Get live ICS/OT threat indicators from Reyhford in under five minutes.
Prerequisites
- A Reyhford API key (machine/TAXII) from app.reyhford.com
curl or any TAXII 2.1 client
TAXII discovery is public. Collections and objects require a valid API key in the Authorization header.
Step 1 — Discover the server
curl -s https://api.reyhford.com/taxii2/ \
-H "Accept: application/taxii+json;version=2.1" | jq
Expected response includes title, versions (2.1), and API roots.
Step 2 — List collections
export REYHFORD_API_KEY="your-api-key"
curl -s https://api.reyhford.com/taxii2/collections/ \
-H "Authorization: Bearer $REYHFORD_API_KEY" \
-H "Accept: application/taxii+json;version=2.1" | jq
The primary collection is reyhford-global-feed.
Step 3 — Poll for STIX objects
curl -s "https://api.reyhford.com/taxii2/collections/reyhford-global-feed/objects/?limit=10" \
-H "Authorization: Bearer $REYHFORD_API_KEY" \
-H "Accept: application/taxii+json;version=2.1" | jq
Use the added_after query parameter for incremental polling:
curl -s "https://api.reyhford.com/taxii2/collections/reyhford-global-feed/objects/?added_after=2026-07-01T00:00:00Z&limit=100" \
-H "Authorization: Bearer $REYHFORD_API_KEY" \
-H "Accept: application/taxii+json;version=2.1"
Step 4 — Search via REST (optional)
For programmatic filtering, use the Indicators REST API:
curl -s -X POST https://api.reyhford.com/v1/indicators/search \
-H "Authorization: Bearer $REYHFORD_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"filter": {
"min_confidence": 70,
"protocols": ["PROTOCOL_MODBUS"]
},
"page_size": 10
}' | jq
Next steps
Authentication
API keys, WorkOS JWT, and TAXII bearer tokens.
Splunk integration
Ingest the TAXII feed into Splunk ES.