{ "openapi": "3.0.1", "info": { "title": "Attack Surface Intelligence — Certificate Transparency", "description": "Turn Certificate Transparency logs into attack-surface intelligence. Find new subdomains, exposed admin/VPN/DevOps services, brand-abuse look-alikes, and infrastructure drift, each with a risk score, recommended action, and investigation priority. Findings and executive summary included.", "version": "2.6", "x-build-id": "J2a75HamApysn5I8o" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/ryanclinton~crt-sh-search/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-ryanclinton-crt-sh-search", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/ryanclinton~crt-sh-search/runs": { "post": { "operationId": "runs-sync-ryanclinton-crt-sh-search", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/ryanclinton~crt-sh-search/run-sync": { "post": { "operationId": "run-sync-ryanclinton-crt-sh-search", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "domain" ], "properties": { "profile": { "title": "Profile (choose your goal)", "enum": [ "external-attack-surface", "phishing-monitor", "certificate-governance", "recon", "executive-report" ], "type": "string", "description": "One-click job bundle that pre-configures the actor. 'external-attack-surface' (medium+ risk review), 'phishing-monitor' (phishing mode + hunt themes), 'certificate-governance' (expiry/rotation/issuer focus), 'recon' (exposed-services-first, full detail), 'executive-report' (high-risk hosts + findings + board summary). Leave blank to configure manually. Explicit settings below always override the profile." }, "domain": { "title": "Domain", "type": "string", "description": "Domain to search for certificates (e.g., 'example.com'). Use '%.example.com' for manual wildcard subdomain search, or '%brand%' to hunt look-alike phishing domains.", "default": "crt.sh" }, "domains": { "title": "Domains (portfolio mode)", "maxItems": 25, "type": "array", "description": "Optional. Scan several domains in one run and get an organization-wide attack-surface rollup. Overrides the single Domain field when set. Capped at 25 domains; each domain is scanned independently (one bad domain won't sink the run).", "items": { "type": "string" } }, "includeExpired": { "title": "Include Expired Certificates", "type": "boolean", "description": "Include certificates that have already expired.", "default": true }, "includeSubdomains": { "title": "Include Subdomains", "type": "boolean", "description": "Automatically prepend % wildcard to search for all subdomains of the domain. Disable for faster, more reliable queries on large domains.", "default": false }, "deduplicateSubdomains": { "title": "Deduplicate Subdomains", "type": "boolean", "description": "When enabled, returns unique subdomains with first/last seen dates and per-subdomain risk scoring. When disabled, returns individual scored certificate records.", "default": true }, "maxResults": { "title": "Max Results", "minimum": 1, "maximum": 5000, "type": "integer", "description": "Maximum number of results to return per domain.", "default": 100 }, "analysisMode": { "title": "Analysis Mode", "enum": [ "attack-surface", "recon", "phishing", "certificate-audit", "compliance" ], "type": "string", "description": "Re-prioritizes the same CT data for a security persona. 'attack-surface' (default, balanced); 'recon' (boosts admin/VPN/internal tooling exposure); 'phishing' (boosts suspicion + brand-abuse signals); 'certificate-audit' (boosts expiry + rotation + issuer changes); 'compliance' (boosts expired certs, issuer changes, wildcards).", "default": "attack-surface" }, "brandName": { "title": "Brand Name (phishing / typosquat detection)", "type": "string", "description": "Optional. A brand term (e.g. 'examplebank'). Each hostname is scored for brand-abuse risk — look-alike hostnames that contain your brand on a DIFFERENT registrable domain (e.g. examplebank-login.com) are flagged. Pair with a '%brand%' query to hunt phishing domains across CT logs." }, "huntMode": { "title": "Threat-Hunting Mode", "type": "boolean", "description": "When enabled, every hostname is tagged with a phishing huntTheme (credential / payment / identity / remote-access) and themed findings are emitted — for hunting brand-abuse and phishing infrastructure across a broad '%brand%' query without knowing CT querying.", "default": false }, "watchlistName": { "title": "Watchlist Name", "type": "string", "description": "Optional. Name a watchlist to persist state across runs. On the next scheduled run, every hostname is flagged with a changeType (new-host / suspicious-new-host / issuer-changed / certificate-rotation / wildcard-added / wildcard-removed / exposure-increased / unchanged), plus run-level trend records. First run flags everything as new-host; drift becomes meaningful from run 2 onward. Leave blank for a stateless one-off scan." }, "minRiskLevel": { "title": "Minimum Risk Level", "enum": [ "minimal", "low", "medium", "high", "critical" ], "type": "string", "description": "Drop records below this risk level from the output (and from billing). Use 'medium' or 'high' to surface only the subdomains worth investigating on large domains.", "default": "minimal" }, "outputProfile": { "title": "Output Profile", "enum": [ "minimal", "standard", "full" ], "type": "string", "description": "Field verbosity per record. 'minimal' returns only the decision essentials (host, risk, recommended action, changeType, brandAbuseRisk); 'standard' (default) omits the boolean suspicion-signal breakdown; 'full' returns everything.", "default": "standard" } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } }