/integrations
TAXII 2.1 & STIX 2.1 Feed
Subscribe to RansomScope intelligence directly from MISP, OpenCTI, Anomali, ThreatConnect, EclecticIQ, or any TAXII 2.1 client. The feed is public, anonymous, and marked TLP:CLEAR.
Endpoints
Discovery URL
https://ransomscope.com/api/public/taxii2/API Root
https://ransomscope.com/api/public/taxii2/api/STIX 2.1 bulk bundle
https://ransomscope.com/api/public/stix/bundle?collection=everythingCollections
Python (taxii2-client)
# pip install taxii2-client
from taxii2client.v21 import Server, as_pages
server = Server("https://ransomscope.com/api/public/taxii2/")
api_root = server.api_roots[0]
for collection in api_root.collections:
print(collection.title, "→", collection.id)
iocs = next(c for c in api_root.collections if c.id == "iocs")
for envelope in as_pages(iocs.get_objects, per_request=500):
for obj in envelope["objects"]:
print(obj["type"], obj["id"])curl
curl -H "Accept: application/taxii+json;version=2.1" \
https://ransomscope.com/api/public/taxii2/
# list collections
curl https://ransomscope.com/api/public/taxii2/api/collections/
# pull the IOC bundle
curl 'https://ransomscope.com/api/public/taxii2/api/collections/iocs/objects/?limit=500'In MISP / OpenCTI
- MISP: Administration → Servers → Add TAXII feed. Server URL:
https://ransomscope.com/api/public/taxii2/. No auth. - OpenCTI: Data → Ingestion → TAXII 2.1 connector. URL:
https://ransomscope.com/api/public/taxii2/api/. Authentication:none. Pick any collection ID above. - Anything else: point any STIX 2.1 importer at the bulk bundle URL above for a one-shot export.
Notes
- All objects are TLP:CLEAR and freely redistributable.
- Pagination: pass
?limit=N(max 5,000) and follow thenextcursor in the response envelope. - Incremental sync: pass
?added_after=YYYY-MM-DDTHH:MM:SSZto get only what changed since your last poll. - STIX IDs are deterministic — re-imports update existing objects rather than duplicating.