api documentation

api-first threat intelligence. every data point accessible via REST or MCP.

agent integration

Native MCP server with 40 tools for AI agents. CVE intelligence, exploit tracking, detection rules, threat feeds, vendor search, and GitHub activity. Works with Claude, Cursor, Windsurf, and any MCP-compatible client.

mcp config

{
  "mcpServers": {
    "rdintel": {
      "command": "docker",
      "args": ["compose", "--profile", "mcp", "run", "mcp-server"],
      "env": { "RDINTEL_API_KEY": "your_key" }
    }
  }
}

tool categories

cve lookup & search    6 tools
cve intelligence       11 tools
detection rules        5 tools
threat feeds           9 tools
github activity        2 tools
vendor & product       7 tools

see full mcp documentation for all 40 tools with parameters and example prompts.

authentication

All /api/v1/ endpoints require an API key. Pass it via header or query parameter:

curl -H "Authorization: Api-Key YOUR_KEY" https://ssh0.com/api/v1/cve/stats/
curl "https://ssh0.com/api/v1/cve/stats/?api_key=YOUR_KEY"

all responses are JSON. errors return {"error": "message"}. unauthenticated requests return HTTP 401.

cve data

Core CVE records. 330,000+ CVEs with CVSS scores, severity, and affected products.

GET /api/v1/cve/

List CVEs with filters: severity, cvss_min, cvss_max, published_after, published_before, modified_after, cwe, product, search, exploit_status, has_sigma, has_yara, has_poc, has_kev, min_threat_score, limit, offset

results include: threat_score, epss_score, exploit_status, in_kev, poc_count, sigma_count, yara_forge_count

GET /api/v1/cve/search/?q={query}

Full-text search across CVE IDs and descriptions. Filters: exploit_status, has_sigma, has_yara, has_poc, has_kev, min_threat_score

GET /api/v1/cve/{CVE-ID}/

Single CVE with full metadata, raw NVD/MITRE data, and parsed description

GET /api/v1/cve/stats/

Database statistics: total CVEs, severity breakdown, source coverage

GET /api/v1/cve/ingestion/

Data ingestion pipeline status and recent runs

example: /api/v1/cve/?search=log4j&limit=1

{"count":76,"limit":1,"offset":0,"results":[{"cve_id":"CVE-2021-44228","severity":"HIGH",
 "cvss_v3_score":10.0,"published_date":"2021-12-10T...","cwe_ids":["CWE-20","CWE-502","CWE-917"],
 "threat_score":79.87,"epss_score":0.9436,"exploit_status":"Exploited","in_kev":true,
 "poc_count":68,"sigma_count":2,"yara_forge_count":1,...}]}
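The following Python client is an added example, not code from the rdintel project. It sends the key in the Authorization header so it stays out of URLs recorded in proxy and server logs, follows the count/limit/offset paging shown in the response above, and flags KEV-listed CVEs that have no Sigma or YARA coverage. It assumes error bodies always use the documented {"error": "message"} shape; the function names are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://ssh0.com/api/v1"  # host taken from the page's curl examples


def build_request(path, api_key, **params):
    """GET request with the key in the Authorization header, never in the URL."""
    url = BASE + path + ("?" + urllib.parse.urlencode(params) if params else "")
    return urllib.request.Request(url, headers={"Authorization": f"Api-Key {api_key}"})


def fetch(req):
    """Send the request; return (status, body) for success and HTTP errors alike."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def parse_response(status, body):
    """Decode JSON; raise on 401 and on the documented {"error": ...} shape."""
    data = json.loads(body)
    if status == 401:
        raise PermissionError(data.get("error", "unauthenticated"))
    if status >= 400:
        raise RuntimeError(f"HTTP {status}: {data.get('error')}")
    return data


def iter_cves(api_key, fetch=fetch, **filters):
    """Yield every result of GET /cve/, following count/limit/offset paging."""
    offset = 0
    while offset is not None:
        page = parse_response(*fetch(build_request("/cve/", api_key, offset=offset, **filters)))
        yield from page["results"]
        nxt = page["offset"] + page["limit"]
        offset = nxt if page["results"] and nxt < page["count"] else None


def detection_gaps(results):
    """KEV-listed CVEs that have neither Sigma nor YARA coverage, worst first."""
    gaps = [r for r in results
            if r["in_kev"] and r["sigma_count"] == 0 and r["yara_forge_count"] == 0]
    return [r["cve_id"] for r in sorted(gaps, key=lambda r: r["threat_score"], reverse=True)]
```

The `fetch` parameter of `iter_cves` accepts any callable returning `(status, body)`, so the paging and triage logic can be exercised against recorded responses without spending the daily request quota.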

cve intelligence

Deep enrichment for individual CVEs: threat scores, exploit code, detection templates, news, community discussions, timelines, and threat actor attribution.

GET /api/v1/cve/{CVE-ID}/intel/

Full intelligence report: threat score, EPSS, KEV status, exploits, nuclei templates, news, advisories, timeline

GET /api/v1/cve/{CVE-ID}/enriched/

CVE with computed threat score and enrichment summary

GET /api/v1/cve/{CVE-ID}/timeline/

Unified timeline from all sources: commits, PoC publications, news, discussions, KEV, EPSS, advisories

GET /api/v1/cve/{CVE-ID}/github-activity/

Commits, stars, forks on exploit repos. Includes first_seen_on_github timestamp

GET /api/v1/cve/{CVE-ID}/exploits/

Known exploits: PoC repos and ExploitDB entries

GET /api/v1/cve/{CVE-ID}/poc-archives/

Archived PoC repos: preserved even if original repo is deleted or modified

GET /api/v1/cve/{CVE-ID}/nuclei/

Nuclei detection templates for vulnerability scanning

GET /api/v1/cve/{CVE-ID}/hackerone/

Disclosed bug bounty reports with severity and bounty amounts

GET /api/v1/cve/{CVE-ID}/news/

News articles and security media coverage

GET /api/v1/cve/{CVE-ID}/reddit/

Community discussions from security subreddits

GET /api/v1/cve/{CVE-ID}/enisa/

ENISA EUVD data: EU regulatory classification and relevance

GET /api/v1/cve/{CVE-ID}/threat-actors/

Threat actors and APT groups exploiting this vulnerability

GET /api/v1/cve/{CVE-ID}/sigma/

SIEM detection rules: severity level, logsource, MITRE ATT&CK mapping, and full rule content

GET /api/v1/cve/{CVE-ID}/yara-forge/

YARA detection rules: file-level detection signatures with quality scores and full rule content

GET /api/v1/cve/{CVE-ID}/msrc/

Microsoft patch data: KB articles, fixed builds, exploitation assessment, CVSS scores, affected products

GET /api/v1/cve/{CVE-ID}/products/

Affected products: software/hardware with vendor details and version info

GET /api/v1/cve/{CVE-ID}/trends/

Platform trends: mention counts, engagement scores, sentiment across multiple platforms

threat ranking

Prioritized vulnerability feeds ranked by exploitability, real-world evidence, and risk. Built for SOC dashboards and morning briefings.

GET /api/v1/threats/

Top threats by computed risk score. Params: limit, min_score, year

GET /api/v1/threats/daily/

Daily digest: hot in news, discussed on social media, new KEV, new exploits. Param: days

GET /api/v1/threats/weaponized/

CVEs that are in CISA KEV and have public exploit code. Highest priority for patching.

GET /api/v1/threats/high-epss/

CVEs most likely to be exploited (EPSS >= 50%). Param: min_epss

GET /api/v1/threats/trending/

CVEs trending in news and social media. Params: days, limit

GET /api/v1/threats/recent-kev/

Recently added to CISA KEV (confirmed exploited). Params: days, limit

GET /api/v1/threats/recent-exploits/

Recently published public exploits and PoC code. Params: days, limit

GET /api/v1/threats/eu-relevant/

CVEs classified as EU-relevant (ENISA EUVD, European vendors, GDPR, ICS/SCADA)

GET /api/v1/threats/suspicious-pocs/

Suspicious PoCs: repos flagged as potentially malicious/backdoored. Params: min_score, limit

github activity

Real-time exploit development tracking. Monitor new PoC repos, stars, commits, and forks across all CVEs. Early indicator of weaponization.

GET /api/v1/github/activity/

Recent events across all CVEs. Params: hours (default 24), limit

GET /api/v1/github/trending/

Trending CVEs on GitHub: most activity in recent hours. Params: hours, limit

GET /api/v1/cve/{CVE-ID}/github-activity/

Events for a specific CVE with first_seen_on_github timestamp

software search

Find CVEs by vendor or product. Full CPE-based taxonomy with 25,000+ vendors and products.

GET /api/v1/vendors/

List all vendors with CVE counts. Params: search, limit

GET /api/v1/vendors/{vendor}/

Vendor details: metadata, website, industry, security contact, bug bounty, product breakdown

GET /api/v1/vendors/{vendor}/cves/

All CVEs affecting this vendor, ranked by threat score. Params: limit, offset

GET /api/v1/products/

List products with CVE counts. Params: search, vendor_id, limit

GET /api/v1/products/{product}/

Product details and CVEs. Params: vendor, limit, offset

GET /api/v1/products/{product}/cves/

CVEs affecting this product. Params: vendor, limit

network intelligence

IP, CIDR, and ASN lookups with RDAP and WHOIS data. These endpoints do not require API key authentication.

GET /api/ip/{ip}

IPv4 or IPv6 address lookup with RDAP, geo, ASN data

GET /api/cidr/{cidr}

CIDR range lookup

GET /api/search?q={query}

Search by IP, ASN, or keyword

rate limits

rate limits are per API key. burst rate applies per minute.

plan          requests      burst
free          20/day        5/min
pro           5,000/mo      30/min
team          20,000/mo     60/min
enterprise    custom        custom