security.ioc-reputation
Threat-intelligence reputation for an indicator of compromise (IOC) — pass ioc as an IP, domain, URL, or file hash (md5/sha1/sha256) and the type is auto-detected. Returns a malicious boolean plus a per-source breakdown: abuse.ch ThreatFox (IOC→malware/threat mapping), URLhaus (malicious URLs on a host/URL), MalwareBazaar (known malware samples by hash), Feodo Tracker (active botnet C2 IPs), Tor exit-node membership, and Spamhaus DROP (hijacked/criminal netblocks). Each source reports listed + a detail. Sourced from live, hourly-rotating threat feeds an LLM cannot know — a ground-truth liveness check for SOC alert triage, log enrichment, and blocklist decisions. Absence of a match is not proof of safety.
price
$0.0022 USDC per call
method
GET
/api/security/ioc-reputationpayment
x402 v2 · USDC on Base (EIP-3009) or Solana (SPL transfer)
auth
None. Sign the payment, retry with
PAYMENT-SIGNATURE.tier
Tier 0 — no paid upstream
Parameters
| Name | Type | Description |
|---|---|---|
iocrequired | string | min 3 chars · max 2048 chars |
Code samples
cURLbash
# 1. Probe with no auth → 402 envelope with PaymentRequirements curl -sS 'https://2s.io/api/security/ioc-reputation?ioc=xxx' # 2. Sign + retry with PAYMENT-SIGNATURE: curl -sS 'https://2s.io/api/security/ioc-reputation?ioc=xxx' \ -H 'PAYMENT-SIGNATURE: <base64-json-payload>' # Or use the canonical runner (handles probe → sign → retry): # EVM_PRIVATE_KEY=0x... node --env-file=.env.local \ # --experimental-strip-types scripts/x402-pay.ts \ # 'https://2s.io/api/security/ioc-reputation?ioc=xxx'
TypeScript / Node — @2sio/sdktypescript
import { TwoS } from '@2sio/sdk'
const client = new TwoS({
privateKey: process.env.EVM_PRIVATE_KEY as `0x${string}`,
})
const result = await client.security.iocReputation({
"ioc": "xxx"
})
console.log('endpoint:', result.endpoint)
console.log('cost:', result.costUsd, 'USDC')
console.log('tx:', result.settlement?.txHash)
console.log('data:', result.data)Python — 2siopython
import os
from twosio import TwoS
client = TwoS(private_key=os.environ["EVM_PRIVATE_KEY"])
result = client.security.ioc_reputation(ioc="xxx")
print("endpoint:", result.endpoint)
print("cost:", result.cost_usd, "USDC")
print("tx:", (result.settlement or {}).get("tx_hash"))
print("data:", result.data)MCP — Claude Desktop / AgentKit / any MCP hostjson
// 1. Add @2sio/mcp to your MCP host config (Claude Desktop example below).
// EVM_PRIVATE_KEY funds x402 payments per call.
// claude_desktop_config.json
{
"mcpServers": {
"2sio": {
"command": "npx",
"args": ["-y", "@2sio/mcp"],
"env": { "EVM_PRIVATE_KEY": "0x..." }
}
}
}
// 2. Once the server is running, agents call this tool via standard MCP:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "security.ioc-reputation",
"arguments": {
"ioc": "xxx"
}
}
}Response
| Field | Type | Description |
|---|---|---|
ok | boolean | one of: true |
items | array | |
total | integer | Total matching rows upstream; null when unknown. |
source | object |
Example response datajson
{
"ok": true,
"items": [
{
"ioc": "example",
"type": "example",
"malicious": false,
"sourcesChecked": 1,
"hits": 1,
"results": [
{
"source": "example",
"listed": false,
"detail": "example"
}
],
"note": "example"
}
],
"total": 1,
"source": {
"provider": "example",
"url": "example",
"license": "example"
}
}Discovery
- /api/directory — full catalog of every endpoint
- /openapi.json — OpenAPI 3.1 spec (per-op x-payment-info, x402Payment security)
- /.well-known/x402 — machine-readable service descriptor for x402-aware crawlers
- /.well-known/mcp/server-card.json — MCP SEP-1649 server card
- /llms.txt — plain-text manifest for LLM ingestion
2s.io is x402-native. Every call is paid per-request from a USDC-funded EVM wallet on Base — no signup, no API keys, no monthly fees. Source code: github.com/2s-io/sdk.