STIX TAXII: Overview

Recorded Future delivers threat intelligence via two TAXII services, making risk-scored indicators available in STIX format for automated consumption by SIEMs, TIPs, and SOAR platforms.

TAXII 1.x

  • Endpoint: https://api.recordedfuture.com/taxii
  • Data format: STIX 1.1.1 (XML)
  • Auth: Basic Auth or X-RFToken header
  • Collections: 280 granular collections — one per risk rule, per IOC type
  • Write support: No (read-only)

TAXII 2.1

  • Endpoint: https://api.recordedfuture.com/taxii2
  • Data format: STIX 2.1 (JSON)
  • Auth: HTTP Basic (empty username, API token as password)
  • Collections: 5 per API root — one per IOC type (IP, domain, URL, hash, vulnerability)
  • Write support: No (read-only)
  • Interactive docs: api.recordedfuture.com/taxii2/docs

Which version should I use?

Use TAXII 2.1 if your platform supports it. It returns structured JSON, supports pagination, and offers purpose-built API roots for different use cases (default, large, OpenCTI, test).

Use TAXII 1.x if your integration requires STIX 1.1.1 XML, or if you need per-risk-rule collections (e.g., pulling only IPs matching a single risk rule like "Actively Communicating Validated C&C Server" rather than the full aggregated risk list).

Authentication

Both services require a valid Recorded Future API token. Access is limited to clients with an Integration subscription.

TAXII 1.x accepts either:

  • HTTP Basic Auth with any username and your API token as the password
  • Your API token in the X-RFToken request header

TAXII 2.1 uses HTTP Basic Auth as defined by the TAXII 2.1 standard:

  • Username: empty string
  • Password: your API token

IOC types available

Both services provide risk-scored indicators for:

IOC TypeDescription
IP addressesIPv4 addresses with risk scores and triggered risk rules
DomainsInternet domain names flagged by Recorded Future risk rules
URLsSpecific URLs associated with malicious activity
HashesFile hashes (MD5, SHA-1, SHA-256) linked to malware or exploits
VulnerabilitiesCVEs with risk scores based on exploitation activity and threat intelligence

Note: The indicator sets returned by TAXII may not be identical to risk lists downloaded from Fusion or the Connect API. The TAXII 2.1 server performs a live search upon each request, while downloadable risk list files are periodically updated snapshots.