SwarmHawk API
The SwarmHawk API gives you programmatic access to 23 automated security checks plus 3,000+ active nuclei CVE templates — SSL, DNS, CVEs with active exploit confirmation, breach exposure, typosquats, AI threat analysis and more — for any domain. Use it to build security workflows, automate due diligence, or wire SwarmHawk into your AI assistant via MCP.
Content-Type: application/json.Quick Start — scan a domain in 30 seconds
# 1. Create a free API key at www.swarmhawk.com → Account → API Keys # 2. Run your first scan: curl -X POST https://swarmhawk.com/api/api/v2/scan \ -H "X-API-Key: swh_your_key_here" \ -H "Content-Type: application/json" \ -d '{"domain": "example.com"}'
import requests API_KEY = "swh_your_key_here" resp = requests.post( "https://swarmhawk.com/api/api/v2/scan", headers={"X-API-Key": API_KEY}, json={"domain": "example.com"} ) data = resp.json() print(f"Risk score: {data['risk_score']} · {data['critical']} critical findings")
const res = await fetch("https://swarmhawk.com/api/api/v2/scan", { method: "POST", headers: { "X-API-Key": "swh_your_key_here", "Content-Type": "application/json" }, body: JSON.stringify({ domain: "example.com" }) }); const data = await res.json(); console.log(`Risk: ${data.risk_score} — ${data.critical} critical`);
Authentication
SwarmHawk uses two authentication methods depending on the endpoint:
| Method | Header | Used for |
|---|---|---|
| API Key | X-API-Key: swh_… | /api/v2/* developer endpoints |
| Session Token | Authorization: Bearer <token> | User dashboard, account management |
| None | — | /public-scan, /health |
API Key format
swh_3f8a2b1c4d5e6f7a8b9c0d1e2f3a4b5c
Errors & Rate Limits
HTTP status codes
| Code | Meaning |
|---|---|
| 200 | Success |
| 400 | Bad request — check your request body |
| 401 | Missing or invalid API key / session token |
| 403 | Forbidden — feature requires a paid plan |
| 429 | Rate limit exceeded |
| 500 | Server error — retry after 30 seconds |
Error response shape
{
"detail": "Invalid API key"
}Rate limits
| Plan | Limit |
|---|---|
| Free API key | 10 calls / month |
| Professional ($49/mo, billed yearly) | Higher limits — contact us |
| /public-scan | No key required · throttled by IP |
POST /api/v2/scan
Run a full 22-check security scan on any domain. Returns a risk score, detailed findings, and (for paid users) AI threat analysis. Results are saved to your account.
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| domain | string | required | Domain to scan, e.g. "example.com" |
Response
{
"domain": "example.com",
"risk_score": 42,
"critical": 1,
"warnings": 3,
"scanned_at": "2025-03-10T09:15:00Z",
"checks": [
{
"check": "ssl",
"status": "ok",
"title": "SSL valid for 84 days",
"detail": "Certificate issued by Let's Encrypt. Expires 2025-06-02.",
"score_impact": 0
},
{
"check": "breach",
"status": "critical",
"title": "4,200 breached accounts found",
"detail": "Found in LinkedIn 2021 breach. Rotate all credentials.",
"score_impact": 25
}
]
}curl -X POST https://swarmhawk.com/api/api/v2/scan \ -H "X-API-Key: swh_your_key" \ -H "Content-Type: application/json" \ -d '{"domain":"example.com"}'
resp = requests.post(
"https://swarmhawk.com/api/api/v2/scan",
headers={"X-API-Key": API_KEY},
json={"domain": "example.com"}
)
data = resp.json()
# data["risk_score"], data["checks"]const r = await fetch("https://swarmhawk.com/api/api/v2/scan", { method:"POST", headers:{"X-API-Key":key,"Content-Type":"application/json"}, body:JSON.stringify({domain:"example.com"}) }); const d = await r.json();
POST /public-scan
Anonymous scan — no API key required. Returns a subset of checks with some results locked. Use this for demos or embeds. Results are not saved.
| Field | Type | Description |
|---|---|---|
| domain | string | Domain to scan |
{
"domain": "example.com",
"risk_score": 42,
"critical": 1,
"warnings": 3,
"locked_count": 8,
"checks": [/* 7 free checks visible, 8 locked */],
"scanned_at": "2025-03-10T09:15:00Z"
}GET /scan/passive
Fast fingerprint scan — detects software stack and checks for known CVEs without a full scan. Response in ~3 seconds. No result saved.
