Armis Cyber Exposure Management REST API

The Armis cyber exposure management REST API lets enterprises automate device discovery, risk assessment, and threat detection across all connected assets (IT, OT, IoT, and cloud). AI agents can use it to retrieve the comprehensive asset inventory from Armis's agentless platform, query device risk scores, identify threat detections, and integrate with SIEM and ITSM through Armis's AI-powered cyber exposure platform. The API areas available to agents are:

  • Device management: agentless IT/OT/IoT/cloud device discovery and inventory queries
  • Threat management: device threat detection and alert retrieval
  • Vulnerability management: device CVE exposure and risk assessment
  • Network management: device communication patterns and network behavior
  • Alert management: security alert and anomaly notification retrieval
  • Site management: multi-site device inventory organization
  • Query management: custom device and network data queries
  • Integration management: data forwarding to SIEM, SOAR, and ITSM
  • Policy management: device security policy enforcement
  • Integrations: Armis with CrowdStrike, ServiceNow, Splunk, and enterprise security platforms for XIoT security automation

Evaluated Mar 07, 2026 (version: current)
Other, armis, XIoT, cyber-exposure, asset-intelligence, IoT-security, OT-security

⚙ Agent Friendliness: 55 / 100 (Can an agent use this?)
🔒 Security: 73 / 100 (Is it safe for agents?)
⚡ Reliability: 66 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 10
Documentation: 74
Error Messages: 68
Auth Simplicity: 76
Rate Limits: 62

🔒 Security

TLS Enforcement: 99
Auth Strength: 68
Scope Granularity: 62
Dep. Hygiene: 70
Secret Handling: 68

XIoT/OT/medical device security. SOC2, GDPR, HIPAA. API key. US/EU. Device inventory and risk data.

⚡ Reliability

Uptime/SLA: 66
Version Stability: 70
Breaking Changes: 64
Error Recovery: 66

Best When

A security or IT operations team wanting AI agents to automate agentless device discovery across IT/OT/IoT environments, query device risk, detect threats, and integrate comprehensive asset inventory with SIEM and ITSM through Armis's cyber exposure management platform.

Avoid When

  • ENTERPRISE LICENSE IS REQUIRED: Armis serves enterprises and requires an enterprise agreement. An automated agent that assumes open developer access results in license_required; it must have an Armis license.
  • PASSIVE COLLECTION IS THE DEPLOYMENT MODEL: Armis uses passive traffic analysis and cloud-based device matching for device discovery. An automated agent that assumes active scanning results in deployment_mismatch for implementations expecting active scanning; Armis collectors must be deployed for passive traffic collection.
  • DEVICE DATA IS CONTINUOUSLY UPDATED: Armis continuously updates device profiles as network behavior changes. An automated agent that assumes a static inventory results in stale_device_profile for security decisions based on point-in-time Armis data; it must query fresh device data for time-sensitive security decisions.
  • CUSTOM QUERY USES AQL: Armis queries use Armis Query Language (AQL). An automated agent that assumes SQL results in query_syntax_error for custom queries not using AQL syntax; it must use AQL for custom device and network data queries.

Use Cases

  • Inventorying all connected devices (IT/OT/IoT) without agent deployment for asset management automation agents
  • Detecting unmanaged and rogue devices not visible to traditional security tools for security gap automation agents
  • Retrieving device risk scores and threat detections for risk-based security prioritization automation agents
  • Forwarding device alerts to enterprise SIEM for unified security operations automation agents

Not For

  • Agent-based endpoint protection (Armis is agentless device visibility; CrowdStrike and SentinelOne serve agent-based EDR)
  • Network perimeter security and firewall management (Armis is device visibility, not perimeter control; Palo Alto and Fortinet serve NGFW)
  • IT service desk and ITSM ticketing (Armis integrates with ITSM; ServiceNow and Jira serve ITSM ticketing directly)

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: No
Webhooks: Yes

Authentication

Methods: apikey
OAuth: No
Scopes: No

Armis uses an API key for the Cyber Exposure REST API, which is a REST API with JSON. San Francisco, CA HQ (Israeli founders). Founded 2015 by Yevgeny Dibrov and Nadir Izrael (Unit 8200 veterans). Raised $600M+. Valuation: $3.4B (2024). Products: Armis Centrix (cyber exposure management), XIoT security, OT security, medical device security. Agentless device intelligence platform. 3,000+ enterprise customers. Industries: healthcare, manufacturing, critical infrastructure, financial services. Competes with Claroty, Axonius, and Forescout for XIoT and OT security.

Pricing

Model: subscription
Free tier: No
Requires CC: No

San Francisco CA. $600M raised. $3.4B valuation. 3,000+ customers. Annual device-based subscription.

Agent Metadata

Pagination: page
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • AQL IS REQUIRED FOR CUSTOM QUERIES: Armis uses Armis Query Language (AQL) for custom device queries. An automated agent that assumes natural-language queries results in query_rejected for queries not using AQL syntax; it must use AQL for custom device filtering and search.
  • DEVICE IDs ARE ARMIS-INTERNAL: Armis assigns internal device IDs. An automated agent that assumes external IDs results in device_not_found for device lookups using MAC address or IP without translating to the Armis device ID first; it must map MAC/IP to the Armis device ID before device-specific operations.
  • ALERT CORRELATION IS DEVICE-CENTRIC: Armis alerts are correlated to specific devices. An automated agent that assumes IP-based correlation results in correlation_mismatch for alert processing that uses the IP address instead of the Armis device ID, which persists through IP changes; it should use the device ID for stable device correlation.
  • PASSIVE DATA HAS DISCOVERY LATENCY: New devices appear in the Armis inventory only after initial passive network observation. An automated agent that assumes instant discovery results in device_not_found for newly connected devices not yet observed by Armis collectors; it must account for discovery latency for recently connected devices.
  • WEBHOOK FILTERS REDUCE NOISE: Armis webhooks support filtering by device type, alert severity, and policy. An automated agent that assumes unfiltered webhooks results in high_volume_noise for webhook receivers that receive all Armis events without filtering; it should configure webhook filters for relevant event types only.

Scores are editorial opinions as of 2026-03-07.