List Threat Indicators

Retrieve paginated lists of threat indicators from the OrbGuard intelligence database, with specialized endpoints for Pegasus and mobile threats.

List All Indicators

Retrieve a paginated list of threat indicators from the OrbGuard intelligence database. Use query parameters to filter by type, severity, and search terms.

GET /api/v1/intelligence

List threat indicators with filtering and pagination

Authentication: Bearer Token

| Parameter | Type | Required | Description |
|---|---|---|---|
| limit | integer | Optional | Number of results to return per page. Default: 100, maximum: 1000 |
| offset | integer | Optional | Number of results to skip for pagination. Default: 0 |
| type | string | Optional | Filter by indicator type. Can be repeated for multiple types. Values: domain, ip, hash |
| severity | string | Optional | Filter by severity level. Can be repeated for multiple levels. Values: critical, high, medium, low, info |
| search | string | Optional | Free-text search across indicator values, descriptions, and tags |

Repeatable Parameters

The type and severity parameters can be repeated to filter for multiple values. For example: ?type=domain&type=ip&severity=critical&severity=high returns domains and IPs with critical or high severity.

# List all indicators with default pagination
curl -X GET "https://guard.orbai.world/api/v1/intelligence" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Filter by type and severity
curl -X GET "https://guard.orbai.world/api/v1/intelligence?type=domain&type=ip&severity=critical&severity=high&limit=50" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Search for specific indicators
curl -X GET "https://guard.orbai.world/api/v1/intelligence?search=pegasus&limit=25" \
  -H "Authorization: Bearer YOUR_API_KEY"

200 Paginated list of threat indicators
{
  "data": [
    {
      "id": "ioc_7f8a9b2c3d4e",
      "value": "malicious-c2.example.com",
      "type": "domain",
      "severity": "critical",
      "confidence": 98,
      "description": "Pegasus C2 domain used for iOS zero-click exploit delivery.",
      "tags": ["pegasus", "c2", "zero-click", "nso-group"],
      "platforms": ["ios"],
      "source_name": "orbguard-crawlers",
      "first_seen": "2025-06-10T08:00:00Z",
      "last_seen": "2026-02-07T14:30:00Z",
      "mitre_techniques": ["T1566.002", "T1190"],
      "cve_ids": ["CVE-2023-41064", "CVE-2023-41061"],
      "report_count": 156
    },
    {
      "id": "ioc_3a4b5c6d7e8f",
      "value": "198.51.100.45",
      "type": "ip",
      "severity": "high",
      "confidence": 91,
      "description": "IP hosting Predator spyware command-and-control infrastructure.",
      "tags": ["predator", "cytrox", "c2"],
      "platforms": ["android", "ios"],
      "source_name": "partner-intel",
      "first_seen": "2025-09-20T12:00:00Z",
      "last_seen": "2026-02-06T22:15:00Z",
      "mitre_techniques": ["T1071.001", "T1573.002"],
      "cve_ids": [],
      "report_count": 83
    }
  ],
  "total": 24589,
  "limit": 50,
  "offset": 0,
  "has_more": true,
  "next_cursor": "eyJvZmZzZXQiOjUwfQ=="
}

400 Invalid query parameters
{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid severity value. Must be one of: critical, high, medium, low, info"
  }
}

List Pegasus Indicators

Retrieve indicators specifically related to NSO Group's Pegasus spyware. This endpoint returns domains, IPs, and hashes associated with Pegasus infrastructure, exploits, and payloads.

GET /api/v1/intelligence/pegasus

List Pegasus-specific threat indicators

Authentication: Bearer Token

| Parameter | Type | Required | Description |
|---|---|---|---|
| limit | integer | Optional | Number of results to return per page. Default: 100, maximum: 1000 |
| offset | integer | Optional | Number of results to skip for pagination. Default: 0 |
| type | string | Optional | Filter by indicator type. Can be repeated. Values: domain, ip, hash |
| severity | string | Optional | Filter by severity level. Can be repeated. Values: critical, high, medium, low, info |
| search | string | Optional | Free-text search across Pegasus indicator values, descriptions, and tags |

# List all Pegasus indicators
curl -X GET "https://guard.orbai.world/api/v1/intelligence/pegasus?limit=100" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Filter for critical Pegasus domains
curl -X GET "https://guard.orbai.world/api/v1/intelligence/pegasus?type=domain&severity=critical" \
  -H "Authorization: Bearer YOUR_API_KEY"

200 Paginated list of Pegasus-specific indicators
{
  "data": [
    {
      "id": "ioc_peg_001",
      "value": "pegasus-c2-node.example.net",
      "type": "domain",
      "severity": "critical",
      "confidence": 99,
      "description": "Confirmed Pegasus C2 domain used in zero-click iMessage exploit chain targeting journalists and activists.",
      "tags": ["pegasus", "nso-group", "zero-click", "imessage", "c2"],
      "platforms": ["ios"],
      "source_name": "orbguard-research",
      "first_seen": "2025-04-18T10:00:00Z",
      "last_seen": "2026-02-07T16:20:00Z",
      "mitre_techniques": ["T1190", "T1566.002", "T1059"],
      "cve_ids": ["CVE-2023-41064"],
      "report_count": 234
    }
  ],
  "total": 1847,
  "limit": 100,
  "offset": 0,
  "has_more": true,
  "next_cursor": "eyJvZmZzZXQiOjEwMH0="
}

Sensitive Intelligence

Pegasus indicators are sourced from verified forensic investigations and trusted intelligence partners. Handle this data with care and follow responsible disclosure practices. Do not share raw indicators publicly without proper context.


List Mobile Threat Indicators

Retrieve indicators specifically targeting mobile platforms (iOS and Android). This includes spyware, stalkerware, mobile malware, and mobile-specific phishing infrastructure.

GET /api/v1/intelligence/mobile

List mobile-specific threat indicators

Authentication: Bearer Token

| Parameter | Type | Required | Description |
|---|---|---|---|
| limit | integer | Optional | Number of results to return per page. Default: 100, maximum: 1000 |
| offset | integer | Optional | Number of results to skip for pagination. Default: 0 |
| type | string | Optional | Filter by indicator type. Can be repeated. Values: domain, ip, hash |
| severity | string | Optional | Filter by severity level. Can be repeated. Values: critical, high, medium, low, info |
| search | string | Optional | Free-text search across mobile indicator values, descriptions, and tags |

# List all mobile threat indicators
curl -X GET "https://guard.orbai.world/api/v1/intelligence/mobile?limit=50" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Filter for high-severity mobile hashes (malware samples)
curl -X GET "https://guard.orbai.world/api/v1/intelligence/mobile?type=hash&severity=high&severity=critical" \
  -H "Authorization: Bearer YOUR_API_KEY"

200 Paginated list of mobile-specific indicators
{
  "data": [
    {
      "id": "ioc_mob_001",
      "value": "d41d8cd98f00b204e9800998ecf8427e",
      "type": "hash",
      "severity": "critical",
      "confidence": 97,
      "description": "SHA256 hash of Predator spyware implant targeting Android 13+ devices via zero-day exploit.",
      "tags": ["predator", "cytrox", "android", "zero-day", "implant"],
      "platforms": ["android"],
      "source_name": "orbguard-research",
      "first_seen": "2025-11-05T08:00:00Z",
      "last_seen": "2026-02-04T11:30:00Z",
      "mitre_techniques": ["T1398", "T1407", "T1417"],
      "cve_ids": ["CVE-2024-31497"],
      "report_count": 67
    },
    {
      "id": "ioc_mob_002",
      "value": "stalkerware-tracker.example.com",
      "type": "domain",
      "severity": "high",
      "confidence": 94,
      "description": "C2 domain for commercial stalkerware application marketed as 'parental control' software.",
      "tags": ["stalkerware", "tracking", "privacy-violation"],
      "platforms": ["android", "ios"],
      "source_name": "community-feed",
      "first_seen": "2025-07-12T14:00:00Z",
      "last_seen": "2026-02-07T20:45:00Z",
      "mitre_techniques": ["T1430", "T1512", "T1429"],
      "cve_ids": [],
      "report_count": 189
    }
  ],
  "total": 8932,
  "limit": 50,
  "offset": 0,
  "has_more": true,
  "next_cursor": "eyJvZmZzZXQiOjUwfQ=="
}

Pagination with Cursor

For efficient pagination through large result sets, use the next_cursor value from the response. Standard offset and limit parameters also work and allow direct page access.
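
The following Python example is added here and is not OrbGuard's own client code. It builds the repeated type and severity parameters described under Repeatable Parameters and walks a result set with offset and limit until has_more is false; it pages by offset because this page does not name a request parameter for next_cursor. The function names, the max_pages guard and the injected fetch callable are assumptions of this example.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE = "https://guard.orbai.world/api/v1/intelligence"
TYPES = {"domain", "ip", "hash"}
SEVERITIES = {"critical", "high", "medium", "low", "info"}
MAX_LIMIT = 1000  # documented maximum page size


def build_url(endpoint="", types=(), severities=(), search=None, limit=100, offset=0):
    """Build a list URL; endpoint is "", "/pegasus" or "/mobile"."""
    bad = (set(types) - TYPES) | (set(severities) - SEVERITIES)
    if bad:
        # Reject values outside the documented lists before sending them
        # (the page shows a 400 VALIDATION_ERROR for a bad severity).
        raise ValueError(f"unsupported filter value(s): {sorted(bad)}")
    if not 1 <= limit <= MAX_LIMIT or offset < 0:
        # The lower bound of 1 is an assumption; the page states only the maximum.
        raise ValueError("limit must be 1..1000 and offset must be >= 0")
    params = {"type": list(types), "severity": list(severities),
              "limit": limit, "offset": offset}
    if search:
        params["search"] = search
    # doseq=True repeats the key once per value: type=domain&type=ip
    return BASE + endpoint + "?" + urlencode(params, doseq=True)


def http_fetch(url, api_key):
    """Perform one authenticated GET and return the decoded JSON body."""
    req = Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_indicators(fetch, max_pages=1000, **filters):
    """Yield every matching indicator, advancing offset until has_more is false."""
    offset = filters.pop("offset", 0)
    for _ in range(max_pages):
        page = fetch(build_url(offset=offset, **filters))
        rows = page.get("data", [])
        yield from rows
        if not page.get("has_more") or not rows:
            return  # last page, or an empty page that would otherwise loop forever
        offset += len(rows)
    raise RuntimeError("max_pages reached before has_more became false")
```

Against the live API, pass a callable that supplies the key, for example iter_indicators(lambda u: http_fetch(u, api_key), endpoint="/mobile", types=["hash"], severities=["critical", "high"]).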