{
"domain": "example.com",
"software": [
{"product": "nginx", "version": "1.18.0"},
{"product": "WordPress", "version": "6.3.1"}
],
"cves": [
{"id": "CVE-2023-39320", "cvss": 9.8, "severity": "CRITICAL"}
]
}GET /api/v2/domains
List all domains in your account with their latest risk scores and checks.
{
"domains": [
{
"id": "uuid",
"domain": "example.com",
"country": "DE",
"status": "active",
"paid": true,
"risk_score": 42,
"scanned_at": "2025-03-10T09:15:00Z",
"checks": [/* latest check array */],
"scan_history": [{"date":"…","risk":42}]
}
]
}POST /api/v2/domains
Add a domain to your account and queue a background scan.
| Field | Type | Description |
|---|---|---|
| domain | string | Domain to add, e.g. "mycompany.cz" |
| country | string | ISO country code (optional — auto-detected from TLD) |
{
"id": "uuid",
"domain": "mycompany.cz",
"status": "scanning",
"message": "Domain added — scan starting now"
}GET /api/v2/domains/{domain_id}/report
Retrieve the latest full scan report for a domain. Free users see a subset; paid users see all 23 checks including nuclei active CVE validation and AI summary.
{
"domain": "example.com",
"risk_score": 42,
"scanned_at": "2025-03-10T09:15:00Z",
"paid": true,
"critical": 1,
"warnings": 3,
"informational": 2,
"locked_count": 0,
"verified_at": "2026-04-08T10:00:00Z",
"auth_scanned_at": "2026-04-08T11:00:00Z",
"auth_scan": { /* authenticated scan result object, null if not run */ },
"checks": [
{
"check": "ssrf",
"status": "info",
"confidence": "informational",
"title": "A10: 3 SSRF surface indicator(s)",
"detail": "Surface area detected (not confirmed vulnerabilities)…",
"score_impact": 0
}
]
}Each check object now includes a confidence field: "confirmed" (scored) or "informational" (zero penalty, surface indicator only). Informational findings are never counted in warnings or critical.
GET /domains/{domain_id}/verify-token
Return the domain ownership verification token for the authenticated user. Use one of the three provided methods to publish the token, then call POST /verify to confirm.
{
"domain": "example.com",
"token": "a3f7b2c1d4e5f6a7b8c9d0e1f2a3b4c5",
"verified_at": null,
"methods": {
"dns_txt": { "value": "swarmhawk-verify=a3f7b2c1…" },
"well_known":{ "url": "https://example.com/.well-known/swarmhawk-verify.txt" },
"meta_tag": { "tag": "<meta name=\"swarmhawk-verify\" content=\"a3f7b2c1…\">" }
}
}POST /domains/{domain_id}/verify
Check whether the domain ownership token is present via DNS TXT record, /.well-known/swarmhawk-verify.txt file, or HTML <meta> tag. On success, verified_at is written to the domain and returned in all subsequent report responses.
Success response:
{ "verified": true, "method": "dns_txt" }Not yet found response:
{ "verified": false, "message": "Verification token not found via DNS TXT, .well-known file, or HTML meta tag" }POST /domains/{domain_id}/scan/authenticated
Run a targeted scan using a real session cookie. Detects cookie security flag gaps (HttpOnly/Secure/SameSite), authenticated page header issues (Cache-Control, clickjacking), and IDOR surface at common API paths. Runs in the background — results are stored in scans.auth_scan and returned in the domain report's auth_scan field.
