Feed endpoints provide threat intelligence in formats optimized for consumption by firewalls, DNS resolvers, and Panguard agents. Blocklist feeds return plain text; structured feeds return JSON.
GET /api/feeds/ip-blocklist
Returns a plain-text list of malicious IP addresses, one per line. Designed for direct ingestion by firewalls (iptables, pf, Windows Firewall) and network appliances.
Maximum reputation score to include (0 = most malicious). Lower values produce a more conservative list.
Filter by threat category: malware, botnet, bruteforce, scanner, c2.
curl -X GET "https://tc.panguard.ai/api/feeds/ip-blocklist?minReputation=20" \
-H "Authorization: Bearer YOUR_API_KEY"
Response
# Panguard AI IP Blocklist
# Generated: 2026-03-07T12:00:00Z
# Total: 1423 IPs
198.51.100.42
198.51.100.78
203.0.113.15
203.0.113.99
192.0.2.50
...
The response content type is text/plain. Lines starting with # are comments containing metadata. The list is sorted by reputation score (most malicious first).
GET /api/feeds/domain-blocklist
Returns a plain-text list of malicious domains, one per line. Suitable for DNS sinkhole configurations (Pi-hole, dnsmasq, Unbound).
Maximum reputation score to include.
Filter by threat category: malware, phishing, c2, exploit.
curl -X GET "https://tc.panguard.ai/api/feeds/domain-blocklist" \
-H "Authorization: Bearer YOUR_API_KEY"
Response
# Panguard AI Domain Blocklist
# Generated: 2026-03-07T12:00:00Z
# Total: 892 domains
malware-c2.example.net
phishing-bank.example.org
dropper.example.com
evil-redirect.example.io
...
GET /api/feeds/iocs
Returns the full IoC feed in structured JSON format with metadata, suitable for SIEM integrations and automated processing.
ISO 8601 timestamp. Returns only IoCs updated after this time (for incremental sync).
Filter by IoC type: ip, domain, hash, url.
Maximum number of IoCs to return (max 5000).
curl -X GET "https://tc.panguard.ai/api/feeds/iocs?since=2026-03-06T00:00:00Z&type=ip" \
-H "Authorization: Bearer YOUR_API_KEY"
{
"ok": true,
"data": {
"generatedAt": "2026-03-07T12:00:00.000Z",
"count": 156,
"iocs": [
{
"value": "198.51.100.42",
"type": "ip",
"reputation": 12,
"category": "bruteforce",
"sightings": 47,
"firstSeen": "2026-02-15T10:00:00.000Z",
"lastSeen": "2026-03-07T08:15:00.000Z",
"metadata": {
"asn": "AS64496",
"country": "CN",
"mitreIds": ["T1110"]
}
}
]
}
}
GET /api/feeds/agent-update
Returns a bundled update package for Panguard Guard agents containing the latest detection rules and IoC data. This endpoint is called automatically by agents during their update cycle.
The agent’s current rule version. Only returns changes since this version.
The requesting agent’s ID for access control.
curl -X GET "https://tc.panguard.ai/api/feeds/agent-update?currentVersion=v20260306" \
-H "Authorization: Bearer YOUR_API_KEY"
{
"ok": true,
"data": {
"version": "v20260307",
"rules": {
"atr": {
"added": 12,
"updated": 3,
"removed": 1,
"files": [
{
"id": "ATR-2025-0125",
"name": "Detect Cryptominer via Agent Action",
"content": "..."
}
]
}
},
"iocs": {
"ipBlocklist": ["198.51.100.42", "203.0.113.99"],
"domainBlocklist": ["malware-c2.example.net"],
"hashBlocklist": ["e3b0c44298fc1c149afbf4c8996fb924"]
},
"config": {
"heartbeatInterval": 60,
"logLevel": "info"
}
}
}
The agent-update endpoint uses delta updates when a currentVersion is provided. This minimizes bandwidth by only sending new or modified rules since the agent’s last update.
