A read-only HTTP feed of the indicators extracted from cyfar.ca posts — built for plugging into a threat-hunting tool, a SIEM lookup, or a TIP. No key required; the data is already public on the IOC index.
GET https://cyfar.ca/api/iocsReturns JSON by default. Add ?format=txt for one live indicator per line. Responses are cached for 60s and allow cross-origin requests.
type — restrict to one indicator type (see the list below).q — case-insensitive substring match on the value.since / until — ISO date or datetime; filters on when an indicator was last seen. Use sincefor incremental pulls (“everything new since my last fetch”).post— a post slug; returns only that report’s indicators (this is what the per-post download buttons use).format — json (default) or txt.limit / offset — paging; limit is 1–5000 (default 1000).# every IP seen since the start of the month, one per line
curl "https://cyfar.ca/api/iocs?type=ip&since=2026-05-01&format=txt"# full JSON records (with source posts) for a single recap
curl "https://cyfar.ca/api/iocs?post=weekly-recap-2026-w21"ipdomainurlsha256sha1md5emailcvepypi_packagenpm_packageregistry_keymutexnamed_pipefilenameuser_agentyara_rulessdeeptlshssh_keyOnly indicators from published posts are served — drafts never appear. Values are leads, not verdicts: verify against the originating post before acting. The feed is rate-limited per IP; a scheduled pull won’t notice, a tight scrape loop will.