API Documentation
(Early Alpha) API Endpoints
The Cursed Tools API provides a way for you to integrate the platform's capabilities with your cybersecurity investigation environment and tooling. All registered users automatically receive an API token and encryption key that they can use to access the data behind the UI in a programmatic way.
The API WILL change. Right now we want to focus on getting it out to you so you can provide feedback on where you struggle with it, what would ease the burden on you, and how you can make better use of it. Consider it as an early Alpha version meant for exploratory access and feedback.
Base URL
https://api.cursed.tools/
Security & Encryption
Automatic Encryption for All Users When the Master Encryption Key Is Provided
- All authenticated users receive automatic encryption by default
- Immediate server-side encryption: Files are encrypted instantly upon upload
- In-memory only operations: Files are never stored unencrypted on disk
- Secure transmission: All uploads occur over TLS-encrypted connections
- Per-file encryption keys: Each file receives its own unique encryption key
- Per-user key derivation: Your master key is derived from your authentication credentials and we have NO access to it at all
Sharing and Privacy
- Private by default: All files and analysis jobs are private to your account, with or without the encryption key being provided. IMPORTANT - File and Job visibility is not modifiable through the API endpoint by design, to reduce the chance of mishaps. If you want to share your findings externally it must be done through the UI.
- Optional sharing: You may choose to make investigations public through the web UI
- Security risk warning: Public investigations can be accessed by unauthorized third parties if the link is shared
- User responsibility: Consider the sensitivity of your data before making investigations public and protect your API keys and credentials
Getting Started
Prerequisites
- Authentication - Set up your API credentials
- File Upload - Learn how to securely upload investigation files
Core Workflow
- Authenticate using your API token
- Upload files for analysis
- Start analysis jobs (EVTX parsing, Sigma rules, etc.). IMPORTANT - When no encryption key is provided the workload will still be private to you, but it won't be encrypted.
- Monitor job status until completion
- Retrieve results using your credentials (master encryption key is required for encrypted workloads)
API Endpoints
File Management
- List Files - Get your uploaded files
- Delete Files - Remove files from your account
Windows Event Log Analysis
- Parse EVTX Files - Analyze Windows Event Logs
- Search EVTX Results - Query and filter analysis results
Sigma Rule Processing
- Test Sigma Rules on Data - Test rules against log data
- Run Sigma Rules on Files - Execute rules on uploaded files
- Get Sigma Rules - Retrieve community rule sets
Job Management
- Get Job Status - Check analysis progress and retrieve results
- List Jobs - View your analysis history
- Delete Jobs - Remove completed analysis
Lookup Services
- Event ID Lookup - Search Windows Event ID database
- File Name Lookup - Analyze suspicious file names
Security Best Practices
API Token Management
- Store securely: Never commit tokens to version control
- Rotate regularly: Generate new tokens periodically
- Monitor usage: Track API call quota consumption through the web UI dashboard
Data Handling
- Verify file sources: Ensure you have rights to upload and analyze files
- Review sharing settings: Carefully consider making investigations public
- Comply with regulations: Follow GDPR, CCPA, and other applicable laws
Support and Resources
Getting Help
- API Documentation: Comprehensive guides for each endpoint
- Support Email: [email protected] (include "API Support" in subject)
Rate Limits and Quotas
- Monitor usage: Track your quota consumption in the dashboard
- Upgrade plans: Increase limits with paid subscriptions OR remove limitations with our business plans by contacting us at [email protected]
- Efficient usage: Batch operations when possible to conserve quota
Endpoint Reference (Quick View)
Category | Method | Path | Auth Required | Description |
---|---|---|---|---|
File Upload | POST | /upload | No | Upload files for encrypted analysis |
File Management | GET | /file/list | Yes | List your uploaded files |
File Management | POST | /file/delete | Yes | Delete files from your account |
Job Management | GET | /job/list | Yes | List your analysis jobs |
Job Management | GET | /job/{id} | Optional* | Get job status & results |
Job Management | POST | /job/delete | Yes | Delete analysis jobs |
Windows Event Logs | POST | /winevtx/parse | No** | Parse EVTX files |
Windows Event Logs | POST | /winevtx/search | No** | Search EVTX results |
Lookup Services | POST | /lookup | No** | Event-ID, file-name, and IOC lookup |
Sigma Rules | POST | /sigma/file | No** | Run Sigma rules on files |
Sigma Rules | POST | /sigma/data | No** | Run Sigma rules on data blobs |
Sigma Rules | POST | /sigma/rules | No** | Retrieve Sigma rule sets |
*Public jobs do not require authentication IF they were explicitly shared. Otherwise, authentication is required.
**Providing authentication credentials ensures that the operations you perform are locked down to your user account and your data.
Usage Pattern
All requests must include X-Cursed-Api-Token. Endpoints that operate on workloads and data that have been encrypted also require X-Cursed-Api-Enc-Key. The following headers are implicit in every example:
```text
X-Cursed-Api-Token: your-api-token
X-Cursed-Api-Enc-Key: your-encryption-key # Only when accessing encrypted content
Content-Type: application/json # Unless otherwise noted (e.g. multipart/form-data)
```
Language Cheat-Sheet
Below is a minimal cheat-sheet showing how to make GET and POST requests using cURL. Replace the URL and payload as needed. You can easily find equivalent ways to make the same requests programmatically in other languages via online tutorials or AI LLMs.
cURL
```bash
# GET
curl -X GET "https://api.cursed.tools/analysis/URL" \
  -H "X-Cursed-Api-Token: $API_TOKEN" \
  -H "X-Cursed-Api-Enc-Key: $API_ENC_KEY"

# POST
curl -X POST "https://api.cursed.tools/analysis/URL" \
  -H "X-Cursed-Api-Token: $API_TOKEN" \
  -H "X-Cursed-Api-Enc-Key: $API_ENC_KEY" \
  -H "Content-Type: application/json" \
  -d '{"key":"value"}'
```
Bash (wget)
```bash
wget --header="X-Cursed-Api-Token: $API_TOKEN" \
  --header="X-Cursed-Api-Enc-Key: $API_ENC_KEY" \
  --header="Content-Type: application/json" \
  --post-data='{ "key":"value" }' \
  https://api.cursed.tools/analysis/URL -O response.json
```
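The cheat-sheet commands expand the token and encryption key into curl's argument list, where other local users can read them from the process list. The following is an added example, not part of the Cursed Tools documentation: it passes the same headers to curl as a config file on stdin and attaches the encryption key only when asked. The helper names `cursed_config` and `cursed_request` are hypothetical; `API_TOKEN` and `API_ENC_KEY` are the variables used above.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names). Secrets travel to curl on stdin
# as a config file, so they never appear in curl's argument list.

CURSED_BASE="https://api.cursed.tools"

# cursed_config METHOD PATH [enc]
# Prints a curl config for one request. Pass "enc" as the third argument only
# for endpoints that read encrypted content, so the key is not sent elsewhere.
cursed_config() (
  method="$1"; path="$2"; want_enc="${3:-noenc}"
  nl='
'
  [ -n "${API_TOKEN:-}" ] || { echo "API_TOKEN is not set" >&2; exit 1; }
  case "$method" in GET|POST) ;; *) echo "unsupported method" >&2; exit 1 ;; esac
  case "$path" in /*) ;; *) echo "path must start with /" >&2; exit 1 ;; esac
  if [ "$want_enc" = "enc" ] && [ -z "${API_ENC_KEY:-}" ]; then
    echo "API_ENC_KEY is not set" >&2; exit 1
  fi
  # Refuse values that could break out of a quoted config string.
  case "${API_TOKEN}${API_ENC_KEY:-}${path}" in
    *'"'*|*'\'*|*"$nl"*) echo "unsafe character in input" >&2; exit 1 ;;
  esac
  printf 'url = "%s%s"\n' "$CURSED_BASE" "$path"
  printf 'request = "%s"\n' "$method"
  printf 'proto = "=https"\n'          # never downgrade to plain HTTP
  printf 'fail\nsilent\nshow-error\n'  # HTTP 4xx/5xx give a non-zero exit
  printf 'header = "X-Cursed-Api-Token: %s"\n' "$API_TOKEN"
  if [ "$want_enc" = "enc" ]; then
    printf 'header = "X-Cursed-Api-Enc-Key: %s"\n' "$API_ENC_KEY"
  fi
)

# cursed_request METHOD PATH enc|noenc [extra curl arguments...]
# e.g. cursed_request GET /job/list noenc
cursed_request() (
  cfg="$(cursed_config "$1" "$2" "$3")" || exit 1
  shift 3
  # printf is a shell builtin, so the config is piped without a child argv.
  printf '%s\n' "$cfg" | curl --config - "$@"
)
```

Non-secret request bodies can still be passed as extra arguments, for example `-H "Content-Type: application/json" -d '{"key":"value"}'`.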
For complete schemas, edge-cases, advanced options, and more extensive support, visit each dedicated endpoint page linked above. We are continuously adding depth—check the changelog for updates.
The Cursed Tools API is designed to provide secure, encrypted access to powerful cybersecurity investigation capabilities while maintaining the highest standards of data protection and user privacy.
About Cursed Tools
A cybersecurity investigation platform built to address the pain of "cursed" tooling and provide modern, secure, and fast analysis capabilities for security professionals, tech users and AI agents.