The Security API Directory Every SOC Engineer Should Bookmark


Hook

While developers maintain awesome lists for every programming language and framework, the security community has been quietly building one of the most pragmatic resources for security automation: a comprehensive directory of public security APIs with the metadata that actually matters.

Context

Security automation is no longer optional. SOC teams deal with thousands of alerts daily, threat intelligence feeds multiply by the quarter, and manual investigation workflows don’t scale. Yet discovering which APIs exist for malware sandboxing, threat intelligence enrichment, or vulnerability lookups remains surprisingly difficult. Commercial API marketplaces bury security tools among thousands of unrelated services, vendor documentation is scattered, and Google searches return outdated blog posts.

The jaegeral/security-apis repository solves this discovery problem by maintaining a community-curated directory of public security APIs. Created by Alexander Jaeger and supported by an active contributor community, this awesome-list focuses exclusively on APIs useful for security workflows—from real-time threat intelligence lookups to passive DNS queries and CVE searches. With 967 stars and active maintenance, it’s become a go-to reference for security engineers building integrations, automating investigations, or evaluating new data sources.

Technical Insight

[System architecture diagram (auto-generated): Security Engineer → Repository → Browse Categories → Select API → Integration; the README.md tables hold Online Services (50+ APIs), Tools APIs and SIEM Integrations, each entry carrying the metadata fields Auth Type, HTTPS Support, Free/Commercial and Documentation Links.]

The repository’s architecture is deliberately simple: a single README.md file containing markdown tables organized by category. Each entry provides five critical metadata fields that security engineers need during initial API evaluation: authentication type, HTTPS support, free/commercial status, documentation link, and a brief description.

The Online category dominates with 50+ entries covering threat intelligence providers and search engines. Here you’ll find everything from free services like CIRCL’s CVE Search and hashlookup to commercial platforms like CrowdStrike and Domaintools. The metadata format immediately reveals integration requirements:

| API | Description | Auth | HTTPS | Link | Free |
|---|---|---|---|---|---|
| CIRCL hashlookup | File hash lookup | `none` | Yes | [Link!](https://hashlookup.circl.lu/) | Free |
| GreyNoise | Internet-wide scanner data | `apiKey` | Yes | [Link!](https://github.com/GreyNoise-Intelligence/api.greynoise.io) | Free/Commercial |
| CrowdStrike API | TI | `apiKey` | Yes | [Link!](https://developer.crowdstrike.com/docs/openapi/) | NO |

This tabular format enables rapid comparison. Need to enrich file hashes without authentication overhead? CIRCL hashlookup requires no API key. Building a prototype before budget approval? GreyNoise offers a free tier. Already paying for CrowdStrike? Their API documentation is one click away.

The repository categorizes APIs into four sections: Online (web-based services), Tools (software with APIs), SIEM (security information and event management integrations), and Various (miscellaneous resources). The Online section reveals interesting patterns in the security API ecosystem. Free, keyless APIs cluster around standard data formats: CIRCL provides CVE lookups, file hash searches, and passive SSH without authentication. Abuse.ch’s MalwareBazaar similarly offers malware sample access with simple API key registration.

Commercial providers follow a different pattern. Entries like Domaintools, Fireeye iSight, and Dragos WorldView all require API keys and paid subscriptions, but the repository links directly to their developer portals. This saves the tedious navigation through marketing pages to find actual technical documentation.

Several entries highlight specialized use cases that demonstrate the directory’s depth. The caprivacy.github.io entry points to California Privacy Directory APIs—highly specific but invaluable when building CCPA compliance workflows. CIRCL’s Passive SSH API serves security teams investigating SSH infrastructure. IP ASN History from the D4 Project provides BGP intelligence for network security analysis.

The repository also surfaces newer services that might not appear in traditional security tool roundups. Focsec provides proxy and VPN detection APIs. EmailRep offers free email reputation queries specifically for phishing investigations. These niche APIs often solve specific automation problems that generic threat intelligence platforms don’t address.

From an integration perspective, the authentication metadata proves immediately actionable. The none value indicates APIs you can call directly for prototyping:

```bash
# Example: Query CIRCL CVE Search without authentication
curl https://cve.circl.lu/api/cve/CVE-2021-44228

# Returns JSON with CVE details for Log4Shell
```

The apiKey designation tells you to expect registration and token-based authentication, while entries marked with ? signal incomplete metadata requiring manual verification. This transparency about data quality is refreshingly honest—the maintainers mark unknowns rather than guessing.

Based on the repository’s apparent focus on JSON APIs (as indicated by the description referencing ‘public (JSON) APIs’), most modern security APIs likely default to JSON responses, though the explicit format details would require verification through individual API documentation.

Gotcha

The repository’s greatest strength—comprehensive coverage—also reveals its limitations. Roughly 30% of entries have incomplete metadata marked with question marks. Authentication requirements, pricing models, and even current availability often require manual verification by clicking through to vendor documentation. This isn’t negligence; the security API landscape changes constantly as services shut down, pivot to commercial-only models, or update authentication schemes.

The static markdown format means no programmatic access beyond parsing the README file. You can’t filter for “free APIs with no authentication” or “threat intelligence providers with freemium tiers” without manual scanning. GitHub’s search functionality helps somewhat, but the repository doesn’t offer structured data export, OpenAPI specifications, or machine-readable metadata. If you’re building tooling that programmatically discovers security APIs, you’ll need to parse markdown tables yourself.
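Since the README is the only data source, the comparison the tables invite and the "free APIs with no authentication" filter the repository cannot run itself both come down to parsing those tables. The following is an added example, not code from the repository or its maintainers; it assumes the column order implied by the article (API, Description, Auth, HTTPS, Link, Free) and uses a constructed README excerpt built from the rows quoted above plus one deliberately incomplete row.

```python
import re
from typing import Dict, List

# Constructed README excerpt in the directory's table layout. The header
# line and the "## Online" heading are assumptions; the last row is invented
# to show how '?' metadata is handled.
SAMPLE_README = """# Security APIs

## Online

| API | Description | Auth | HTTPS | Link | Free |
|---|---|---|---|---|---|
| CIRCL hashlookup | File hash lookup | `none` | Yes | [Link!](https://hashlookup.circl.lu/) |Free|
| GreyNoise | Internet-wide scanner data | `apiKey` | Yes | [Link!](https://github.com/GreyNoise-Intelligence/api.greynoise.io) |Free/Commercial|
| CrowdStrike API | TI | `apiKey` | Yes | [Link!](https://developer.crowdstrike.com/docs/openapi/) |NO|
| Some Vendor | Passive DNS | `?` | ? | [Link!](https://example.invalid/docs) |?|
"""

LINK_RE = re.compile(r"\[[^\]]*\]\(([^)]+)\)")  # pulls the URL out of [Link!](url)

def parse_tables(markdown: str) -> List[Dict[str, str]]:
    """Walk the README, remember the current heading as the category, and
    turn every table row into a dict keyed by that table's header cells."""
    entries, category, header = [], None, None
    for raw in markdown.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            category, header = line.lstrip("#").strip(), None
            continue
        if not line.startswith("|"):
            header = None                       # blank/prose line ends a table
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells                      # first pipe line is the header
            continue
        if all(set(c) <= set(":-") for c in cells):
            continue                            # skip the |---|---| separator
        row = dict(zip(header, cells))
        row["Category"] = category
        row["Auth"] = row.get("Auth", "").strip("`")
        m = LINK_RE.search(row.get("Link", ""))
        row["Link"] = m.group(1) if m else row.get("Link", "")
        entries.append(row)
    return entries

def free_no_auth(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Free tier and no API key. Rows still marked '?' are left out, not guessed."""
    return [e for e in entries
            if e["Auth"] == "none" and e.get("Free", "").lower().startswith("free")]

def needs_verification(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows the maintainers flagged with '?' in auth, HTTPS or pricing."""
    return [e for e in entries if "?" in (e["Auth"], e.get("HTTPS", ""), e.get("Free", ""))]
```

Run against the real README, `needs_verification` gives the list of entries to click through before relying on them, which is the manual-verification step the Gotcha section describes.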

There’s also no quality assessment or community feedback mechanism. An API with documented endpoints might return stale data, have unreliable uptime, or poor documentation. The list treats a mature, well-supported API like Shodan equally with obscure services that might disappear next quarter. API versioning information is absent—critical when integration code needs to handle breaking changes. Rate limits, response time expectations, and data freshness aren’t captured, yet these factors often determine whether an API works for production security workflows versus one-off investigations.

Verdict

Use if: You’re in the discovery phase of security automation projects and need to quickly survey available APIs for threat intelligence enrichment, malware analysis, vulnerability data, or network reconnaissance. This directory excels at exposing options you didn’t know existed and providing fast access to documentation. It’s particularly valuable for security engineers evaluating multiple vendors, building proof-of-concept integrations, or researching free alternatives to commercial platforms. The categorization by use case (Online, Tools, SIEM) maps directly to common security workflows.

Skip if: You need detailed API comparisons, integration examples, or quality assessments before committing to an implementation. The repository provides discovery, not evaluation. If you’re looking for code samples, client libraries, or tutorials on using specific security APIs, vendor documentation or dedicated integration guides will serve you better. Also skip if your workflow requires programmatic API discovery—the markdown table format isn’t designed for machine consumption beyond basic parsing.