Request body:
{
"cookie": "sessionid=abc123; csrftoken=xyz456",
"user_agent": "Mozilla/5.0 …" // optional
}Immediate response:
{ "status": "scanning", "message": "Authenticated scan started for example.com" }Poll GET /domains/{id}/report after ~30s — the auth_scan field will be populated with findings.
GET /api/v2/domains/{domain_id}/history
Risk score trend over time — useful for building dashboards or alerting on score increases.
{
"domain": "example.com",
"scans": [
{"risk_score":42,"critical":1,"warnings":3,"scanned_at":"2025-03-10T09:15:00Z"},
{"risk_score":38,"critical":0,"warnings":4,"scanned_at":"2025-02-10T08:00:00Z"}
]
}GET /api/v2/domains/{domain_id}/nis2
Map scan findings to NIS2 Directive articles. Returns a compliance score and per-article status — suitable as audit evidence for regulators.
{
"domain": "example.com",
"risk_score": 42,
"nis2_score": 71,
"articles": [
{
"article": "Art.21(2)(i)",
"requirement": "Secure communications",
"status": "met"
},
{
"article": "Art.21(2)(h)",
"requirement": "Supply chain security",
"status": "warning"
}
]
}POST /intel
Generate an AI-powered threat briefing for your domain portfolio using Claude. Returns a structured briefing with executive summary, critical findings, and remediation priorities.
| Field | Type | Description |
|---|---|---|
| domains | string | Comma-separated: "example.com (risk:42), other.cz (risk:18)" |
| date | string | Today's date, e.g. "10 March 2025" |
{
"text": "## Executive Summary\n\nYour domain portfolio shows...",
"briefing": "…"
}POST /api/v2/keys
Create a new API key for your account. Returns all keys including the new one.
{
"keys": [
{
"key": "swh_3f8a2b1c4d5e6f7a8b9c0d1e2f3a4b5c",
"calls_this_month": 0,
"limit_per_month": 10,
"active": true,
"created_at": "2025-03-10T09:00:00Z"
}
]
}GET /api/v2/keys
List all API keys and their usage for the current month.
curl https://swarmhawk.com/api/api/v2/keys \
-H "Authorization: Bearer YOUR_SESSION_TOKEN"DELETE /api/v2/keys/{key}
Revoke an API key immediately. All future requests with this key will be rejected.
{ "revoked": "swh_3f8a2b1c…" }MCP Server
SwarmHawk exposes a Model Context Protocol server, letting any MCP-compatible AI assistant (Claude, Cursor, Windsurf) call SwarmHawk tools directly from conversation.
Claude Desktop config
{
"mcpServers": {
"swarmhawk": {
"url": "https://swarmhawk.com/api/mcp",
"headers": { "X-API-Key": "swh_your_key" }
}
}
}Cursor / Windsurf config
{
"mcpServers": {
"swarmhawk": {
"url": "https://swarmhawk.com/api/mcp",
"headers": { "X-API-Key": "swh_your_key" }
}
}
}MCP Tools
| Tool | Description | ~Time |
|---|---|---|
| scan_domain(domain) | Full 22-check scan with risk score and all findings | ~30s |
| quick_risk_score(domain) | Fast risk score without full scan detail | ~3s |
| check_typosquats(domain) | Find registered lookalike/typosquat domains | ~5s |
| check_breach_exposure(domain) | Check HaveIBeenPwned (12B+ accounts) | ~3s |
| check_reputation(domain) | VirusTotal + Spamhaus + Google Safe Browsing | ~8s |
| batch_risk_scores(domains[]) | Score multiple domains in one call | ~10s |
| get_quota() | Check remaining API calls for this month | instant |
Python SDK
The SwarmHawk Python SDK gives security platforms a clean programmatic interface to pull findings, configure push integrations, and consume STIX 2.1 bundles — no raw HTTP required.
