Recorded Future delivers threat intelligence via two TAXII services, making risk-scored indicators available in STIX format for automated consumption by SIEMs, TIPs, and SOAR platforms.
TAXII 1.x
- Endpoint:
https://api.recordedfuture.com/taxii - Data format: STIX 1.1.1 (XML)
- Auth: Basic Auth or
X-RFTokenheader - Collections: 280 granular collections — one per risk rule, per IOC type
- Write support: No (read-only)
TAXII 2.1
- Endpoint:
https://api.recordedfuture.com/taxii2 - Data format: STIX 2.1 (JSON)
- Auth: HTTP Basic (empty username, API token as password)
- Collections: 5 per API root — one per IOC type (IP, domain, URL, hash, vulnerability)
- Write support: No (read-only)
- Interactive docs: api.recordedfuture.com/taxii2/docs
Which version should I use?
Use TAXII 2.1 if your platform supports it. It returns structured JSON, supports pagination, and offers purpose-built API roots for different use cases (default, large, OpenCTI, test).
Use TAXII 1.x if your integration requires STIX 1.1.1 XML, or if you need per-risk-rule collections (e.g., pulling only IPs matching a single risk rule like "Actively Communicating Validated C&C Server" rather than the full aggregated risk list).
Authentication
Both services require a valid Recorded Future API token. Access is limited to clients with an Integration subscription.
TAXII 1.x accepts either:
- HTTP Basic Auth with any username and your API token as the password
- Your API token in the
X-RFTokenrequest header
TAXII 2.1 uses HTTP Basic Auth as defined by the TAXII 2.1 standard:
- Username: empty string
- Password: your API token
IOC types available
Both services provide risk-scored indicators for:
| IOC Type | Description |
|---|---|
| IP addresses | IPv4 addresses with risk scores and triggered risk rules |
| Domains | Internet domain names flagged by Recorded Future risk rules |
| URLs | Specific URLs associated with malicious activity |
| Hashes | File hashes (MD5, SHA-1, SHA-256) linked to malware or exploits |
| Vulnerabilities | CVEs with risk scores based on exploitation activity and threat intelligence |
Note: The indicator sets returned by TAXII may not be identical to risk lists downloaded from Fusion or the Connect API. The TAXII 2.1 server performs a live search upon each request, while downloadable risk list files are periodically updated snapshots.
