TAXII Server
Introduction
TAXII (Trusted Automated eXchange of Intelligence Information) is a protocol used to exchange cyber threat intelligence over HTTP. TAXII 2.1 is the latest version of this protocol.
Structured Threat Information Expression (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI). We use STIX version 2.1.
Base URL
BforeAI's TAXII server is available at https://vm-opentaxii-prd.bfore.ai
PreCrime Intelligence collection id: 365fed99-08fa-fdcd-a1b3-fb247eb41d01
Returns information about the TAXII server, including the API roots available
Basic Authentication using Base64 encoded username:password.
In the request Headers, the Authorization header passes the API a Base64 encoded string
representing your username and password values, appended to the text Basic.
Server discovery information
Authentication failed or missing credentials
Internal server error
GET /taxii2/ HTTP/1.1
Host: vm-opentaxii-prd.bfore.ai
Authorization: Basic <Base64 encoded username:password>
Accept: */*
{
"api_roots": [
"https://vm-opentaxii-prd.bfore.ai/apibfore/"
],
"default": "https://vm-opentaxii-prd.bfore.ai/apibfore/",
"description": "This TAXII Server contains a listing of URL",
"title": "Bfore AI Taxii Server"
}
Headers
A valid Accept header is required. The client must specify a media type supported by the TAXII 2.1 server. These include the following:
application/taxii+json;version=2.1: TAXII version 2.1 in JSON
Authentication
Our TAXII implementation currently supports Basic Authentication. We plan to add Bearer Tokens with API Keys authentication in the near future.
In the request headers, the Authorization header passes the API a Base64 encoded string representing your username and password values, appended to the text Basic as follows:
Basic <Base64 encoded username:password>
Getting your credentials
Credentials for the TAXII server are generated upon request. Please get in touch with us to arrange access to our TAXII server.
Error Handling
If an error occurs, the server will return an HTTP status code in the 400 or 500 range, along with a JSON object containing more information about the error.
Filtering
TAXII Clients can request specific content from the TAXII Server by specifying a set of filters included in the request to the server. If no URL query parameter is specified then the TAXII Server returns all content for that endpoint.
added_after: A single timestamp that filters objects to only include those objects added after the specified timestamp. The value of this parameter is a timestamp. The added_after parameter is not in any way related to dates or times in a STIX object or any other CTI object. Example: ?added_after=2022-01-01
match[<field>]: The match parameter defines filtering on the specified field. The list of fields that MUST be supported is defined per endpoint. The match parameter can be specified any number of times, where each match instance specifies an additional filter to be applied to the resulting data and each field MUST NOT occur more than once in a request. Said another way, all match fields are ANDed together.
Supported Fields for Match:
id
The STIX ID of the object(s) that are being requested.
Examples: ?match[id]=indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb
type
The type of the object(s) that are being requested.
Examples: ?match[type]=indicator, ?match[type]=indicator,sighting
version
The version(s) of the object(s) that are being requested from either an object or manifest endpoint. If no version parameter is provided, the server will return only the latest version for each object matching the remainder of the request.
Examples: ?match[version]=all, ?match[version]=last,first, ?match[version]=first,2018-03-02T01:01:01.123Z,last, ?match[version]=2016-03-23T01:01:01.000Z,2018-03-02T01:01:
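An added example (not BforeAI's own code) that assembles a request to the collection's objects endpoint, /{api-root}/collections/{collection-id}/objects/, with the Basic Authorization header, the TAXII 2.1 Accept header and the filter query string described above. The function names and the credentials are assumptions made for illustration; the base URL, API root and collection id are the ones given on this page. The request is prepared but not sent.

```python
import base64
import urllib.parse
import urllib.request

BASE_URL = "https://vm-opentaxii-prd.bfore.ai"          # from this page
API_ROOT = "apibfore"                                   # from this page
COLLECTION_ID = "365fed99-08fa-fdcd-a1b3-fb247eb41d01"  # from this page
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


def basic_auth_header(username: str, password: str) -> str:
    """Return 'Basic <Base64 of username:password>'."""
    # Base64 is an encoding, not encryption: send this only over HTTPS.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def objects_query(added_after=None, match=None) -> str:
    """Build the filter query string; each match[<field>] appears once."""
    params = []
    if added_after:
        params.append(("added_after", added_after))
    for field, values in sorted((match or {}).items()):
        if field not in ("id", "type", "version"):
            raise ValueError(f"unsupported match field: {field}")
        # Several values for one field are comma-separated, not repeated.
        params.append((f"match[{field}]", ",".join(values)))
    return urllib.parse.urlencode(params, safe="[],:")


def build_objects_request(username, password, added_after=None, match=None):
    """Prepare (but do not send) a GET for the collection's objects."""
    url = f"{BASE_URL}/{API_ROOT}/collections/{COLLECTION_ID}/objects/"
    query = objects_query(added_after, match)
    if query:
        url += "?" + query
    return urllib.request.Request(url, headers={
        "Authorization": basic_auth_header(username, password),
        "Accept": TAXII_MEDIA_TYPE,
    })


if __name__ == "__main__":
    # Constructed credentials; real ones are issued on request.
    req = build_objects_request("user", "pass", "2022-01-01",
                                {"type": ["indicator", "sighting"]})
    print(req.full_url)
    print(req.header_items())
```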
Endpoints
Returns information about the API root, including the collections available
Basic Authentication using Base64 encoded username:password.
In the request Headers, the Authorization header passes the API a Base64 encoded string
representing your username and password values, appended to the text Basic.
The API root identifier
Example: apibfore
API root information
Authentication failed or missing credentials
The requested resource was not found
Internal server error
GET /{api-root}/ HTTP/1.1
Host: vm-opentaxii-prd.bfore.ai
Authorization: Basic <Base64 encoded username:password>
Accept: */*
{
"description": "A repo for URL STIX data.",
"max_content_length": 9765625,
"title": "Bfore.ai URL STIX 2.1 Collections",
"versions": [
"application/taxii+json;version=2.1"
]
}
Returns a list of the collections available at the API root
Basic Authentication using Base64 encoded username:password.
In the request Headers, the Authorization header passes the API a Base64 encoded string
representing your username and password values, appended to the text Basic.
The API root identifier
Example: apibfore
List of available collections
Authentication failed or missing credentials
The requested resource was not found
Internal server error
GET /{api-root}/collections/ HTTP/1.1
Host: vm-opentaxii-prd.bfore.ai
Authorization: Basic <Base64 encoded username:password>
Accept: */*
{
"collections": [
{
"id": "365fed99-08fa-fdcd-a1b3-fb247eb41d01",
"can_read": true,
"can_write": false,
"title": "PreCrime Intelligence Online Feed",
"description": "PreCrime Intelligence is our predictive attack intelligence solution. Powered by behavioral AI, it goes beyond reactive blocklists to provide your team with the most extensive dataset of future malicious infrastructure. The feed is updated in real time, enabling your security stack to proactively block malicious traffic before attacks are launched.",
"media_types": [
"application/taxii+json;version=2.1"
]
}
]
}
Returns information about a specific collection
Basic Authentication using Base64 encoded username:password.
In the request Headers, the Authorization header passes the API a Base64 encoded string
representing your username and password values, appended to the text Basic.
The API root identifier
Example: apibfore
The collection identifier
Example: 365fed99-08fa-fdcd-a1b3-fb247eb41d01
Collection information
Authentication failed or missing credentials
The requested resource was not found
Internal server error
GET /{api-root}/collections/{collection-id}/ HTTP/1.1
Host: vm-opentaxii-prd.bfore.ai
Authorization: Basic <Base64 encoded username:password>
Accept: */*
{
"id": "365fed99-08fa-fdcd-a1b3-fb247eb41d01",
"can_read": true,
"can_write": false,
"title": "PreCrime Intelligence Online Feed",
"description": "PreCrime Intelligence is our predictive attack intelligence solution. Powered by behavioral AI, it goes beyond reactive blocklists to provide your team with the most extensive dataset of future malicious infrastructure. The feed is updated in real time, enabling your security stack to proactively block malicious traffic before attacks are launched.",
"media_types": [
"application/taxii+json;version=2.1"
]
}
Returns a list of the STIX objects in a specific collection
Basic Authentication using Base64 encoded username:password.
In the request Headers, the Authorization header passes the API a Base64 encoded string
representing your username and password values, appended to the text Basic.
The API root identifier
Example: apibfore
The collection identifier
Example: 365fed99-08fa-fdcd-a1b3-fb247eb41d01
A timestamp that filters objects to only include those objects added after the specified timestamp. The added_after parameter is not in any way related to dates or times in a STIX object.
Example: 2022-01-01
The STIX ID of the object(s) that are being requested
Example: indicator--3600ad1b-fff1-4c98-bcc9-4de3bc2e2ffb
The type of the object(s) that are being requested
Example: indicator
The version(s) of the object(s) that are being requested from either an object or manifest endpoint. If no version parameter is provided, the server will return only the latest version for each object matching the remainder of the request.
Example: all (All versions)
List of STIX objects
Authentication failed or missing credentials
The requested resource was not found
Internal server error
GET /{api-root}/collections/{collection-id}/objects/ HTTP/1.1
Host: vm-opentaxii-prd.bfore.ai
Authorization: Basic <Base64 encoded username:password>
Accept: */*
{
"more": true,
"objects": [
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--708a6b3e-04c5-4e7c-885b-b826f520fe97",
"created": "2025-12-06T04:37:15.827Z",
"modified": "2025-12-06T04:37:15.827Z",
"name": "text",
"pattern": "[domain-name:value = 'lagn.online']",
"pattern_type": "stix",
"valid_from": "2025-12-06T04:37:15.827Z",
"confidence": 1,
"ANY_ADDITIONAL_PROPERTY": "anything"
}
]
}
Returns a specific STIX object
Basic Authentication using Base64 encoded username:password.
In the request Headers, the Authorization header passes the API a Base64 encoded string
representing your username and password values, appended to the text Basic.
The API root identifier
Example: apibfore
The collection identifier
Example: 365fed99-08fa-fdcd-a1b3-fb247eb41d01
The STIX object identifier
Example: indicator--708a6b3e-04c5-4e7c-885b-b826f520fe97
The version(s) of the object that are being requested. If no version parameter is provided, the server will return only the latest version.
Example: all (All versions)
STIX object
Authentication failed or missing credentials
The requested resource was not found
Internal server error
GET /{api-root}/collections/{collection-id}/objects/{object-id}/ HTTP/1.1
Host: vm-opentaxii-prd.bfore.ai
Authorization: Basic <Base64 encoded username:password>
Accept: */*
{
"more": false,
"objects": [
{
"confidence": 100,
"created": "2023-01-16T14:03:31.000Z",
"id": "indicator--708a6b3e-04c5-4e7c-885b-b826f520fe97",
"modified": "2025-01-30T13:29:25.000Z",
"name": "Malicious Domain",
"pattern": "[domain-name:value = 'lagn.online']",
"pattern_type": "stix",
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-01-16T14:03:31Z"
}
]
}
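An added example (not part of BforeAI's documentation) of consuming the objects response shown above before it reaches a blocklist: it keeps only indicators whose pattern is exactly one domain-name comparison, applies a confidence floor, and returns the more flag so the caller knows further pages remain. The function name, the confidence threshold and the sample response are constructed for illustration.

```python
import json
import re

# Strict match for the single-comparison domain patterns shown on this page.
DOMAIN_PATTERN = re.compile(
    r"^\[domain-name:value = '([a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)'\]$")


def domains_from_envelope(body: str, min_confidence: int = 0):
    """Return (sorted unique domains, more flag) from an objects response."""
    envelope = json.loads(body)
    domains = set()
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # not a STIX-pattern indicator
        if obj.get("confidence", 0) < min_confidence:
            continue  # below the caller's confidence floor
        m = DOMAIN_PATTERN.match(obj.get("pattern", ""))
        if m:  # anything else is skipped, never passed on unparsed
            domains.add(m.group(1))
    return sorted(domains), bool(envelope.get("more", False))


# Constructed sample response in the shape shown above (not real feed data).
SAMPLE = json.dumps({"more": True, "objects": [
    {"type": "indicator", "pattern_type": "stix", "confidence": 100,
     "pattern": "[domain-name:value = 'login.bad.example']"},
    {"type": "indicator", "pattern_type": "stix", "confidence": 1,
     "pattern": "[domain-name:value = 'low.bad.example']"},
    {"type": "indicator", "pattern_type": "stix", "confidence": 100,
     "pattern": "[domain-name:value = 'x.example'] OR [url:value = 'y']"},
    {"type": "sighting", "confidence": 100},
]})

if __name__ == "__main__":
    print(domains_from_envelope(SAMPLE, min_confidence=50))
```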