A live instance of CyberThreat AI is available at ctai.marcvspt.tech. You can use it without any setup or API keys — the platform works out of the box using built-in credentials.

Submit your first IoC

1. Open the platform

Navigate to ctai.marcvspt.tech in your browser. The main page shows a search field and a model selector.

2. Configure API keys (optional)

Click the API Keys button in the header to open the configuration modal. You can supply your own keys for OpenRouter, VirusTotal, AbuseIPDB, and PolySwarm. If you skip this step, the platform uses its built-in credentials where available. See Configuration for details on which keys affect which sources.

3. Enter an IoC

Type or paste an indicator into the search field. CyberThreat AI accepts:
  • IPv4 and IPv6 addresses — e.g. 1.2.3.4 or 2001:4860:4860::8888
  • Domain names — e.g. malware.example.com
  • File hashes — MD5, SHA1, or SHA256
The Type chip below the field updates automatically as you type, confirming what the platform detected.

4. Submit and read the verdict

Press Analyze or hit Enter. The AI response begins streaming immediately. You will see the verdict, confidence level, reasoning, and recommended actions appear as the model generates them — no need to wait for the full response.

Using the API directly

You can call the analysis endpoint with curl or any HTTP client without opening a browser.
curl "https://ctai.marcvspt.tech/api/ctai?ioc=1.2.3.4"
To specify an AI model, add the model query parameter:
curl "https://ctai.marcvspt.tech/api/ctai?ioc=1.2.3.4&model=openrouter/auto"
To pass your own API keys, include them as request headers:
curl "https://ctai.marcvspt.tech/api/ctai?ioc=1.2.3.4" \
  -H "X-OpenRouter-Key: your-openrouter-key" \
  -H "X-VT-Key: your-virustotal-key" \
  -H "X-AbuseIPDB-Key: your-abuseipdb-key" \
  -H "X-Polyswarm-Key: your-polyswarm-key"
Other IoC types work the same way:
curl "https://ctai.marcvspt.tech/api/ctai?ioc=2001:4860:4860::8888"

Reading the SSE stream

The endpoint returns a text/event-stream response. Events are emitted in sequence as the analysis progresses.

Event sequence

Event   When emitted                                  Payload
meta    First — before AI response starts             { ioc, type, model, warnings? }
model   After OpenRouter resolves the routed model    { model }
chunk   Repeatedly — once per token                   { content }
done    Last — signals the stream is complete         { done: true }
error   If an error occurs                            { error, stage, errorType }

Example stream output

event: meta
data: {"ioc":"1.2.3.4","type":"IPv4","model":"openrouter/auto"}

event: model
data: {"model":"google/gemma-3-4b-it:free"}

event: chunk
data: {"content":"**Veredicto:** Sospechoso\n"}

event: chunk
data: {"content":"**Confianza:** Media\n"}

event: chunk
data: {"content":"\n**Resumen:** La dirección IP 1.2.3.4 ha sido..."}

event: done
data: {"done":true}
The meta event arrives first and includes the detected IoC type. If any CTI source reported a warning (invalid API key, no data returned), those warnings appear in meta.warnings as an array. The chunk events form the full AI response when concatenated in order.
If all CTI sources fail to return data, the stream emits meta followed immediately by done — no AI call is made. This prevents unnecessary OpenRouter usage when there is nothing to analyze.
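
A client for the event sequence described above, as an added example that is not part of the CyberThreat AI project's own code: it parses the text/event-stream lines, concatenates chunk events in order, and separates a completed analysis from the meta-then-done case and from a stream that was cut off before done. The function names, both sample streams and the warning string are constructed for illustration.

```python
import json
# Constructed sample, modelled on the example stream output above.
FULL = r"""event: meta
data: {"ioc":"1.2.3.4","type":"IPv4","model":"openrouter/auto"}

event: model
data: {"model":"google/gemma-3-4b-it:free"}

event: chunk
data: {"content":"**Veredicto:** Sospechoso\n"}

event: chunk
data: {"content":"**Confianza:** Media\n"}

event: done
data: {"done":true}

"""
# Constructed: all CTI sources failed, so meta is followed directly by done.
NO_DATA = ('event: meta\ndata: {"ioc":"1.2.3.4","type":"IPv4",'
           '"warnings":["constructed warning"]}\n\nevent: done\ndata: {"done":true}\n\n')

def parse_sse(lines):
    """Yield (event, payload); an event is dispatched only by its blank line,
    so a trailing event without one (truncated stream) is dropped."""
    event, data = "message", []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":
            if data:
                yield event, json.loads("\n".join(data))
            event, data = "message", []
        elif line.startswith("event:"):
            event = line[6:].strip()
        elif line.startswith("data:"):
            data.append(line[5:].removeprefix(" "))

def collect(lines):
    """Fold the event sequence into one result dict."""
    out = {"meta": None, "model": None, "text": "", "done": False, "error": None}
    for event, payload in parse_sse(lines):
        if event in ("meta", "error"):
            out[event] = payload          # error carries error, stage, errorType
        elif event == "model":
            out["model"] = payload["model"]
        elif event == "chunk":
            out["text"] += payload["content"]
        elif event == "done":
            out["done"] = True
    out["analyzed"] = bool(out["text"])   # False when no AI call was made
    return out
```

collect() accepts any iterable of decoded lines, so it can read sys.stdin when the output of curl -N is piped into it. A result with done false and error empty means the connection closed before the stream finished.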

Next steps

Configuration

Set up your own API keys and select an AI model

API Reference

Full endpoint reference including query parameters, headers, and error codes

IoC types

Learn how each IoC type is validated and which sources are queried

Interpreting results

Understand verdicts, confidence levels, and what actions to take
