Developer Portal

For developers

Integrate ThreatNoir IOCs into your security workflow

Use the ThreatNoir MCP server for AI tools, or call the IOC REST API directly.

Generate API key → Explore IOCs →

Getting started

1. Create an account and sign in.
2. Go to Settings → API Keys.
3. Generate a new API key.
4. Install the MCP server (recommended) or use the REST API.

Installation

Use npx or add to your MCP config.

Terminal

# Using npx (recommended)
npx threatnoir-mcp-iocs

# Or add to your .mcp.json

.mcp.json

{
  "mcpServers": {
    "threatnoir-iocs": {
      "command": "npx",
      "args": ["threatnoir-mcp-iocs"],
      "env": { "THREATNOIR_API_KEY": "your-key-here" }
    }
  }
}

Set THREATNOIR_API_KEY to your generated key.

Available tools

search_iocs

Search IOCs by keyword.

Params

query: string
type?: string
limit?: number

list_iocs

List recent IOCs.

Params

type?: string
limit?: number

lookup_ioc

Exact match lookup.

Params

value: string

IOC types

Use these values for type filters.

Type	Example
ip	8.8.8.8
domain	example.com
hash_md5	d41d8cd98f00b204e9800998ecf8427e
hash_sha1	da39a3ee5e6b4b0d3255bfef95601890afd80709
hash_sha256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
url	https://example.com/path
cve	CVE-2024-12345
mitre_attack	T1059
email	analyst@example.com
malware	Emotet

Rate limits

100 requests per minute per API key.
30 requests per minute for unauthenticated access (list only).

REST API

Use Authorization: Bearer tn_live_your_key for authenticated endpoints.

API specification

OpenAPI 3.1 spec
AI plugin manifest
Claude Code skill(copy to ~/.claude/skills/threatnoir/)

Examples

GET https://threatnoir.com/api/v1/iocs?type=cve&limit=10
GET https://threatnoir.com/api/v1/iocs?q=192.168&type=ip

Authorization: Bearer tn_live_your_key

Code examples

Copy‑paste examples for all endpoints. Full schema available in the OpenAPI spec.

Tier	Search	List	Limit
Free (no key)	10/hour, 10 results	30/min, 50 results	—
API Key	100/min, 50 results	100/min, 50 results	5 keys max

Endpoint

IOC Search (free tier, no auth)

import requests
r = requests.get("https://threatnoir.com/api/v1/iocs", params={"q": "log4j", "type": "cve"})
for ioc in r.json()["items"]:
    print(f'{ioc["type"]}: {ioc["value"]} — {ioc["article"]["title"]}')

Endpoint

IOC Search (with API key, higher limits)

Add an Authorization header to use your API key.

headers = {"Authorization": "Bearer tn_live_your_key_here"}
r = requests.get("https://threatnoir.com/api/v1/iocs", params={"q": "192.168"}, headers=headers)

Endpoint

Articles

r = requests.get("https://threatnoir.com/api/v1/articles", params={"q": "ransomware", "limit": 5})

Endpoint

Weekly Roundups

r = requests.get("https://threatnoir.com/api/v1/weekly", params={"limit": 3})

Endpoint

Focus Items

r = requests.get("https://threatnoir.com/api/v1/focus", params={"severity": "critical"})

Endpoint

Awareness Lessons

r = requests.get("https://threatnoir.com/api/v1/awareness", params={"q": "phishing"})

Endpoint

Submit Article (auth required)

Requires a valid API key in the Authorization header.

headers = {"Authorization": "Bearer tn_live_your_key_here"}
r = requests.post("https://threatnoir.com/api/v1/submit",
    headers=headers,
    json={"url": "https://example.com/security-article", "source_name": "My Feed"})