GET /api/explore.php
curl "https://pulsedive.com/api/explore.php?q=ioc%3Dpulsedive.com%20or%20threat%3Dryuk"
{
  "results": [
    {
      "iid": 123,
      "indicator": "pulsedive.com",
      "type": "domain",
      "risk": "none",
      "stamp_added": "2020-01-15 10:30:00",
      "stamp_updated": "2025-05-19 14:23:45",
      "stamp_seen": "2025-05-19 14:23:45",
      "stamp_retired": null,
      "summary": {
        "properties": {
          "geo": {
            "country": "United States",
            "countrycode": "US"
          },
          "dns": {
            "a": "142.250.190.14"
          }
        }
      }
    },
    {
      "iid": 456,
      "indicator": "malicious-domain.com",
      "type": "domain",
      "risk": "high",
      "stamp_added": "2024-03-20 08:15:00",
      "stamp_updated": "2025-05-18 12:00:00",
      "stamp_seen": "2025-05-18 12:00:00",
      "stamp_retired": null,
      "summary": {
        "threats": [
          {
            "name": "Ryuk",
            "category": "ransomware"
          }
        ]
      }
    }
  ],
  "query": "ioc=pulsedive.com or threat=ryuk"
}

Query Parameters

key
string

Your Pulsedive API key.

API key authentication is optional. However, requests without a key have stricter rate limits. We recommend including an API key for better performance and reliability.

q
string
required

Explore query string using the Explore query language syntax. The query is URI-encoded.

Query syntax supports:

  • Field searches: ioc=example.com, type=domain, risk=high
  • Boolean logic: ioc=pulsedive.com or threat=ryuk
  • Wildcards: ioc=*.pulsedive.com, feed=*malware*
  • Negation: not risk=none
  • Combinations: (type=domain or type=ip) and risk=critical

Common searchable fields include ioc, type, risk, threat, feed, seen, added, updated, retired, port, protocol, and technology.

Some examples:

For detailed query syntax and more examples, visit Query Language.

type
enum<string>
default:indicators

Search mode, which determines the dataset you are querying and filters that are available. Options include:

  • indicators: Search for indicators by value, type, risk, attributes, properties, and associated threats or feeds.
  • threats: Search for threats by name, alias, category, or associated indicator attributes.

Available options: indicators, threats

limit
integer

Maximum number of results to return per query.

If you don't specify a limit, Pulsedive applies your account tier's default:

  • Visitor (not logged in): 10
  • Free: 50
  • Pro: 250
  • Team: 1000
  • Business/Custom: 10000

Required range: x >= 1

Example:

10

format
enum<string>
default:json

Output format for results.

Available formats:

  • json: JSON format (default)
  • csv: Comma-separated values with headers
  • stix: STIX 2.1 format (requires authentication)

CSV exports include a header with query information and result limit. STIX exports require a registered user account.

Available options: json, csv, stix

pretty
enum<integer>
default:0

Indicates whether to format returned JSON results.

For pretty-printed output, set to 1. For compact output, set to 0.

Available options: 0, 1
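
An added example (not part of Pulsedive's documentation or client code): it builds the URI-encoded request URL from an Explore query and the optional parameters above, then triages a response without assuming every indicator object carries the same fields. The function names, the ALERT_RISKS set and the reading of a non-null stamp_retired as "retired" are assumptions; the sample is a trimmed copy of the example response at the top of this page.

```python
import json
from urllib.parse import quote, urlencode

EXPLORE_URL = "https://pulsedive.com/api/explore.php"
ALERT_RISKS = {"high", "critical"}  # assumption: the risk values worth alerting on

def build_explore_url(query, key=None, limit=None, mode=None, fmt=None):
    """URI-encode an Explore query plus the optional documented parameters."""
    if limit is not None and limit < 1:
        raise ValueError("limit must be >= 1")
    params = {"q": query, "type": mode, "limit": limit, "format": fmt, "key": key}
    params = {k: v for k, v in params.items() if v is not None}
    # quote (not quote_plus) encodes spaces as %20, matching the curl example
    return EXPLORE_URL + "?" + urlencode(params, quote_via=quote)

def triage(response_text):
    """Return (indicator, type, risk, threat names) for unretired high/critical hits."""
    body = json.loads(response_text)
    hits = []
    for item in body.get("results", []):
        # assumption: a non-null stamp_retired marks a retired indicator
        if item.get("risk") not in ALERT_RISKS or item.get("stamp_retired"):
            continue
        # "summary" and "threats" are optional: the first sample object has neither threat
        threats = (item.get("summary") or {}).get("threats") or []
        names = [t["name"] for t in threats if t.get("name")]
        hits.append((item.get("indicator"), item.get("type"), item["risk"], names))
    return hits

# Trimmed copy of the example response shown on this page
SAMPLE = """{"results": [
  {"iid": 123, "indicator": "pulsedive.com", "type": "domain", "risk": "none",
   "stamp_retired": null, "summary": {"properties": {"dns": {"a": "142.250.190.14"}}}},
  {"iid": 456, "indicator": "malicious-domain.com", "type": "domain", "risk": "high",
   "stamp_retired": null,
   "summary": {"threats": [{"name": "Ryuk", "category": "ransomware"}]}}],
 "query": "ioc=pulsedive.com or threat=ryuk"}"""

if __name__ == "__main__":
    print(build_explore_url("(type=domain or type=ip) and risk=critical", limit=10))
    for hit in triage(SAMPLE):
        print(hit)
```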

Response

Successful request. Returns search results in the specified format.

Response from an indicator search query. Contains an array of matching indicators and the effective query that was executed.

results
object[]

Array of indicators matching the search query. Each indicator includes core identification, risk assessment, and summary information.

The structure of each indicator object varies based on available data. Common fields include indicator value, type, risk, timestamps, and associated threats/feeds.

query
string

The effective query string that was executed. This reflects the parsed and processed version of your original query.

Useful for debugging query syntax and understanding how Pulsedive interpreted your search.

Example:

"ioc=pulsedive.com or threat=ryuk"