Threat library: actors, malware, and vulnerabilities.
The threat library holds the entities your account tracks: the threat actors, malware families, vulnerabilities, and threat clusters that events get linked to. The API gives you the same library programmatically, which is handy for syncing watchlists, resolving names to IDs before an event ingest, or wiring threat context into internal tooling.
Both endpoints require the threats.read scope.
List entities
GET /api/v1/threats/{entity_type}/ where entity_type is one of:
threat-actorsmalwarevulnerabilitiesclusters
curl "https://api.liberty91.com/api/v1/threats/threat-actors/?active=true" \
-H "X-API-Key: $LIBERTY91_API_KEY"Two filters are available alongside the usual pagination parameters:
| Filter | Meaning |
|---|---|
name | Case-insensitive exact-name match, for resolving a known name to an ID |
active | true or false, limits to entities you are actively tracking |
Entity detail
GET /api/v1/threats/{entity_type}/{id}/ returns the full record:
{
"id": "3e2d1c0b-...",
"name": "Scattered Spider",
"description": "...",
"criticality": "HIGH",
"active": true,
"cpe": "",
"enrichment_status": "complete",
"created_at": "2026-01-19T10:00:00Z",
"last_updated": "2026-07-06T04:12:00Z"
}All four entity types share this shape. The cpe field is populated for
vulnerabilities where a CPE identifier applies and is empty for the other types.
last_updated moves whenever the platform's agents refresh the entity from new
reporting, so it doubles as a cheap change-detection signal for sync jobs.
Resolving names before ingest pays off. If you are about to ingest a report that
mentions a known actor, look the actor up by name first and pass its id in the
ingest call. An ID link is unambiguous, where a name still has to be matched.
Frequently asked questions
What entity types does the threat library API expose?
Four: threat actors, malware, vulnerabilities, and threat clusters. Each is a path segment on the same pair of list and detail endpoints.
Can I look up a threat actor by name?
Yes. The list endpoint accepts a name filter that matches the exact name
case-insensitively, which is the reliable way to resolve a name to an ID.
Is the threat library shared across customers?
The endpoints return your account's view of each entity, including your own tracking status and enrichment state. Your key only ever sees your tenant's data.