Cyber Threat Enrichment API

Prepare Your API Key
Before running the command, ensure you have your API key ready. This should be a string of characters you obtained when you created your API key in the previous step.
Make the first enrichment API for IP enrichment
Unlock the true potential of your IP addresses with our groundbreaking IP Enrichment API.
TLS Certificates
Malware
JARM
Protocols
Open Directories
Honeypots
Phishing

{
  "certificate_uuid": "2308568BF69FA6EDAD031AA7A732D59EDA9A6B2490C30CC9E665BD15B946DAFE",
  "subject_details": {
    "common_name": "Major Cobalt Strike",
    "country": null
  },
  "validity_period": {
    "not_before": "2024-03-11T08:16:35",
    "not_after": "2024-06-09T08:16:35"
  },
  "timestamps": {
    "first_seen": "2024-03-17T07:36:49",
    "last_seen": "2024-06-23T07:36:24"
  },
  "identifiers": {
    "serial_number": "971914974",
    "hash_sha256": "D3D5759DFB5CC168DBF64F79D5F7006025C0AAA9BBF390B54DC1F125A358EF03",
    "hash_sha1": "026F22DC7A8DB69B730EA4359A3569FE783E1768",
    "hash_md5": "0DA94C4DEC96C6E378DD6D02BE885B64",
    "ja4x_fingerprint": "2166164053c1_2166164053c1_30d204a01551"
  }
}
Frequently asked questions
What does the Cyber Threat Enrichment API return for an IP address?
The Cyber Threat Enrichment API returns structured enrichment data associated with an IP address. The response includes multiple data blocks when available, such as TLS certificates, malware observations, JARM fingerprints, protocol fingerprints, open directory sightings, honeypot observations, and phishing URLs.
Each block contains its own fields and timestamps, reflecting when the activity was first and last observed.
What certificate data is included in the enrichment response?
The certificate block includes observed TLS certificates associated with the IP address. Fields may include certificate hashes (SHA256, SHA1, MD5), JA4X values, subject and issuer metadata, validity periods, key properties, and timestamps indicating when the certificate was first and last seen.
Multiple certificates may be returned in a single enrichment response.
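A triage check over one certificate record of the shape shown in the sample response on this page, as an added example that is not code from the API provider: it compares the observation timestamps with the validity period and normalizes the hashes for IOC matching. The function names and flag labels are assumptions made for this example; the field names and the record come from the page's sample.

```python
from datetime import datetime

# Certificate record copied from the sample response on this page (compacted).
SAMPLE = {
    "certificate_uuid": "2308568BF69FA6EDAD031AA7A732D59EDA9A6B2490C30CC9E665BD15B946DAFE",
    "subject_details": {"common_name": "Major Cobalt Strike", "country": None},
    "validity_period": {"not_before": "2024-03-11T08:16:35",
                        "not_after": "2024-06-09T08:16:35"},
    "timestamps": {"first_seen": "2024-03-17T07:36:49",
                   "last_seen": "2024-06-23T07:36:24"},
    "identifiers": {
        "serial_number": "971914974",
        "hash_sha256": "D3D5759DFB5CC168DBF64F79D5F7006025C0AAA9BBF390B54DC1F125A358EF03",
        "hash_sha1": "026F22DC7A8DB69B730EA4359A3569FE783E1768",
        "hash_md5": "0DA94C4DEC96C6E378DD6D02BE885B64",
        "ja4x_fingerprint": "2166164053c1_2166164053c1_30d204a01551",
    },
}


def _ts(block, key):
    """Parse an ISO-8601 timestamp; a missing or null field yields None."""
    value = (block or {}).get(key)
    return datetime.fromisoformat(value) if value else None


def triage_certificate(cert):
    """Return (flags, pivots) for one record; flag names are hypothetical labels."""
    validity = cert.get("validity_period")
    seen = cert.get("timestamps")
    not_before, not_after = _ts(validity, "not_before"), _ts(validity, "not_after")
    first_seen, last_seen = _ts(seen, "first_seen"), _ts(seen, "last_seen")
    flags = []
    if not_after and last_seen and last_seen > not_after:
        flags.append("served_after_expiry")      # still observed after not_after
    if not_before and first_seen and first_seen < not_before:
        flags.append("seen_before_valid")        # sighting predates not_before
    if not (cert.get("subject_details") or {}).get("country"):
        flags.append("subject_country_missing")  # subject has no country value
    # Lowercase hex hashes so they compare equal to IOC lists in either case.
    ids = cert.get("identifiers") or {}
    pivots = {k: v.lower() for k, v in ids.items() if k.startswith("hash_") and v}
    if ids.get("ja4x_fingerprint"):
        pivots["ja4x_fingerprint"] = ids["ja4x_fingerprint"]
    return flags, pivots
```

On the sample record the check reports that the certificate was last seen after its `not_after` date, which the raw JSON only shows if the two timestamp blocks are compared by hand.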
What information is provided in the malware enrichment block?
The malware block includes detected malware or tooling associated with the IP address. Each entry contains the malware name, port, malware subsystem, confidence score, and timestamps indicating first and last observation.
Malware subsystems may include categories such as C2, Management, Team Server, Red Team Tools, and others as defined in the dataset.
What fingerprinting data is included (JARM and protocol)?
The enrichment response may include JARM fingerprints observed on specific IP and port combinations, along with timestamps for first and last observation.
Protocol data includes observed ports and associated protocol fingerprints, along with a list of all fingerprints detected for that service and their observation timestamps.
What infrastructure exposure data is included?
The API may return open directory observations associated with an IP address, including the hostname or URL and observation timestamps.
Honeypot-related data may also be included, such as observed ports, tags describing the activity, and timestamps for when the activity was detected.
How is the Cyber Threat Enrichment API accessed and what formats are supported?
The Cyber Threat Enrichment API is accessed via API requests using an API token.
Responses are returned in JSON format, with GZ-compressed JSON available for efficient retrieval of larger responses.
Hunt adversary infrastructure in real time. Surface C2 servers, enrich IOCs,
and map attacker activity at scale with our unified threat hunting platform.

©2026 Hunt Intelligence, Inc.