Investigations API

Empowering Analysts with Darknet Intelligence

💡LOOKING FOR API REFERENCE?

For more information about the Investigations API, see the API reference.


🧨 The Problem

Analysts and investigators increasingly recognize how OSINT and breached data can strengthen threat investigations. Underground forums and malware logs often contain data about the attackers themselves — allowing analysts to de-anonymize those responsible for breaches, fraud, and identity abuse.

SpyCloud collects and operationalizes data from:

  • Breaches
  • Malware logs
  • Criminal communities and forums

This enables organizations to protect users, unmask adversaries, and accelerate critical discovery workflows.


🚀 Product Overview

SpyCloud Investigations API helps investigators piece together digital breadcrumbs to reveal adversary identities, understand behavior, and prevent future abuse.

It accelerates investigations into commercial compromise, online fraud, malware infections, and insider threats.


⚡ Benefits at a Glance

  • Gain Speed & Efficiency
    Return deep results from limited selectors (email, IP, password, domain, etc.)

  • Correlate Multiple Data Sources
    Enrich with internal tools or third-party OSINT (VirusTotal, Whois, Passive DNS)

  • Discover the Undiscoverable
    Unmask alternate personas, malware infrastructure, and unknown relationships


🎯 Use Cases

Threat Actor Attribution

Uncover hidden identities and links between cybercriminal personas.

Insider Risk Analysis

Investigate employee or contractor exposure using selector correlation.

Third-Party Exposure

Assess breach impact on vendors and partners through domain lookups.

Financial Crimes Research

Track fraud networks using leaked account data and behavioral metadata.


🛠️ How It Works

SpyCloud’s REST-based API integrates seamlessly into link analysis tools like:

  • Maltego
  • Jupyter Notebooks
  • Splunk
  • Vertex
  • Synapse

Analysts can pivot on any selector — username, password, email, IP — and reveal extensive linked data for graph rendering and deep enrichment.


Investigative Capabilities

📈 High-Volume Data Analysis

Run large queries on domains, plaintext passwords, or infection records and return extensive result sets.

🔗 Associating Results

Perform pivots and link related entities to identify patterns, clusters, and anomalies.

🔁 Loop & Batch Queries

Support for iterative searches with looped/batched selectors for automation and refinement.
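The looped, batched selector pivot described above, as an added example that is not SpyCloud's code: it runs against a constructed in-memory record set, and `lookup_batch` is a hypothetical stand-in for one batched REST call. The breadth-first pivot, result de-duplication, visited-selector set and hop limit are the wrapper a practitioner would put around the real endpoint; the `pivot_fields` parameter shows why that wrapper should let the analyst drop noisy fields, since a shared common password links accounts that have nothing else in common.

```python
"""Selector pivoting over a constructed set of exposure records.

Added example, not SpyCloud's code. RECORDS is a constructed stand-in for
API results and lookup_batch is a hypothetical stand-in for a batched query.
"""
from typing import Dict, List, Set, Tuple

Selector = Tuple[str, str]   # (field, value), e.g. ("email", "alice@example.com")
Record = Dict[str, str]

# Constructed sample data: each dict is what one breach / malware-log hit
# might look like. Every value here is fictional.
RECORDS: List[Record] = [
    {"email": "alice@example.com", "ip": "198.51.100.7", "password": "hunter2", "source": "breach-A"},
    {"email": "alice@example.com", "ip": "203.0.113.9", "password": "hunter2", "source": "malware-log-1"},
    {"email": "persona42@example.net", "ip": "203.0.113.9", "password": "winter2021", "source": "forum-dump"},
    {"email": "bob@example.org", "ip": "192.0.2.55", "password": "hunter2", "source": "breach-B"},
    {"email": "carol@example.org", "ip": "192.0.2.200", "password": "qwerty", "source": "breach-C"},
]

PIVOT_FIELDS: Tuple[str, ...] = ("email", "ip", "password")


def lookup_batch(selectors: List[Selector]) -> List[Record]:
    """Hypothetical stand-in for one batched query (assumption: a real client
    would issue a REST call here). Returns every record matching at least one
    (field, value) selector in the batch."""
    wanted = set(selectors)
    return [r for r in RECORDS if any((f, r[f]) in wanted for f in PIVOT_FIELDS)]


def pivot(seed: Selector, max_depth: int = 2, batch_size: int = 10,
          pivot_fields: Tuple[str, ...] = PIVOT_FIELDS):
    """Breadth-first pivot from one seed selector.

    Hop 0 queries the seed; each later hop queries the new selectors pulled
    out of the previous hop's records, in batches of batch_size. A visited
    set stops re-querying and keeps mutually linked records from looping.
    Returns (records, edges): de-duplicated records and a sorted list of
    (from_selector, to_selector) links for graph rendering."""
    visited: Set[Selector] = {seed}
    level: List[Selector] = [seed]
    records: List[Record] = []
    seen_records: Set[tuple] = set()
    edges: Set[Tuple[Selector, Selector]] = set()

    for _hop in range(max_depth + 1):
        next_level: List[Selector] = []
        for i in range(0, len(level), batch_size):
            batch = level[i:i + batch_size]
            for rec in lookup_batch(batch):
                key = tuple(sorted(rec.items()))
                if key not in seen_records:          # de-duplicate results
                    seen_records.add(key)
                    records.append(rec)
                # Which selectors in this batch actually hit this record?
                matched = [s for s in batch if rec[s[0]] == s[1]]
                for field in pivot_fields:
                    new_sel = (field, rec[field])
                    for s in matched:
                        if new_sel != s:
                            edges.add((s, new_sel))
                    if new_sel not in visited:
                        visited.add(new_sel)
                        next_level.append(new_sel)
        level = next_level
        if not level:
            break
    return records, sorted(edges)


def linked_emails(records: List[Record]) -> List[str]:
    """Distinct email identities reached by the pivot, sorted for stable output."""
    return sorted({r["email"] for r in records})


if __name__ == "__main__":
    seed = ("email", "alice@example.com")
    recs, edges = pivot(seed, max_depth=2)
    print(f"{len(recs)} linked records from {len({r['source'] for r in recs})} sources")
    for src, dst in edges:
        print(f"  {src[0]}={src[1]} -> {dst[0]}={dst[1]}")
    # Dropping the password field removes the false link created by a
    # common password shared with an unrelated account.
    recs2, _ = pivot(seed, max_depth=2, pivot_fields=("email", "ip"))
    print("identities without password pivots:", linked_emails(recs2))
```

In the constructed data, pivoting on all three fields reaches `bob@example.org` only because both accounts use the password `hunter2`, while `persona42@example.net` is reached through a shared infection IP, which is a far stronger link. Whatever the real data source, the loop should expose the hop limit, the batch size and the pivot fields as parameters so an analyst can tighten them when a selector turns out to be common.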


Key Capabilities

🕵️ Attribute Cybercrime

Reveal true identities of adversaries and alternate personas using selector correlation.

📊 Evaluate Threat Actors

Profile accounts, logins, and services tied to malicious actors.

🚨 Assess Risk

Understand internal and external exposure across users, employees, and third parties.

🧬 Understand Attacks

Trace credential stuffing and botnet activity back to source breaches and malware logs.

📡 Investigate Campaigns

Map criminal infrastructure, shared malware, and coordinated attack behaviors.


🔌 Integrations

Maltego

80+ transforms for visual link analysis.

Jupyter

Notebook workflows for enrichment and visualization.

Splunk

Query enrichment and event correlation in log data.

Vertex / Synapse

Storm commands and flexible enrichment in intelligence fusion platforms.