API Workflows and Use Cases

Learn which API endpoints to use for each security workflow and how to automate them.

• Query Creds, Stealer, and Combo together to find every leaked password tied to your domain. Creds covers third-party breaches. Stealer covers infostealer malware. Combo catches what slips through both.
• Stolen session tokens are your most urgent finding. The Sessions endpoint catches them. These tokens let attackers skip the login requirement and MFA entirely.
• The Docs endpoint lets you search documents from ransomware leaks, breaches, and unsecured databases for your company name. You’ll often find your data in a vendor’s breach before they notify you.
• Webhooks through the Monitor endpoint push alerts to your SIEM or ticketing system so you don’t have to poll for new data.

The API documentation tells you what each endpoint accepts and returns. It doesn’t tell you how to combine them into workflows that solve real problems.

Most teams start with manual API queries, then wonder how to automate the process. The gap isn’t the API itself. It’s knowing which endpoints matter for the problem you’re trying to solve.

This page maps security workflows to the API endpoints that power them. Pick a use case and see which endpoints to query.

What Are the Breachsense API Endpoints?

Breachsense is a dark web monitoring API with 9 REST endpoints, each covering a different data type. All endpoints live at api.breachsense.com and return JSON.

Here’s what each endpoint does and when you’d use it. Several endpoints return data from infostealers, so it helps to know what those are.

Infostealer malware runs on someone’s device and grabs saved passwords and session tokens from their browser. It uploads everything to attacker-controlled servers within minutes. The stolen data then appears for sale on criminal markets, often before the victim notices anything wrong.

Creds returns credentials from third-party breaches. When a SaaS vendor gets hacked and user data leaks, those credentials end up here. Query by domain to find every employee password exposed in breaches.

Stealer returns credentials stolen by infostealer malware. Unlike breach data, these come from individual infected devices. Results include the malware type and device OS plus the machine name.

Sessions returns stolen session tokens and authentication cookies. These are the most urgent findings because they skip past MFA entirely.

Combo returns credentials from combo lists with plaintext passwords. These are aggregated collections of leaked credentials packaged for credential stuffing attacks.

Docs runs full-text search across documents from ransomware leaks, third-party breaches, and unsecured databases. Search for your organization to find your data in someone else’s breach.

Darkweb returns records of company data being sold on criminal markets. Results include screenshot URLs on the Business and Enterprise tiers.

Monitor manages your monitored assets and webhook configurations. This is how you set up ongoing alerts instead of running manual queries.

ASM handles attack surface management. It lists your known assets and flags potential phishing domains that impersonate your brand.

Radar tracks domains being discussed by attackers on hacker forums. It tells you when someone is selling access to your network or advertising your stolen data.

With the endpoints mapped, here’s how to chain them into workflows.

How Do You Check Your Full Credential Exposure?

This is the first workflow most teams run. You want to know every leaked credential tied to your domain.

Endpoints involved

Creds for third-party breach credentials. Stealer for infostealer credentials. Combo for combo list matches. Sessions for stolen tokens.

The workflow

1. Query Creds with your domain. This returns every employee credential that appeared in a third-party breach. Results include the email and password (cracked to plaintext when possible) plus the breach source.

2. Query Stealer with the same domain. This returns credentials stolen by malware on employee devices. The results sometimes overlap with Creds, but Stealer also returns device details you won’t find in breach data.

3. Query Sessions with your domain. This returns active session tokens. Any matches here need immediate action since these tokens let attackers skip authentication.

4. Query Combo for completeness. Combo lists aggregate credentials from multiple sources. Some entries won’t appear in Creds or Stealer individually.

5. Deduplicate and prioritize. Session tokens get handled first. Fresh stealer log matches come second. Old breach credentials come last. Use the date parameter to filter by recency.

Automation pattern

Schedule this workflow daily across all your domains. Compare each run against the previous results to flag only new findings. Pipe new findings into your ticketing system with severity tags based on the source endpoint.
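The five steps above and the daily automation pattern, as an added Python example (not Breachsense’s own client code). The record fields (email, password, cookie, source, date, hwid), the use of endpoint names as dictionary keys, and the sample responses are constructed for illustration; the fetch function is a stand-in for the real HTTP request, so the block runs offline.

```python
"""Aggregate, prioritize and diff credential exposure for one domain.

Added example (not Breachsense's own client code). The record fields
(email, password, cookie, source, date, hwid) and the use of endpoint
names as dictionary keys are assumptions made for illustration; check the
API documentation for the real response shape.
"""
from datetime import datetime

# Handling order by source endpoint: lower number is handled first.
SEVERITY = {"sessions": 1, "stealer": 2, "combo": 3, "creds": 4}

# Constructed sample responses standing in for live API results.
SAMPLE_RESPONSES = {
    "creds": [
        {"email": "alice@example.com", "password": "Winter2023!",
         "source": "vendor-breach-2023", "date": "2023-04-02"},
        {"email": "bob@example.com", "password": "hunter2",
         "source": "forum-dump", "date": "2019-11-30"},
    ],
    "stealer": [
        {"email": "alice@example.com", "password": "Winter2023!",
         "source": "RedLine", "date": "2024-05-14", "hwid": "HW-1234"},
    ],
    "combo": [
        {"email": "bob@example.com", "password": "hunter2",
         "source": "combo-list-7", "date": "2020-01-10"},
        {"email": "carol@example.com", "password": "pa55word",
         "source": "combo-list-7", "date": "2020-01-10"},
    ],
    "sessions": [
        {"email": "alice@example.com", "cookie": "sessionid",
         "source": "RedLine", "date": "2024-05-14", "hwid": "HW-1234"},
    ],
}


def fetch(endpoint, domain, responses=SAMPLE_RESPONSES):
    """Stand-in for an authenticated GET against api.breachsense.com.
    In production replace the body with a real HTTP request; here it
    returns canned records filtered to the requested domain."""
    return [r for r in responses.get(endpoint, [])
            if r["email"].lower().endswith("@" + domain.lower())]


def finding_key(record):
    """Deduplication identity: the same email and secret seen by several
    endpoints collapses to one finding."""
    return (record["email"].lower(), record.get("password") or record.get("cookie", ""))


def collect_exposure(domain, min_date=None, fetcher=fetch):
    """Steps 1-5: query the four endpoints, drop records older than min_date
    (YYYY-MM-DD, mirroring the API's date filter), deduplicate, keep the most
    severe source per finding and sort by severity then recency."""
    cutoff = datetime.strptime(min_date, "%Y-%m-%d").date() if min_date else None
    merged = {}
    for endpoint in ("sessions", "stealer", "combo", "creds"):
        for rec in fetcher(endpoint, domain):
            rec_date = datetime.strptime(rec["date"], "%Y-%m-%d").date()
            if cutoff and rec_date < cutoff:
                continue
            item = {**rec, "endpoint": endpoint, "severity": SEVERITY[endpoint], "date": rec_date}
            key = finding_key(rec)
            # A secret seen in a stealer log or session outranks the same secret in a breach dump.
            if key not in merged or item["severity"] < merged[key]["severity"]:
                merged[key] = item
    return sorted(merged.values(), key=lambda f: (f["severity"], -f["date"].toordinal()))


def snapshot(findings):
    """Set of finding keys to persist between scheduled runs."""
    return {finding_key(f) for f in findings}


def new_findings(findings, previous_snapshot):
    """Findings absent from the previous run, i.e. what gets ticketed today."""
    return [f for f in findings if finding_key(f) not in previous_snapshot]


if __name__ == "__main__":
    today = collect_exposure("example.com")
    yesterday = snapshot(collect_exposure("example.com", min_date="2024-01-01"))
    for f in new_findings(today, yesterday):
        print(f"[sev {f['severity']}] {f['endpoint']:8} {f['email']} via {f['source']} on {f['date']}")
```

Persist the snapshot between runs (a file or a table keyed by domain) and call new_findings on each scheduled run; the severity number on each finding is what your ticketing integration turns into a severity tag.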

How Do You Detect and Respond to Stolen Session Tokens?

Session tokens are your most urgent alert type. The enterprise response playbook covers the full incident response steps. Here’s the API workflow behind it.

Endpoints involved

Sessions for detection. Monitor for automated alerting.

The workflow

1. Configure monitoring. Use the Monitor endpoint to add your domains and define which cookies are used as session tokens (e.g., sessionid, auth_token). Set up a webhook pointed at your SIEM or SOAR platform.

2. When a webhook fires, parse the alert. The Sessions endpoint returns the cookie name and path plus the expiration date. It also includes the malware path and the infected device’s IP address.

3. Revoke the session immediately. Your SOAR playbook should auto-revoke the token across every service it grants access to. Don’t wait for an analyst to review it first.

4. Investigate the device. The stealer log data includes the machine name and OS. When relevant, use this to identify the infected endpoint and isolate it.

5. Query Stealer for the same device. The hardware ID in the Sessions response lets you find all credentials stolen from that same machine. The infostealer probably grabbed more than one token.

Automation pattern

Session token webhooks should page your on-call analyst and trigger auto-revocation simultaneously. Don’t queue these with regular credential alerts. The Breachsense API delivers these alerts in real time through webhooks so your automation can act within minutes.
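The response side of this workflow (steps 2 to 5), as an added Python example rather than Breachsense code. The alert payload keys (source, domain, email, cookie_name, cookie_path, expires, hwid, machine_name, os, ip, malware_path), the Stealer record fields and both sample datasets are constructed for illustration; the real webhook keys may differ.

```python
"""Turn a Sessions webhook alert into an ordered response plan and pull
every other credential stolen from the same device.

Added example, not Breachsense code. The alert fields used here (source,
domain, email, cookie_name, cookie_path, expires, hwid, machine_name, os,
ip, malware_path) and the Stealer record fields are assumptions for
illustration; the real payload keys may differ.
"""
from datetime import datetime, timezone

# Cookie names your applications use as session tokens (configured in step 1).
SESSION_COOKIES = {"sessionid", "auth_token"}

# Constructed sample webhook payload for a stolen session token.
SAMPLE_ALERT = {
    "source": "sessions",
    "domain": "example.com",
    "email": "alice@example.com",
    "cookie_name": "sessionid",
    "cookie_path": "/",
    "expires": "2030-01-01T00:00:00Z",
    "hwid": "HW-1234",
    "machine_name": "ALICE-LAPTOP",
    "os": "Windows 11",
    "ip": "203.0.113.7",
    "malware_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
}

# Constructed Stealer records, as if returned for the same hardware ID (step 5).
SAMPLE_STEALER_LOG = [
    {"hwid": "HW-1234", "email": "alice@example.com", "url": "https://mail.example.com"},
    {"hwid": "HW-1234", "email": "alice@example.com", "url": "https://vpn.example.com"},
    {"hwid": "HW-9999", "email": "dave@example.com", "url": "https://mail.example.com"},
]


def parse_alert(payload):
    """Step 2: validate the alert and keep only cookies we treat as session
    tokens. Returns None for cookies that are not session-bearing."""
    if payload.get("source") != "sessions":
        raise ValueError("expected a Sessions alert, got %r" % payload.get("source"))
    if payload["cookie_name"] not in SESSION_COOKIES:
        return None
    expires = datetime.strptime(payload["expires"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "email": payload["email"],
        "cookie_name": payload["cookie_name"],
        "cookie_path": payload.get("cookie_path", "/"),
        "expires": expires.replace(tzinfo=timezone.utc),
        "hwid": payload["hwid"],
        "machine_name": payload.get("machine_name"),
        "os": payload.get("os"),
        "ip": payload.get("ip"),
        "malware_path": payload.get("malware_path"),
    }


def plan_response(alert, stealer_records, now=None):
    """Steps 3-5 as an ordered action list for a SOAR playbook: revoke and page
    first, without analyst review, then isolate the device, then reset every
    credential taken from the same hardware ID."""
    now = now or datetime.now(timezone.utc)
    actions = [
        # Revoke regardless of the cookie's own expiry: the server-side session
        # may outlive it, and revocation is cheap.
        ("revoke_session", alert["email"], alert["cookie_name"], alert["cookie_path"]),
        ("page_oncall", alert["email"], "stolen session token"
         + ("" if alert["expires"] > now else " (cookie already expired)")),
    ]
    if alert["machine_name"]:
        actions.append(("isolate_host", alert["machine_name"], alert["os"], alert["ip"]))
    # The infostealer almost certainly took more than one secret from this machine.
    related = [r for r in stealer_records if r["hwid"] == alert["hwid"]]
    seen = set()
    for rec in related:
        if (rec["email"], rec["url"]) not in seen:
            seen.add((rec["email"], rec["url"]))
            actions.append(("reset_password", rec["email"], rec["url"]))
    return actions


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    for action in plan_response(alert, SAMPLE_STEALER_LOG):
        print(action)
```

The action tuples are deliberately ordered: revocation and paging come before the device lookup so that a slow Stealer query never delays the part that closes the attacker’s access.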

How Do You Investigate a Vendor Breach?

A vendor gets hit by ransomware. You need to know if your data was in the dump. The Docs endpoint uses full-text search to help you find out.

Full-text search in the context of breach investigation means searching across the actual contents of leaked documents, not just metadata. The Docs endpoint indexes files from ransomware leaks, third-party breaches, and unsecured databases so you can search for your domain or organization name inside them.

Endpoints involved

Docs for searching leaked files. Creds and Stealer for credential exposure from the vendor’s breach.

The workflow

1. Search Docs for your organization. Use the Docs endpoint with your company name as the query. This searches across documents published on ransomware leak sites. Try your domain too.

2. Search for employee names. If key personnel had accounts with the vendor, search for their names in the leaked files. Contracts and internal communications often contain names.

3. Download relevant documents. The Docs endpoint returns document IDs for matching files. Download them by ID for forensic review. Look for contracts and customer records. Check for credentials too.

4. Query Creds filtered by the breach source. If the vendor’s breach data was also processed as credential dumps, query Creds with the breach source name to find your domain’s exposed credentials.

5. Check Stealer for overlap. If the vendor breach involved infostealers on their systems, your credentials might appear in stealer logs tied to the vendor’s infrastructure.

This workflow is central to third-party risk management. You’ll often find your data in a vendor’s breach before the vendor notifies you.

How Do You Set Up Multi-Client Monitoring for MSSPs?

MSSPs need to monitor dozens of client domains from a single API. The MSSP integration playbook covers the full operational workflow. Here’s the API side.

Endpoints involved

Monitor for asset management and webhook routing. Creds and Stealer for credential queries. Sessions for token detection.

The workflow

1. Add each client’s domains via the Monitor endpoint. Register every domain the client owns, including subsidiaries. Each domain becomes a monitored asset.

2. Configure per-client webhooks. Point each client’s alerts to a different webhook URL. Route one client to their Slack channel and another to their SIEM. The Monitor endpoint supports per-asset webhook configuration.

3. Run an initial historical scan. Query Creds and Stealer for each new client domain. Add Sessions for token exposure. This pulls up years of past credential leaks. Sort by date and deliver the results as a first exposure report.

4. Set priority-based routing rules. In your integration layer, tag incoming webhooks by source endpoint. Sessions webhooks get high severity, Stealer gets medium, and Creds matches from old breaches get low.

5. Schedule periodic full scans. Daily or weekly, query all client domains across all endpoints. Diff results against your last run to catch anything webhooks might have missed.

Automation pattern

Build a thin integration layer between Breachsense webhooks and your PSA or ticketing system. Each webhook payload includes the affected domain, so your router can map it to the right client automatically.

How Do You Monitor Your Attack Surface?

The ASM and Radar endpoints cover threats that aren’t credential-specific.

Endpoints involved

ASM for asset discovery and phishing domain detection. Radar for attacker chatter about your domains.

The workflow

1. Query ASM with your domain. It returns your known assets (subdomains, mail servers, nameservers) and any lookalike domains registered to impersonate your brand.

2. Filter for potential phishing domains. Use the pphish parameter to see only phishing domain results. These are domains that look similar to yours and may be stealing credentials from your employees or customers.

3. Query Radar for your domain. This returns mentions of your domain on hacker forums. If someone is selling access to your network or advertising your data, Radar catches it.

4. Cross-reference with credential data. If Radar shows your domain being discussed, query Creds and Stealer to check whether credentials have already leaked. If ASM finds a phishing domain, check whether compromised credentials were harvested through it.

5. Take action on findings. For phishing domains, initiate takedowns through attack surface management. For Radar alerts about access being sold, escalate to your incident response team.

Automation pattern

Schedule ASM and Radar queries daily. Alert immediately on new phishing domains or access-sale mentions. Queue asset inventory changes for periodic review.

How Do You Build Webhook Automations?

Webhooks are what turn the API from a query tool into a monitoring platform. Instead of polling for new data, Breachsense pushes alerts to your systems.

Setting up webhooks

Use the Monitor endpoint to register webhook URLs for each monitored domain. You can configure basic authentication on the webhook endpoint for security. Each domain can point to a different URL.

What webhook payloads include

When new exposure is detected, Breachsense sends an HTTP request to your webhook. The payload includes the affected domain and the credential or token data. It also includes the source and detection timestamp.

Common webhook destinations

SIEM integration. Route webhooks to your SIEM’s HTTP collector. Tag events with the source endpoint (creds, stealer, sessions) for severity-based correlation rules.

SOAR playbooks. Feed webhook alerts into your SOAR platform to trigger automated response. Session token alerts trigger revocation. Credential alerts trigger password resets.

Ticketing systems. Create pre-populated tickets in your PSA or ITSM tool. Include the affected user and breach source plus the recommended action. Your analyst picks up a ready-to-work ticket.

Chat notifications. Send alerts to Slack or Teams channels. Useful for smaller teams or as a secondary notification alongside ticketing.

Webhook reliability

If your endpoint is unavailable, Breachsense retries the delivery. Monitor your webhook endpoint uptime to avoid gaps in alerting.
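A receiver for these webhooks, as an added Python example (not Breachsense code), covering the per-client routing from the MSSP workflow above as well as the basic authentication, payload handling and retry behaviour described in this section. The payload keys (domain, source, email), the client table and the credentials are constructed for illustration; only the documented behaviour (basic auth on the webhook URL, the affected domain in every payload, retries when delivery fails) comes from the page.

```python
"""Webhook receiver for Breachsense alerts: verify the basic-auth credentials
configured on the webhook URL, make retried deliveries idempotent, map the
affected domain to a client and route by severity of the source endpoint.

Added example, not Breachsense code. The payload keys (domain, source,
email), the client table and the credentials are constructed for
illustration; only the documented behaviour (basic auth on the webhook,
a domain in every payload, retries on failure) is taken from the page.
"""
import base64
import hashlib
import hmac
import json

# Credentials configured on the webhook URL via the Monitor endpoint (constructed).
WEBHOOK_USER = "breachsense"
WEBHOOK_PASS = "replace-with-a-long-random-secret"

# Multi-tenant routing table: monitored domain -> client and destination (constructed).
CLIENTS = {
    "example.com": {"client": "Acme", "destination": "siem://acme/http-collector"},
    "example.org": {"client": "Globex", "destination": "slack://globex-alerts"},
}

# Priority-based routing: severity tag by source endpoint.
SEVERITY_BY_SOURCE = {"sessions": "high", "stealer": "medium", "creds": "low", "combo": "low"}

# Hashes of payloads already processed, so a retried delivery is not ticketed twice.
DELIVERED = set()


def make_basic_auth(user, password):
    """Build an Authorization header value (handy for tests and curl)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(authorization):
    """Constant-time comparison of the Authorization header with the configured credentials."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True)
    except (ValueError, TypeError):
        return False
    user, _, password = decoded.partition(b":")
    return (hmac.compare_digest(user, WEBHOOK_USER.encode())
            and hmac.compare_digest(password, WEBHOOK_PASS.encode()))


def route_alert(payload):
    """Map the affected domain to a client and pick severity from the source
    endpoint. Unknown domains are quarantined rather than rejected: a 4xx/5xx
    would only make the sender retry, not fix the routing table."""
    domain = payload.get("domain", "").lower()
    source = payload.get("source", "").lower()
    client = CLIENTS.get(domain)
    severity = SEVERITY_BY_SOURCE.get(source, "medium")
    return {
        "client": client["client"] if client else None,
        "destination": client["destination"] if client else "quarantine",
        "severity": severity,
        "page_oncall": severity == "high",
        "domain": domain,
        "source": source,
        "email": payload.get("email"),
    }


def handle_request(headers, body, delivered=DELIVERED):
    """Return (HTTP status, routing decision or None).
    401 for bad credentials, 400 for a malformed body, 202 for a domain that is
    not in the routing table, 200 otherwise; a repeated payload is acknowledged
    with 200 and marked duplicate so retries do not create duplicate tickets."""
    if not basic_auth_ok(headers.get("Authorization")):
        return 401, None
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return 400, None
    if not isinstance(payload, dict) or "domain" not in payload:
        return 400, None
    digest = hashlib.sha256(body.encode() if isinstance(body, str) else body).hexdigest()
    decision = route_alert(payload)
    decision["duplicate"] = digest in delivered
    delivered.add(digest)
    status = 200 if decision["client"] else 202
    return status, decision


if __name__ == "__main__":
    hdr = {"Authorization": make_basic_auth(WEBHOOK_USER, WEBHOOK_PASS)}
    sample = json.dumps({"domain": "example.com", "source": "sessions", "email": "alice@example.com"})
    print(handle_request(hdr, sample))
```

Wire handle_request into whatever HTTP framework fronts your integration layer and return its status code to the sender: a 2xx acknowledges delivery, anything else is what triggers the retry described above, so keep the receiver small and fast and do the ticket creation asynchronously.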

The API documentation covers the full parameter reference for all endpoints.

For what to do after an alert fires, see the enterprise response playbook. For scaling these workflows across multiple clients, check the MSSP integration playbook.

Breachsense API Workflows FAQ

Breachsense has 9 REST API endpoints covering different data types: Creds, Stealer, Sessions, Combo, Docs, Darkweb, Monitor, ASM, and Radar. You query them at api.breachsense.com with your license key.

Start with Creds and Stealer to check your domains against third-party breaches and infostealer logs. Add Combo for credentials that slip through both. Use Sessions for stolen tokens. The Monitor endpoint lets you set up ongoing alerts so you don’t need to query manually.

Yes. Configure webhooks through the Monitor endpoint to send alerts to your SIEM or SOAR platform. Your automation layer then triggers password resets through your identity provider. Breachsense identifies the exposed credentials. Your identity provider handles the reset.

Use the Docs endpoint with a search query for your company name or domain. It runs full-text search across documents from ransomware leaks, third-party breaches, and unsecured databases. You can download specific documents by ID for forensic analysis.

The Creds endpoint returns credentials from third-party breaches where a service was hacked and user data was exposed. The Stealer endpoint returns credentials stolen by infostealer malware running on individual devices. Both expose passwords, but stealer logs also include cookies and system details.

The Monitor endpoint lets you register webhook URLs for each monitored domain. When Breachsense detects new exposure, it sends an HTTP request to your webhook with the alert details. You can configure different webhooks per domain for multi-tenant setups.