
Malanta API


Imminent Threats, Exposures, IoPA Cluster APIs & STIX/TAXII Feed API


Version 1.0 | January 2026



Overview


The Malanta API provides access to pre-attack intelligence and exposure data for monitored organizations and scopes.


  • Imminent Threats — Retrieve imminent pre-attack threats targeting your organization
  • Exposures — Retrieve exposed assets and attacker behavior prior to exploitation
  • Prevented — Retrieve threats and exposures that have been prevented
  • IoPA Cluster — Submit indicators for cluster analysis and retrieve results
  • STIX/TAXII Feed — Retrieve general and targeted attack infrastructure clusters in STIX 2.1 format via TAXII 2 protocol



Authentication


All API requests require a valid Malanta API key supplied via request headers.


Header: x-api-key: malanta_xxxxxxxxxxxxx


Base URL: https://app.malanta.ai/api



Threats API


Returns a paginated list of imminent pre-attack threats for a specific organization and scope.


Endpoint


GET /v1/organizations/{organization_id}/scopes/{scope_id}/threats/page


Path Parameters


  • organization_id — Unique identifier of the organization
  • scope_id — Identifier of the monitored scope


Query Parameters


  • PageSize — Number of items per page (e.g., 30)
  • PageNumber — Page number (1-indexed)


Example Request


curl --request GET \
--url 'https://app.malanta.ai/api/v1/organizations/{organization_id}/scopes/{scope_id}/threats/page?PageSize=30&PageNumber=1' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'x-api-key: malanta_xxxxxxxxxxxxx'


Example Response


{
  "data": [
    {
      "exposure_id": "855eb38b-a9e0-402f-8cd6-186ee0b81481",
      "root_domain": "acme.com",
      "exposed_asset_name": "https://short.url/acme_com impersonates acme.com using a short URL service, redirecting to malicious-site.com and possibly used for malware delivery or phishing.",
      "exposed_asset_type": "Registered domain",
      "exposed_asset_identifier": "acme.com",
      "exposed_asset_status_timeline": [
        {
          "timestamp": 1767537152,
          "status": "Impersonated"
        }
      ],
      "exposure_type": "Malicious Domain",
      "exposure_scenario_category": "Domain Infrastructure Abuse",
      "exposure_scenario": "Short Url",
      "exposure_root_cause_name": "Short URL domain registration",
      "exposure_root_cause_identifier": "https://short.url/acme_com",
      "exposure_root_cause_metadata": {},
      "exposure_timeline": [],
      "business_impact": {
        "impact_category": "Reputation Damage",
        "impact_summary": "..."
      },
      "attack_analysis": "...",
      "attack_infrastructure": {
        "clusters_ids": ["0474355E-6816-178C-4335-6556B264623F"],
        "status": "completed"
      },
      "exposure_attack_indicators": ["192.0.2.100"]
    }
  ],
  "total_count": 46,
  "page_size": 30,
  "page_number": 1,
  "has_next": true,
  "has_previous": false,
  "next_page": 2,
  "previous_page": null
}


Response Fields


  • data — Array of threat items
  • total_count — Total number of threats
  • page_size — Items per page
  • page_number — Current page number
  • has_next — Whether more pages exist
  • has_previous — Whether previous pages exist
  • next_page — Next page number (or null)
  • previous_page — Previous page number (or null)


Threat Item Fields


  • exposure_id — Unique identifier
  • root_domain — Primary organizational domain being targeted
  • exposed_asset_name — Description of the exposed asset
  • exposed_asset_type — Asset type: one of Registered domain, Subdomain, or IP Address
  • exposed_asset_identifier — The specific asset identifier
  • exposed_asset_status_timeline — Array of status changes with timestamps
  • exposure_type — Classification (e.g., Malicious Domain)
  • exposure_scenario_category — Category (e.g., Domain Infrastructure Abuse)
  • exposure_scenario — Specific scenario (e.g., Short Url)
  • exposure_root_cause_name — Root cause description
  • exposure_root_cause_identifier — Root cause identifier
  • exposure_root_cause_metadata — Additional root cause metadata
  • exposure_timeline — Lifecycle state transitions
  • business_impact — Impact category and summary
  • attack_analysis — Threat analysis narrative
  • attack_infrastructure — Associated cluster IDs and status
  • exposure_attack_indicators — Array of attack indicators (IPs, domains)


Use attack_infrastructure.clusters_ids to pivot from a threat into Malanta's pre-attack infrastructure clusters for deeper investigation and correlation.
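The following is an added example (not Malanta's own client code) showing how to walk every page of the Threats API with has_next/next_page and build a cluster-ID pivot table; the live transport uses the x-api-key header as documented, and the two-page response set at the bottom is constructed so the code runs offline.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://app.malanta.ai/api"

def threats_page_url(org_id, scope_id, page_number, page_size=30):
    """Build the Threats API page URL with its PageSize/PageNumber query parameters."""
    path = f"/v1/organizations/{org_id}/scopes/{scope_id}/threats/page"
    return f"{BASE_URL}{path}?" + urllib.parse.urlencode({"PageSize": page_size, "PageNumber": page_number})

def http_get_json(url, api_key):
    """Live transport: GET with the x-api-key header and parse the JSON body."""
    req = urllib.request.Request(url, headers={"Accept": "application/json", "x-api-key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_threats(org_id, scope_id, api_key, fetch=http_get_json, page_size=30):
    """Yield every threat item, following has_next/next_page until the last page."""
    page = 1
    while page is not None:
        body = fetch(threats_page_url(org_id, scope_id, page, page_size), api_key)
        yield from body["data"]
        page = body["next_page"] if body["has_next"] else None

def cluster_pivot_map(threats):
    """Map each attack_infrastructure cluster ID to the exposure_ids that reference it."""
    pivot = {}
    for item in threats:
        infra = item.get("attack_infrastructure") or {}  # null when no cluster is associated
        if infra.get("status") != "completed":
            continue  # cluster analysis not finished (or absent): nothing to pivot on yet
        for cid in infra.get("clusters_ids", []):
            pivot.setdefault(cid, []).append(item["exposure_id"])
    return pivot

# Constructed two-page response set standing in for the live API (offline demo only).
FAKE_PAGES = {
    1: {"data": [{"exposure_id": "t-1", "attack_infrastructure": {"clusters_ids": ["C-A"], "status": "completed"}},
                 {"exposure_id": "t-2", "attack_infrastructure": None}],
        "has_next": True, "next_page": 2},
    2: {"data": [{"exposure_id": "t-3", "attack_infrastructure": {"clusters_ids": ["C-A", "C-B"], "status": "completed"}}],
        "has_next": False, "next_page": None},
}

def fake_get_json(url, api_key):
    """Offline stand-in for http_get_json: serve FAKE_PAGES keyed by the PageNumber query parameter."""
    page = int(urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["PageNumber"][0])
    return FAKE_PAGES[page]
```

Pass fetch=http_get_json (the default) with a real organization_id, scope_id and API key to run it against the service; the fake transport exists only to exercise the pagination and pivot logic.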



Exposures API


Returns a paginated list of exposed assets for a specific organization and scope.


Endpoint


GET /v1/organizations/{organization_id}/scopes/{scope_id}/exposures/page


Path Parameters


  • organization_id — Unique identifier of the organization
  • scope_id — Identifier of the monitored scope


Query Parameters


  • PageSize — Number of items per page (e.g., 30)
  • PageNumber — Page number (1-indexed)


Example Request


curl --request GET \
--url 'https://app.malanta.ai/api/v1/organizations/{organization_id}/scopes/{scope_id}/exposures/page?PageSize=30&PageNumber=1' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'x-api-key: malanta_xxxxxxxxxxxxx'


Example Response


{
  "data": [
    {
      "exposure_id": "feb6b8fa-28b2-4c51-81f2-5fdcadf5a2f4",
      "root_domain": "example.org",
      "exposed_asset_name": "Device 198.51.100.50 (example.org) is internet-facing and lacks a proper SNMP access control list (ACL), leaving it exposed to brute-force attacks, unauthorized access, and potential data leakage.",
      "exposed_asset_type": "IP Address",
      "exposed_asset_identifier": "198.51.100.50",
      "exposed_asset_status_timeline": [
        {
          "timestamp": 1768679512,
          "status": "Exposed"
        }
      ],
      "exposure_type": "Exposed SNMP Device",
      "exposure_scenario_category": "Weak or Default Authentication",
      "exposure_scenario": "Brute Force Guessable Credentials",
      "exposure_root_cause_name": "Missing ACL",
      "exposure_root_cause_identifier": "SNMP 3",
      "exposure_root_cause_metadata": {},
      "exposure_timeline": [],
      "business_impact": {
        "impact_category": "Operational Disruption",
        "impact_summary": "..."
      },
      "attack_analysis": "...",
      "attack_infrastructure": null,
      "exposure_attack_indicators": ["198.51.100.50"]
    }
  ],
  "total_count": 73,
  "page_size": 30,
  "page_number": 1,
  "has_next": true,
  "has_previous": false,
  "next_page": 2,
  "previous_page": null
}


Response Fields


Same pagination and item structure as the Threats API.



Prevented API


Returns a paginated list of threats and exposures that have been prevented.


Endpoint


GET /v1/organizations/{organization_id}/scopes/{scope_id}/prevented/page


Path Parameters


  • organization_id — Unique identifier of the organization
  • scope_id — Identifier of the monitored scope


Query Parameters


  • PageSize — Number of items per page (e.g., 30)
  • PageNumber — Page number (1-indexed)


Example Request


curl --request GET \
--url 'https://app.malanta.ai/api/v1/organizations/{organization_id}/scopes/{scope_id}/prevented/page?PageSize=30&PageNumber=1' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'x-api-key: malanta_xxxxxxxxxxxxx'


Response Fields


Same pagination and item structure as the Threats and Exposures APIs. Items represent threats or exposures that have been successfully remediated or prevented.


Count Endpoint


To retrieve only the total count of prevented items without fetching the full list:


GET /v1/organizations/{organization_id}/scopes/{scope_id}/prevented/count



IoPA Cluster API


Submit indicators (domains, IPs, email addresses) for pre-attack cluster analysis and retrieve results. This is a two-step asynchronous flow: submit an indicator, then poll for results.


Step 1: Submit Indicator


POST /v1/clusters/scan_iopa


Request Body:


{
  "indicator": "example.it"
}


  • indicator — A domain, IP address, or email address to analyze


Example Request


curl --request POST \
--url 'https://app.malanta.ai/api/v1/clusters/scan_iopa' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'x-api-key: malanta_xxxxxxxxxxxxx' \
--data '{ "indicator": "example.it" }'


Step 2: Poll for Results


GET /v1/clusters/iopa/?indicator={indicator}


  • indicator — The indicator submitted in Step 1 (URL-encoded)


Example Request


curl --request GET \
--url 'https://app.malanta.ai/api/v1/clusters/iopa/?indicator=example.it' \
--header 'Accept: application/json' \
--header 'x-api-key: malanta_xxxxxxxxxxxxx'


Example Response


{
  "clusters": [
    {
      "cluster_id": "A1B2C3D4-E5F6-7890-ABCD-EF1234567890",
      "presigned_url": "https://s3.amazonaws.com/..."
    }
  ],
  "raw_data": {
    "nodes": [],
    "relations": []
  },
  "version": "1.0",
  "status": "completed"
}


Response Fields


  • clusters — Array of cluster objects with cluster_id and presigned_url
  • raw_data — Graph data containing nodes and relations arrays
  • version — API version
  • status — Processing status: in_progress or completed


Polling


When status is in_progress, poll the GET endpoint at 10-second intervals until status changes to completed.


Downloading Cluster Data


Download full cluster data using the presigned_url from each cluster object in the response. These are pre-signed S3 URLs that do not require additional authentication.


curl --request GET \
--url '{presigned_url}'
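The complete submit, poll and download flow described in the steps above, as an added example rather than Malanta's own code: the endpoints, the 10-second polling interval and the in_progress/completed statuses come from this page, while the MAX_POLLS ceiling, the transport callables and the FakeService (which answers in_progress twice before completing) are assumptions so the flow runs offline.

```python
import json
import urllib.parse

BASE_URL = "https://app.malanta.ai/api"
POLL_INTERVAL_S = 10  # polling interval the documentation prescribes
MAX_POLLS = 60        # assumption: stop after ~10 minutes rather than polling forever

def submit_indicator(indicator, api_key, post_json):
    """Step 1: POST /v1/clusters/scan_iopa with {"indicator": ...}; post_json does the HTTP call."""
    body = json.dumps({"indicator": indicator}).encode()
    return post_json(f"{BASE_URL}/v1/clusters/scan_iopa", body, api_key)

def poll_for_clusters(indicator, api_key, get_json, sleep, max_polls=MAX_POLLS):
    """Step 2: GET /v1/clusters/iopa/?indicator=... every 10 s until status is completed."""
    url = f"{BASE_URL}/v1/clusters/iopa/?" + urllib.parse.urlencode({"indicator": indicator})
    for _ in range(max_polls):
        result = get_json(url, api_key)
        if result["status"] == "completed":
            return result
        if result["status"] != "in_progress":
            raise RuntimeError(f"unexpected status {result['status']!r} for {indicator}")
        sleep(POLL_INTERVAL_S)
    raise TimeoutError(f"{indicator}: still in_progress after {max_polls} polls")

def download_clusters(result, get_bytes):
    """Step 3: fetch each cluster's presigned_url; no x-api-key header is sent to S3."""
    return {c["cluster_id"]: get_bytes(c["presigned_url"]) for c in result["clusters"]}

def run_iopa_flow(indicator, api_key, svc):
    """Drive submit -> poll -> download against any object exposing the four transport methods."""
    submit_indicator(indicator, api_key, svc.post_json)
    result = poll_for_clusters(indicator, api_key, svc.get_json, svc.sleep)
    return download_clusters(result, svc.get_bytes)

class FakeService:
    """Constructed offline stand-in for the API: in_progress twice, then completed with one cluster."""
    def __init__(self):
        self.polls, self.slept, self.submitted = 0, [], []
    def post_json(self, url, body, api_key):
        self.submitted.append(json.loads(body)["indicator"])
        return {"status": "in_progress"}
    def get_json(self, url, api_key):
        self.polls += 1
        done = self.polls >= 3
        clusters = [{"cluster_id": "CL-1", "presigned_url": "https://s3.amazonaws.com/fake/CL-1"}] if done else []
        return {"clusters": clusters, "raw_data": {"nodes": [], "relations": []}, "status": "completed" if done else "in_progress"}
    def get_bytes(self, url):
        return b'{"nodes": [], "relations": []}'  # constructed cluster payload
    def sleep(self, seconds):
        self.slept.append(seconds)  # record the wait instead of actually sleeping
```

To run against the live service, supply an object whose post_json/get_json send the documented headers over HTTP, whose get_bytes fetches the presigned URL without the API key, and whose sleep is time.sleep.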



STIX/TAXII Feed API


Retrieve general and targeted attack infrastructure clusters in STIX 2.1 format via the TAXII 2 protocol.


The STIX/TAXII Feed API uses Bearer token authentication (not the x-api-key header used by other endpoints).


Base URL


https://app.malanta.ai/feeds/taxii2


Authentication


Authorization: Bearer malanta_xxxxxxxxxxxxx


Endpoints


  • Discovery — GET /feeds/taxii2/default
  • Collections — GET /feeds/taxii2/default/collections
  • Get Objects — GET /feeds/taxii2/default/collections/{collection_id}/objects


Query Parameters


  • next — Cursor for pagination (base64-encoded, returned in previous response)


Example Request


curl -s \
-H "Authorization: Bearer malanta_xxxxxxxxxxxxx" \
-H "Accept: application/json" \
"https://app.malanta.ai/feeds/taxii2/default/collections/targeting-pre-attack-indicators/objects"


Paginated Request


curl -s \
-H "Authorization: Bearer malanta_xxxxxxxxxxxxx" \
-H "Accept: application/json" \
"https://app.malanta.ai/feeds/taxii2/default/collections/targeting-pre-attack-indicators/objects?next=eyJwYWdlX251bSI6MiwicGFnZV9zeiI6MTAwfQ"


STIX Object Types


The Malanta STIX/TAXII feed contains multiple STIX 2.1 object types representing pre-attack infrastructure and threat intelligence:


  • indicator — Pre-attack indicators (IoPA) with pattern expressions
  • infrastructure — Attack infrastructure elements (domains, IPs, certificates)
  • relationship — Links between indicators, infrastructure, and threat actors
  • identity — Targeted organizations and threat actor identities
  • grouping — Attack infrastructure clusters grouping related objects
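An added example (not Malanta's own code) of reading a whole collection through the Get Objects endpoint by following the next cursor, then tallying the STIX 2.1 object types listed above and flagging any type the feed is not documented to carry. It assumes the TAXII 2.1 envelope shape ("more", "next", "objects"); the cursor values and STIX IDs in FAKE_ENVELOPES are constructed so the code runs offline.

```python
import collections
import urllib.parse

TAXII_BASE = "https://app.malanta.ai/feeds/taxii2/default"
DOCUMENTED_TYPES = {"indicator", "infrastructure", "relationship", "identity", "grouping"}

def objects_url(collection_id, cursor=None):
    """Build the Get Objects URL, appending ?next=<cursor> when continuing a paginated read."""
    url = f"{TAXII_BASE}/collections/{collection_id}/objects"
    return f"{url}?{urllib.parse.urlencode({'next': cursor})}" if cursor else url

def iter_collection_objects(collection_id, token, get_json, max_pages=1000):
    """Yield every object in the collection, following the `next` cursor page by page.
    Assumes the TAXII 2.1 envelope {"more": bool, "next": str, "objects": [...]}; Bearer auth is used."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    cursor, seen = None, set()
    for _ in range(max_pages):
        envelope = get_json(objects_url(collection_id, cursor), headers)
        yield from envelope.get("objects", [])
        cursor = envelope.get("next")
        if not envelope.get("more") or not cursor:
            return
        if cursor in seen:  # a server handing back the same cursor would otherwise loop forever
            raise RuntimeError(f"repeated TAXII cursor {cursor!r}")
        seen.add(cursor)
    raise RuntimeError(f"gave up after {max_pages} pages")

def summarize(objects):
    """Count objects per STIX type and report any type the feed is not documented to carry."""
    counts = collections.Counter(o["type"] for o in objects)
    return dict(counts), sorted(set(counts) - DOCUMENTED_TYPES)

# Constructed two-page TAXII envelope set (fake cursors and IDs, not real feed content).
FAKE_ENVELOPES = {
    None: {"more": True, "next": "Y3Vyc29yLTI=", "objects": [
        {"type": "indicator", "id": "indicator--0001", "pattern": "[domain-name:value = 'fake.example']"},
        {"type": "infrastructure", "id": "infrastructure--0001"},
        {"type": "relationship", "id": "relationship--0001", "relationship_type": "indicates",
         "source_ref": "indicator--0001", "target_ref": "infrastructure--0001"}]},
    "Y3Vyc29yLTI=": {"more": False, "objects": [
        {"type": "grouping", "id": "grouping--0001", "object_refs": ["indicator--0001"]},
        {"type": "identity", "id": "identity--0001"}]},
}

def fake_get_json(url, headers):
    """Offline stand-in for the HTTP transport: serve FAKE_ENVELOPES keyed by the next cursor."""
    assert headers["Authorization"].startswith("Bearer "), "feed requires a Bearer token"
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return FAKE_ENVELOPES[query["next"][0] if "next" in query else None]
```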

Updated on: 09/04/2026
