Trusted By Industry Leaders

Structured threat intelligence for IP addresses

The Threat Enrichment API provides structured intelligence for IP addresses observed across the internet. Instead of simple reputation scores, it delivers infrastructure-level context built from live scanning, validation, and ongoing monitoring.


Each response combines multiple intelligence layers into a single, automation-ready result.

Threat Enrichment Data Included

Certificates & Cryptography

TLS certificates, serial numbers, issuers, fingerprints, and observed usage patterns.

Malware & Tooling Signals

Malware families, tooling indicators, and infrastructure linked to known threats.

Network & Protocol Fingerprinting

JA4 and protocol-level fingerprints revealing behavioral patterns across infrastructure.

Exposed Infrastructure

Open directories, exposed services, and misconfigured assets observed in the wild.

Honeypots & Deception Signals

Indicators showing interaction with honeypots or research infrastructure.

Phishing & Abuse Indicators

Infrastructure associated with phishing or abuse campaigns when observed.

{
  "certificate_uuid": "2308568BF69FA6EDAD031AA7A732D59EDA9A6B2490C30CC9E665BD15B946DAFE",
  "subject_details": {
    "common_name": "Major Cobalt Strike",
    "country": null
  },
  "validity_period": {
    "not_before": "2024-03-11T08:16:35",
    "not_after": "2024-06-09T08:16:35"
  },
  "timestamps": {
    "first_seen": "2024-03-17T07:36:49",
    "last_seen": "2024-06-23T07:36:24"
  },
  "identifiers": {
    "serial_number": "971914974",
    "hash_sha256": "D3D5759DFB5CC168DBF64F79D5F7006025C0AAA9BBF390B54DC1F125A358EF03",
    "hash_sha1": "026F22DC7A8DB69B730EA4359A3569FE783E1768",
    "hash_md5": "0DA94C4DEC96C6E378DD6D02BE885B64",
    "ja4x_fingerprint": "2166164053c1_2166164053c1_30d204a01551"
  }
}
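
How a pipeline might triage the certificate block above, as an added example (not Hunt's code, and it makes no API calls): it validates the hash fields before ingest, then flags a certificate still observed after its not_after date and a subject common name on a watchlist. The field names come from the sample response; the function names, the finding labels, the one-entry watchlist and the assumption that all timestamps share one time zone are illustrative.

```python
import json
import re
from datetime import datetime

# Certificate block as shown in the page's sample response (closing brace restored).
SAMPLE = """{
  "certificate_uuid": "2308568BF69FA6EDAD031AA7A732D59EDA9A6B2490C30CC9E665BD15B946DAFE",
  "subject_details": {"common_name": "Major Cobalt Strike", "country": null},
  "validity_period": {"not_before": "2024-03-11T08:16:35", "not_after": "2024-06-09T08:16:35"},
  "timestamps": {"first_seen": "2024-03-17T07:36:49", "last_seen": "2024-06-23T07:36:24"},
  "identifiers": {
    "serial_number": "971914974",
    "hash_sha256": "D3D5759DFB5CC168DBF64F79D5F7006025C0AAA9BBF390B54DC1F125A358EF03",
    "hash_sha1": "026F22DC7A8DB69B730EA4359A3569FE783E1768",
    "hash_md5": "0DA94C4DEC96C6E378DD6D02BE885B64",
    "ja4x_fingerprint": "2166164053c1_2166164053c1_30d204a01551"
  }
}"""

# Constructed watchlist: the CN of the default Cobalt Strike TLS certificate.
DEFAULT_C2_CNS = {"major cobalt strike"}
HASH_LEN = {"hash_sha256": 64, "hash_sha1": 40, "hash_md5": 32}

def load_sample():
    return json.loads(SAMPLE)

def triage_certificate(record):
    """Return (findings, errors); timestamps are assumed to share one time zone."""
    findings, errors = [], []
    ids = record.get("identifiers") or {}
    for field, length in HASH_LEN.items():
        value = ids.get(field) or ""
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % length, value):
            errors.append(f"{field}: malformed")
    try:
        not_after = datetime.fromisoformat(record["validity_period"]["not_after"])
        last_seen = datetime.fromisoformat(record["timestamps"]["last_seen"])
    except (KeyError, TypeError, ValueError) as exc:
        errors.append(f"timestamps: {exc!r}")
        return findings, errors
    if last_seen > not_after:  # still being served after the certificate expired
        findings.append(f"served_after_expiry:{(last_seen - not_after).days}d")
    cn = ((record.get("subject_details") or {}).get("common_name") or "").strip().lower()
    if cn in DEFAULT_C2_CNS:
        findings.append("default_c2_certificate_cn")
    return findings, errors

if __name__ == "__main__":
    print(triage_certificate(load_sample()))
```

Records that come back with a non-empty error list are better quarantined than scored, since a malformed hash or timestamp usually means the schema changed or the record was truncated.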


Threat Enrichment API Built for Modern Security Teams

Start from a single IP and uncover attacker infrastructure, tooling, and exposure signals before incidents escalate.

Why our Threat Enrichment API Is Different

Built From Live Scanning

All enrichment is powered by Hunt’s own internet-wide scanning and validation.

Designed for Automation

Consistent schemas, timestamps, and structured fields designed for pipelines and integrations.

Infrastructure Context Over Raw IOCs

Understand how an IP fits into attacker infrastructure, not just whether it appeared in a list.

Who Uses our Threat Enrichment API

SOC & Incident Response Teams

Enrich alerts with infrastructure context to triage incidents faster.

Threat Hunters & Researchers

Pivot from a single IP into tooling, certificates, directories, and campaign signals.

Security Platforms & OEMs

Embed threat enrichment directly into products via API.

Get Started With The Threat Enrichment API

Get your API key and start enriching IP addresses immediately.

Frequently asked questions

What does the Threat Enrichment API return for an IP?

Structured enrichment blocks including certificates, malware signals, network and protocol fingerprints, exposed directories, phishing indicators, and timestamps showing observed activity.

How is this different from reputation or blacklist APIs?

The API focuses on infrastructure behavior and attacker tooling rather than static reputation scores.

How do I access the Threat Enrichment API?

Access is provided via API key and standard REST requests.

What formats are supported?

Responses are available in JSON and GZ formats.