API Documentation

Programmatic access to Security Intel Hub threat intelligence. Integrate with your SIEM, SOAR, Slack, or custom tools.

Quick Start

RSS Feed: Subscribe to /feed.xml in any RSS reader for the latest 50 articles.

Search: GET /api/search?q=ransomware — no auth needed.

Ingest: POST /api/ingest with Authorization: Bearer KEY to pull fresh articles.

Authentication

Public endpoints (search, subscribe, RSS) require no authentication. Write endpoints (ingest, classify, digest) require a Bearer token.

Authorization: Bearer YOUR_INGEST_API_KEY

Set INGEST_API_KEY as an environment variable on your deployment.

Endpoints

GET /feed.xml

RSS 2.0 feed of the latest 50 articles. Subscribe in any RSS reader, SIEM, or Slack RSS bot.

Example

curl https://your-site.vercel.app/feed.xml

GET /api/search?q={query}

Search articles, CVEs, and threat actors. Returns grouped results.

Parameters

q (string, required): Search query (min 2 chars)

Example

curl "https://your-site.vercel.app/api/search?q=fortinet"

Response

{
  "articles": [{ "title": "...", "slug": "...", "threat_level": "critical", "source": "..." }],
  "actors": [{ "id": "unc3886", "name": "UNC3886", "origin": "China" }],
  "cves": [{ "cve": "CVE-2026-48788", "articleTitle": "...", "slug": "..." }]
}
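
For the SIEM integration this page mentions, here is an added example (not part of the Security Intel Hub code base) that builds the documented search request and flattens the grouped response into single-line events. It treats feed fields as untrusted: control characters are stripped and malformed CVE IDs are dropped. The helper names, the 512-character cap and the SAMPLE data are assumptions made for illustration.

```python
import json
import re
import urllib.parse
import urllib.request

BASE_URL = "https://your-site.vercel.app"  # placeholder host from this page
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def build_search_url(query, base_url=BASE_URL):
    """Build the /api/search URL; the docs require q to be at least 2 chars."""
    query = query.strip()
    if len(query) < 2:
        raise ValueError("q must be at least 2 characters")
    return base_url + "/api/search?" + urllib.parse.urlencode({"q": query})

def _clean(value, limit=512):  # 512 is an assumed cap, not an API limit
    """Single-line, length-capped string so a feed field cannot forge log lines."""
    text = "" if value is None else str(value)
    return "".join(ch for ch in text if ch.isprintable())[:limit]

def _events(payload, group, kind, fields):
    """Build one flat event per dict in a group; tolerate missing or odd groups."""
    rows = payload.get(group, []) if isinstance(payload, dict) else []
    return [{"type": kind, **{f: _clean(r.get(f)) for f in fields}}
            for r in (rows if isinstance(rows, list) else []) if isinstance(r, dict)]

def flatten_results(payload):
    """Flatten the grouped response into article, actor and CVE events."""
    events = _events(payload, "articles", "article",
                     ("title", "slug", "threat_level", "source"))
    events += _events(payload, "actors", "actor", ("id", "name", "origin"))
    for e in _events(payload, "cves", "cve", ("cve", "articleTitle", "slug")):
        e["cve"] = e["cve"].upper()
        if CVE_RE.fullmatch(e["cve"]):  # drop malformed IDs instead of indexing them
            events.append(e)
    return events

def search(query, timeout=10):
    """Live call (needs network): fetch and flatten results for one query."""
    with urllib.request.urlopen(build_search_url(query), timeout=timeout) as resp:
        return flatten_results(json.load(resp))

SAMPLE = {  # constructed sample shaped like the documented response, two hostile fields
    "articles": [{"title": "Fortinet RCE\nlevel=info forged", "slug": "fortinet-rce",
                  "threat_level": "critical", "source": "Example Source"}],
    "actors": [{"id": "unc3886", "name": "UNC3886", "origin": "China"}],
    "cves": [{"cve": "cve-2026-48788", "articleTitle": "Fortinet RCE", "slug": "fortinet-rce"},
             {"cve": "CVE-2026-1 OR 1=1", "articleTitle": "x", "slug": "x"}],
}
```

Serialise each event with json.dumps before forwarding it, so quoting inside titles is escaped by the encoder rather than by string concatenation.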

POST /api/ingest (Auth)

Trigger feed ingestion from all 10+ sources. Deduplicates automatically. Sends Slack alerts for critical/zero-day articles.

Example

curl -X POST https://your-site.vercel.app/api/ingest \
  -H "Authorization: Bearer YOUR_INGEST_API_KEY"

Response

{
  "success": true,
  "ingested": { "BleepingComputer": 5, "CISA KEV": 2, "NIST NVD": 8 },
  "total": 15,
  "sources_checked": 10,
  "errors": []
}

POST /api/classify (Auth)

Submit raw threat intelligence text. Claude AI classifies it (severity, category, CVEs, actors, industries) and publishes it as a structured article.

Parameters

raw_text (string, required): Raw threat intel text to classify
source (string): Source name (default: Manual Submission)
source_url (string): URL of original source

Example

curl -X POST https://your-site.vercel.app/api/classify \
  -H "Authorization: Bearer YOUR_INGEST_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"raw_text": "Fortinet has disclosed a critical...", "source": "Fortinet PSIRT"}'

Response

{
  "success": true,
  "article": { "id": "...", "slug": "fortinet-critical-rce-..." },
  "classification": {
    "threat_level": "critical",
    "category": "vulnerability",
    "cves": ["CVE-2026-48788"],
    "threat_actors": ["UNC3886"],
    "industries": ["government", "finance"]
  }
}

POST /api/subscribe

Subscribe an email to the daily threat briefing newsletter.

Parameters

email (string, required): Email address to subscribe

Example

curl -X POST https://your-site.vercel.app/api/subscribe \
  -H "Content-Type: application/json" \
  -d '{"email": "soc@company.com"}'

Response

{ "success": true, "message": "Subscribed to daily briefing" }

POST /api/digest (Auth)

Trigger sending of the daily email digest to all active subscribers. Includes articles from the last 24 hours.

Example

curl -X POST https://your-site.vercel.app/api/digest \
  -H "Authorization: Bearer YOUR_INGEST_API_KEY"

Data Sources

CISA KEV, NIST NVD, BleepingComputer, The Hacker News, Krebs on Security, Dark Reading, SecurityWeek, CyberScoop, The Record, Threatpost

Integrations

Slack: Set SLACK_WEBHOOK_URL for automatic critical threat alerts.
Email: Set RESEND_API_KEY for daily digest emails.
Cron: External cron hits GET /api/ingest-cron with Authorization: Bearer KEY every 5 min.