Cypho API (1.0.9)


Cypho External API provides access to our platform for customers to retrieve security insights, manage detected issues, and integrate threat intelligence into their systems. It offers endpoints for issue management, status updates, and category exploration to enhance security operations.

Issues

Issues API provides endpoints for managing security issues, including retrieving issue details, listing all issues, and updating their statuses.

Retrieve a list of detected security issues. Supports filters for issue type, severity, status, and detection date.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

alert_statuses
string <string>
Example: alert_statuses=Open,In-progress

List of issue statuses, separated by comma. List of valid statuses: [Open, In-progress, Closed, Risk accepted, False positive, Out of scope, Candidate]

severities
string <string>
Example: severities=Critical,Moderate

List of issue severities, separated by comma. List of valid severities: [Critical, Moderate, Low]

categories
string <string>
Example: categories=Phishing Monitoring,PII Exposure Monitoring

List of issue category names, separated by comma.

since
string
Example: since=2006-01-02T15:04:05Z

Issue detection start date, can be either RFC3339 date time or relative time format.

until
string
Example: until=2 months 2 days ago

Issue detection end date, can be either RFC3339 date time or relative time format.

page
integer
Default: 1
limit
integer
Default: 50
Request Body schema: application/json
object (Filter)
Array of objects (FilterField)
candidate
boolean

Responses

Request samples

Content type
application/json
{
  "filter": { },
  "categories_filter": [ ],
  "candidate": true
}

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

Create a new security issue

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Request Body schema: multipart/form-data
required
name
string

Optional issue name

title
required
string

Issue title (must match an existing issue title template)

description
required
string <json>

Issue description in JSON format

asset
required
string

Asset value (e.g. domain name, IP address)

category
required
string

Category name for the issue

user_email
string <email>

Email of the user creating the issue. Used for access validation within the company hierarchy. When provided, the user must belong to the target company or be an admin/superadmin of a parent company.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}

Update issue severity and/or status

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

ticket_id
required
string
Example: ticket_id=some_company-PM-000001

Issue ticket id

user_email
required
string <email>

Email address of the user performing the action. Used for user access validation within the company hierarchy. The user must belong to the target company or be an admin/superadmin of a parent company to access child company resources. Users with a viewer role can only perform read operations. Admin and superadmin users of a parent company can perform operations on all child company resources.

alert_status
string <string>
Enum: "Open" "In-progress" "Closed" "Risk accepted" "False positive" "Out of scope" "Candidate"
Example: alert_status=Open

Issue status, can be one of: [Open, In-progress, Closed, Risk accepted, False positive, Out of scope, Candidate]

status_reason
string

Issue status change reason

severity
string <string>
Enum: "Critical" "Moderate" "Low"
Example: severity=Critical

Issue severity, can be one of: [Critical, Moderate, Low]

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}

Approve or dismiss issue

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

ticket_id
required
string
Example: ticket_id=some_company-PM-000001

Issue ticket id

user_email
required
string <email>

Email address of the user performing the action. Used for user access validation within the company hierarchy. The user must belong to the target company or be an admin/superadmin of a parent company to access child company resources. Users with a viewer role can only perform read operations. Admin and superadmin users of a parent company can perform operations on all child company resources.

approve
required
boolean
Example: approve=true

Approve or dismiss the issue. For this endpoint to work, the issue must be in Candidate status. When set to true, the issue status becomes Open; when set to false, the issue and all related objects are deleted.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}

Approve or dismiss issues

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

user_email
required
string <email>

Email address of the user performing the action. Used for user access validation within the company hierarchy. The user must belong to the target company or be an admin/superadmin of a parent company to access child company resources. Users with a viewer role can only perform read operations. Admin and superadmin users of a parent company can perform operations on all child company resources.

ticket_ids
required
Array of strings

Issue ticket_ids to approve or dismiss

approve
required
boolean
Example: approve=true

Approve or dismiss the issues. For this endpoint to work, the issues must be in Candidate status. When set to true, the issues' statuses become Open; when set to false, the issues and all related objects are deleted.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}

List compacted issue groups. Issues with the same title, category, and company that are detected within a 30-minute window are grouped into a single compaction.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

user_email
required
string <email>

Email address of the user performing the action. Used for user access validation within the company hierarchy. The user must belong to the target company or be an admin/superadmin of a parent company to access child company resources. Users with a viewer role can only perform read operations. Admin and superadmin users of a parent company can perform operations on all child company resources.

alert_statuses
string
Example: alert_statuses=Open,In-progress

List of issue statuses, separated by comma. List of valid statuses: [Open, In-progress, Closed, Risk accepted, False positive, Out of scope, Candidate]

severities
string
Example: severities=Critical,Moderate

List of issue severities, separated by comma. List of valid severities: [Critical, Moderate, Low]

categories
string
Example: categories=Phishing Monitoring,PII Exposure Monitoring

List of issue category names, separated by comma.

since
string
Example: since=2006-01-02T15:04:05Z

Issue detection start date, can be either RFC3339 date time or relative time format.

until
string
Example: until=2 months 2 days ago

Issue detection end date, can be either RFC3339 date time or relative time format.

candidate
boolean
Example: candidate=false

When true, returns only compactions whose issues are in Candidate status. When false, excludes Candidate issues. When omitted, both are returned.

page
integer
Default: 1
limit
integer
Default: 50
Request Body schema: application/json
object (Filter)
Array of objects (CategoryFilterField)

Responses

Request samples

Content type
application/json
{
  "filter": { },
  "categories": [ ]
}

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

List individual issues that belong to a given compaction.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

compact_id
required
string <uuid>
Example: compact_id=00000000-0000-0000-0000-000000000000

Compaction id returned by /issues/compact/list. A compaction groups issues that share the same title, category, and company and were detected within a 30-minute window. Use this id to drill into the compaction's issues or to apply a status/severity update across every issue in the group.

user_email
required
string <email>

Email address of the user performing the action. Used for user access validation within the company hierarchy. The user must belong to the target company or be an admin/superadmin of a parent company to access child company resources. Users with a viewer role can only perform read operations. Admin and superadmin users of a parent company can perform operations on all child company resources.

alert_statuses
string
Example: alert_statuses=Open,In-progress

List of issue statuses, separated by comma. List of valid statuses: [Open, In-progress, Closed, Risk accepted, False positive, Out of scope, Candidate]

severities
string
Example: severities=Critical,Moderate

List of issue severities, separated by comma. List of valid severities: [Critical, Moderate, Low]

categories
string
Example: categories=Phishing Monitoring,PII Exposure Monitoring

List of issue category names, separated by comma.

since
string
Example: since=2006-01-02T15:04:05Z

Issue detection start date, can be either RFC3339 date time or relative time format.

until
string
Example: until=2 months 2 days ago

Issue detection end date, can be either RFC3339 date time or relative time format.

candidate
boolean
Example: candidate=false

When true, returns only issues in Candidate status. When false, excludes Candidate issues. When omitted, both are returned.

page
integer
Default: 1
limit
integer
Default: 50
Request Body schema: application/json
object (Filter)
Array of objects (CategoryFilterField)

Responses

Request samples

Content type
application/json
{
  "filter": { },
  "categories": [ ]
}

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

Update status, status_reason and/or severity for every issue under a compaction in a single transaction. At least one of alert_status, status_reason, or severity must be supplied.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

compact_id
required
string <uuid>
Example: compact_id=00000000-0000-0000-0000-000000000000

Compaction id returned by /issues/compact/list. A compaction groups issues that share the same title, category, and company and were detected within a 30-minute window. Use this id to drill into the compaction's issues or to apply a status/severity update across every issue in the group.

user_email
required
string <email>

Email address of the user performing the action. Used for user access validation within the company hierarchy. The user must belong to the target company or be an admin/superadmin of a parent company to access child company resources. Users with a viewer role can only perform read operations. Admin and superadmin users of a parent company can perform operations on all child company resources.

alert_status
string <string>
Enum: "Open" "In-progress" "Closed" "Risk accepted" "False positive" "Out of scope" "Candidate"
Example: alert_status=Closed

Issue status, can be one of: [Open, In-progress, Closed, Risk accepted, False positive, Out of scope, Candidate]. Applied to every issue in the compaction.

status_reason
string

Issue status change reason. Applied to every issue in the compaction.

severity
string <string>
Enum: "Critical" "Moderate" "Low"
Example: severity=Critical

Issue severity, can be one of: [Critical, Moderate, Low]. Applied to every issue in the compaction.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}

Retrieve an issue by the given ticket_id

Authorizations:
APIKeyAuth
path Parameters
ticket_id
required
string
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

Categories

Categories API provides endpoints for accessing and managing issue categories, enabling better organization and classification of detected security events.

Retrieve issue categories.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": [ ]
}

Comments

Comments API provides endpoints for accessing and managing issue comments, including retrieving all comments of a given issue, adding and updating comments, and managing comment attachments.

Add new comment to given issue

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Request Body schema: multipart/form-data
comment
string
ticket_id
required
string

Issue ticket_id

parent_id
string <uuid>

When provided, the new comment is added as a child of this comment.

user_email
required
string <email>
has_assigned_analyst
boolean
files
Array of strings <binary> (FileField) [ items <binary > ]

Custom attachments for the comment. Attachments can be in the following formats:
Image formats: jpeg, jpg, png
File formats: txt, docx, pdf, doc, mp4, xlsx, csv, avi, wmv, rar, zip
You must provide at least the comment text (comment field) or an attachment.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}

Update comment and/or add new attachment

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Request Body schema: multipart/form-data
comment_id
required
string <uuid>
comment
string
user_email
required
string <email>
has_assigned_analyst
boolean
files
Array of strings <binary> (FileField) [ items <binary > ]

Custom attachments for the comment. Attachments can be in the following formats:
Image formats: jpeg, jpg, png
File formats: txt, docx, pdf, doc, mp4, xlsx, csv, avi, wmv, rar, zip
You must provide at least the comment text (comment field) or an attachment.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}

Get list of comments

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

ticket_id
required
string
Example: ticket_id=some_company-PM-000001

Issue ticket id

has_assigned_analyst
boolean
Example: has_assigned_analyst=false
cursor
string

Set the next request's cursor query parameter to this value to retrieve the next 10 comments.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

Delete specified comment's attachments

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Request Body schema: application/json
required
comment_id
required
string <uuid>
attachment_ids
required
Array of strings <uuid> [ items <uuid > ]
user_email
required
string <email>

Responses

Request samples

Content type
application/json
{
  "comment_id": "00000000-0000-0000-0000-000000000000",
  "attachment_ids": [ ],
  "user_email": "[email protected]"
}

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}

Assets

Assets API provides endpoints for managing monitored assets, including listing, retrieving details, and updating asset statuses.

Retrieve a list of monitored assets with filtering options

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Request Body schema: application/json
type
string
Enum: "Ip" "Domain" "MobileApp" "CreditCard" "Company" "Person"

Filter by asset type

statuses
Array of strings
Items Enum: "Monitored" "Unmonitored" "Pending" "Irrelevant" "Unverified" "Inactive"

Filter by asset statuses

keyword
string

Search keyword to match against asset value

start_date
string <date-time>

Filter assets created after this date

end_date
string <date-time>

Filter assets created before this date

limit
integer [ 1 .. 100 ]
Default: 10
page
integer >= 1
Default: 1

Responses

Request samples

Content type
application/json
{
  "type": "Domain",
  "statuses": [ ],
  "keyword": "string",
  "start_date": "2019-08-24T14:15:22Z",
  "end_date": "2019-08-24T14:15:22Z",
  "limit": 10,
  "page": 1
}

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

Retrieve asset details and child assets by asset ID

Authorizations:
APIKeyAuth
path Parameters
id
required
string <uuid>

Asset UUID

query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

limit
integer [ 1 .. 100 ]
Default: 10
page
integer >= 1
Default: 1

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

Retrieve the active DNS records of an asset

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

user_email
required
string <email>

Email address of the user performing the action. Used for user access validation within the company hierarchy. The user must belong to the target company or be an admin/superadmin of a parent company to access child company resources. Users with a viewer role can only perform read operations. Admin and superadmin users of a parent company can perform operations on all child company resources.

id
required
string

Asset UUID

limit
integer [ 1 .. 100 ]
Default: 10
page
integer >= 1
Default: 1

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

Create a single asset

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Request Body schema: application/json
required
user_email
required
string <email>

Email of the user performing the action. Used for access validation within the company hierarchy. The user must belong to the target company or be an admin/superadmin of a parent company.

type
required
string
Enum: "Ip" "Domain" "MobileApp" "CreditCard" "Company" "Person" "Product" "CloudStorage" "CodeRepository" "CollaborationPlatform"
value
required
string
vendor
string

Required when type is Product. Lower-cased on save.

version
string

Optional for Product.

platform
string
Enum: "Google Play Store" "Apple App Store"

Required when type is MobileApp. Drives the store the package id is verified against.

provider
string

Required when type is CloudStorage, CodeRepository, or CollaborationPlatform. Allowed values depend on the type:

  • CloudStorage: AWS S3, OneDrive, Google Drive
  • CodeRepository: GitHub, GitLab, Bitbucket, Microsoft Azure DevOps
  • CollaborationPlatform: SharePoint

Responses

Request samples

Content type
application/json
{
  "user_email": "[email protected]",
  "type": "Domain",
  "value": "example.com",
  "vendor": "wordpress",
  "version": "6.4.2",
  "platform": "Google Play Store",
  "provider": "GitHub"
}

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}
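
A pre-flight check for the conditional fields of the "Create a single asset" request body, as an added example (not Cypho's code). The function name is hypothetical, the e-mail check is deliberately shallow, and the sample payloads in the test are constructed; the enum values are the ones listed on this page.

```python
ASSET_TYPES = {
    "Ip", "Domain", "MobileApp", "CreditCard", "Company", "Person",
    "Product", "CloudStorage", "CodeRepository", "CollaborationPlatform",
}
PLATFORMS = {"Google Play Store", "Apple App Store"}
PROVIDERS = {
    "CloudStorage": {"AWS S3", "OneDrive", "Google Drive"},
    "CodeRepository": {"GitHub", "GitLab", "Bitbucket", "Microsoft Azure DevOps"},
    "CollaborationPlatform": {"SharePoint"},
}


def validate_new_asset(payload):
    """Return (normalized_payload, errors) for a create-asset request body.

    `errors` is empty when the body satisfies the rules documented above.
    """
    errors = []
    body = dict(payload)  # never mutate the caller's dict

    # Fields marked "required" for every asset type.
    for field in ("user_email", "type", "value"):
        if not str(body.get(field, "")).strip():
            errors.append(f"{field} is required")

    email = str(body.get("user_email", ""))
    local, _, domain = email.partition("@")
    if email and (not local or not domain or "@" in domain):
        errors.append("user_email is not an e-mail address")

    asset_type = body.get("type")
    if asset_type and asset_type not in ASSET_TYPES:
        errors.append(f"type {asset_type!r} is not a documented asset type")
        return body, errors  # the conditional rules below depend on a valid type

    if asset_type == "Product":
        if not body.get("vendor"):
            errors.append("vendor is required when type is Product")
        else:
            # The page states vendor is lower-cased on save; do it up front so
            # the value compared or logged locally matches what is stored.
            body["vendor"] = body["vendor"].lower()

    if asset_type == "MobileApp":
        if body.get("platform") not in PLATFORMS:
            errors.append("platform must be one of: " + ", ".join(sorted(PLATFORMS)))

    if asset_type in PROVIDERS:
        allowed = PROVIDERS[asset_type]
        if body.get("provider") not in allowed:
            errors.append(
                f"provider for {asset_type} must be one of: " + ", ".join(sorted(allowed))
            )

    return body, errors


if __name__ == "__main__":
    # Constructed payload: a repository asset with a storage provider.
    print(validate_new_asset({
        "user_email": "analyst@example.com",
        "type": "CodeRepository",
        "value": "example-org/example-repo",
        "provider": "AWS S3",
    })[1])
```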

Update asset status

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Request Body schema: application/json
required
id
required
string <uuid>

Asset UUID

status
required
string
Enum: "Monitored" "Unmonitored" "Pending" "Irrelevant" "Unverified" "Inactive"

New asset status. Valid transitions:

  • Monitored → Unmonitored
  • Unmonitored → Monitored, Inactive
  • Pending → Unmonitored, Monitored, Irrelevant, Inactive
status_reason
string

Reason for status change

user_email
required
string <email>

Email of the user performing the update. Used for access validation within the company hierarchy. The user must belong to the target company or be an admin/superadmin of a parent company.

Responses

Request samples

Content type
application/json
{
  "id": "00000000-0000-0000-0000-000000000000",
  "status": "Monitored",
  "status_reason": "string",
  "user_email": "[email protected]"
}

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully"
}
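
The valid transitions listed for the status field above, turned into a planner, as an added example (not Cypho's code): it returns the shortest sequence of status values to send when the target cannot be reached in one update, and reports targets that cannot be reached at all. It assumes the three listed rows are the complete set of allowed transitions; the function name is hypothetical.

```python
from collections import deque

STATUSES = {"Monitored", "Unmonitored", "Pending", "Irrelevant", "Unverified", "Inactive"}

# Transitions exactly as listed on this page. Statuses without a row
# (Irrelevant, Unverified, Inactive) have no documented outgoing transition.
TRANSITIONS = {
    "Monitored": ["Unmonitored"],
    "Unmonitored": ["Monitored", "Inactive"],
    "Pending": ["Unmonitored", "Monitored", "Irrelevant", "Inactive"],
}


def plan_status_updates(current, target):
    """Return the list of `status` values to send, in order.

    []    -> the asset is already in the target status
    None  -> the target is unreachable under the documented transitions
    """
    for name in (current, target):
        if name not in STATUSES:
            raise ValueError(f"unknown asset status: {name!r}")
    if current == target:
        return []

    # Breadth-first search gives the fewest update calls.
    queue = deque([(current, [])])
    visited = {current}
    while queue:
        status, path = queue.popleft()
        for nxt in TRANSITIONS.get(status, []):
            if nxt in visited:
                continue
            if nxt == target:
                return path + [nxt]
            visited.add(nxt)
            queue.append((nxt, path + [nxt]))
    return None


if __name__ == "__main__":
    # A monitored asset cannot be made Inactive in one call.
    print(plan_status_updates("Monitored", "Inactive"))
    # Nothing leads out of Inactive, so this prints None.
    print(plan_status_updates("Inactive", "Monitored"))
```

A `None` result is worth surfacing to the operator before any request is sent, since an asset moved to Inactive or Irrelevant has no documented way back.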

Issue Titles

Issue Titles API provides endpoints for listing and retrieving issue title templates used for issue creation.

Retrieve a list of issue title templates

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

category
string

Filter by category name

keyword
string

Search keyword for issue title name

limit
integer [ 1 .. 100 ]
Default: 10
page
integer >= 1
Default: 1

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

Retrieve issue title detail with field definitions

Authorizations:
APIKeyAuth
path Parameters
id
required
string <uuid>

Issue title UUID

query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}

IOC Feeds

IOC Feeds API exposes Cypho's threat-intelligence indicator (IOC) feeds in JSON, STIX 2.1 and CSV formats. The same indicator dataset is served across formats — clients pick the format with the format query parameter. A separate TAXII 2.1 route group is also available for clients that prefer the TAXII protocol.

List IOC indicators in JSON, STIX 2.1, or CSV format

Returns the IOC indicator dataset in the requested format.

  • format=json (default) — Cypho's standard JSON envelope ({status, msg, data: {items, nextCursor}}).
  • format=stix — a STIX 2.1 bundle containing one indicator SDO per item and a Cypho identity SDO so created_by_ref references resolve when imported. Content-Type: application/stix+json;version=2.1.
  • format=csv — RFC 4180 CSV. Content-Type: text/csv; charset=utf-8. Content-Disposition: attachment; filename="indicators.csv". Next-page cursor is surfaced via the X-Next-Cursor response header (CSV has no envelope).

Pagination uses the cursor query parameter; the next page's cursor is returned via the nextCursor field (JSON), or the X-Next-Cursor header (CSV / STIX). When the dataset is exhausted, no cursor is returned.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

format
string
Default: "json"
Enum: "json" "stix" "csv"

Output format. Defaults to json.

type
string
Enum: "ip" "domain" "hostname" "url" "hash" "all"
Example: type=ip

Filter by IOC type. Omit (or use all) to return any type.

search
string
Example: search=example.com

Case-insensitive substring match against the indicator value.

limit
integer [ 1 .. 1000 ]
Default: 50

Page size. Defaults to 50.

cursor
string
Example: cursor=100:1.15.100.187

Pagination cursor returned by a previous response (nextCursor JSON field or X-Next-Cursor header).

Responses

Response samples

Content type
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}
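
A cursor-following client for the pagination rules of the list endpoint above, as an added example (not Cypho's code): it reads nextCursor from the JSON envelope and X-Next-Cursor for CSV and STIX, stops when no cursor is returned, and refuses to loop on a repeated cursor. The HTTP call is injected as `fetch_page` because the endpoint path and API-key header are not shown on this page; `fake_fetch_page`, its indicators and its cursor values are constructed, and a CSV header row is assumed.

```python
import csv
import io
import json

FORMATS = ("json", "stix", "csv")  # values of the `format` query parameter


def parse_page(fmt, headers, body):
    """Return (items, next_cursor) for one response; next_cursor is None at the end."""
    if fmt == "json":
        envelope = json.loads(body)
        if not envelope.get("status"):
            raise RuntimeError(f"API reported failure: {envelope.get('msg')}")
        data = envelope["data"]
        return data["items"], data.get("nextCursor") or None
    # CSV and STIX have no envelope: the cursor travels in X-Next-Cursor.
    # Header names are case-insensitive, so compare in lower case.
    lowered = {k.lower(): v for k, v in headers.items()}
    cursor = lowered.get("x-next-cursor") or None
    if fmt == "csv":
        return list(csv.DictReader(io.StringIO(body))), cursor  # assumes a header row
    objects = json.loads(body)["objects"]  # STIX 2.1 bundle
    return [o for o in objects if o.get("type") == "indicator"], cursor


def fetch_all(fetch_page, fmt="json", limit=50, max_pages=10_000):
    """Follow cursors until none is returned; fetch_page(params) -> (headers, body)."""
    if fmt not in FORMATS:
        raise ValueError(f"format must be one of {FORMATS}")
    if not 1 <= limit <= 1000:  # documented range for `limit`
        raise ValueError("limit must be between 1 and 1000")
    items, cursor, seen = [], None, set()
    for _ in range(max_pages):
        params = {"format": fmt, "limit": limit}
        if cursor is not None:
            params["cursor"] = cursor
        headers, body = fetch_page(params)
        page, cursor = parse_page(fmt, headers, body)
        items.extend(page)
        if cursor is None:  # dataset exhausted
            return items
        if cursor in seen:  # a faulty reply must not make the client loop forever
            raise RuntimeError("cursor repeated; aborting pagination")
        seen.add(cursor)
    raise RuntimeError("max_pages reached before the feed was exhausted")


# --- constructed stand-in for the server, so the example runs offline ---
SAMPLE = [
    {"type": "ip", "value": "192.0.2.10"},
    {"type": "ip", "value": "198.51.100.7"},
    {"type": "domain", "value": "bad.example.com"},
    {"type": "url", "value": "http://example.net/x"},
    {"type": "ip", "value": "203.0.113.5"},
]


def fake_fetch_page(params):
    """Serve SAMPLE in pages; the cursor here is just an offset (constructed)."""
    start = int(params.get("cursor", 0))
    end = start + params["limit"]
    page = SAMPLE[start:end]
    nxt = str(end) if end < len(SAMPLE) else None
    if params["format"] == "json":
        data = {"items": page}
        if nxt:
            data["nextCursor"] = nxt
        return {}, json.dumps({"status": True, "msg": "ok", "data": data})
    headers = {"X-Next-Cursor": nxt} if nxt else {}
    if params["format"] == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=["type", "value"])
        writer.writeheader()
        writer.writerows(page)
        return headers, buf.getvalue()
    objects = [{"type": "identity", "name": "constructed publisher"}]
    objects += [{"type": "indicator", "name": i["value"]} for i in page]
    return headers, json.dumps({"type": "bundle", "objects": objects})


if __name__ == "__main__":
    for fmt in FORMATS:
        print(fmt, len(fetch_all(fake_fetch_page, fmt, limit=2)))
```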

Retrieve a single IOC indicator in JSON, STIX 2.1, or CSV format

Authorizations:
APIKeyAuth
path Parameters
ioc
required
string
Example: 1.15.100.187

The indicator value (IP, domain, URL, or hash).

query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

format
string
Default: "json"
Enum: "json" "stix" "csv"

Output format. Defaults to json.

Responses

Response samples

Content type
{
  "status": true,
  "msg": "Request processed successfully",
  "data": { }
}
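
A pre-import check for the format=stix bundle described for the list endpoint above, as an added example (not Cypho's code): it confirms that each indicator carries the properties STIX 2.1 requires and that its created_by_ref resolves to an identity object inside the same bundle. The function names, the bundle, its ids and its pattern are constructed.

```python
import re

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# Properties STIX 2.1 marks as required on an indicator SDO.
INDICATOR_REQUIRED = (
    "type", "spec_version", "id", "created", "modified",
    "pattern", "pattern_type", "valid_from",
)


def check_bundle(bundle):
    """Return a list of problems found in a STIX 2.1 bundle (empty list = clean)."""
    if bundle.get("type") != "bundle":
        return ["top-level object is not a STIX bundle"]
    objects = bundle.get("objects", [])
    problems = []

    # First pass: every id must be "<type>--<uuid>"; collect identity ids.
    identities = set()
    for obj in objects:
        otype, oid = obj.get("type", ""), obj.get("id", "")
        if not re.fullmatch(re.escape(otype) + "--" + UUID, oid, re.IGNORECASE):
            problems.append(f"{oid!r}: id does not match object type {otype!r}")
        elif otype == "identity":
            identities.add(oid)

    # Second pass: indicators must be complete and point at a bundled identity.
    for obj in objects:
        if obj.get("type") != "indicator":
            continue
        oid = obj.get("id")
        missing = [p for p in INDICATOR_REQUIRED if p not in obj]
        if missing:
            problems.append(f"{oid}: missing {', '.join(missing)}")
        ref = obj.get("created_by_ref")
        if ref is None:
            problems.append(f"{oid}: no created_by_ref")
        elif ref not in identities:
            problems.append(f"{oid}: created_by_ref {ref} does not resolve")
    return problems


def sample_bundle():
    """Constructed bundle: one identity SDO and one indicator SDO."""
    identity_id = "identity--11111111-1111-4111-8111-111111111111"
    stamp = "2024-01-01T00:00:00.000Z"
    return {
        "type": "bundle",
        "id": "bundle--22222222-2222-4222-8222-222222222222",
        "objects": [
            {"type": "identity", "spec_version": "2.1", "id": identity_id,
             "created": stamp, "modified": stamp,
             "name": "Example publisher", "identity_class": "organization"},
            {"type": "indicator", "spec_version": "2.1",
             "id": "indicator--33333333-3333-4333-8333-333333333333",
             "created": stamp, "modified": stamp, "created_by_ref": identity_id,
             "pattern": "[ipv4-addr:value = '192.0.2.10']",
             "pattern_type": "stix", "valid_from": stamp},
        ],
    }


if __name__ == "__main__":
    print(check_bundle(sample_bundle()))
```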

List the available IOC types, categories, and sources

Returns metadata describing the indicator dataset Cypho exposes: the supported IOC types, the categories an indicator can carry, and the upstream sources along with their tier/reliability scores and the categories each source contributes to.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": {
  }
}

Aggregate counts for the IOC dataset

Returns aggregate counts: total number of indicators, counts grouped by type, by category, by source, and the number of currently active sources.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/json
{
  "status": true,
  "msg": "Request processed successfully",
  "data": {
  }
}

TAXII

TAXII 2.1 endpoints expose the same IOC indicator dataset using the OASIS TAXII 2.1 protocol envelope (application/taxii+json;version=2.1). All endpoints are read-only; Cypho is the publisher. A single collection (indicators) is exposed in v1.

TAXII 2.1 Server Discovery

TAXII 2.1 Discovery document. Returns server metadata and the URL of the API root. Conforms to OASIS TAXII 2.1 §4.1 (Server Discovery).

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/taxii+json;version=2.1
{}

TAXII 2.1 API Root metadata

Returns metadata about the TAXII API root (title, description, supported protocol versions, max content length). Conforms to OASIS TAXII 2.1 §4.2.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/taxii+json;version=2.1
{
  "title": "Cypho IOC Feeds",
  "description": "Cypho TAXII 2.1 API Root",
  "versions": [
  ],
  "max_content_length": 10485760
}

List TAXII collections

Returns the list of TAXII collections exposed by Cypho. In v1, a single collection (indicators) is exposed and contains every published IOC. Conforms to OASIS TAXII 2.1 §5.1.

Authorizations:
APIKeyAuth
query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/taxii+json;version=2.1
{
  "collections": [
  ]
}

TAXII collection metadata

Returns metadata for a single TAXII collection. Cypho exposes one collection (indicators) in v1. Conforms to OASIS TAXII 2.1 §5.2.

Authorizations:
APIKeyAuth
path Parameters
id
required
string
Example: indicators

TAXII collection id. Cypho exposes the indicators collection.

query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/taxii+json;version=2.1
{
  "id": "indicators",
  "title": "Cypho IOC Indicators",
  "description": "All Cypho-published IOC indicators (IPs, domains, URLs, hashes).",
  "can_read": true,
  "can_write": false,
  "media_types": [
  ]
}

TAXII objects envelope (STIX 2.1 indicators)

Returns the STIX 2.1 indicator objects belonging to the collection, wrapped in a TAXII 2.1 envelope ({more, next, objects}). The same filtering parameters as /ioc-feeds/ioc/indicators are accepted. Conforms to OASIS TAXII 2.1 §5.3.

Authorizations:
APIKeyAuth
path Parameters
id
required
string
Example: indicators

TAXII collection id (indicators).

query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

type
string
Enum: "ip" "domain" "hostname" "url" "hash" "all"

Filter by IOC type.

search
string

Substring match against the indicator value.

limit
integer [ 1 .. 1000 ]
Default: 50

Page size. Defaults to 50.

cursor
string

Pagination cursor from a previous response's next field.

Responses

Response samples

Content type
application/taxii+json;version=2.1
{
  "more": true,
  "next": "100:1.15.100.187",
  "objects": [
  ]
}
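A consumer of the {more, next, objects} envelope described above has to follow the next cursor until more is false, and should not trust the server to terminate the loop. The following is an added example, not Cypho's own client code: fetch_page is a hypothetical caller-supplied function that performs the authenticated GET, the sample envelopes are constructed, and it assumes indicators carry simple single-comparison STIX patterns.

```python
import re

# Single-comparison STIX patterns only, e.g. [ipv4-addr:value = '1.15.100.187'].
_PATTERN = re.compile(r"^\[\s*([a-z0-9-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")

def drain_collection(fetch_page, max_pages=1000):
    """Follow more/next until more is false; return de-duplicated indicators.

    fetch_page(cursor) is a caller-supplied (hypothetical) function that sends
    the authenticated GET and returns the decoded envelope as a dict.
    """
    seen_cursors, seen_ids, indicators = set(), set(), []
    cursor = None
    for _ in range(max_pages):
        envelope = fetch_page(cursor)
        if not isinstance(envelope, dict):
            raise ValueError("TAXII envelope must be a JSON object")
        for obj in envelope.get("objects") or []:
            if obj.get("type") == "indicator" and obj.get("id") not in seen_ids:
                seen_ids.add(obj.get("id"))
                indicators.append(obj)
        if not envelope.get("more"):
            return indicators
        cursor = envelope.get("next")
        # A missing or repeated cursor would otherwise spin the client forever.
        if not cursor or cursor in seen_cursors:
            raise RuntimeError("more=true with a missing or repeated next cursor")
        seen_cursors.add(cursor)
    raise RuntimeError("max_pages reached before the collection ended")

def observable(indicator):
    """Return (object_type, value) for a simple equality pattern, else None."""
    m = _PATTERN.match(indicator.get("pattern", ""))
    return (m.group(1), m.group(3)) if m else None

# Constructed sample envelopes (not real feed data), keyed by request cursor.
_IP = {"type": "indicator", "id": "indicator--ad57c1a4-2b3d-5d62-9c46-cba1d8a5d6f7",
       "pattern_type": "stix", "pattern": "[ipv4-addr:value = '1.15.100.187']"}
_DOM = {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
        "pattern_type": "stix", "pattern": "[domain-name:value = 'example.com']"}
PAGES = {None: {"more": True, "next": "100:1.15.100.187", "objects": [_IP]},
         "100:1.15.100.187": {"more": False, "objects": [_IP, _DOM]}}

def fake_fetch(cursor):
    return PAGES[cursor]

if __name__ == "__main__":
    for ind in drain_collection(fake_fetch):
        print(ind["id"], observable(ind))
```

Patterns that observable cannot reduce to one value (compound or non-equality expressions) return None and should be routed to a full STIX pattern parser rather than dropped silently.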

Fetch a single STIX object from a TAXII collection

Returns a TAXII envelope containing the single STIX object identified by object_id. Conforms to OASIS TAXII 2.1 §5.4.

Authorizations:
APIKeyAuth
path Parameters
id
required
string
Example: indicators

TAXII collection id (indicators).

object_id
required
string
Example: indicator--ad57c1a4-2b3d-5d62-9c46-cba1d8a5d6f7

STIX object id (the indicator type prefix followed by a UUID, e.g. indicator--...).

query Parameters
tenant
string
Example: tenant=ChildCompanyName

Name of a child company to target for this operation. When provided, the API resolves the child company within the authenticated parent company's hierarchy. The authenticated API token must belong to a parent company of the specified tenant. If omitted, the operation targets the company that owns the API token.

Responses

Response samples

Content type
application/taxii+json;version=2.1
{
  "more": true,
  "next": "100:1.15.100.187",
  "objects": [
  ]
}