# OT Intel API — ICS/SCADA Threat Intelligence

## What This API Does

OT Intel monitors and enriches threat intelligence specifically for Operational Technology (OT) and Industrial Control System (ICS) environments: SCADA, PLC, HMI, DCS, RTU, historian, and safety instrumented systems (SIS). All data is AI-enriched by DeepSeek with OT-adjusted severity scoring, cyber-physical impact assessment, MITRE ATT&CK for ICS technique mapping, and CISA KEV status. The LLM-derived fields (OT severity, cyber-physical impact, compensating controls, recommended actions) are advisory: verify them against the vendor advisory and your own process context before acting on a production ICS.

Pay per call in USDC on Base mainnet via x402. No API key. No account. No subscription.

Data sources: MITRE ATT&CK for ICS, CISA ICS-CERT, NVD, AlienVault OTX, AbuseIPDB, DeepSeek LLM.

Use cases: industrial SOC automation, OT vulnerability management, ICS threat intelligence pipelines, NERC CIP compliance, IEC 62443 lifecycle management, critical infrastructure protection.

## Base URL

https://ot-intel-api.onrender.com

## Authentication

x402 micropayment protocol. Include a valid X-PAYMENT header with each request; a request without one is answered with HTTP 402 and the payment requirements.

Payment: USDC on Base mainnet (eip155:8453). Facilitator: CDP (api.cdp.coinbase.com).

---

## Endpoints

### GET /ot/cve — OT-Contextualised CVE Triage ($0.02 USDC)

CVE lookup enriched for ICS/SCADA environments. Returns OT-adjusted severity, cyber-physical impact, affected ICS layer, compensating controls that avoid downtime, patch feasibility, and CISA KEV status. Covers PLCs, DCS, HMI, RTU, engineering workstations, and safety instrumented systems (SIS).

**Query parameters:**

- id (string, required) — CVE identifier, e.g. CVE-2023-38802

**Response fields:**

- cve_id (string) — CVE identifier
- summary (string) — NVD description
- cvss_score (number) — base CVSS score (NVD)
- severity (string) — critical | high | medium | low
- ot_severity (string) — OT-adjusted severity (may differ from the IT baseline)
- ot_layer (string) — field_device | hmi | scada_server | historian | dcs | rtu | safety_system
- cyber_physical_impact (string) — process_disruption | physical_damage | safety_system_bypass | none
- kev_status (string) — in_kev | not_in_kev
- kev_due_date (string) — CISA KEV remediation deadline (only present when kev_status is in_kev)
- patch_feasibility (string) — feasible | risky | not_recommended
- compensating_controls[] (array) — OT-safe mitigations that avoid downtime
- recommended_action (string) — prioritised action for OT operators
- affected_vendors[] (array) — vendor names
- references[] (array) — NVD and vendor advisory URLs

**Example call:**

```
GET https://ot-intel-api.onrender.com/ot/cve?id=CVE-2023-38802
```

**Example response:**

```json
{
  "cve_id": "CVE-2023-38802",
  "summary": "FRR BGP daemon crash via malformed BGP UPDATE packet",
  "cvss_score": 7.5,
  "severity": "high",
  "ot_severity": "critical",
  "ot_layer": "scada_server",
  "cyber_physical_impact": "process_disruption",
  "kev_status": "not_in_kev",
  "patch_feasibility": "feasible",
  "compensating_controls": ["network segmentation", "BGP route filtering", "disable unused BGP peers"],
  "recommended_action": "Apply vendor patch during next maintenance window; apply network controls immediately.",
  "affected_vendors": ["FRR Project"],
  "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-38802"]
}
```

---

### GET /ot/device — Internet-Exposed OT Device Lookup ($0.05 USDC)

Returns exposure data for OT devices by vendor and model. Includes default credential risk with exploitation notes, at-risk OT protocols with ports, and hardening recommendations.
**Query parameters:**

- vendor (string, required) — siemens | schneider | rockwell | honeywell | ge | unitronics | beckhoff | abb | emerson
- model (string, required) — device model, e.g. s7-1200 | modicon-m340 | controllogix | vision

**Response fields:**

- vendor (string) — normalised vendor name
- model (string) — device model
- device_type (string) — plc | hmi | dcs | rtu | historian | engineering_workstation
- default_credential_risk (string) — critical | high | medium | low
- default_credentials (object) — known default username/password pair and exploitation notes
- exposed_protocols[] (array) — OT protocols with port numbers (Modbus TCP/502, S7comm/102, EtherNet/IP/44818, DNP3/20000, BACnet/47808, PCOM/20256); each entry carries name, port and risk
- shodan_exposure (object) — estimated internet-facing count (estimated_count) and top countries (top_countries); an estimate, not a host list
- hardening_recommendations[] (array) — actionable steps to reduce attack surface

**Example call:**

```
GET https://ot-intel-api.onrender.com/ot/device?vendor=unitronics&model=vision
```

**Example response:**

```json
{
  "vendor": "Unitronics",
  "model": "Vision Series",
  "device_type": "plc",
  "default_credential_risk": "critical",
  "default_credentials": {
    "username": "admin",
    "password": "1111",
    "notes": "Ships with default password 1111 (CVE-2023-6448); exploited in the wild against water utilities in late 2023, see CISA ICS advisory ICSA-23-348-15"
  },
  "exposed_protocols": [
    {"name": "PCOM", "port": 20256, "risk": "high"},
    {"name": "Modbus TCP", "port": 502, "risk": "high"}
  ],
  "shodan_exposure": {"estimated_count": 1800, "top_countries": ["US", "IL", "DE"]},
  "hardening_recommendations": [
    "Change default credentials immediately",
    "Restrict PCOM port 20256 to engineering VLAN",
    "Enable VPN for remote access"
  ]
}
```

---

### GET /ot/actor — ICS Threat Actor Profile ($0.03 USDC)

ICS/APT threat actor profiles. Fetched live from the MITRE ATT&CK for ICS STIX bundle and CISA ICS advisories, enriched by DeepSeek. Returns MITRE ATT&CK for ICS technique mappings, known ICS malware, targeted sectors, attribution, physical impact assessment, and OT-specific detection recommendations.
**Query parameters:**

- name (string, required) — actor name or alias, e.g. SANDWORM | VOLTZITE | XENOTIME | Volt+Typhoon (URL-encode spaces)

Alias lookup supported:

- Volt Typhoon -> VOLTZITE
- APT44 -> SANDWORM
- TEMP.Veles -> XENOTIME
- Seashell Blizzard -> SANDWORM
- Kamacite -> SANDWORM subgroup

Known actors: SANDWORM, VOLTZITE, XENOTIME, KAMACITE, ELECTRUM, CHERNOVITE, BENTONITE, ERYTHRITE, TALONITE

**Response fields:**

- actor_name (string) — primary actor name
- aliases[] (array) — known aliases with source citations
- nation_state (string) — attributed country
- motivation (string) — espionage | sabotage | financial | hacktivism
- activity_status (string) — ACTIVE | DORMANT
- last_known_activity (string) — date or period of last confirmed activity
- physical_impact (string) — CONFIRMED DESTRUCTIVE | LIKELY | POSSIBLE | UNKNOWN
- targeted_sectors[] (array) — industrial sectors targeted
- known_malware[] (array) — ICS malware, e.g. INDUSTROYER/CRASHOVERRIDE (two names for the same 2016 malware), INDUSTROYER2, TRITON/TRISIS, PIPEDREAM/INCONTROLLER
- ics_techniques[] (array) — MITRE ATT&CK for ICS technique mappings
  - id (string) — e.g. T0816
  - name (string) — technique name
  - tactic (string) — tactic name
  - url (string) — MITRE ATT&CK URL
- detections[] (array) — OT-specific SIEM/SOC detection recommendations

**Example call:**

```
GET https://ot-intel-api.onrender.com/ot/actor?name=SANDWORM
```

**Example response:**

```json
{
  "actor_name": "SANDWORM",
  "aliases": ["APT44", "Seashell Blizzard", "Voodoo Bear"],
  "nation_state": "Russia (GRU Unit 74455)",
  "motivation": "sabotage",
  "activity_status": "ACTIVE",
  "last_known_activity": "2024",
  "physical_impact": "CONFIRMED DESTRUCTIVE",
  "targeted_sectors": ["energy", "water", "manufacturing"],
  "known_malware": ["INDUSTROYER (CRASHOVERRIDE)", "INDUSTROYER2"],
  "ics_techniques": [
    {
      "id": "T0816",
      "name": "Device Restart/Shutdown",
      "tactic": "Inhibit Response Function",
      "url": "https://attack.mitre.org/techniques/T0816"
    }
  ],
  "detections": [
    "Alert on unexpected MMS traffic to RTUs",
    "Monitor for unauthorised firmware writes to field devices"
  ]
}
```

---

### GET /ot/actor/sector — Actors by Industrial Sector ($0.03 USDC)

All ICS threat actors targeting a specific industrial sector, fetched live from MITRE ATT&CK for ICS. Each actor includes attribution, physical impact level, activity status, and attack vectors.
**Query parameters:**

- sector (string, required) — energy | water | manufacturing | oil-and-gas | chemical | transportation | nuclear

**Response fields:**

- sector (string) — queried sector
- total_actors (number) — count of actors targeting this sector
- actors[] (array) — list of actor summary objects
  - actor_name (string) — primary name
  - nation_state (string) — attributed country
  - physical_impact (string) — CONFIRMED DESTRUCTIVE | LIKELY | POSSIBLE | UNKNOWN
  - activity_status (string) — ACTIVE | DORMANT
  - attack_vectors[] (array) — observed initial access methods

**Example call:**

```
GET https://ot-intel-api.onrender.com/ot/actor/sector?sector=energy
```

**Example response:**

```json
{
  "sector": "energy",
  "total_actors": 4,
  "actors": [
    {
      "actor_name": "SANDWORM",
      "nation_state": "Russia",
      "physical_impact": "CONFIRMED DESTRUCTIVE",
      "activity_status": "ACTIVE",
      "attack_vectors": ["spearphishing", "supply chain", "internet-exposed ICS"]
    }
  ]
}
```

---

### GET /ot/ioc — IOC Enrichment with OT Campaign Context ($0.01 USDC)

IOC enrichment with ICS/OT campaign context. Queries AlienVault OTX, AbuseIPDB, and DeepSeek in parallel, so the submitted indicator is forwarded to those third-party services as part of the lookup. Returns a verdict on whether the IOC is linked to OT-targeting campaigns (VOLTZITE, SANDWORM, XENOTIME). Cheapest endpoint, designed for high-volume SOC triage pipelines.

**Query parameters:**

- value (string, required) — indicator value, e.g. 185.220.101.45 | malicious-domain.com
- type (string, required) — ip | domain

**Response fields:**

- ioc (string) — queried indicator
- type (string) — ip | domain
- otx (object) — AlienVault OTX data
  - reputation (number) — OTX reputation score
  - pulse_count (number) — number of OTX pulses (community threat feeds) referencing this IOC
  - ot_tagged (boolean) — true if referenced in ICS/SCADA/Modbus/DNP3-tagged pulses
- abuseipdb (object) — AbuseIPDB data (IP lookups only)
  - abuse_confidence_score (number) — 0-100
  - isp (string) — ISP name
  - tor_node (boolean) — true if the IP is a known Tor exit node
  - total_reports (number) — total abuse reports
- deepseek_cti (object) — DeepSeek CTI enrichment
  - known_threat_actor (string) — attributed actor or "unknown"
  - campaign_context (string) — description of the associated campaign
  - confidence (string) — high | medium | low
- verdict (string) — OT_TARGETED_CAMPAIGN | GENERIC_THREAT | BENIGN | UNKNOWN

**Example call:**

```
GET https://ot-intel-api.onrender.com/ot/ioc?value=185.220.101.45&type=ip
```

**Example response:**

```json
{
  "ioc": "185.220.101.45",
  "type": "ip",
  "otx": {"reputation": -2, "pulse_count": 14, "ot_tagged": false},
  "abuseipdb": {
    "abuse_confidence_score": 87,
    "isp": "Zwiebelfreunde e.V.",
    "tor_node": true,
    "total_reports": 412
  },
  "deepseek_cti": {
    "known_threat_actor": "unknown",
    "campaign_context": "Tor exit node used in opportunistic scanning campaigns",
    "confidence": "medium"
  },
  "verdict": "GENERIC_THREAT"
}
```

---

### GET /ot/advisory — CISA ICS-CERT Advisories ($0.02 USDC)

Latest CISA ICS-CERT advisories filtered by vendor or sector, pulled live from the CISA advisory RSS feed. Returns advisory IDs, CVSS scores, CVE lists, OT-adjusted severity, OT layer, sector tags, and direct triage links to /ot/cve and /ot/patch for each CVE.
**Query parameters:**

- vendor (string, optional) — siemens | schneider | rockwell | honeywell | ge | abb | emerson | yokogawa | omron | mitsubishi
- sector (string, optional) — energy | water | manufacturing | oil-and-gas | chemical | healthcare | transportation | nuclear
- limit (number, optional) — page size, default 10, max 50

**Response fields:**

- total (number) — total matching advisories
- advisories[] (array) — list of advisory objects
  - id (string) — CISA advisory ID, e.g. ICSA-23-166-01
  - title (string) — advisory title
  - published (string) — ISO 8601 publication date
  - cvss_max (number) — highest CVSS score in the advisory
  - cves[] (array) — CVE IDs covered
  - vendor (string) — affected vendor
  - ot_layer (string) — affected ICS layer
  - sectors[] (array) — affected industrial sectors
  - triage_links (object) — relative /ot/cve and /ot/patch paths keyed by CVE ID (each is a separately priced call)

**Example calls:**

```
GET https://ot-intel-api.onrender.com/ot/advisory?vendor=schneider&limit=5
GET https://ot-intel-api.onrender.com/ot/advisory?sector=water&limit=5
```

**Example response:**

```json
{
  "total": 3,
  "advisories": [
    {
      "id": "ICSA-24-012-01",
      "title": "Schneider Electric EcoStruxure Remote Code Execution",
      "published": "2024-01-12T00:00:00Z",
      "cvss_max": 9.8,
      "cves": ["CVE-2024-0001"],
      "vendor": "Schneider Electric",
      "ot_layer": "scada_server",
      "sectors": ["energy", "manufacturing"],
      "triage_links": {
        "CVE-2024-0001": {"cve": "/ot/cve?id=CVE-2024-0001", "patch": "/ot/patch?id=CVE-2024-0001"}
      }
    }
  ]
}
```

---

### GET /ot/patch — OT Patch Feasibility Assessment ($0.05 USDC)

Full patch feasibility assessment for a CVE in an OT/ICS environment. Returns patch availability, vendor advisory URL, OT-safe workarounds, patch complexity for the affected ICS layer, estimated downtime, a safe-to-patch-live flag, recommended maintenance window, deployment strategy, CISA KEV status, and a risk-vs-disruption score (1-10, with rationale).

**Query parameters:**

- id (string, required) — CVE identifier, e.g. CVE-2021-34527

**Response fields:**

- cve_id (string) — CVE identifier
- patch_available (boolean) — vendor patch exists
- vendor_advisory_url (string) — link to the vendor patch page
- kev_status (string) — in_kev | not_in_kev
- kev_due_date (string) — CISA KEV remediation deadline (only present when kev_status is in_kev)
- ot_layer (string) — affected ICS layer
- patch_complexity (string) — low | medium | high
- estimated_downtime_minutes (number) — estimated downtime to apply the patch
- safe_to_patch_live (boolean) — whether the patch can be applied without a process shutdown
- recommended_window (string) — suggested maintenance window type
- deployment_strategy (string) — phased | immediate | defer_with_controls
- ot_safe_workarounds[] (array) — mitigations that avoid downtime
- risk_vs_disruption_score (number) — 1-10 score balancing CVE risk against patching disruption (higher means patching is worth the disruption)
- score_rationale (string) — explanation of the score

**Example call:**

```
GET https://ot-intel-api.onrender.com/ot/patch?id=CVE-2021-34527
```

**Example response:**

```json
{
  "cve_id": "CVE-2021-34527",
  "patch_available": true,
  "vendor_advisory_url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
  "kev_status": "in_kev",
  "kev_due_date": "2021-07-20",
  "ot_layer": "scada_server",
  "patch_complexity": "medium",
  "estimated_downtime_minutes": 30,
  "safe_to_patch_live": false,
  "recommended_window": "planned_outage",
  "deployment_strategy": "phased",
  "ot_safe_workarounds": [
    "Disable Print Spooler service on SCADA servers",
    "Block inbound SMB at industrial DMZ firewall"
  ],
  "risk_vs_disruption_score": 9,
  "score_rationale": "PrintNightmare has confirmed exploitation in OT environments; workarounds reduce immediate risk but patch is required for NERC CIP compliance."
}
```

---

## Pricing Summary

| Endpoint          | Price  | Best for                                        |
|-------------------|--------|-------------------------------------------------|
| /ot/ioc           | $0.01  | High-volume IOC triage, SOC blocklist pipelines |
| /ot/cve           | $0.02  | CVE prioritisation, ICS-CERT workflows          |
| /ot/advisory      | $0.02  | Vendor/sector advisory monitoring               |
| /ot/actor         | $0.03  | Threat actor profiling, sector briefings        |
| /ot/actor/sector  | $0.03  | Sector-level threat landscape                   |
| /ot/patch         | $0.05  | Patch feasibility, NERC CIP compliance          |
| /ot/device        | $0.05  | Device exposure, default credential risk        |

## Payment

All endpoints return HTTP 402 if unpaid; the 402 body carries the payment requirements, and the retried request carries the signed payment in the X-PAYMENT header. Use any x402-compatible client, for example:

```sh
npx awal@latest x402 pay "https://ot-intel-api.onrender.com/ot/cve" -q '{"id": "CVE-2023-38802"}'
npx awal@latest x402 pay "https://ot-intel-api.onrender.com/ot/actor" -q '{"name": "SANDWORM"}'
npx awal@latest x402 pay "https://ot-intel-api.onrender.com/ot/ioc" -q '{"value": "185.220.101.45", "type": "ip"}'
npx awal@latest x402 pay "https://ot-intel-api.onrender.com/ot/advisory" -q '{"vendor": "siemens"}'
npx awal@latest x402 pay "https://ot-intel-api.onrender.com/ot/device" -q '{"vendor": "unitronics", "model": "vision"}'
npx awal@latest x402 pay "https://ot-intel-api.onrender.com/ot/patch" -q '{"id": "CVE-2021-34527"}'
npx awal@latest x402 pay "https://ot-intel-api.onrender.com/ot/actor/sector" -q '{"sector": "energy"}'
```

## Discovery

Listed on: https://agentic.market/services/ot-intel-api-onrender-com
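## Worked Example: x402 Request Flow

The following is an added example, not the API's or Coinbase's own client code, showing what an x402-compatible client does behind the `awal` command above: send the unpaid GET, receive the 402 challenge, select one of the quoted payment requirements, attach the signed payment as a base64 X-PAYMENT header, and retry once. The field names (`accepts`, `scheme`, `network`, `maxAmountRequired`, `payTo`, `asset`, `x402Version`, `payload`) follow the x402 v1 wire format as this editor understands it and should be checked against a real 402 body. The HTTP transport and the wallet signer are injected callables, so the block runs offline against a constructed challenge; `fake_transport`, `fake_signer`, `FAKE_CHALLENGE`, `FAKE_CVE_BODY` and the placeholder `payTo` address are all made up for the example.

```python
"""x402 request flow: unpaid GET -> 402 challenge -> paid retry (added example).

The transport and signer are injected so this runs offline; nothing here
signs a real authorization or touches a chain.
"""
import base64
import json
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

BASE_URL = "https://ot-intel-api.onrender.com"
NETWORK = "eip155:8453"                                    # Base mainnet (CAIP-2 id from the docs)
USDC_BASE = "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913"   # USDC contract on Base mainnet
USDC_DECIMALS = 6

# transport(url, request_headers) -> (status, response_headers, body_bytes)
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]
# signer(requirement) -> the `payload` object the facilitator verifies
# (for the "exact" scheme: an EIP-3009 authorization plus its signature)
Signer = Callable[[dict], dict]


def pick_requirement(challenge: dict, max_usdc: float = 0.10) -> dict:
    """Select the payment option we are willing to honour.

    Pinning network and asset and capping the amount are client-side controls:
    a spoofed or misconfigured 402 must not be able to redirect the payment to
    another token or chain, or quote an arbitrary price.
    """
    for req in challenge.get("accepts", []):
        if req.get("scheme") != "exact" or req.get("network") != NETWORK:
            continue
        if str(req.get("asset", "")).lower() != USDC_BASE.lower():
            raise ValueError("402 quotes an unexpected asset: %s" % req.get("asset"))
        amount = int(req["maxAmountRequired"]) / 10 ** USDC_DECIMALS
        if amount > max_usdc:
            raise ValueError("quoted %.6f USDC exceeds ceiling %.6f" % (amount, max_usdc))
        return req
    raise ValueError("no acceptable 'exact' requirement for %s in 402 challenge" % NETWORK)


def build_x_payment(req: dict, signer: Signer) -> str:
    """Wrap the signed payload in the envelope carried by the X-PAYMENT header."""
    envelope = {"x402Version": 1, "scheme": req["scheme"],
                "network": req["network"], "payload": signer(req)}
    return base64.b64encode(json.dumps(envelope).encode()).decode()


def paid_get(path: str, params: dict, transport: Transport, signer: Signer,
             max_usdc: float = 0.10) -> dict:
    """GET an endpoint, paying at most once if the first attempt returns 402."""
    url = "%s%s?%s" % (BASE_URL, path, urlencode(params))
    status, headers, body = transport(url, {})
    if status == 402:
        req = pick_requirement(json.loads(body), max_usdc=max_usdc)
        status, headers, body = transport(url, {"X-PAYMENT": build_x_payment(req, signer)})
    if status == 402:
        raise RuntimeError("payment rejected: " + json.loads(body).get("error", "unknown"))
    if status != 200:
        raise RuntimeError("HTTP %d from %s" % (status, path))
    return json.loads(body)


# ---- constructed stand-ins so the flow runs offline (not the live server) ----
FAKE_CHALLENGE = {
    "x402Version": 1,
    "error": "X-PAYMENT header is required",
    "accepts": [{
        "scheme": "exact",
        "network": NETWORK,
        "maxAmountRequired": "20000",            # $0.02 USDC in 6-decimal units
        "resource": BASE_URL + "/ot/cve",
        "payTo": "0x000000000000000000000000000000000000dEaD",  # placeholder address
        "asset": USDC_BASE,
        "maxTimeoutSeconds": 60,
    }],
}
FAKE_CVE_BODY = {"cve_id": "CVE-2023-38802", "ot_severity": "critical", "kev_status": "not_in_kev"}


def fake_transport(url: str, headers: Dict[str, str]):
    """Answers 402 until an X-PAYMENT envelope for the right network arrives."""
    if "X-PAYMENT" not in headers:
        return 402, {}, json.dumps(FAKE_CHALLENGE).encode()
    envelope = json.loads(base64.b64decode(headers["X-PAYMENT"]))
    if envelope.get("network") != NETWORK:   # a real server verifies and settles via the facilitator
        return 402, {}, json.dumps({"x402Version": 1, "error": "wrong network"}).encode()
    return 200, {"X-PAYMENT-RESPONSE": "settled"}, json.dumps(FAKE_CVE_BODY).encode()


def fake_signer(req: dict) -> dict:
    """Placeholder: a real signer returns an EIP-3009 transferWithAuthorization signature."""
    return {"signature": "0x" + "00" * 65,
            "authorization": {"to": req["payTo"], "value": req["maxAmountRequired"]}}


if __name__ == "__main__":
    print(paid_get("/ot/cve", {"id": "CVE-2023-38802"}, fake_transport, fake_signer))
```

To use it against the live service, replace `fake_transport` with a real HTTP call and `fake_signer` with a wallet that produces the EIP-3009 authorization for the quoted `payTo`, `asset` and amount. The price ceiling and the asset pin in `pick_requirement` are the parts worth keeping: an unattended SOC pipeline that pays per call should never trust the server's quote unconditionally.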
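## Worked Example: OT Patch Queue

The following is an added example, not part of the OT Intel API, showing how a vulnerability management pipeline can combine the documented `/ot/cve` and `/ot/patch` response fields into a ranked work queue. The scoring weights, the rule that a safety system is never patched live, and the action wording are this editor's assumptions for a first-pass queue, not the API's `recommended_action` logic. The inputs are constructed in the documented shapes: the `/ot/cve` body for CVE-2023-38802 and the `/ot/patch` body for CVE-2021-34527 follow the page's examples, while their counterparts (`PATCH_38802`, `CVE_34527`) are made up to complete the pairs.

```python
"""Rank OT patch work from /ot/cve and /ot/patch responses (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed weights: OT severity and cyber-physical impact drive the base score,
# KEV membership and a missed CISA deadline push an item up the queue.
OT_SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
IMPACT_WEIGHT = {"safety_system_bypass": 4, "physical_damage": 3, "process_disruption": 2, "none": 0}


@dataclass
class TriageItem:
    cve_id: str
    score: int                  # higher = handle first
    action: str
    deadline: Optional[date]    # CISA KEV due date, if any
    controls: List[str]         # compensating controls to apply before any patch


def kev_deadline(cve: Dict) -> Optional[date]:
    """KEV due date from an /ot/cve body, or None when the CVE is not in KEV."""
    if cve.get("kev_status") == "in_kev" and cve.get("kev_due_date"):
        return date.fromisoformat(cve["kev_due_date"])
    return None


def triage(cve: Dict, patch: Dict, today: Optional[date] = None) -> TriageItem:
    """Score one CVE and decide what an OT operator should do now."""
    today = today or date.today()
    score = OT_SEVERITY_WEIGHT[cve["ot_severity"]] + IMPACT_WEIGHT[cve["cyber_physical_impact"]]
    deadline = kev_deadline(cve)
    if deadline:
        score += 3                          # KEV: confirmed exploitation in the wild
        if deadline <= today:
            score += 2                      # past the CISA remediation date
    # Controls from both endpoints, de-duplicated with order preserved.
    controls = list(dict.fromkeys(cve.get("compensating_controls", []) +
                                  patch.get("ot_safe_workarounds", [])))

    if cve["ot_layer"] == "safety_system":
        # Assumption: an SIS is never patched live whatever the flag says;
        # changes go through a planned outage with vendor sign-off.
        action = "apply controls now; patch only in a planned outage with SIS vendor sign-off"
    elif not patch.get("patch_available"):
        action = "no vendor patch; apply controls now and track the vendor advisory"
    elif patch.get("safe_to_patch_live") and (deadline or cve["ot_severity"] == "critical"):
        action = "patch now (%s rollout)" % patch.get("deployment_strategy", "phased")
    else:
        action = "apply controls now; patch in %s (est. %d min downtime)" % (
            patch.get("recommended_window", "next maintenance window"),
            patch.get("estimated_downtime_minutes", 0))
    return TriageItem(cve["cve_id"], score, action, deadline, controls)


def build_queue(pairs: List[Tuple[Dict, Dict]], today: Optional[date] = None) -> List[TriageItem]:
    """Rank (cve_response, patch_response) pairs, most urgent first."""
    return sorted((triage(c, p, today) for c, p in pairs), key=lambda t: t.score, reverse=True)


# ---- constructed inputs in the documented response shapes ----
CVE_38802 = {"cve_id": "CVE-2023-38802", "ot_severity": "critical", "ot_layer": "scada_server",
             "cyber_physical_impact": "process_disruption", "kev_status": "not_in_kev",
             "compensating_controls": ["network segmentation", "BGP route filtering"]}
PATCH_38802 = {"cve_id": "CVE-2023-38802", "patch_available": True, "safe_to_patch_live": True,
               "deployment_strategy": "phased", "ot_safe_workarounds": ["BGP route filtering"]}
CVE_34527 = {"cve_id": "CVE-2021-34527", "ot_severity": "critical", "ot_layer": "scada_server",
             "cyber_physical_impact": "process_disruption", "kev_status": "in_kev",
             "kev_due_date": "2021-07-20",
             "compensating_controls": ["Disable Print Spooler service on SCADA servers"]}
PATCH_34527 = {"cve_id": "CVE-2021-34527", "patch_available": True, "safe_to_patch_live": False,
               "recommended_window": "planned_outage", "estimated_downtime_minutes": 30,
               "ot_safe_workarounds": ["Disable Print Spooler service on SCADA servers",
                                       "Block inbound SMB at industrial DMZ firewall"]}

if __name__ == "__main__":
    for item in build_queue([(CVE_38802, PATCH_38802), (CVE_34527, PATCH_34527)]):
        print(item.score, item.cve_id, item.action, item.controls)
```

PrintNightmare lands at the top (critical, in KEV, deadline long past) but still gets "controls now, patch in the planned outage" because `safe_to_patch_live` is false; the FRR bug scores lower yet gets "patch now" because the patch can be applied live. That split between score and action is the point: in OT the urgency of a CVE and the timing of its patch are separate decisions.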