Threat Intelligence API for Security Teams
Raw threat feeds tell you an IP is "bad." Port Six tells you why — with behavioral classification, malware attribution, and risk scoring delivered via a fast REST API that integrates directly into your SIEM, firewall, and SOC workflows.
Intelligence, Not Indicators
Every observable comes with context:
- Behavioral classification — C2, phishing, ransomware, cryptomining
- Malware attribution — Cobalt Strike, Emotet, AsyncRAT, 100+ families
- Temporal analysis — First seen, last active, freshness
Actionable Scoring
Tune your detection thresholds:
- Risk Score (0-100) — How dangerous is this?
- Confidence Score (0-100) — How certain are we?
Block when both risk and confidence are high. Alert on medium.
Works With Your Stack
Export in formats your tools understand:
- EDL — Palo Alto, Fortinet, Cisco
- STIX/TAXII — Standard threat sharing
- JSON/CSV — Bulk import anywhere
The Difference
Same query. Different intelligence.
GET /api/ip/185.220.101.45

{
  "ip": "185.220.101.45",
  "malicious": true,
  "threat_type": "tor",
  "last_updated": "2024-03-15"
}

GET /v1/ip/185.220.101.45

{
  "value": "185.220.101.45",
  "status": "active",
  "risk_score": 43.74,
  "geo": {
    "country_name": "Germany",
    "city": "Berlin"
  },
  "asn": {
    "asn": 60729,
    "org_name": "TORSERVERS-NET"
  },
  "rdns": {
    "hostname": "tor-exit-45.for-privacy.net"
  },
  "threat_intel": {
    "tags": [
      "Anon: Tor", "Anon: Vpn", "Attacks",
      "Brute Force", "Protocol: SSH", "Protocol: SIP"
    ],
    "sources": [
      "alienvault_otx",
      "greensnow-blocklist",
      "ssh-bruteforce"
    ],
    "first_seen": "2025-12-01T03:14:09Z",
    "last_seen": "2025-12-30T06:44:02Z",
    "confidence": 90
  },
  "relationships": [{
    "relationship_type": "resolves_to",
    "target_value": "for-privacy.net",
    "confidence": 0.85
  }]
}

Why It Matters
A binary "malicious: true" verdict forces your team to research every alert. With enriched context, you immediately know this is a Tor exit node used for SSH brute force attacks, it's actively reported across multiple sources, and it resolves to a known privacy network domain. Your SOC can triage in seconds instead of minutes.
At a Glance
IP, Domain & Hash Enrichment APIs
IP Addresses
~95% coverage
- GeoIP (country, city, coordinates)
- ASN and organization
- Cloud provider detection
- Anonymization (TOR, VPN, proxy)
Domains
~90% coverage
- WHOIS data
- DNS records (A, MX, NS, TXT)
- Domain age
- Passive DNS history
File Hashes
Threat intel lookup
- Known malware tags
- Risk scoring
- Source attribution
- Related infrastructure
SIEM & Security Tool Integrations
Works with what you already have.
SIEM
Splunk, QRadar, Sentinel, Elastic, Chronicle
Firewall
Palo Alto (EDL), Cisco, Fortinet, pfSense
EDR
CrowdStrike, Defender, Carbon Black
Export
JSON, CSV, STIX 2.1, TAXII
Built for Security Operations
Whether you're triaging alerts, hunting threats, or automating perimeter defense, Port Six delivers the context your team needs.
SIEM Enrichment
Enrich every firewall log and IDS alert with IP context, risk scores, and malware attribution directly in Splunk, Sentinel, or QRadar.
Threat Hunting
Pivot across related infrastructure using relationships, behavioral tags, and temporal data to uncover campaigns.
Automated Blocking
Push scored threat feeds directly to your firewall via EDL. Filter by risk threshold to block what matters most.
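As an added example (not Port Six's own code), here is how a SOC might turn the scoring rule described under Actionable Scoring ("block high/high, alert on medium") and the risk-threshold EDL export into a triage step over records in the /v1/ip response shape shown earlier. The HIGH/MEDIUM cut-offs, the 30-day freshness window, the fixed clock and the sample record are assumptions constructed for this example.

```python
"""Triage Port Six-style /v1/ip records into SOC actions and an EDL.

The HIGH/MEDIUM cut-offs and the freshness window are assumptions for this
example; the page only says "block high/high, alert on medium". Tune them.
"""
from datetime import datetime, timedelta, timezone

HIGH = 70                          # assumed: score >= 70 counts as "high"
MEDIUM = 40                        # assumed: score >= 40 counts as "medium"
STALE_AFTER = timedelta(days=30)   # assumed: older last_seen is ignored
EXAMPLE_NOW = datetime(2026, 1, 5, tzinfo=timezone.utc)  # fixed clock for demo

# Constructed record mirroring the response shape shown on this page.
SAMPLE = {
    "value": "185.220.101.45",
    "status": "active",
    "risk_score": 43.74,
    "threat_intel": {
        "tags": ["Anon: Tor", "Attacks", "Brute Force", "Protocol: SSH"],
        "last_seen": "2025-12-30T06:44:02Z",
        "confidence": 90,
    },
}

def _parse_ts(ts: str) -> datetime:
    # RFC 3339 "Z" suffix is not accepted by fromisoformat before Python 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage(rec: dict, now: datetime = EXAMPLE_NOW) -> str:
    """Return 'block', 'alert' or 'ignore' for one enrichment record."""
    ti = rec.get("threat_intel", {})
    last_seen = ti.get("last_seen")
    # Inactive or stale indicators are noise regardless of score.
    if rec.get("status") != "active" or not last_seen:
        return "ignore"
    if now - _parse_ts(last_seen) > STALE_AFTER:
        return "ignore"
    risk, conf = rec.get("risk_score", 0), ti.get("confidence", 0)
    if risk >= HIGH and conf >= HIGH:
        return "block"          # high risk AND high confidence
    if risk >= MEDIUM and conf >= MEDIUM:
        return "alert"          # medium: worth an analyst's look, not a block
    return "ignore"

def to_edl(records: list, now: datetime = EXAMPLE_NOW) -> list:
    """One IP per line, as a firewall External Dynamic List expects."""
    return sorted(r["value"] for r in records if triage(r, now) == "block")
```

With these thresholds the page's own Tor exit record (risk 43.74, confidence 90) lands in "alert" rather than "block", which is the intended outcome for a medium-risk but well-attested indicator.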
Get Started
5-minute quickstart. Free tier with 75 credits. No credit card required.