Liberty91

Threat library: actors, malware, and vulnerabilities.

Last updated 8 Jul 20262 min read

The threat library holds the entities your account tracks: the threat actors, malware families, vulnerabilities, and threat clusters that events get linked to. The API gives you the same library programmatically, which is handy for syncing watchlists, resolving names to IDs before an event ingest, or wiring threat context into internal tooling.

Both endpoints require the threats.read scope.

List entities

GET /api/v1/threats/{entity_type}/ where entity_type is one of:

  • threat-actors
  • malware
  • vulnerabilities
  • clusters
curl "https://api.liberty91.com/api/v1/threats/threat-actors/?active=true" \
  -H "X-API-Key: $LIBERTY91_API_KEY"

Two filters are available alongside the usual pagination parameters:

FilterMeaning
nameCase-insensitive exact-name match, for resolving a known name to an ID
activetrue or false, limits to entities you are actively tracking

Entity detail

GET /api/v1/threats/{entity_type}/{id}/ returns the full record:

{
  "id": "3e2d1c0b-...",
  "name": "Scattered Spider",
  "description": "...",
  "criticality": "HIGH",
  "active": true,
  "cpe": "",
  "enrichment_status": "complete",
  "created_at": "2026-01-19T10:00:00Z",
  "last_updated": "2026-07-06T04:12:00Z"
}

All four entity types share this shape. The cpe field is populated for vulnerabilities where a CPE identifier applies and is empty for the other types. last_updated moves whenever the platform's agents refresh the entity from new reporting, so it doubles as a cheap change-detection signal for sync jobs.

Tip

Resolving names before ingest pays off. If you are about to ingest a report that mentions a known actor, look the actor up by name first and pass its id in the ingest call. An ID link is unambiguous, where a name still has to be matched.

Frequently asked questions

What entity types does the threat library API expose?

Four: threat actors, malware, vulnerabilities, and threat clusters. Each is a path segment on the same pair of list and detail endpoints.

Can I look up a threat actor by name?

Yes. The list endpoint accepts a name filter that matches the exact name case-insensitively, which is the reliable way to resolve a name to an ID.

Is the threat library shared across customers?

The endpoints return your account's view of each entity, including your own tracking status and enrichment state. Your key only ever sees your tenant's data.

Was this page helpful?