Ot Intel Api
OT Intel API delivers real-time threat intelligence and vulnerability monitoring for industrial operational technology systems.
Trust signal
3 of 4 pillars
coverage 75%
Pillars
Signals
Evidence tiers, not an endorsement · trust model v0.1.0 (provisional) · CDP-lane settlement only (D3) · Trust API coming soon
On-chain traction
ERC-8004 agent registry
Not found in the ERC-8004 agent registry. This is the default state — absence is not a negative signal.
Identity & classification
Settlement volume
USDC settled on-chain · monthly
as of Jul 12, 2026
Endpoints(21)
IOC enrichment with ICS campaign context. Pass ?value=1.2.3.4&type=ip or type=domain. Queries AlienVault OTX, AbuseIPDB, and DeepSeek CTI for OT campaign association. Returns verdict on whether the IOC is linked to ICS-targeting campaigns.
Live CISA ICS-CERT advisories filtered by vendor or sector. Pass ?vendor=siemens or ?sector=energy. Returns advisory IDs, CVSS scores, CVE lists, OT severity, and sector tags. Up to 25 results.
OT-contextualised CVE triage for ICS/SCADA. Pass ?id=CVE-XXXX-XXXX. Returns OT-adjusted severity, cyber-physical impact, patch feasibility, CISA KEV status, and prioritised action. DeepSeek-enriched with live NVD and CISA-KEV data.
ICS malware encyclopedia. Pass ?name=PIPEDREAM. Returns capabilities, targeted OT protocols, attributed actor, affected vendors, detection signatures, and MITRE ATT&CK ICS techniques. Covers PIPEDREAM, TRITON, INDUSTROYER2, CRASHOVERRIDE, FROSTYLOOP, BLACKENERGY.
ICS threat actor profile. Pass ?name=SANDWORM. Returns MITRE ATT&CK ICS techniques, known malware, attribution, physical impact, targeted sectors, and OT detection recommendations. Alias lookup supported: Volt Typhoon→VOLTZITE, APT44→SANDWORM. Covers all Dragos Activity Groups.
ICS threat actors by sector. Pass ?sector=energy. Returns all groups targeting that sector from live MITRE ATT&CK ICS STIX data. Covers energy, water, manufacturing, oil-and-gas, chemical, transportation, nuclear.
ICS threat actor ASN infrastructure profiling. Pass ?asn=AS215540. Returns ICS actor associations (SANDWORM, VOLTZITE, XENOTIME), phishing kit links (Tycoon2FA, EvilProxy, NakedPages), bulletproof hosting indicators, abuse categories (c2, staging, phishing), and an OT-specific blocking recommendation with WAF rule hint. ASN analysis reveals infrastructure clustering that survives IP/domain rotation — critical for OT defenders tracking persistent actor infrastructure.
ICS sector change feed — only what is NEW in the last N days. Pass ?sector=water&days=7. Returns new CVEs, new CISA advisories, and new actor activity since the last call. Designed for cron-based monitoring agents. Eliminates redundant reprocessing.
NERC CIP and IEC 62443 compliance gap mapping for a CVE or threat actor. Pass ?cve_id=CVE-2023-38802 or ?actor=SANDWORM&framework=nerc_cip. Returns triggered controls by framework (CIP-007-6 R2, SR 5.1, etc.), status (NON_COMPLIANT_IF_UNMITIGATED / REVIEW_REQUIRED), required action, and compensating controls. Designed for automated compliance reporting agents running on cron: call when a new advisory drops, generate gap report, route to compliance team.
Active ICS campaign tracker. Pass ?sector=electric&status=active. Returns campaigns currently targeting a sector with actor attribution, start date, targeted geography, TTPs in use, and CVEs being exploited. No free equivalent for live campaign status.
ICS detection artifact retrieval. Pass ?target=PIPEDREAM or ?target=SANDWORM&format=sigma. Returns YARA/Sigma rules for the target malware or actor, sourced from public corpus (Florian Roth signature-base, CISA advisories) with validated:true, or DeepSeek-synthesised with validated:false. Designed for automated threat hunting pipelines that commit rules to SIEMs and EDRs — validated:true rules are safe to deploy; validated:false require lab testing first.
ICS/OT device exposure lookup. Pass ?vendor=siemens&model=s7-1200. Returns default credential risk, exposed OT protocols (Modbus/502, S7comm/102, DNP3/20000), exploitation notes, and hardening steps. Covers Siemens, Schneider, Rockwell, Honeywell, GE, Unitronics, Beckhoff.
OT asset risk verdict. Pass ?vendor=siemens&model=s7-1500§or=energy&network=internet-facing. Returns risk_score (0-100), risk_level, escalate (boolean), recommended_action, active CVEs, and threat actors. Optional firmware param enables firmware-specific CVE matching. Cached 1 hour.
OT/ICS patch feasibility for a CVE. Pass ?id=CVE-XXXX-XXXX. Returns patch availability, OT-safe workarounds, patch complexity per ICS layer, estimated downtime, safe-to-patch-live flag, deployment strategy, and risk-vs-disruption score 1-10.
Sector threat brief for ICS/OT. Pass ?sector=energy&period=30. Returns active actors, new CVE counts, active campaigns, top advisories, and risk_trend (increasing/stable/decreasing). One call replaces 5+ chained calls. Ideal for weekly reporting and compliance dashboards.
X/Twitter thread (5-7 posts) for an ICS actor or CVE. Pass ?actor=XENOTIME or ?cve=CVE-XXXX-XXXX. Fans out to actor or cve. Returns thread array: hook post, intel posts with ATT&CK IDs and affected OT systems, mitigation post, hashtag post. Each post under 280 characters.
LinkedIn post for CTI/ICS security audience. Pass ?actor=VOLTZITE or ?cve=CVE-XXXX-XXXX. Fans out to actor or cve + advisory. Returns hook line, 3-5 intelligence bullets, call to action, hashtags. Ready to publish. Ideal for security practitioners and threat intelligence teams sharing findings.
Synthesised Markdown threat actor report for ICS/OT. Pass ?actor=CHERNOVITE§or=energy. Fans out to actor, campaign, malware, advisory, detection primitives internally (no extra charge) and synthesises via DeepSeek. Returns executive summary, TTPs, campaigns, malware, recommended actions. TLP: WHITE.
Deep actor intelligence dossier. Pass ?actor=SANDWORM. Fans out to actor, campaign, malware, ioc, asn, detection primitives and synthesises via DeepSeek. Returns full profile, infrastructure, IOC table, detection rules, kill chain mapping. Most comprehensive single-call artifact available.
Sector situation report. Pass ?sector=energy&period=30. Fans out to actor/sector, advisory, campaign, delta, compliance primitives. Returns 30-day threat landscape, top actors, new advisories, what changed, compliance posture, recommended priorities. Designed for weekly security briefing automation.
Publication-ready CTI article ~700 words. Pass ?actor=CHERNOVITE or ?cve=CVE-XXXX-XXXX. Fans out to actor/cve + campaign + malware + advisory. DeepSeek writes journalist-style: headline, lede, body with ATT&CK context, defanged IOCs, analyst assessment, TLP. Ready for threat intel blog or advisory publication.