Know Every Attacker Before They Reach You
A single API call aggregates crowd-sourced Crime Score, STIX 2.1 indicators, MITRE ATT&CK techniques, geolocation and cross-sector reporting from 180+ alliance members — ready for automated enforcement in under 200ms.
```
Authorization: Bearer <token>
# Returns: score · stix · mitre · geo · sectors
```
Why Consolidated CTI Matters
Threat actors share infrastructure, TTPs and 0-day information across criminal networks. Defenders are still querying five different feeds, running manual enrichment, and writing their own STIX parsers. That gap costs hours. Attacks take minutes.
The old way — fragmented
- 4–6 separate API calls to different feeds to enrich one IP
- Manual STIX transformation before SIEM ingestion
- No MITRE ATT&CK context — you see the IP, not the behaviour
- No sector context — is this IP targeting finance, cloud, or governments?
- Stale data — feeds updated hours or days behind real attacks
OneFirewall CTI API — unified
- One call returns score, STIX objects, MITRE IDs, geo, sectors and agent context
- STIX 2.1 objects ready for direct SIEM and TIP ingestion — no transformation
- MITRE ATT&CK mapping tells you how the actor operates, not just that it is malicious
- Sector telemetry reveals who else in your industry is being targeted right now
- Crowd-sourced from 180+ members — updated as attacks happen, not hours later
The Crime Score
A numerical reputation metric from 0 to 1000 assigned to every IPv4 address. Calculated continuously from reports contributed by Alliance members worldwide — not from static blacklists or single-vendor honeypots.
How it's calculated
- Member reports: each Alliance member submitting a malicious observation increases the score proportionally
- Report volume: the `reports` field shows the total raw report count — 2,735 reports on a single IP is a strong signal
- Recency decay: scores decrease over time if the IP goes quiet — preventing stale data from blocking legitimate hosts
- Threshold-based enforcement: WCF Agents block only IPs above a configurable score threshold (default 150–190)
```jsonc
{
  "crime_score": 581, // 0–1000 risk rating
  "reports": 2735,    // total observations
  "members": 26,      // contributing orgs
  "events": 61        // raw event count
}
```
MITRE ATT&CK Coverage
The mitre_id and intel fields map observed attacker behaviour to the
MITRE ATT&CK framework. This tells your team what the adversary is doing,
not just that the IP is malicious — enabling faster detections, better playbooks and smarter hunting hypotheses.
Active Scanning
Adversaries directly probe victim infrastructure to gather information before launching an attack.
Scanning IP Blocks
Systematic sweeping of IP ranges to identify live hosts, open services, and network topology.
Vulnerability Scanning
Probing for known CVEs, misconfigured services and exposed management interfaces at scale.
Gather Victim Network Info
Collecting network topology, IP ranges, domain names and infrastructure details to plan the attack.
Search Open Technical Databases
Leveraging Shodan, Censys, WHOIS and certificate transparency logs to enumerate exposed assets.
Phishing
Delivery of malicious payloads or credential-harvesting links via email, SMS or other communication channels.
Valid Accounts
Using legitimately obtained or compromised credentials to authenticate and bypass perimeter controls.
Exploit Public-Facing Application
Exploiting weaknesses in internet-facing web servers, APIs, VPNs or load balancers to gain an initial foothold.
External Remote Services
Abusing VPN, RDP, Citrix or SSH services exposed to the internet to establish unauthorised remote access.
Brute Force
Systematic trial of passwords or keys against authentication mechanisms to gain account access.
Password Guessing
Attempting likely passwords (e.g., default credentials, common patterns) without a pre-compiled list.
Password Spraying
Testing one common password across many accounts to avoid lockout thresholds while maximising coverage.
Credential Stuffing
Replaying breached credential pairs at scale, exploiting password reuse across services.
Network Service Scanning
Enumerating open ports and running services across a network to identify targets for exploitation.
System Network Connections Discovery
Listing active network connections and listening ports on a compromised host to map the internal environment.
Application Layer Protocol
Using standard protocols (HTTP/S, DNS, SMTP) to blend C2 traffic with legitimate network activity.
Non-Application Layer Protocol
Encapsulating C2 communication in ICMP, UDP or other non-HTTP protocols to evade proxy inspection.
Non-Standard Port
Running C2 channels over uncommon ports (e.g., 4444, 8080, 31337) to bypass port-based firewall rules.
Protocol Tunneling
Encapsulating malicious traffic inside legitimate protocols (DNS-over-HTTPS, ICMP tunneling) to bypass DPI.
Network Denial of Service
Flooding network infrastructure with traffic to exhaust bandwidth or processing capacity, causing service outages.
Endpoint Denial of Service
Targeting specific hosts or applications with resource-exhaustion attacks to render them unavailable.
Kill Chain Phases in API Response
Reconnaissance · Initial Access · Credential Access · Discovery · Command & Control · Impact
STIX 2.1 Objects
The API returns a complete set of STIX 2.1 domain objects and SCOs (Cyber Observables), ready for direct ingestion into any SIEM, TIP or TAXII 2.1 consumer without transformation.
```json
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--uuid...",
  "confidence": 85,
  "indicator_types": ["malicious-activity"],
  "pattern_type": "stix",
  "pattern": "[ipv4-addr:value = '101.36.x.x']",
  "valid_from": "2026-02-18T00:00:00Z",
  "kill_chain_phases": [{
    "kill_chain_name": "mitre-attack",
    "phase_name": "reconnaissance"
  }]
}
```

```json
{
  "type": "observed-data",
  "spec_version": "2.1",
  "id": "observed-data--uuid...",
  "number_observed": 61,
  "first_observed": "2025-11-03T08:12:00Z",
  "last_observed": "2026-02-18T14:55:00Z",
  "object_refs": [
    "ipv4-addr--uuid...",
    "autonomous-system--uuid..."
  ]
}
```

```json
{
  "type": "attack-pattern",
  "spec_version": "2.1",
  "id": "attack-pattern--uuid...",
  "name": "Network Service Scanning",
  "description": "Adversaries scan victim...",
  "external_references": [{
    "source_name": "mitre-attack",
    "external_id": "T1046",
    "url": "https://attack.mitre.org/T1046"
  }],
  "kill_chain_phases": [{
    "kill_chain_name": "mitre-attack",
    "phase_name": "discovery"
  }]
}
```

```json
{
  "type": "threat-actor",
  "spec_version": "2.1",
  "id": "threat-actor--uuid...",
  "name": "OFA-CLUSTER-0219",
  "threat_actor_types": ["criminal"],
  "sophistication": "intermediate",
  "resource_level": "organization",
  "primary_motivation": "financial-gain",
  "aliases": ["AS135377-cluster"],
  "first_seen": "2025-11-03T08:12:00Z"
}
```

```json
{
  "type": "relationship",
  "spec_version": "2.1",
  "id": "relationship--uuid...",
  "relationship_type": "uses",
  "source_ref": "threat-actor--uuid...",
  "target_ref": "attack-pattern--uuid...",
  "description": "Actor observed using Network Service Scanning (T1046) across 10+ Alliance members"
}
```
Object types returned
indicator
Pattern-based assertions that an IP is associated with malicious activity. Includes confidence level, kill-chain phase, and validity window.
observed-data
Factual records of what was observed: number of events, first/last seen timestamps, and references to observable objects (IPv4 addr, ASN).
attack-pattern
MITRE ATT&CK-aligned behaviour descriptions with external_references linking to the official ATT&CK technique pages.
threat-actor
Cluster-level threat actor objects grouping IPs that share infrastructure, TTPs, and observed behaviour patterns across members.
relationship
Semantic links connecting threat actors to attack patterns (uses), indicators to observed-data (based-on), enabling graph-based analysis.
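The consumer side of the objects above, as an added example that is not OneFirewall's code: it validates the STIX 2.1 common properties every object must carry, pulls the IPv4 value out of an indicator pattern, resolves `uses` relationships from threat actors to ATT&CK technique IDs via `external_references`, and flattens the result into one record a SIEM case could hold. The sample objects, their UUIDs and the documentation-range IP are constructed to match the shapes shown on this page; the object-reference handling (skipping dangling refs instead of guessing) is my choice, not documented API behaviour.

```python
import re

# Constructed sample shaped like the STIX 2.1 objects shown on this page. The
# UUIDs and the IP (a documentation-range address) are placeholders, not real
# OneFirewall identifiers or observed infrastructure.
ACTOR_ID = "threat-actor--0f0f0f0f-0f0f-4f0f-8f0f-0f0f0f0f0f0f"
AP_ID = "attack-pattern--1a1a1a1a-1a1a-4a1a-8a1a-1a1a1a1a1a1a"
IND_ID = "indicator--2b2b2b2b-2b2b-4b2b-8b2b-2b2b2b2b2b2b"
OBS_ID = "observed-data--3c3c3c3c-3c3c-4c3c-8c3c-3c3c3c3c3c3c"
REL_ID = "relationship--4d4d4d4d-4d4d-4d4d-8d4d-4d4d4d4d4d4d"

SAMPLE_STIX = [
    {"type": "indicator", "spec_version": "2.1", "id": IND_ID, "confidence": 85,
     "indicator_types": ["malicious-activity"], "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.10']",
     "valid_from": "2026-02-18T00:00:00Z",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}]},
    {"type": "observed-data", "spec_version": "2.1", "id": OBS_ID, "number_observed": 61,
     "first_observed": "2025-11-03T08:12:00Z", "last_observed": "2026-02-18T14:55:00Z",
     "object_refs": ["ipv4-addr--5e5e5e5e-5e5e-4e5e-8e5e-5e5e5e5e5e5e"]},
    {"type": "attack-pattern", "spec_version": "2.1", "id": AP_ID,
     "name": "Network Service Scanning",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1046",
                              "url": "https://attack.mitre.org/T1046"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "discovery"}]},
    {"type": "threat-actor", "spec_version": "2.1", "id": ACTOR_ID,
     "name": "OFA-CLUSTER-0219", "threat_actor_types": ["criminal"]},
    {"type": "relationship", "spec_version": "2.1", "id": REL_ID,
     "relationship_type": "uses", "source_ref": ACTOR_ID, "target_ref": AP_ID},
]

# Only the single-address pattern shape shown on the page is handled.
IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")


def validate_objects(objects):
    """Return a list of problems; empty means every object passed.

    Checks the STIX 2.1 common properties a consumer relies on: a type,
    spec_version 2.1, and an id whose prefix matches the type.
    """
    problems = []
    for obj in objects:
        obj_type, obj_id = obj.get("type"), obj.get("id", "")
        if not obj_type:
            problems.append(f"{obj_id or '<no id>'}: missing type")
            continue
        if obj.get("spec_version") != "2.1":
            problems.append(f"{obj_id}: spec_version is not 2.1")
        if not obj_id.startswith(obj_type + "--"):
            problems.append(f"{obj_id}: id prefix does not match type {obj_type}")
    return problems


def indicator_ips(objects):
    """Map each indicator's IPv4 value to its confidence and kill-chain phases."""
    result = {}
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = IPV4_PATTERN.fullmatch(obj.get("pattern", ""))
        if not match:
            continue
        phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])]
        result[match.group(1)] = {"confidence": obj.get("confidence"), "phases": phases}
    return result


def technique_ids(objects):
    """Map attack-pattern ids to (ATT&CK technique id, name) via external_references."""
    techniques = {}
    for obj in objects:
        if obj.get("type") != "attack-pattern":
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
                techniques[obj["id"]] = (ref["external_id"], obj.get("name", ""))
    return techniques


def actor_techniques(objects):
    """Follow 'uses' relationships from threat actors to sorted technique ids."""
    by_id = {obj["id"]: obj for obj in objects if "id" in obj}
    techniques = technique_ids(objects)
    result = {}
    for obj in objects:
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "uses":
            continue
        actor = by_id.get(obj.get("source_ref"))
        technique = techniques.get(obj.get("target_ref"))
        if actor is None or actor.get("type") != "threat-actor" or technique is None:
            continue  # dangling reference: skip rather than guess
        result.setdefault(actor["name"], set()).add(technique[0])
    return {name: sorted(ids) for name, ids in result.items()}


def siem_record(objects):
    """Flatten the bundle into the single record a SIEM case would carry."""
    observed = [o for o in objects if o.get("type") == "observed-data"]
    return {
        "ips": sorted(indicator_ips(objects)),
        "actors": actor_techniques(objects),
        "events": sum(o.get("number_observed", 0) for o in observed),
        "first_seen": min((o["first_observed"] for o in observed), default=None),
        "last_seen": max((o["last_observed"] for o in observed), default=None),
    }


if __name__ == "__main__":
    print(validate_objects(SAMPLE_STIX))
    print(siem_record(SAMPLE_STIX))
```

Run `validate_objects` before anything else: an object with a wrong `spec_version` or an id that does not match its type is rejected up front, so a malformed feed never reaches the relationship-resolution step and silently drops a technique.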
Full Response Schema
Every field returned in a single 200 OK. No pagination. No additional calls.
| Field | Type | Description |
|---|---|---|
| type | string | Input classification — ip, domain, url, or sha. |
| request | string | The original IPv4 address submitted by the caller. |
| timestamp | number | Unix epoch (seconds) when the data was generated server-side. |
| timestamp_readable | string | ISO 8601 timestamp of data generation. |
| request_id | string | Unique UUID per request — use for log correlation and support tickets. |
| body | object | Core feed data: crime_score (0–1000), total reports, contributing members, and raw events. |
| ip_info | object | Geolocation and ASN: country code, continent, ASN number, and organisation name. |
| history | array | Time-series Crime Score entries — enables trend analysis and score-decay monitoring over time. |
| sectors | array | Industry verticals (Finance, Cloud, Government…) that reported malicious activity from this IP. |
| countries | array | ISO 3166-1 alpha-2 country codes of Alliance members that observed attacks from this IP. |
| reports | array | Structured report categories: phishing, DDoS, malware C2, brute force, scanning, etc. |
| members | array | Names of Alliance members who contributed intelligence on this indicator. |
| mitre_id | array | MITRE ATT&CK technique IDs (e.g., T1046, T1595.002) observed for this actor. |
| stix | array | STIX 2.1 objects: indicator, observed-data, threat-actor, relationship and SCOs. |
| intel | array | MITRE ATT&CK attack-pattern intelligence objects with technique descriptions and kill-chain phases. |
| agents | array | WCF Agent deployment context: plugin, version, blacklist size, score threshold, and sync latency. |
Cross-Sector Intelligence
The sectors field reveals which industry verticals across the Alliance
have reported this IP as malicious — letting you immediately understand whether
you're a primary target or collateral in a wider campaign.
Countries reporting this actor
Built for Every Role
The consolidated response structure is designed to serve the entire security team — from real-time triage to boardroom reporting.
SOC Analyst
- Triage any alert IP in one lookup — no tool-switching
- MITRE ATT&CK context accelerates alert categorisation
- Historical score graph shows if an IP is escalating
- STIX objects flow directly into SIEM cases
Security Engineer
- Ingest STIX 2.1 objects into your TIP via TAXII 2.1
- Use `agents[]` to audit WCF Agent deployments at scale
- Build score-threshold automation: block >250, alert 100–250
- Feed `mitre_id[]` directly into detection rule tagging
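The Crime Score thresholds, the response schema table and the score-threshold automation in the list above, worked into one added example that is not OneFirewall's code: it builds the Bearer-authenticated request, checks that a response carries every top-level field from the schema table with the expected type and a 0–1000 `crime_score`, turns the score into a block / alert / allow decision tagged with `mitre_id` and sector context, and audits `agents[]` against the default threshold band and the sub-200ms sync target. The endpoint URL, the query layout and the per-agent key names (`score_threshold`, `sync_latency_ms` and so on) are assumptions, since the page does not publish them; the sample response is constructed.

```python
import urllib.request

# Assumed endpoint: the page does not publish the URL or query layout.
API_URL = "https://api.example.invalid/cti"

# Constructed sample using the top-level field names from the schema table.
# The agents[] key names are assumed; the page only lists what they describe.
SAMPLE_RESPONSE = {
    "type": "ip",
    "request": "192.0.2.10",
    "timestamp": 1771426500,
    "timestamp_readable": "2026-02-18T14:55:00Z",
    "request_id": "00000000-0000-4000-8000-000000000000",
    "body": {"crime_score": 581, "reports": 2735, "members": 26, "events": 61},
    "ip_info": {"country": "XX", "continent": "XX", "asn": 64496, "org": "EXAMPLE-ORG"},
    "history": [],
    "sectors": ["Finance", "Cloud"],
    "countries": ["DE", "IT"],
    "reports": ["scanning", "brute force"],
    "members": ["member-a", "member-b"],
    "mitre_id": ["T1046", "T1595.002"],
    "stix": [],
    "intel": [],
    "agents": [
        {"plugin": "nginx", "version": "1.0", "blacklist_size": 12000,
         "score_threshold": 150, "sync_latency_ms": 180},
        {"plugin": "iptables", "version": "1.0", "blacklist_size": 9000,
         "score_threshold": 400, "sync_latency_ms": 900},
    ],
}

# Field -> expected Python type, taken from the schema table's Type column.
REQUIRED_FIELDS = {
    "type": str, "request": str, "timestamp": (int, float), "timestamp_readable": str,
    "request_id": str, "body": dict, "ip_info": dict, "history": list, "sectors": list,
    "countries": list, "reports": list, "members": list, "mitre_id": list,
    "stix": list, "intel": list, "agents": list,
}


def build_request(token, ip):
    """Prepare the lookup with the Bearer header shown on the page (not sent here)."""
    req = urllib.request.Request(f"{API_URL}?ip={ip}")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def validate_response(resp):
    """Return a list of schema problems; empty means the response is usable."""
    problems = []
    for field, expected in REQUIRED_FIELDS.items():
        if field not in resp:
            problems.append(f"missing {field}")
        elif not isinstance(resp[field], expected):
            problems.append(f"{field} has wrong type {type(resp[field]).__name__}")
    score = resp.get("body", {}).get("crime_score")
    if not isinstance(score, int) or not 0 <= score <= 1000:
        problems.append("body.crime_score missing or outside 0-1000")
    return problems


def decide_action(resp, block_above=250, alert_from=100):
    """Apply the policy from the list above: block >250, alert 100-250, allow below."""
    score = resp["body"]["crime_score"]
    if score > block_above:
        action = "block"
    elif score >= alert_from:
        action = "alert"
    else:
        action = "allow"
    return {
        "ip": resp["request"],
        "action": action,
        "crime_score": score,
        "techniques": list(resp.get("mitre_id", [])),  # for detection rule tagging
        "sectors": list(resp.get("sectors", [])),      # am I a primary target?
        "request_id": resp["request_id"],              # log correlation
    }


def audit_agents(resp, max_threshold=190, max_latency_ms=200):
    """Flag agents above the default 150-190 threshold band or the 200ms sync target."""
    findings = []
    for agent in resp.get("agents", []):
        name = f"{agent.get('plugin')}/{agent.get('version')}"
        if agent.get("score_threshold", 0) > max_threshold:
            findings.append(f"{name}: threshold {agent['score_threshold']} above {max_threshold}")
        if agent.get("sync_latency_ms", 0) > max_latency_ms:
            findings.append(f"{name}: sync latency {agent['sync_latency_ms']}ms above {max_latency_ms}ms")
    return findings


if __name__ == "__main__":
    print(build_request("<token>", SAMPLE_RESPONSE["request"]).get_header("Authorization"))
    print(validate_response(SAMPLE_RESPONSE))
    print(decide_action(SAMPLE_RESPONSE))
    print(audit_agents(SAMPLE_RESPONSE))
```

Gate enforcement on `validate_response` returning an empty list: a response that fails the schema check should raise an operational alert, never a block, so a feed outage or format change cannot turn into a self-inflicted outage at the firewall.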
Threat Hunter
- Pivot on sector reporting to find cross-vertical campaigns
- STIX `relationship` objects map threat-actor infrastructure clusters
- Kill-chain phases surface lateral movement and C2 patterns
- ASN data helps cluster adversary-owned IP ranges
CISO / Risk
- Crime Score provides a quantified, board-ready risk metric
- Sector telemetry shows if your industry is under active attack
- 180+ member network provides proof of collective defence value
- MITRE ATT&CK mapping supports cyber insurance reporting
From Telemetry to Enforcement
Alliance member telemetry flows through validation, enrichment and standards mapping before reaching your firewall — all in under 200ms.
Start Using the CTI API
The Consolidated Intel API is available to all OneFirewall Alliance members. Join the Alliance or contact us to request trial access and start querying live, crowd-sourced threat intelligence at scale.