SDK Methods
| Method | Description | Returns |
|---|---|---|
domains(min_risk, country, limit, offset) | Paginated scan results | list[dict] |
domain(name) | Single domain full detail | dict |
alerts(min_risk, since, limit) | High-risk findings, optional since datetime | list[dict] |
iter_alerts(min_risk, page_size) | Generator — auto-paginates through all results | Iterator[dict] |
stix_bundle(min_risk, limit) | STIX 2.1 bundle from /taxii endpoint | dict |
integrations() | List configured push integrations | list[dict] |
configure_integration(service, config) | Save integration credentials | dict |
test_integration(service, config) | Test connectivity without saving | {ok, message} |
Integration API
Configure push integrations so SwarmHawk automatically sends critical findings to your security platforms the moment they're detected (risk ≥ 70).
GET /integrations
List all configured integrations for the authenticated user. Secrets are masked.
POST /integrations/{service}
Save or update integration config. service is one of: splunk · sentinel · crowdstrike · gravityzone · cortex · jira · servicenow · webhook · stix
POST /integrations/{service}/test
Test connectivity without saving. Returns {"ok": true, "message": "..."}
DEL /integrations/{service}
Remove an integration config.
Supported services
| Service | Auth method | Trigger | Payload type |
|---|---|---|---|
| splunk | HEC token | risk ≥ 70 | CIM-aligned JSON event |
| sentinel | Workspace SharedKey HMAC | risk ≥ 70 | Flat KQL-ready fields (_s/_d/_b) |
| crowdstrike | OAuth2 client credentials | risk ≥ 70 | IOC (type=domain, action=detect/prevent) |
| gravityzone | Bearer access key | risk ≥ 70 | JSON-RPC createCustomRule |
| cortex | SHA-256 HMAC (api_key_id/nonce/ts) | risk ≥ 70 | External alert with MITRE tags |
| jira | Basic (email:api_token) | risk ≥ 70 AND cvss ≥ 7 | ADF-formatted issue with CVE/software tables |
| servicenow | Basic (user:password) | risk ≥ 70 | Incident with urgency/impact/SLA mapping |
| webhook | Optional HMAC-SHA256 signature | risk ≥ 70 | Enriched JSON payload |
| stix | Bearer (read via /taxii) | Pull-based | STIX 2.1 DomainName + Vulnerability objects |
STIX / TAXII 2.1
SwarmHawk exposes a TAXII 2.1-compliant endpoint. Connect any threat intelligence platform (OpenCTI, MISP, ThreatConnect, Anomali) to pull SwarmHawk findings as STIX 2.1 objects.
GET /taxii/collections/
TAXII discovery endpoint — returns collection metadata.
GET /taxii/collections/swarmhawk/objects/
Returns a STIX 2.1 bundle of your high-risk domains as domain-name, vulnerability, and relationship objects.
| Param | Default | Description |
|---|---|---|
| min_risk | 70 | Minimum risk score (0–100) |
| limit | 100 | Max objects (1–500) |
STIX object types returned
| Type | Content |
|---|---|
| domain-name | Domain value, risk score, priority, country |
| vulnerability | CVE ID, CVSS score, description |
| relationship | domain-name → related-to → vulnerability |
All object IDs are deterministic (UUID5) — the same domain always produces the same STIX ID across bundle generations, enabling proper deduplication in downstream TIPs.
Real-Time Alerts — SSE
Subscribe to a live stream of new high-risk findings as they're detected. Uses standard Server-Sent Events (no WebSocket library needed).
