Ot-intel-api.onrender.com

Threat actor profiles from Telegram. Filters: name, nation_state(kp|ru|cn|ir), motivation(financial|espionage|hacktivism), ttp, severity, limit. Returns items[] with actor{}, ttps[], target{sectors,countries}.

Breach disclosures from Telegram. Filters: sector, country, organization, severity, min_confidence, since, limit. Returns items[] with target{sectors,countries,organizations}, leak iocs[], confidence.

C2 infrastructure from Telegram. Filters: framework(cobalt_strike|sliver|havoc|brute_ratel), severity, min_confidence, since, tag, limit, offset. Returns items[] with C2 IPs/domains, MITRE TTPs, confidence.

Full intel feed across all categories. Filters: category(ioc|c2|actor|breach|intent), severity, min_confidence, since, tag, tlp, limit, offset. Returns all record types newest first. Use for SIEM ingestion.

Pre-attack intent signals from Telegram: access sales, 0days, ransomware targeting. Filters: sector, country, organization, intent_type(access_sale|0day|ransomware|exploit), limit. Signals appear before attacks.

IOC feed from Telegram CTI channels. Filters: type(ip|domain|url|hash|cve), severity, min_confidence, since, tlp, tag, channel, limit, offset. Returns items[] with iocs[], ttps[], confidence, severity, tlp, tags[].

ICS threat actor profile lookup. Pass ?name=SANDWORM. Fetches live data from MITRE ATT&CK for ICS (STIX bundle) + CISA ICS advisories, enriched by DeepSeek. Returns: MITRE technique mappings (ICS-specific T-codes), known malware/tools, related groups, recommended OT detections, attribution, physical impact assessment, and last known activity. Works for any known ICS threat actor — not limited to a fixed list. Alias lookup supported (e.g. Volt Typhoon → VOLTZITE, APT44 → SANDWORM).

ICS threat actors by sector. Pass ?sector=energy. Returns all known ICS threat groups targeting that sector from MITRE ATT&CK for ICS, filtered and enriched by DeepSeek. Sectors: energy, water, manufacturing, oil-and-gas, chemical, transportation, nuclear.

Latest CISA ICS-CERT security advisories filtered by vendor or sector. Pass ?vendor=siemens or ?sector=energy (or both). Pulls live from the CISA ICS advisories RSS feed, parses advisory IDs, CVSS scores, CVE lists, severity, and vendor match. Returns up to 25 results. Use limit= to control count.

OT-contextualised CVE triage for ICS/SCADA environments. Pass ?id=CVE-XXXX-XXXX. Returns OT-adjusted severity (recalculated from NVD CVSS for the affected ICS layer), cyber-physical impact category, patch feasibility without downtime, CISA KEV status, and a prioritised recommended action. Enriched by DeepSeek LLM for ICS-specific context. Every call returns fresh data from NVD, CISA-KEV, and DeepSeek.

Internet-exposed OT device lookup by vendor and model. Pass ?vendor=siemens&model=s7-1200. Returns default credential risk with exploitation notes (e.g. Unitronics password 1111 actively exploited by IRGC), at-risk OT protocols with port numbers, and a prioritised hardening action. Covers Siemens, Schneider, Rockwell, Honeywell, GE, Unitronics, Beckhoff.

IOC enrichment with ICS/OT campaign context. Pass ?value=1.2.3.4&type=ip (or type=domain). Queries AlienVault OTX (reputation, pulse count, OT-tagged feeds) + AbuseIPDB (abuse confidence score, ISP, Tor node detection) + DeepSeek CTI analysis for known ICS threat actor association and campaign context. Returns structured verdict on whether the IOC is linked to OT-targeting campaigns. Cheapest endpoint at $0.01.

OT/ICS patch feasibility assessment for a CVE ID. Pass ?id=CVE-XXXX-XXXX. Returns patch availability (from NVD references), vendor advisory URLs, OT-safe workarounds, patch complexity for the affected ICS layer, estimated downtime in minutes, whether safe to patch live, recommended maintenance window, deployment strategy, CISA KEV status, and a risk-vs-disruption score (1–10 with rationale). DeepSeek-enriched.