.com — not a raw scraper you maintain. Every endpoint is automatically health-checked on a schedule, and when alienvault.com changes and a check fails, the API is automatically queued for repair and re-verified. It is built to keep working as the site underneath it changes.

This isn't an official alienvault.com API — it's an independent, maintained REST wrapper over public data. Where the source has no official API (or only a limited one), Parse gives you a stable contract over a source that never promised one, and keeps it current. Need a new endpoint or field? You can revise it yourself in plain English and the agent rebuilds it against the live site in minutes — contributing the change back to the shared API is free.

Last verified
6d ago
Latest check
7/7 endpoints passing
Maintenance
Monitored & self-healing
Will this API break when the source site changes?+
It's built not to. Every endpoint is health-checked on a schedule with automated test probes. When the source site changes and a check fails, the API is automatically queued for repair and re-verified — that's the self-healing layer. Each API page shows when its endpoints were last verified. And because marketplace APIs are shared, any fix reaches everyone using it.
Is this an official API from the source site?+
No — Parse APIs are independent, managed REST wrappers over publicly available data. That is the point: where a site has no official API (or only a limited one), Parse gives you a maintained, monitored endpoint for that data and keeps it working as the site changes — so you get a stable contract over a source that never promised one.
Can I fix or extend this API myself if I need a new endpoint or field?+
Yes — and you don't have to wait on us. This API was generated by the Parse agent, which stays attached. Describe the change in plain English ("add an endpoint that returns reviews", "fix the price field") in the revise box on the API page or via the revise_api MCP tool, and the agent rebuilds it against the live site in minutes. Contributing the change back to the public API is free.
What happens if I call an endpoint that has an issue?+
Errors are machine-readable: a bad call returns a clean status with the list of available endpoints and a repair hint, so an agent (or you) can recover or trigger a fix instead of failing silently. Confirmed failures feed the automatic repair queue.
Common use cases
  • Automate IP reputation checks by querying get_indicator_details with type IPv4 to retrieve reputation scores and associated pulse counts for traffic observed in SIEM alerts.
  • Enrich SOAR playbooks with CVE context by calling get_indicator_details with type cve and a CVE ID to surface related threat pulses.
  • Build a threat feed ingestion pipeline using get_recent_alerts to poll for newly modified pulses and get_pulse_indicators to extract fresh IOCs.
  • Map adversary TTPs by fetching get_adversary_details for actor names and correlating the returned meta.capabilities and meta.victimology fields with internal incident data.
  • Search the OTX pulse library by malware family or campaign name using search_pulses with query to identify relevant pulses for a current investigation.
  • Enumerate all IOCs for a specific pulse using get_pulse_indicators with pagination to build a blocklist of active indicators filtered by is_active.
  • Profile a domain during incident response using get_indicator_details with type domain and sections passive_dns or malware to see historical resolution and associated malware data.
Pricing & limitsSee full pricing →
TierPriceCredits/monthRate limit
Free$0/mo1005 req/min
Hobby$30/mo1,00020 req/min
Developer$100/mo5,000100 req/min

One credit = one API call regardless of which marketplace API you call. Exceeding the rate limit returns a 429 response. Authenticate with the X-API-Key header.

Frequently asked questions
Does AlienVault OTX have an official developer API?+
Yes. AlienVault provides an official OTX DirectConnect API documented at https://otx.alienvault.com/api. The Parse API surfaces the same OTX data through a normalized interface that does not require managing OTX API keys directly.
What does `get_indicator_details` return, and does the `section` parameter matter?+
It always returns type, indicator, reputation, and pulse_info (count plus associated pulses). The section parameter filters which additional data block is included — for example, geo adds geographic data for IP indicators, passive_dns adds historical DNS resolution records, and malware adds associated malware samples. Some section/type combinations return no data if OTX has no records for that combination.
Does the API expose private OTX pulses or user-specific subscriptions?+
No. The API returns publicly visible OTX data. Private pulses created within an OTX account or subscription-gated content are not accessible. Coverage is limited to the public Open Threat Exchange dataset. You can fork this API on Parse and revise it to add authentication flows that expose account-specific pulse subscriptions if needed.
Is there an endpoint for querying pulse activity by a specific author or OTX user?+
Not currently. The search_pulses endpoint filters by keyword, tag, and sort order, and the browse_adversaries endpoint covers named threat actors — but neither supports filtering by OTX author username. You can fork this API on Parse and revise it to add an author-filtered pulse endpoint.
How fresh is the data returned by `get_recent_alerts`?+
Results reflect the most recently modified pulses in the OTX public dataset at the time of the request. The OTX community contributes and updates pulses continuously, so freshness depends on community activity. The response includes a modified timestamp per pulse so you can determine when each was last updated.
Page content last updated . Spec covers 7 endpoints from alienvault.com.
Related APIs in Developer ToolsSee all →
worldmonitor.app API
Monitor global events and geopolitical developments in real-time by accessing live conflict reports, military movements, cyber threats, economic indicators, maritime activity, and 15 other critical intelligence categories. Track everything from supply chain disruptions and infrastructure status to market quotes, weather patterns, and displacement data to stay ahead of worldwide geopolitical shifts.
dbugs.ptsecurity.com API
Search and explore detailed information about cybersecurity vulnerabilities, including trending threats and researcher profiles from PT Security's comprehensive vulnerability database. Track security researcher leaderboards and get in-depth parameters for specific vulnerabilities to stay informed about the latest threats.
alphavantage.co API
Track stock prices, forex rates, and cryptocurrency values with real-time and historical market data, while accessing company financials, earnings reports, and technical indicators. Search tickers, monitor economic indicators, analyze news sentiment, and get global quotes all in one place.
fa.omron.co.jp API
Access Omron Industrial Automation security advisories and CVE data. Search advisories by product or keyword, retrieve detailed advisory information by OMSR ID, or pull the latest security feed. Returns vulnerability identifiers, affected products, severity metadata, and remediation details.
airdrops.io API
Discover and track crypto airdrops in real-time by browsing latest opportunities, searching by category, and viewing detailed project information including participation requirements and token details. Monitor live cryptocurrency prices and stay updated on hot and potential airdrops all in one place.
annualreports.com API
Search for and access thousands of international company annual reports in PDF and HTML formats, while filtering by ticker, exchange, industry, sector, company size, and location. Browse company profiles and financial documents across different markets and industries to find the information you need.
agent.ai API
Search and discover AI agents in the Agent.ai marketplace by filtering through categories and tags, then view detailed agent information and builder profiles. Find the perfect AI solution for your needs by browsing available agents, exploring builder credentials, and comparing agent capabilities across different categories.
explodingtopics.com API
Discover rapidly growing trends, emerging startups, and top-performing websites by filtering through trending topics by category and volatility. Programmatically access detailed trend analysis, related topics, blog coverage, and curated highlights to stay ahead of market movements.