Search by IP / CIDR - VantaPrism API

Find infections originating from a specific IP address, or scan a whole subnet — useful for correlating known-bad infrastructure or scoping exposure across a corporate IP range.

Request

POST /v1/search/ip-cidr · Required scope: search:ip (all tiers) Provide ips or cidr — at least one is required.

Parameter	Type	Required	Default	Description
`ips`	string[] (IPv4)	One of `ips`/`cidr` required	`[]`	Exact IPv4 addresses, e.g. `["203.0.113.42"]`
`cidr`	string \| null	One of `ips`/`cidr` required	—	IPv4 CIDR range, e.g. `"203.0.113.0/24"`
`start_date`	string (date-time) \| null	No	—	Inclusive start filter, clamped by `query_window_days`
`end_date`	string (date-time) \| null	No	—	Inclusive end filter
`sort_direction`	`asc` \| `desc`	No	`desc`	Must stay constant across pages
`cursor`	string \| null	No	—	Pagination token
`limit`	integer	No	`25`	1–500, clamped to your tier’s `max_rows`

Example request

curl -X POST https://api.vantaprism.me/v1/search/ip-cidr \
  -H "api-key: $VANTAPRISM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "cidr": "203.0.113.0/24", "limit": 25 }'

Response

200 OK — array of IPExposureResult, cursor-paginated.

{
  "data": [
    {
      "stealer_id": "RL-2026-AC91F3",
      "victim_id": "a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456",
      "ip": "203.0.x.x",
      "country": "US",
      "operating_system": "Windows 11 Pro",
      "computer_name": "DE*************",
      "stealer_family": "RedLine",
      "stealer_version": "1.4",
      "anti_viruses": ["Windows Defender"],
      "infection_date": "2026-05-02T14:22:31Z"
    }
  ],
  "nextCursor": null,
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 27.9,
    "tier": "free",
    "masked_fields": ["ip", "computer_name"]
  }
}

Field	Description
`stealer_id`	`log_victim_id` of the infected machine
`victim_id`	SHA-256 victim ID — use with Victim Profiles
`ip`	Masked via `subnet_mask` on free tier — unless it exactly matches an address you searched for in `ips` (addresses matched only via `cidr` remain masked)
`country`	ISO 3166-1 alpha-2
`operating_system`
`computer_name`	Masked via `partial_identifier` on free tier
`stealer_family`, `stealer_version`	Malware identification
`anti_viruses`	Detected AV products
`infection_date`	When the log was captured

Pagination

Cursor-paginated — see Pagination.

Errors

Status	`code`	Cause
400	`VALIDATION_ERROR`	Neither `ips` nor `cidr` provided, or `ips` contains a non-IPv4 value
400	`INVALID_CURSOR`	Tampered or stale `cursor`
403	`FORBIDDEN_SCOPE`	Key lacks `search:ip`

See Errors for the full catalog.

Tier notes

An exact ips entry is returned unmasked even on free tier; a cidr-only match stays subnet-masked (a.b.x.x). computer_name is masked via partial_identifier on free tier regardless.

​Request

​Example request

​Response

​Pagination

​Errors

​Tier notes