Credential Intelligence API

Active exploitation capture, exposed as a clean defender API

This is not a post-breach dump. BlackDome captures credentials during live exploitation attempts across exposed services, then exposes the feed through authenticated API endpoints for SOC and detection workflows.

Coverage
13 protocols

SSH, FTP, MySQL, PostgreSQL, HTTP, SMTP, and the rest of the BlackDome sensor mesh.

Auth
Bearer token

Send Authorization: Bearer bd_... on every request.

Rate Limits
300 rpm / 5K day

The Credential Intelligence plan enforces 300 requests per minute and 5,000 requests per day.

Authentication

Use your BlackDome API key as a Bearer token

Credential Intelligence endpoints sit behind the same BlackDome API key model used across the product line.

Request header

Paid plans receive API keys prefixed with bd_.

Authorization: Bearer bd_your_api_key

Endpoints

Core endpoints

Use the feed for automation, stats for posture reporting, search for targeted hunts, and top for fast summaries.

GET /api/credentials/feed

Stream the latest captured credentials with filters for time window, protocol, username, IP, and pagination.

curl -H "Authorization: Bearer bd_your_api_key" \
  "https://blackdome.ai/api/credentials/feed?since=2026-03-01&protocol=ssh&limit=100"

GET /api/credentials/stats

Roll-up totals for credentials, usernames, source IPs, protocol distribution, and cross-protocol reuse.

curl -H "Authorization: Bearer bd_your_api_key" \
  "https://blackdome.ai/api/credentials/stats"

GET /api/credentials/search

Search by username, source IP, protocol, or free-text query without pulling the whole feed.

curl -H "Authorization: Bearer bd_your_api_key" \
  "https://blackdome.ai/api/credentials/search?username=admin"

GET /api/credentials/top

Return the highest-frequency usernames, passwords, source IPs, and protocol clusters for fast triage.

curl -H "Authorization: Bearer bd_your_api_key" \
  "https://blackdome.ai/api/credentials/top"

Response Shape

Live example from the BlackDome feed

The sample below reflects a real captured record observed on March 22, 2026. `source_country` can be null when geo enrichment is still pending for that source IP.

GET /api/credentials/feed

The response includes the current page of credentials plus the total count and pagination fields (`has_more`, `next_offset`).

{
  "credentials": [
    {
      "username": "postgres",
      "password_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "password_plain": null,
      "protocol": "postgresql",
      "source_ip": "46.19.137.194",
      "source_country": null,
      "edge_id": "leeroy-syd-01",
      "session_id": null,
      "first_seen": "2026-02-25T14:22:37.314041Z",
      "last_seen": "2026-03-22T09:27:20.287850Z",
      "cross_protocol": false,
      "attempt_count": 419
    }
  ],
  "total": 1693,
  "has_more": true,
  "next_offset": 100
}

Use Cases

Where teams use Credential Intelligence

The product is built for prevention and hunt workflows, not for incident retrospectives alone.

Password Policy Validation

Compare live attacker guesses against your own naming conventions, default accounts, and weak password patterns.

Breach Detection

Watch for your usernames, tenant labels, or service accounts showing up in active exploitation traffic.

Threat Hunting

Pivot from repeated usernames and hashes into actor infrastructure, protocol preference, and attack timing.
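
As an added example (not BlackDome's own client code), the sketch below walks a paginated feed using the `has_more` and `next_offset` fields from the response shape and applies the Password Policy Validation and Breach Detection checks to each record. Assumptions: `fetch_page` is a hypothetical callable standing in for the authenticated GET (the page does not name the request-side offset parameter), `password_hash` is treated as an unsalted SHA-256 hex digest (the sample record's hash equals the SHA-256 of an empty string), and every record except the first is constructed.

```python
import hashlib

def iter_feed(fetch_page, max_pages=50):
    """Yield every record, following has_more / next_offset from each response."""
    offset = 0
    for _ in range(max_pages):  # hard cap: each page costs one request of the daily quota
        page = fetch_page(offset)
        yield from page.get("credentials", [])
        if not page.get("has_more"):
            return
        nxt = page.get("next_offset")
        if not isinstance(nxt, int) or nxt <= offset:
            raise ValueError(f"next_offset did not advance past {offset}")
        offset = nxt

def triage(records, watch_users, weak_passwords):
    """Return (username, source_ip, reasons) for records that match local policy data."""
    # Assumption: password_hash is the unsalted SHA-256 hex digest of the guessed password.
    weak = {hashlib.sha256(p.encode()).hexdigest() for p in weak_passwords}
    watch = {u.lower() for u in watch_users}
    hits = []
    for r in records:
        checks = [("watched-username", (r.get("username") or "").lower() in watch),
                  ("weak-password", r.get("password_hash") in weak),
                  ("cross-protocol", bool(r.get("cross_protocol")))]
        reasons = [name for name, matched in checks if matched]
        if reasons:
            hits.append((r.get("username"), r.get("source_ip"), reasons))
    return hits

# Constructed pages keyed by offset; the first record copies fields from the page's sample.
SAMPLE_PAGES = {
    0: {"credentials": [{"username": "postgres", "source_ip": "46.19.137.194",
        "password_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "cross_protocol": False}], "has_more": True, "next_offset": 100},
    100: {"credentials": [
        {"username": "svc-backup", "source_ip": "203.0.113.7", "cross_protocol": True,
         "password_hash": hashlib.sha256(b"Winter2026!").hexdigest()},
        {"username": "guest", "source_ip": "203.0.113.9", "cross_protocol": False,
         "password_hash": hashlib.sha256(b"not-on-any-list").hexdigest()}],
        "has_more": False, "next_offset": None},
}

def run_sample():
    records = iter_feed(SAMPLE_PAGES.__getitem__)  # stand-in for an HTTP fetch by offset
    return triage(records, watch_users=["svc-backup"], weak_passwords=["", "postgres"])

if __name__ == "__main__":
    print(run_sample())
```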