Commands - VantaPrism API

Export shell command history (bash, zsh, PowerShell) captured from infected machines, filtered by search terms, shell, and/or date range. Use to understand developer activity, cloud CLI usage (aws configure, gcloud auth, etc.), or internal automation that may reveal additional credentials or infrastructure details.

Request

POST /v1/data/commands · Required scope: view:commands (pro and ultra tiers) At least one of terms, shell, start_date, or end_date is required.

Parameter	Type	Required	Default	Description
`terms`	string[]	One of the four required	`[]`	Substrings to match against the recorded command text, e.g. `["aws configure"]`
`shell`	string \| null	See above	—	Shell name filter, e.g. `"bash"`, `"powershell"`, `"zsh"`
`start_date`	string (date-time) \| null	See above	—	Inclusive start filter, clamped by `query_window_days`
`end_date`	string (date-time) \| null	See above	—	Inclusive end filter
`sort_direction`	`asc` \| `desc`	No	`desc`	Must stay constant across pages
`cursor`	string \| null	No	—	Pagination token
`limit`	integer	No	`25`	1–500, clamped to your tier’s `max_rows`

Example request

curl -X POST https://api.vantaprism.me/v1/data/commands \
  -H "api-key: $VANTAPRISM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "shell": "bash", "terms": ["aws configure"], "limit": 25 }'

Response

200 OK — array of CommandRecord, cursor-paginated.

{
  "data": [
    {
      "victim_id": "a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456",
      "shell": "bash",
      "command": "aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE",
      "inserted_at": "2026-05-02T14:22:31Z"
    }
  ],
  "nextCursor": null,
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 21.7,
    "tier": "pro",
    "masked_fields": []
  }
}

Field	Description
`victim_id`	SHA-256 victim ID — use with Victim Profiles
`shell`	e.g. `"bash"`, `"zsh"`, `"powershell"`
`command`	Recorded command text
`inserted_at`	When the record was ingested

Pagination

Cursor-paginated — see Pagination.

Errors

Status	`code`	Cause
400	`VALIDATION_ERROR`	None of `terms`, `shell`, `start_date`, `end_date` provided
400	`INVALID_CURSOR`	Tampered or stale `cursor`
403	`FORBIDDEN_SCOPE`	Key lacks `view:commands` (free tier)

See Errors for the full catalog.

Tier notes

This endpoint requires view:commands, which is not included on the free tier — a free-tier key receives 403 FORBIDDEN_SCOPE. No fields on CommandRecord are masked on pro or ultra tiers.

​Request

​Example request

​Response

​Pagination

​Errors

​Tier notes