Trust Center

Indicator-of-Compromise feed

Public, machine-readable feed of indicators AEGIS surfaces from the Protection Network. Returned as a STIX 2.1 Bundle so it slots into existing threat-intel pipelines.

Endpoint
GET https://api-staging.mnemom.ai/v1/trust/iocs

No authentication required. Rate-limited at the gateway, plus a best-effort in-handler check (1 req/min/IP). To paginate, pass the previous response's next_after value as ?after=<ISO-8601 timestamp>.

Calm-at-GA contract

At GA the feed may be empty. That's the system telling the truth: when AEGIS has no closed campaigns and no live indicators, the feed surfaces an empty STIX bundle rather than theatre.

Consumption examples

curl + jq
curl -sS 'https://api-staging.mnemom.ai/v1/trust/iocs' | jq '.objects[]? | {id, type, indicator_types, pattern}'
Python (requests)
import requests

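resp = requests.get("https://api-staging.mnemom.ai/v1/trust/iocs", timeout=10)
resp.raise_for_status()  # surface HTTP errors (e.g. rate limiting) instead of parsing an error body
bundle = resp.json()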
for obj in bundle.get("objects", []):
    if obj.get("type") == "indicator":
        print(obj.get("id"), obj.get("pattern"))

# Pagination — pass next_after as ?after=
next_cursor = bundle.get("next_after")
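
A fuller consumer, as an added example that is not part of the original page or Mnemom's own code: it follows next_after across pages, paces requests to the documented 1 req/min/IP limit, and treats an empty bundle as a valid result. It uses only the standard library; the 61-second interval, the max_pages cap, and stopping when next_after is absent are assumptions.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

FEED_URL = "https://api-staging.mnemom.ai/v1/trust/iocs"
MIN_INTERVAL_S = 61  # assumption: just over the documented 1 req/min/IP limit


def fetch_page(after=None):
    """Fetch one page; `after` is the previous response's next_after value."""
    url = FEED_URL + ("?" + urlencode({"after": after}) if after else "")
    with urlopen(url, timeout=10) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)


def collect_indicators(fetch=fetch_page, sleep=time.sleep, max_pages=20):
    """Walk the feed via next_after; return indicator SDOs deduplicated by id."""
    seen, after = {}, None
    for page_no in range(max_pages):  # max_pages is an assumed safety cap
        if page_no:
            sleep(MIN_INTERVAL_S)  # pace follow-up requests
        bundle = fetch(after)
        # Fail closed on anything that is not a STIX bundle (e.g. an error body).
        if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
            raise ValueError("response is not a STIX bundle")
        # A bundle with no objects is a valid, quiet feed, not an error.
        for obj in bundle.get("objects") or []:
            if obj.get("type") == "indicator" and "id" in obj:
                seen[obj["id"]] = obj
        cursor = bundle.get("next_after")
        # Assumption: a missing or non-advancing cursor means the last page.
        if not cursor or cursor == after:
            break
        after = cursor
    return list(seen.values())


if __name__ == "__main__":
    for ind in collect_indicators():
        print(ind["id"], ind.get("pattern"))
```

The fetch and sleep parameters exist so the paging logic can be exercised offline against constructed bundles.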

Indicator extensions

Indicators with canonical STIX patterns (sha256 hashes, domains, URLs) emit those patterns directly. Mnemom-internal indicator classes (substrate fingerprints, MITRE ATT&CK technique IDs) carry the value inside a Mnemom property-extension on the STIX indicator SDO. The extension also carries the Traffic Light Protocol class, a synthetic-fixture marker, and the related advisory id when present.
