ThreatPulse API

Ingest threats from any SIEM, EDR, or IDS. Every alert flows through AI-powered triage, MITRE ATT&CK mapping, and automatic incident escalation.

Base URL

Quick Start

Get a threat into the pipeline in under 30 seconds. No API key required.

1. Send a Threat: POST a JSON payload to /api/threats with at minimum a title field.
2. Watch it Appear: Open the dashboard and see it in the live feed within seconds.
3. Run AI Triage: Click "Run AI Triage" or POST to /api/threats/:id/triage for analysis.
4. Track Incidents: Critical threats auto-escalate to incidents with response plans.
Quick test
curl -X POST "/api/threats" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Test: Suspicious outbound connection",
    "threat_type": "c2_beacon",
    "severity": "high",
    "source": "network_ids",
    "source_ip": "10.0.3.99",
    "destination_ip": "203.0.113.50",
    "affected_asset": "WS-TEST-01"
  }'

Authentication

The ThreatPulse API is currently open with no authentication required. This makes it easy to integrate with any SIEM, EDR, or custom tooling without managing API keys.

For production deployments, we recommend placing ThreatPulse behind a reverse proxy or VPN to control access at the network level.


Ingest a Threat

POST /api/threats

Submit a new threat event for triage. This is the primary ingestion endpoint for SIEM/EDR/IDS integrations.

Request Body (JSON)

Field            Type               Description
title            string (required)  Human-readable alert title
severity         string (optional)  critical, high, medium (default), low, or info
threat_type      string (optional)  Category: malware, ransomware, c2_beacon, phishing, brute_force, data_exfiltration, port_scan, dos, unauthorized_access, vulnerability, anomalous_traffic, policy_violation, or unknown (default)
source           string (optional)  Where the alert came from: siem, edr, network_ids, waf, cloud_monitor, email_gateway, dlp, or api (default)
description      string (optional)  Detailed description of the threat event
source_ip        string (optional)  Originating IP address
destination_ip   string (optional)  Target IP address
affected_asset   string (optional)  Hostname, service name, or asset identifier
raw_data         object (optional)  Any additional structured data (stored as JSONB)

Response

201 Created
{
  "success": true,
  "threat": {
    "id": 42,
    "title": "Cobalt Strike C2 beacon detected",
    "severity": "critical",
    "threat_type": "c2_beacon",
    "source": "network_ids",
    "status": "open",
    "source_ip": "10.0.3.47",
    "destination_ip": "185.220.101.34",
    "affected_asset": "WS-0347",
    "created_at": "2026-04-09T20:51:07.000Z"
  }
}

Status Codes

201 Threat created successfully
400 title field is missing
500 Internal server error

List Threats

GET /api/threats

Retrieve threats with optional filters. Returns newest first.

Query Parameters

Parameter    Type    Description
severity     string  Filter by severity level
status       string  Filter by status (open, investigating, etc.)
threat_type  string  Filter by threat type
search       string  Search in title and description (case-insensitive)
limit        number  Max results (default: 50)
offset       number  Pagination offset (default: 0)

Get Single Threat

GET /api/threats/:id

Retrieve full details for a specific threat, including AI triage results if available.

Update Threat

PATCH /api/threats/:id

Update a threat's status or severity.

Request Body

Field     Type    Description
status    string  New status (e.g. investigating, resolved)
severity  string  Updated severity level

Run AI Triage

POST /api/threats/:id/triage

Trigger AI-powered triage analysis on a specific threat. Returns MITRE ATT&CK mapping, IOC extraction, confidence scoring, and prioritized response actions. Automatically escalates critical threats to incidents.

Response (triage object)

200 OK
{
  "success": true,
  "threat": { /* updated threat object */ },
  "triage": {
    "recommended_severity": "critical",
    "category": "Command And Control",
    "confidence": 0.92,
    "summary": "High-confidence C2 beacon activity...",
    "ioc_indicators": ["10.0.3.47", "185.220.101.34"],
    "mitre_tactics": ["TA0011 - Command and Control"],
    "response_actions": [
      { "priority": 1, "action": "Isolate host", "type": "containment" }
    ],
    "escalation_needed": true,
    "escalation_reason": "Critical severity threat"
  }
}
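The Quick Start steps and the triage response above, chained end to end as an added example (not ThreatPulse's own client code): it POSTs a threat, runs triage on the returned id, and reduces the triage object to the fields an analyst acts on. BASE_URL is a placeholder, the call helper is assumed, and SAMPLE_TRIAGE is constructed from the response shown above.

```python
# Added example: chain the Quick Start steps and read the triage object.
import json
import urllib.request

BASE_URL = "https://threatpulse.example"  # placeholder: your instance's base URL

def call(method, path, body=None):
    """One JSON request; urlopen raises HTTPError on 4xx/5xx, so only 2xx reaches here."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, json.load(resp)

def summarize_triage(triage):
    """Reduce a triage object to what an analyst acts on. Tactic IDs are
    split off the 'TA0011 - Command and Control' strings the API returns."""
    tactic_ids = [t.split(" - ", 1)[0] for t in triage.get("mitre_tactics", [])]
    containment = sorted(
        (a for a in triage.get("response_actions", []) if a.get("type") == "containment"),
        key=lambda a: a.get("priority", 99))
    return {
        "severity": triage.get("recommended_severity"),
        "confidence": float(triage.get("confidence", 0.0)),
        "tactic_ids": tactic_ids,
        "iocs": list(triage.get("ioc_indicators", [])),
        "first_containment": containment[0]["action"] if containment else None,
        "escalate": bool(triage.get("escalation_needed")),
    }

def ingest_and_triage(payload):
    """POST /api/threats, then POST /api/threats/:id/triage on the new id."""
    status, created = call("POST", "/api/threats", payload)
    if status != 201 or not created.get("success"):
        raise RuntimeError(f"ingest returned {status}: {created}")
    threat_id = created["threat"]["id"]
    status, result = call("POST", f"/api/threats/{threat_id}/triage")
    if status != 200 or not result.get("success"):
        raise RuntimeError(f"triage returned {status}: {result}")
    return threat_id, summarize_triage(result["triage"])

# Constructed triage object mirroring the response shown above, so the
# summariser can be exercised without a running instance.
SAMPLE_TRIAGE = {
    "recommended_severity": "critical", "confidence": 0.92,
    "ioc_indicators": ["10.0.3.47", "185.220.101.34"],
    "mitre_tactics": ["TA0011 - Command and Control"],
    "response_actions": [{"priority": 1, "action": "Isolate host", "type": "containment"}],
    "escalation_needed": True, "escalation_reason": "Critical severity threat",
}
```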

Dashboard Stats

GET /api/threats/stats

Returns aggregate statistics: total threats, breakdowns by severity, status, type, and a 24-hour timeline. Powers the dashboard stat cards.

List Incidents

GET /api/incidents

Retrieve all incidents. Incidents are auto-created when AI triage identifies critical threats requiring escalation. Each incident includes a response plan and timeline.

Query Parameters

Parameter  Type    Description
status     string  Filter: investigating, contained, resolved
severity   string  Filter by severity level
limit      number  Max results (default: 25)
offset     number  Pagination offset (default: 0)

curl Examples

Copy-paste ready commands for common threat types. Replace the base URL if running locally.

Malware Detection

Malware alert
curl -X POST "/api/threats" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Emotet trojan detected on endpoint HR-PC-12",
    "threat_type": "malware",
    "severity": "critical",
    "source": "edr",
    "description": "Known Emotet hash matched in memory scan. Process: rundll32.exe loading suspicious DLL.",
    "source_ip": "10.0.5.12",
    "affected_asset": "HR-PC-12",
    "raw_data": {"hash": "a1b2c3d4e5f6", "process": "rundll32.exe"}
  }'

Phishing Campaign

Phishing alert
curl -X POST "/api/threats" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Credential harvesting page linked in employee emails",
    "threat_type": "phishing",
    "severity": "high",
    "source": "email_gateway",
    "description": "Fake Microsoft 365 login page sent to 23 employees. 5 clicked the link. Credential harvesting form on mimicked domain m1crosoft-login.com.",
    "source_ip": "198.51.100.44",
    "affected_asset": "Exchange Online"
  }'

C2 Beacon

C2 beacon alert
curl -X POST "/api/threats" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Periodic HTTPS beaconing to known C2 infrastructure",
    "threat_type": "c2_beacon",
    "severity": "critical",
    "source": "network_ids",
    "description": "Host sending HTTPS POST every 60s to 185.220.101.34:443. Traffic pattern matches Cobalt Strike malleable C2 profile.",
    "source_ip": "10.0.3.47",
    "destination_ip": "185.220.101.34",
    "affected_asset": "WS-0347"
  }'

Ransomware

Ransomware alert
curl -X POST "/api/threats" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Mass file encryption detected - LockBit 3.0 indicators",
    "threat_type": "ransomware",
    "severity": "critical",
    "source": "edr",
    "description": "3,200 files encrypted in 120 seconds across shared drives. Extension: .lockbit3. Ransom note dropped in every directory.",
    "source_ip": "10.0.1.15",
    "affected_asset": "FILE-SRV-02"
  }'

Data Exfiltration

Exfil alert
curl -X POST "/api/threats" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Large data transfer to external IP from database server",
    "threat_type": "data_exfiltration",
    "severity": "critical",
    "source": "cloud_monitor",
    "description": "200GB outbound transfer detected from DB-PROD-01 to unknown external IP. Data includes customer PII tables.",
    "source_ip": "10.0.2.50",
    "destination_ip": "45.33.32.156",
    "affected_asset": "DB-PROD-01"
  }'

Brute Force Attack

Brute force alert
curl -X POST "/api/threats" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Distributed SSH brute force against bastion host",
    "threat_type": "brute_force",
    "severity": "high",
    "source": "siem",
    "description": "20,000 failed SSH attempts in 15 minutes from 50 unique IPs. Password spray pattern detected targeting admin accounts.",
    "source_ip": "203.0.113.42",
    "destination_ip": "10.0.0.5",
    "affected_asset": "bastion-01"
  }'

DDoS Attack

DDoS alert
curl -X POST "/api/threats" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Volumetric DDoS flooding public API endpoints",
    "threat_type": "dos",
    "severity": "high",
    "source": "network_ids",
    "description": "60 Gbps UDP flood targeting port 443 on public load balancer. Origin: botnet spanning 12,000+ IPs across 30 countries.",
    "destination_ip": "203.0.113.10",
    "affected_asset": "Public LB"
  }'

Trigger AI Triage

Run triage on threat #1
curl -X POST "/api/threats/1/triage"

Integration Guide

ThreatPulse is designed as a universal threat intake. Here's how to connect common security tools:

Splunk

Use a Splunk webhook alert action pointing to POST /api/threats. Map Splunk fields to the JSON schema above in your alert configuration.

Elastic SIEM

Configure a webhook connector in Kibana Alerting. Set the URL to your ThreatPulse instance's /api/threats endpoint and map rule fields to the payload schema.

CrowdStrike / SentinelOne

Use the EDR's webhook or SOAR integration to forward detections. Set source to "edr" and map detection severity to our severity levels.
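Client-side validation of the Request Body schema, plus the vendor-severity mapping the EDR paragraph asks for, as an added example rather than project code. The allowed values come from the Request Body table above; VENDOR_SEVERITY is a constructed label scale, not CrowdStrike's or SentinelOne's actual enumeration.

```python
# Added example: build ThreatPulse payloads that pass the Request Body schema.
import ipaddress

# Allowed values from the Request Body table and the defaults the API
# applies when a field is omitted.
SEVERITIES = ("critical", "high", "medium", "low", "info")
THREAT_TYPES = ("malware", "ransomware", "c2_beacon", "phishing", "brute_force",
                "data_exfiltration", "port_scan", "dos", "unauthorized_access",
                "vulnerability", "anomalous_traffic", "policy_violation", "unknown")
SOURCES = ("siem", "edr", "network_ids", "waf", "cloud_monitor",
           "email_gateway", "dlp", "api")
DEFAULTS = {"severity": "medium", "threat_type": "unknown", "source": "api"}

# Constructed vendor label scale (assumption, not a real EDR enum) mapped
# onto ThreatPulse severities.
VENDOR_SEVERITY = {"informational": "info", "low": "low", "medium": "medium",
                   "high": "high", "critical": "critical"}

def map_edr_severity(vendor_label):
    """Translate a vendor severity label; unknown labels fall back to
    'medium' so a mis-mapped detection is never quietly downgraded."""
    return VENDOR_SEVERITY.get(str(vendor_label).strip().lower(), "medium")

def build_threat(title, **fields):
    """Return a payload /api/threats will accept, or raise ValueError.
    Rejecting bad input here keeps 400s out of the webhook path."""
    if not title or not str(title).strip():
        raise ValueError("title is required")
    payload = {"title": str(title).strip()}
    for key, allowed in (("severity", SEVERITIES),
                         ("threat_type", THREAT_TYPES), ("source", SOURCES)):
        value = fields.pop(key, DEFAULTS[key])
        if value not in allowed:
            raise ValueError(f"{key}={value!r} not one of {allowed}")
        payload[key] = value
    for key in ("source_ip", "destination_ip"):
        if key in fields:  # ipaddress raises ValueError on malformed input
            payload[key] = str(ipaddress.ip_address(fields.pop(key)))
    for key in ("description", "affected_asset"):
        if key in fields:
            payload[key] = str(fields.pop(key))
    if "raw_data" in fields:
        raw = fields.pop("raw_data")
        if not isinstance(raw, dict):
            raise ValueError("raw_data must be a JSON object")
        payload["raw_data"] = raw
    if fields:
        raise ValueError(f"unknown fields: {sorted(fields)}")
    return payload
```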

Custom Scripts

Node.js example
// Node.js - send a threat to ThreatPulse
// Top-level await needs an ES module; global fetch is built into Node 18+.
// Prefix the path with your ThreatPulse base URL.
const res = await fetch('/api/threats', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    title: 'Suspicious process spawned from Word macro',
    threat_type: 'malware',
    severity: 'high',
    source: 'edr',
    affected_asset: 'EXEC-PC-03'
  })
});
// A 400 (missing title) or 500 carries no threat object, so check before reading it
if (!res.ok) throw new Error(`ThreatPulse returned HTTP ${res.status}`);
const data = await res.json();
console.log(data.threat.id); // => 42
Python example
# Python - send a threat to ThreatPulse
# Prefix the path with your ThreatPulse base URL.
import requests

res = requests.post('/api/threats', json={
    'title': 'Unauthorized access to admin panel',
    'threat_type': 'unauthorized_access',
    'severity': 'high',
    'source': 'waf',
    'source_ip': '91.108.56.12',
    'affected_asset': 'admin-panel'
})
res.raise_for_status()  # a 400 (missing title) or 500 surfaces here, not as a KeyError below
print(res.json()['threat']['id'])  # => 42