ThreatConnect Threat Intelligence Platform API

ThreatConnect Threat Intelligence Platform (TIP) REST API for intelligence aggregation, analysis, and SOAR automation. Enables AI agents to:

  • manage threat intelligence ingestion and normalization from multiple feeds and ISACs
  • handle IOC lifecycle management and enrichment automation
  • access threat intelligence playbook execution and workflow orchestration
  • retrieve threat actor, campaign, and malware intelligence objects
  • manage intelligence sharing with ISACs, ISAOs, and trusted partners
  • handle threat intelligence scoring and relevance calculation
  • access ATT&CK framework alignment and TTP tracking
  • retrieve intelligence community collaboration and annotation data
  • manage API-driven playbook triggering for SOAR automation
  • integrate threat intelligence with SIEM, SOAR, EDR, and firewall platforms

Evaluated Mar 07, 2026 (version: current)
Category: Developer Tools
Tags: threatconnect, tip, threat-intelligence-platform, ioc, soar, playbooks, threat-sharing, isac
⚙ Agent Friendliness: 64 / 100 (Can an agent use this?)
🔒 Security: 83 / 100 (Is it safe for agents?)
⚡ Reliability: 74 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

  • MCP Quality: 25
  • Documentation: 82
  • Error Messages: 75
  • Auth Simplicity: 75
  • Rate Limits: 72

🔒 Security

  • TLS Enforcement: 95
  • Auth Strength: 80
  • Scope Granularity: 78
  • Dep. Hygiene: 80
  • Secret Handling: 80

Threat intelligence platform. SOC2, ISO27001, FedRAMP. HMAC auth. US. Intelligence, IOC, and SOAR data.

⚡ Reliability

  • Uptime/SLA: 78
  • Version Stability: 78
  • Breaking Changes: 70
  • Error Recovery: 72

Best When

An enterprise using ThreatConnect wants AI agents to automate threat intelligence ingestion, IOC enrichment, playbook orchestration, intelligence sharing with ISACs, and SIEM/SOAR integration.

Avoid When

OPERATIONAL RISK: Automated IOC blocking from aggregated feeds requires quality scoring — low-confidence indicators from community feeds can cause false positives. Automated intelligence sharing with ISACs requires verification of data classification and TLP (Traffic Light Protocol) compliance before sharing.

Use Cases

  • Aggregating threat feeds and enriching IOCs from threat intel automation agents
  • Triggering SOAR playbooks from threat intelligence agents
  • Managing intelligence sharing with ISACs from threat sharing agents
  • Integrating TIP data with SIEM from security operations agents

Not For

  • Consumer security without threat intelligence platform requirements
  • Network security without intelligence aggregation and analysis
  • Simple IOC blocking without threat intelligence lifecycle management

Interface

  • REST API: Yes
  • GraphQL: No
  • gRPC: No
  • MCP Server: No
  • SDK: Yes
  • Webhooks: Yes

Authentication

Methods: apikey, basic
OAuth: No
Scopes: Yes

ThreatConnect uses HMAC-signed API key authentication (Access ID + Secret Key). Per-user and API-only accounts with role-based access. Python SDK (tcex) for playbook development and automation. ThreatConnect Application Framework (TCEX) for integration development. Webhooks for intelligence change notifications. STIX/TAXII support for standard threat sharing.

Pricing

Model: enterprise
Free tier: Yes
Requires CC: No

Arlington, Virginia. Founded 2011. Private. Threat intelligence platform market. 1,000+ organizations. Strong financial services and government verticals. ISAC partner for FS-ISAC and others. ThreatConnect TC Exchange for third-party integrations. SOAR capabilities in Enterprise tier. Competes with Anomali and MISP for TIP market.

Agent Metadata

  • Pagination: offset
  • Idempotent: Partial
  • Retry Guidance: Documented

Known Gotchas

  • OPERATIONAL RISK: Community feed IOCs require quality scoring before blocking — automated enforcement on all indicators causes alert fatigue and false positives
  • HMAC auth complexity — ThreatConnect uses HMAC-signed requests; use the Python SDK (tcex) rather than implementing signing manually
  • TCEX framework — ThreatConnect has App Framework for building integrations; preferred for complex TIP automation
  • TLP compliance — when sharing intelligence, verify Traffic Light Protocol classification; automated sharing must respect TLP restrictions
  • Free tier for community — ThreatConnect Free allows community intelligence access; useful for testing before enterprise subscription
  • STIX/TAXII support — standard formats available for interoperability with other TIPs and ISAC feeds


Scores are editorial opinions as of 2026-03-07.
