Threat Intelligence Feed

Blacklist Malware Threats

OPSWAT's threat intelligence feed enables organizations to leverage real-time malware data collected by the MetaDefender Cloud platform from all around the world. Organizations integrate our up-to-date threat intelligence into their existing tools or solutions to protect their infrastructure against threats.

Why Threat Intelligence?

Threat Intelligence starts with the collection of information. Since 2012, OPSWAT gathers malware data from a wide range of sources: free users, customers, our OEM community, and other cybersecurity vendors. The result is a massive online database of malware hashes and malware-related information that can be cross-referenced. 

Threat Intelligence Benefits

  • Prevention & Mitigation - Threat Intelligence provides info about the newest threats, in order to identify, prevent and mitigate them
  • UpToDate - The feed is continuously updated to make sure your organization is protected from the latest threats
  • Fortified Infrastructure - “Security products leverage threat intelligence capabilities to harden security measures

How Do SecOps Benefit from the Threat Intelligence Feed

  • Adding context and priority to global threats in order to see beyond the typical attack lifecycle
  • Enhance security and risk management infrastructure, by building proactive defenses, prioritizing alerts, and improving incident response
  • Qualify threats disrupting business, based on file category, malware family and type

Getting Started

The Threat Intelligence Feed contains the latest detected malware hash signatures, including MD5, SHA1, and SHA256. Our feed is updated instantly with malware to provide actionable threat intelligence. Data is delivered in JSON format using REST API calls and is configurable using query parameters:

Integration example – consume our threat intelligence feed programmatically:

curl -X GET \
'' \
-H 'apikey: ${APIKEY}'

var request = require("request");

var options = { method: 'GET',
url: '',
qs: { page: '1'},
headers: {
apikey: process.env.APIKEY

request(options, function (error, response, body) {

import requests
import os

url = ""
querystring = {"page":"1"}
headers = {'apikey': os.environ["APIKEY"]}

response = requests.request("GET", url, headers=headers, params=querystring)


require 'uri'
require 'net/http'

url = URI("")

http =, url.port)

request =
request["apikey"] = ENV['APIKEY']

response = http.request(request)
puts response.read_body

package main

import (

func main() {
url := ""
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("apikey", os.Getenv("APIKEY") )

res, _ := http.DefaultClient.Do(req)

defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)


$uri = ''

$headers = @{}
$headers.Add('apikey', $env:APIKEY)

$result = Invoke-WebRequest -Uri $uri -Headers $headers -UseBasicParsing
Write-Output $result.content

Available query parameters (all optional):

  • page – selects the page of the feed to be retrieved, containing 1,000 threats. If omitted, defaults to the first page
  • category - only include files of a certain category, like documents or APKs. See the documentation for a full list of categories
  • date - the feed can be queried to return hashes from up to one year. Defaults to today

Threat Intelligence Feed Versions

Threat Name
File Type
Historical DataUp to one year
Malware Signatures1,000Unlimited

Log into your portal account or register if you don’t have an account to receive a MetaDefender Cloud API key. For more developer options, please see the API documentation here.

Contact our sales team and choose the proper plan for your organization.