DFIR Suite API Documentation
The DFIR Suite API provides programmatic access to phishing email analysis, IOC enrichment, and a growing set of security tools — all through a simple REST interface secured with API key authentication.
Quick Start
1. Create an API key
Head to the API Keys page and generate a new key. Copy it — you will only see it once.
2. Make your first request
Call the phishing analysis endpoint with a sample email source.
curl -X POST https://api.dfir-lab.ch/v1/phishing/analyze \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -H "Content-Type: application/json" \
  -d '{"raw_email": "<your .eml content>"}'
3. Check the response
The API returns a JSON object with the analysis results, verdict, and confidence score. Every successful call deducts credits from your account based on the endpoint used.
API Playground
Try every endpoint in your browser
Free sandbox: 10 credits/week. No signup required — bring your own API key or use the built-in sandbox for anonymous testing.
Base URL
https://api.dfir-lab.ch/v1
Available Endpoints
| Endpoint | Method | Description | Credits |
|---|---|---|---|
| /phishing/analyze | POST | Heuristic email analysis | 1 |
| /phishing/analyze/ai | POST | AI-enhanced verdict | 10 |
| /phishing/enrich | POST | IOC enrichment | 2 |
| /phishing/dns | POST | DNS configuration analysis | 1 |
| /phishing/blacklist | POST | IP DNSBL check | 1 |
| /phishing/geoip | POST | IP geolocation | 1 |
| /phishing/safe-browsing | POST | Google Safe Browsing | 2 |
| /phishing/checkphish | POST | CheckPhish URL scan | 2 |
| /phishing/urlscan | POST | URLScan.io analysis | 3 |
| /phishing/url-expand | POST | URL redirect chain | 1 |
| /enrichment/lookup | POST | IOC enrichment | 3/indicator |
| /exposure/scan | POST | Attack surface scan | 10 |
| /ai/triage | POST | AI alert triage | 10 |
| /ai/analysis | POST | Deep incident analysis | 15 |
| /ai/threat-profile | POST | Threat actor profiling | 20 |
| /ai/detect | POST | Detection rule generation | 15 |
| /file/analyze | POST | Script static analysis | 5 |
| /file/deep | POST | Deep/dynamic/AI analysis | 15–60 |
| /file/status/{sha256} | GET | Poll analysis status | 1 |
| /health | GET | Service status | 0 |
Authentication
Include your API key in the Authorization header of every request using the Bearer scheme:
Authorization: Bearer sk-dfir-your-key-here
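The Quick Start request and the Bearer header above, as an added Python example (not code from DFIR Suite) that keeps the key out of source and shell history, logs only a redacted form, and checks the credit cost from the endpoint table before a call is built. The `DFIR_API_KEY` variable name, the helper and class names, and the assumption that real keys keep the `sk-dfir-` prefix of the sample are illustrative; the key and email shown are constructed.

```python
import json
import os
import urllib.request

BASE_URL = "https://api.dfir-lab.ch/v1"   # base URL from the page
KEY_PREFIX = "sk-dfir-"                    # assumption: real keys keep the sample's prefix

# Fixed per-call costs copied from the /phishing rows of the endpoint table.
CREDITS = {
    "/phishing/analyze": 1, "/phishing/analyze/ai": 10, "/phishing/enrich": 2,
    "/phishing/dns": 1, "/phishing/blacklist": 1, "/phishing/geoip": 1,
    "/phishing/safe-browsing": 2, "/phishing/checkphish": 2,
    "/phishing/urlscan": 3, "/phishing/url-expand": 1,
}

def load_key(env=None, var="DFIR_API_KEY"):
    """Read the key from the environment (hypothetical variable name)."""
    key = (os.environ if env is None else env).get(var, "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise ValueError(f"{var} is unset or does not look like a DFIR Suite key")
    return key

def redact(key):
    """Form of the key that is safe to write to logs."""
    return KEY_PREFIX + "..." + key[-4:]

class CreditBudget:
    """Local guard: refuse a call that would exceed the credits planned for a run."""
    def __init__(self, credits):
        self.remaining = credits

    def reserve(self, endpoint):
        cost = CREDITS[endpoint]           # KeyError for endpoints not listed above
        if cost > self.remaining:
            raise RuntimeError(f"{endpoint} costs {cost}, only {self.remaining} left")
        self.remaining -= cost

def build_request(endpoint, payload, key, budget):
    """Build (but do not send) an authenticated POST for one endpoint."""
    budget.reserve(endpoint)
    return urllib.request.Request(BASE_URL + endpoint, method="POST",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"})

if __name__ == "__main__":
    key = load_key({"DFIR_API_KEY": "sk-dfir-constructed-sample-0000"})  # constructed key
    budget = CreditBudget(10)              # the weekly sandbox allowance from the page
    req = build_request("/phishing/analyze", {"raw_email": "Subject: constructed\r\n\r\nhi"}, key, budget)
    print(req.get_method(), req.full_url, redact(key), "credits left:", budget.remaining)
```

Passing the returned object to `urllib.request.urlopen(req, timeout=30)` sends the request; the budget here is a local planning guard, since the service itself deducts credits only on successful calls.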