Threat Intelligence API

Real attack data from real production honeypots

VaultSpin Intel is crowdsourced threat intelligence derived from thousands of API key honeypots deployed across production environments. Not synthetic. Not simulated. Real attacker IPs, real payloads, real behavioral patterns.

Get API Access View API Docs
1.8M+
IPs in database
4,300+
Active honeypots
312
Attack patterns
22ms
Avg latency
vaultspin-intel-api
# Lookup an IP
curl -H "X-API-Key: vsi_live_..." \
  https://api.vaultspin.io/v1/ip/194.87.31.42

{
  "ip": "194.87.31.42",
  "risk_score": 95,
  "threat_level": "critical",
  "confidence": 0.94,
  "location": {
    "city": "Moscow",
    "country": "Russia"
  },
  "attack_vectors": [
    "credential_stuffing",
    "api_abuse"
  ],
  "targeted_services": [
    "stripe", "openai", "aws"
  ],
  "total_hits": 847,
  "contributors": 47
}
Why VaultSpin Intel
Threat data from where
attacks actually happen

Traditional threat feeds use purpose-built honeypots. Our data comes from real API keys in real production environments โ€” the exact places attackers target.

๐Ÿฏ

Production-Sourced Data

Every IP in our database was caught using a real compromised API key in a production environment. No synthetic noise.

๐Ÿงฌ

Behavioral Fingerprints

Beyond IP blocklists โ€” we capture full attack tool chains, endpoint targeting sequences, timing patterns, and payload signatures.

๐ŸŒ

Crowdsourced at Scale

2,100+ contributors run honeypots across 50+ countries. More diverse signal than any single-source honeypot network.

โšก

Real-Time Streaming

WebSocket stream for Enterprise subscribers. See threats as they happen across the entire VaultSpin network.

๐Ÿ”Œ

SIEM Integration

Native exporters for Splunk, Datadog, Elastic, and QRadar. Enrich your existing security pipeline in minutes.

๐Ÿ›ก๏ธ

Confidence Scoring

Every IP has a confidence score based on number of independent observers, recency, and behavioral consistency. No stale data.

The Data Flywheel
More users, better data,
stronger network

Every VaultSpin user who rotates their API keys contributes to the threat intelligence network. Old keys become honeypots that catch real attackers. The more users, the more traps, the richer the data.

โ†’ User rotates Stripe key
โ†’ Old key becomes honeypot trap
โ†’ Attacker uses old key
โ†’ VaultSpin serves fake response
โ†’ IP, payload, behavior logged
โ†’ Data flows to Intel API
โ†’ Your SIEM gets enriched
4,312
Active Honeypots
1.84M
Unique IPs
312
Attack Patterns
34.2K
Queries / Month
5 Providers
Stripe ยท OpenAI ยท AWS ยท Twilio ยท SendGrid
API Reference
Simple REST API,
powerful data

One API key. JSON responses. Comprehensive documentation. Start querying in under 5 minutes.

GET
/v1/ip/{address}
Look up a single IP address. Returns risk score, confidence, geolocation, attack vectors, user agents, and targeted services. Free tier: 100 queries/month.
GET
/v1/feed/ips
Bulk IP reputation feed. Paginated, filterable by confidence threshold and last-seen date. Perfect for daily SIEM ingestion. Feed plan required.
GET
/v1/patterns
Attack behavioral patterns โ€” tool chain fingerprints, endpoint targeting sequences, timing signatures. Filterable by severity and type.
GET
/v1/stats
Network statistics โ€” total IPs, average risk score, active threats in last 24h, total patterns identified. Good for dashboards.
GET
/v1/stream/threats
WebSocket real-time threat stream. See new captures across the entire network as they happen. Enterprise plan only.
POST
/v1/export/{format}
Export threat data in Splunk CIM, Datadog, Elastic Common Schema, or STIX 2.1 format. Enterprise plan only.
Pricing
Start free, scale as you need

Every plan includes IP reputation lookups. Upgrade for bulk feeds, behavioral patterns, and real-time streaming.

Lookup
$0/mo
Get started with basic IP lookups. Perfect for testing and prototyping.
  • 100 queries / month
  • IP risk score & confidence
  • Geolocation data
  • Attack vector classification
  • REST API access
Get Free Key
Feed
$199/mo
Full threat feeds plus behavioral patterns for security teams.
  • 10,000 queries / month
  • Everything in Lookup
  • Bulk IP feed (daily export)
  • Behavioral pattern access
  • Webhook notifications
  • Priority support
Start Free Trial
Enterprise
$499/mo
Real-time stream and SIEM integration for security operations centers.
  • Unlimited queries
  • Everything in Feed
  • Real-time WebSocket stream
  • SIEM native exporters
  • Custom export formats
  • STIX 2.1 support
  • Dedicated support & SLA
Contact Sales

Start protecting your infrastructure

Get your API key in seconds. 100 free lookups per month. No credit card required.

Free tier forever ยท No credit card ยท Setup in 2 minutes