Flashpoint API grants the ability to search across our intelligence reports, technical data, and conversations derived from illicit online communities.


Flashpoint API offers near real-time access to existing datasets through a RESTful API in JSON and HTML.


Flashpoint API grants the ability to search across datasets; including Finished Intelligence, Forums, Technical Data and more


  • Near real-time access to Flashpoint data and intelligence

  • Seamless access to technical data to further help mitigate risk to your organization, and identify malicious internal activity

  • Intuitive, easy-to-use developer tools powered by OpenAPI

  • RESTful access to expansive historic illicit online community data archive

  • Flexible filtering and search operators with extraction in industry-preferred JSON format

  • Access to targeted data acquired by Flashpoint intelligence analysts

Endpoints Available via API


Finished Intelligence:

Access to analytical reports produced by our intelligence analysts. Reports cover a wide spectrum of illicit underground activity, including crimeware, fraud, emerging malware, violent extremism, and physical threats.



Access to signal-rich discussions from illicit threat actor communities. Supplement internal data with targeted data from highly curated sources.

Chat Services:

Access to around-the-clock conversations within threat-actor channels to monitor and gain insights across threat-actor communities.

Paste Sites:

Enables access to openly shared research, data leaks, and other plain-text files frequently used by both anonymous sources and threat actors to share malicious activity, providing a broader view into open web data.


Provides a broader view into open web data by providing online sources of news and information related to threat actors and collectives, allowing users to monitor activity in malicious communities more comprehensively, as well as risks impacting the organization or brand.

4chan & 8chan:

Provides access to the anonymous 4chan and 8chan message boards, enabling users to monitor malicious content and discussions ranging from hacktivism to physical threats.

Social News Aggregation & Discussion Sites:

Collections from social news aggregation and discussion websites leveraged by both open and deep & dark web communities where illicit actors discuss malicious activities, including malware developments, cyber threats, and physical threats


Technical Indicators:

Enables users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets and those included in Finished Intelligence Reports, allowing for seamless integration into users’ workflows and automated tools.

Risk Intelligence Observables (RIOs):

Flashpoint leverages its unique access to underground communities to collect and deliver a near real-time stream of cyber observables that can identify illicit activity from inside forums and file-sharing communities focused on cybercrime, hacking, fraud, and extremism/terrorism. These high-fidelity observables include IP address, location (city / country), hosting provider, timestamp, and user-agent string.


Access to the latest CVEs within Flashpoint collection, including access to MITRE and NVD data, as well as CVEs discussed by threat actors as observed by Flashpoint Intelligence Analysts.


Compromised Credentials Monitoring - Enterprise (CCM - E):

Enables organizations to search and monitor Flashpoint’s unique collections for compromised enterprise accounts and passwords in order to flag accounts, reset employee passwords, and restrict permissions to prevent actors from accessing confidential or personally identifiable information (PII).

Compromised Credentials Monitoring - Data Package: Access to the complete raw collection of Flashpoint's compromised credentials via API; enables users to

combat account takeover and fraud by directly integrating the data into internal workflows


Card Shops:

Collection of stolen credit card data found in illicit high-end credit card shops, compromised from a variety of operations - including dumps from Point-of-Sale (POS) compromises, or credit cards from Card Not Present transactions. Users are provided credit card data including BIN numbers and various card details including country location and expiration dates.

Account Shops:

Customers can identify their organization's compromised accounts found for sale in illicit account shops, further providing an ability to reduce the risk of employees' or customers' login details being used in credential stuffing attacks.


Access to top-tier marketplaces, where threat actors buy and sell items such as stolen credentials and personally identifiable information (PII).


Automated Alerting: Matches conversations from illicit online communities with a client’s areas of concern, and automatically provides these matches directly to the user.

Did this answer your question?