GET /stream/alerts
| Field | Type | Description |
|---|---|---|
| type | string | alert | heartbeat | connected |
| domain | string | Newly detected high-risk domain |
| risk_score | integer | 0–100 |
| priority | string | CRITICAL / HIGH / MEDIUM |
| max_cvss | float | Highest CVSS among detected CVEs |
| kev_cves | array | CVEs in CISA KEV (actively exploited) |
| epss_max | float | Highest exploit probability (0–1) |
| timestamp | ISO 8601 | Detection timestamp |
Adapter Scripts
Standalone Python scripts for platforms where you prefer a scheduled pull (cron / Lambda / Azure Function) over the always-on push connector. Each script fetches SwarmHawk alerts and pushes them into the target platform in one run.
pip install httpx and accept both CLI flags and environment variables.| Platform | Script | Min risk default | Download |
|---|---|---|---|
| Splunk SIEM | splunk_ta.py |
70 | ↓ splunk_ta.py |
| Microsoft Sentinel | sentinel_connector.py |
70 | ↓ sentinel_connector.py |
| CrowdStrike Falcon | crowdstrike_adapter.py |
80 | ↓ crowdstrike_adapter.py |
| Bitdefender GravityZone | gravityzone_adapter.py |
80 | ↓ gravityzone_adapter.py |
| Palo Alto Cortex XDR | cortex_adapter.py |
75 | ↓ cortex_adapter.py |
| Jira | jira_adapter.py |
70 + cvss ≥ 7 | ↓ jira_adapter.py |
| ServiceNow | servicenow_adapter.py |
70 | ↓ servicenow_adapter.py |
sdk/adapters/.Splunk TA Adapter
| Flag | Env var | Description |
|---|---|---|
| --api-key | SWARMHAWK_API_KEY | SwarmHawk API key |
| --min-risk | SWARMHAWK_MIN_RISK | Minimum risk score (default: 70) |
| --base-url | SWARMHAWK_BASE_URL | API base URL |
| --index | SWARMHAWK_SPLUNK_INDEX | Splunk index name (default: main) |
Emits sourcetype=swarmhawk:scan events with CIM-aligned fields: dest, vendor_product, category, severity.
Microsoft Sentinel Adapter
| Flag | Env var | Description |
|---|---|---|
| --workspace-id | AZURE_WORKSPACE_ID | Log Analytics workspace ID |
| --shared-key | AZURE_SHARED_KEY | Primary or secondary shared key |
| --log-type | AZURE_LOG_TYPE | Custom table name (default: SwarmHawk) |
| --min-risk | SWARMHAWK_MIN_RISK | Minimum risk score (default: 70) |
Data lands in SwarmHawk_CL custom table. KQL example: SwarmHawk_CL | where RiskScore_d >= 80 | sort by TimeGenerated desc
CrowdStrike Falcon Adapter
| Flag | Env var | Description |
|---|---|---|
| --cs-client-id | CS_CLIENT_ID | Falcon API client ID |
| --cs-client-secret | CS_CLIENT_SECRET | Falcon API client secret |
| --cs-base-url | CS_BASE_URL | Falcon base URL (default: api.crowdstrike.com) |
| --min-risk | SWARMHAWK_MIN_RISK | Minimum risk score (default: 80) |
Pushes domains as IOCs (type=domain) in batches of 200. Action is prevent for confirmed malware/phishing, detect for CVE exposure.
Bitdefender GravityZone Adapter
| Flag | Env var | Description |
|---|---|---|
| --gz-api-url | GZ_API_URL | GravityZone JSON-RPC endpoint |
| --gz-access-key | GZ_ACCESS_KEY | GravityZone API access key |
| --gz-company-id | GZ_COMPANY_ID | Company/tenant ID |
| --min-risk | SWARMHAWK_MIN_RISK | Minimum risk score (default: 80) |
Creates custom network rules via createCustomRule. Action is block for malware/phishing, report for CVE exposure.
Palo Alto Cortex XDR Adapter
| Flag | Env var | Description |
|---|---|---|
| --xdr-api-key | XDR_API_KEY | Cortex XDR API key |
| --xdr-api-key-id | XDR_API_KEY_ID | API key numeric ID |
| --xdr-fqdn | XDR_FQDN | Your tenant FQDN (without https://api-) |
| --min-risk | SWARMHAWK_MIN_RISK | Minimum risk score (default: 75) |
Sends external alerts with MITRE ATT&CK technique tags (T1566, T1190, T1046, T1557…). Batches of 100 per API call.
