Skip to main content
Get live ICS/OT threat indicators from Reyhford in under five minutes.

Prerequisites

  • A Reyhford API key (machine/TAXII) from app.reyhford.com
  • curl or any TAXII 2.1 client
TAXII discovery is public. Collections and objects require a valid API key in the Authorization header.

Step 1 — Discover the server

curl -s https://api.reyhford.com/taxii2/ \
  -H "Accept: application/taxii+json;version=2.1" | jq
Expected response includes title, versions (2.1), and API roots.

Step 2 — List collections

export REYHFORD_API_KEY="your-api-key"

curl -s https://api.reyhford.com/taxii2/collections/ \
  -H "Authorization: Bearer $REYHFORD_API_KEY" \
  -H "Accept: application/taxii+json;version=2.1" | jq
The primary collection is reyhford-global-feed.

Step 3 — Poll for STIX objects

curl -s "https://api.reyhford.com/taxii2/collections/reyhford-global-feed/objects/?limit=10" \
  -H "Authorization: Bearer $REYHFORD_API_KEY" \
  -H "Accept: application/taxii+json;version=2.1" | jq
Use the added_after query parameter for incremental polling:
curl -s "https://api.reyhford.com/taxii2/collections/reyhford-global-feed/objects/?added_after=2026-07-01T00:00:00Z&limit=100" \
  -H "Authorization: Bearer $REYHFORD_API_KEY" \
  -H "Accept: application/taxii+json;version=2.1"

Step 4 — Search via REST (optional)

For programmatic filtering, use the Indicators REST API:
curl -s -X POST https://api.reyhford.com/v1/indicators/search \
  -H "Authorization: Bearer $REYHFORD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "filter": {
      "min_confidence": 70,
      "protocols": ["PROTOCOL_MODBUS"]
    },
    "page_size": 10
  }' | jq

Next steps

Authentication

API keys, WorkOS JWT, and TAXII bearer tokens.

Splunk integration

Ingest the TAXII feed into Splunk ES.