API Reference
Everything in Kaimz is available over a REST API — query your telemetry, pull detections and incidents, and drive automated response from your own tooling.
Authenticate with an API key in the x-kaimz-key header (generated in the console), or with a console session. All traffic is HTTPS; the brain also supports mutual-TLS for agents.
```sh
curl -H "x-kaimz-key: <YOUR_KEY>" https://<brain-host>:4000/v1/assets
```
| Base URL | https://<brain-host>:4000/v1 |
|---|---|
| Format | JSON request and response bodies; UTF-8. |
| Auth header | x-kaimz-key: <YOUR_KEY> |
| Methods | GET to read, POST to act/create. |
Example payloads below are representative; field names may vary by version. Use the console's API explorer for the exact current schema of your deployment.
```sh
curl -H "x-kaimz-key: <KEY>" https://<brain-host>:4000/v1/assets
# → representative response
[
  { "id": "kaimz-...", "hostname": "web-01", "os": "linux",
    "status": "online", "riskScore": 72, "lastSeen": "2026-06-14T15:02:11Z" }
]
```
Two views are exposed: raw detections, and incidents that fold many detections into actionable cases with a timeline and MITRE ATT&CK mapping.
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /v1/detections | Behavioral / ATT&CK detections |
| GET | /v1/incidents | Incident summary + list (ranked) |
| GET | /v1/incidents/:id | Full incident report (timeline, kill-chain) |
| POST | /v1/incidents/:id/status | Acknowledge / resolve an incident |
```sh
# Acknowledge an incident
curl -X POST -H "x-kaimz-key: <KEY>" -H "Content-Type: application/json" \
  -d '{"status":"acknowledged"}' \
  https://<brain-host>:4000/v1/incidents/<id>/status
```
Drive real-time response — isolate, kill, quarantine, scan, forensics — as cryptographically signed tasks dispatched to agents.
```sh
# Isolate an endpoint
curl -X POST -H "x-kaimz-key: <KEY>" -H "Content-Type: application/json" \
  -d '{"action":"isolate","params":{"mode":"full"}}' \
  https://<brain-host>:4000/v1/response/<assetId>/action
# → { "status": "DISPATCHED", "taskId": "..." }
```
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /v1/risk/asset/:id | Explainable risk score + top vuln breakdown |
| POST | /v1/vulnerabilities/smart-score | Score a vuln (CVSS + EPSS + KEV + context) |
| GET | /v1/exposure | Running & network-reachable exposure |
| POST | /v1/device-posture/scan | Trigger a device-hardening posture scan |
| GET | /v1/ransomware | Ransomware canary & signal status |
```sh
# Risk score for a CVE in context
curl -X POST -H "x-kaimz-key: <KEY>" -H "Content-Type: application/json" \
  -d '{"cve":"CVE-2024-0000","assetId":"kaimz-..."}' \
  https://<brain-host>:4000/v1/vulnerabilities/smart-score
# → { "riskScore": 100, "band": "Critical", "decision": "PATCH_NOW",
#     "kev": true, "epss": 0.94, "factors": [ ... ] }
```
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /v1/identity/inventory | Human identity inventory + risk |
| GET | /v1/itdr/threats | Identity threats (brute force, multi-IP, anomalies) |
| GET | /v1/nhi | Non-human identities — keys, tokens, service accounts |
| GET | /v1/ueba/entities | UEBA entities & behavioral anomalies |
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /v1/compliance/posture | Live control status mapped to frameworks (CIS/PCI/HIPAA/ISO) |
| GET | /v1/bas/coverage | ATT&CK detection-coverage matrix |
| GET | /v1/iot/inventory | Network/IoT discovery (managed vs shadow) |
| POST | /v1/dlp/analyze | Analyze content for secrets/PII (Luhn + entropy + signatures) |
SIEM search runs the Kaimz Query Language (KQL) over alerts, detections and telemetry — query from the console's SIEM view or via the search API in your deployment.
The API uses standard HTTP status codes. Errors return a JSON body with a message.
| Code | Meaning |
|---|---|
| 200 | Success |
| 400 | Bad request — check your payload |
| 401 | Missing or invalid API key |
| 404 | Resource not found |
| 429 | Rate limited — back off and retry |
| 500 | Server error |
Be a good client: handle 429 with exponential backoff, and page large result sets rather than pulling everything at once.
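The following is an added example (not Kaimz's own client library) of a small Python wrapper that sends the x-kaimz-key header, retries 429 responses with capped exponential backoff, and raises on other errors; the `transport` and `sleep` parameters are assumed hooks so the wrapper can be exercised offline, and `<brain-host>` is the page's placeholder for your deployment.

```python
import json
import time
import urllib.error
import urllib.request

# Placeholder host as used throughout this page; replace with your brain's address.
BRAIN_URL = "https://<brain-host>:4000"

class KaimzError(Exception):
    """Non-retryable API failure (4xx other than 429, 5xx, or 429 retries exhausted)."""

def _urllib_transport(method, url, headers, body):
    """Default transport (an assumed helper, not part of the Kaimz API): (status, text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def kaimz_request(method, path, api_key, payload=None, *, base_url=BRAIN_URL,
                  max_retries=5, transport=_urllib_transport, sleep=time.sleep):
    """Call the API with the x-kaimz-key header; back off exponentially on 429."""
    headers = {"x-kaimz-key": api_key}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode("utf-8")
    for attempt in range(max_retries + 1):
        status, text = transport(method, base_url + path, headers, body)
        if status == 429:
            if attempt == max_retries:
                raise KaimzError(f"rate limited after {max_retries} retries")
            sleep(min(2 ** attempt, 30))  # 1s, 2s, 4s ... capped at 30s
            continue
        if status >= 400:
            raise KaimzError(f"HTTP {status}: {text}")
        return json.loads(text) if text else None

def isolate_asset(asset_id, api_key, mode="full", **kw):
    """POST the isolate action shown in this page's response section."""
    return kaimz_request("POST", f"/v1/response/{asset_id}/action", api_key,
                         {"action": "isolate", "params": {"mode": mode}}, **kw)
```

In production you would also honour a Retry-After header if the brain sends one and add jitter to the sleep so that many clients do not retry in lockstep.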