Jira Adapter
| Flag | Env var | Description |
|---|---|---|
| --jira-base-url | JIRA_BASE_URL | Atlassian Cloud URL |
| --jira-email | JIRA_EMAIL | Atlassian account email |
| --jira-token | JIRA_TOKEN | Atlassian API token (id.atlassian.com → Security) |
| --jira-project | JIRA_PROJECT | Project key (default: SEC) |
| --jira-issue-type | JIRA_ISSUE_TYPE | Issue type (default: Bug) |
| --min-cvss | SWARMHAWK_MIN_CVSS | Minimum CVSS to create ticket (default: 7.0) |
Creates structured ADF issues with risk summary table, CVE findings, software stack, failed checks, remediation bullets, and NIS2 label. Only fires when risk ≥ 70 AND cvss ≥ min_cvss to avoid ticket spam.
ServiceNow Adapter
| Flag | Env var | Description |
|---|---|---|
| --snow-instance | SNOW_INSTANCE | ServiceNow instance subdomain (no .service-now.com) |
| --snow-user | SNOW_USER | ServiceNow username |
| --snow-password | SNOW_PASSWORD | ServiceNow password |
| --snow-table | SNOW_TABLE | Target table (default: incident) |
| --min-risk | SWARMHAWK_MIN_RISK | Minimum risk score (default: 70) |
| Priority | Urgency | Impact | SLA target |
|---|---|---|---|
| CRITICAL | 1 | 1 | 4 hours |
| HIGH | 1 | 2 | 24 hours |
| MEDIUM | 2 | 2 | 7 days |
| LOW / INFO | 3 | 3 | 30 days |
Response Objects
Check object
| Field | Type | Description |
|---|---|---|
| check | string | Check identifier (see Check Names below) |
| status | string | ok · warning · critical · locked |
| title | string | One-line human-readable finding |
| detail | string | Full explanation with evidence |
| score_impact | number | Points added to risk score (0–40) |
Risk score interpretation
| Score | Level | Meaning |
|---|---|---|
| 0 – 29 | LOW RISK | Good security posture, minor issues |
| 30 – 59 | MEDIUM RISK | Notable issues requiring attention |
| 60 – 100 | HIGH RISK | Critical findings, immediate action needed |
Check Names
| check | Description |
|---|---|
| ssl | SSL/TLS validity, expiry, certificate chain |
| dns | DNS configuration — SPF, DMARC, DKIM, MX |
| headers | HTTP security headers (CSP, HSTS, X-Frame-Options…) |
| breach | HaveIBeenPwned breach exposure |
| virustotal | VirusTotal (94 AV engines) |
| safebrowsing | Google Safe Browsing |
| spamhaus | Spamhaus Domain Block List |
| urlhaus | URLhaus malicious URL database |
| shodan | Shodan — open ports and exposed services |
| whois | WHOIS / RDAP — domain age and registrant |
| cve | CVE lookup via NVD for detected software |
| nuclei | Active CVE validation via 3,000+ nuclei templates — confirmed exploit-path probing, not version inference. Returns nuclei_findings[] with matched URLs and CVSS scores. |
| typosquats | Registered lookalike domain detection |
| sast | Static analysis exposure indicators |
| sca | Software composition analysis |
| dast | Dynamic application security testing probes |
| iac | Infrastructure-as-code security check |
| email_security | Email authentication and relay configuration |
| dnssec | DNSSEC validation |
| subdomain_takeover | Dangling subdomain / takeover risk |
| open_ports | Unexpected open port exposure |
| mx | Mail exchange record analysis |
| ai_summary | AI-generated threat analysis (paid only) |
Get your free API key at www.swarmhawk.com → Sign In → Account → API Keys
Get Free API Key →Try It Live
Full interactive API explorer — execute real requests against the SwarmHawk API directly from your browser. Paste your API key into the Authorize button to unlock authenticated endpoints.