API Access
Enterprise-grade threat intelligence API for public-sector organizations, journalists, security teams, researchers, and analysts requiring programmatic access to dark web monitoring data.
Cited by leading publications
Production-Ready Intelligence API
Direct integration into SIEM platforms, threat intelligence tools, security dashboards, and automated enrichment workflows.
30+
API Endpoints
Real-time
Threat Updates
24/7
Data Collection
$3,000/year
One-time annual payment • No auto-renewal • Monthly plans not available • Contact for multi-year pricing
Reminder emails are sent at 30 and 7 days before expiration , no surprise charges, ever.
Payment button below ↓
Common Use Cases
Ingest threat actor alerts directly into Splunk, Sentinel, or QRadar for correlation and alerting
Query IOC history and ransomware victim data to identify targeting patterns and infrastructure overlaps
Build real-time executive dashboards showing active threat actors, victim statistics, and trending groups
Export bulk datasets for academic research, threat landscape analysis, and model training
Built for your security stack
JSON-native REST API, compatible with any platform that accepts external data sources
Sample Response: /get_latest
{
"uuid": "POST-D5C03F94D492D60A",
"title": "Alleged data breach of Apex Hospitals",
"category": "Data Breach",
"content": "The threat actor claims to have breached data from Apex Hospitals,
allegedly containing Employee PII, payroll records, Social Security
numbers, complete patient medical records, clinical documentation,
doctor and nurse notes, mental health records and more.",
"date": "2026-02-24T10:47:37Z",
"network": "openweb",
"threat_actors": "██████████",
"victim_country": "India",
"victim_industry": "Hospital & Health Care",
"victim_organization": "apex hospitals",
"victim_site": "apexhospitals.com",
"published_url": "https://██████████.██/Thread-██████████",
"screenshots": [
"https://██████████/██████████.png"
]
}
Live data from the Dark Web Informer threat feed, updated in real time as threat actors publish new content. Screenshot URLs are included where available for threat feed and ransomware feed entries.
API Capabilities
- Live threat intelligence feed with endpoints for latest alert, recent alerts, and per-actor timelines
- Full raw unredacted feed access, including a PLUS view that excludes ransomware for safer enrichment pipelines
- Searchable archive for titles and descriptions to pivot on keywords across the dataset
- Aggregated stats for threat actors, categories, victim countries, industries, networks, and organizations
- IOC (Indicator of Compromise) history with JSON and CSV export options
- Ransomware victim intelligence with per-group feeds, statistics, and exportable JSON
- Bulk JSON and CSV exports for threat feed, IOC history, and ransomware data
- Screenshots are included for threat feed and ransomware feed entries only; no screenshot data is provided for other data types (e.g. IOCs, stats endpoints)
- Access to more than 30 production-grade endpoints built for automation, dashboards, and research
- Commercial Use License: API access includes commercial internal use for security operations, monitoring, research, and defensive cybersecurity within your organization. Resale, redistribution, or third-party access is prohibited without a separate agreement.
Technical Details
- Authentication requires X-API-Key and X-Nonce headers for all requests
- Nonce system: 120-second window, single-use per request to prevent replay attacks
- Rate limits: 5 requests per minute (per IP and per API key), 2 per minute for exports, 8 per minute for upstream/R2 operations
- Daily quota: 50 requests per day (resets at 00:00 UTC). Higher limits and enterprise access are available upon request; please contact for custom plans.
- Ransomware screenshot rate limit: 60 requests per 20 minutes per API key. Screenshots are served via a proxied endpoint. This separate rate limit applies to ransomware feed screenshots only; threat feed screenshots are not separately rate limited. Screenshots are available for threat feed and ransomware feed entries only.
- Standard rate-limit headers included in all responses (RateLimit-* and X-RateLimit-Day-*)
- Full endpoint documentation, examples, and schema descriptions provided automatically after purchase
- Screenshots served via the API are delivered without watermarks; this may be subject to change at Dark Web Informer's discretion
- Image content may be redacted at Dark Web Informer's discretion for compliance or safety reasons
⚠️ Important: Website subscription access is not included with API Access. API Access is a separate product and is not included with website subscriber plans.
Frequently Asked Questions
How quickly will I receive API access after purchase?
API credentials and full documentation are automatically sent to your email within 5 minutes of payment confirmation. If you don't receive access within 15 minutes, contact support immediately.
What is your refund policy?
Due to the immediate access nature of digital API credentials, all sales are final. No refunds are provided after credentials are issued.
What happens when my annual subscription expires?
API access automatically terminates at the end of your 365-day period. We do not auto-renew subscriptions. You'll receive email reminders at 30 days and 7 days before expiration with instructions to renew if desired.
Do you offer monthly plans?
No. API access is offered on an annual basis only.
Do you offer free trials or discounts?
No. API access is offered at a flat annual rate with no trials, discounts, or promotional pricing. The rate is the same for all customers.
Can I share my API key with team members?
No. API keys are licensed for single-organization internal use only. Credential sharing, reselling data, or providing access to third parties violates the Terms of Service and will result in immediate termination without refund. Send a message for multi-seat enterprise licensing.
What constitutes API abuse or excessive usage?
Abuse includes: exceeding rate limits through distributed requests, credential sharing, scraping for resale, automated bulk downloading beyond normal operational needs, or any activity that degrades service for other users. Normal security operations, SIEM ingestion, and research queries are fully permitted within rate limits.
Do you provide technical support for API integration?
Yes. The email support address is available within the email that provides you with your API key. Typical response times under 24 hours for technical questions, integration assistance, and troubleshooting. While we're happy to help clarify API usage and expected behavior, support does not extend to building or maintaining custom scripts or application-specific code.
How far back does the historical data go?
The API provides access to a broad and continuously expanding Dark Web Informer intelligence dataset, offering a searchable collection of threat actor activity, ransomware disclosures, and related intelligence tracked by the platform. The dataset currently includes over 64,300+ threat feed alerts and 26,200+ ransomware feed alerts, updated in real time as threat actors publish new content. Screenshots are available for threat feed and ransomware feed entries where captured; no screenshot data is provided for other data types. It also includes a comprehensive historical repository of more than 178,300+ indicators of compromise (IOCs) sourced from a trusted third-party vendor. Additional capabilities include exports to most major intelligence feeds, an expanding curated cybersecurity news feed from reliable outlets, and more.
What is your service availability?
The API is actively maintained and monitored. While we don't guarantee specific uptime percentages, the service is designed for 24/7 operation with redundancy built in. Any extended outages or maintenance windows are communicated via all socials and via the uptime page.
API access is governed by Dark Web Informer's Terms of Service and Acceptable Use Policy. API data may be used within your own internal tools, platforms, and security infrastructure but may not be resold, republished, or shared with third parties outside your organization. Violations including fraud, abuse, excessive scraping, or credential sharing will result in immediate termination without refund. By purchasing, you agree to use this intelligence exclusively for lawful security research, threat detection, and defensive cybersecurity purposes.
Latest
