post https://api.picussecurity.com/v1/threat-library/threats
Creates custom threats with given arguments
About
Create Threat endpoint creates a custom threat with specified objectives and actions. You can create a threat by giving it a name, defining objectives with action sequences, and setting result conditions.
- At least one objective with actions must be provided
- result_condition defines the overall threat-success criteria
- Actions within objectives are executed based on their defined conditions
Action IDs: You can get available action IDs from the Action Details endpoint to browse and filter actions.
After creation of the threat, you can use threat id and summary response for further usage.
Example for Basic Threat Creation
Create a simple threat with a single objective containing two actions.
curl --location 'https://api.picussecurity.com/v1/threat-library/threats' \
--header 'Authorization: Bearer access_token' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "Apidoc-Example-Threat",
"result_condition": "OBJ1",
"objectives": [
{
"name": "Collection",
"result_condition": "A1 AND A2",
"action_ids": [
33042,
33041
]
}
]
}'
{
"threat": {
"id": 110668,
"display_id": 183671,
"created_at": "2025-06-24T07:19:23.72964766Z",
"name": "Apidoc-Example-Threat",
"severity": "Medium",
"tags": [
"Custom"
],
"affected_os": [
"Windows"
],
"description": ""
}
}
Fields
| Field Name | Required | Type | Constraints | Default Value | Options/Examples | Description |
|---|---|---|---|---|---|---|
| name | ✅ Yes | String | Max 255 characters | - | - | The name of the custom threat |
| result_condition | ✅ Yes | String | - | - | "OBJ1", "OBJ1 AND OBJ2", "(OBJ1 OR OBJ2) AND OBJ3" | Defines the overall success criteria for the threat using boolean logic |
| objectives | ✅ Yes | Array | Min: 1, Max: 100 items | - | See objective sub-fields below | Contains the attack objectives with their associated actions |
| objectives.name | ✅ Yes | String | - | - | "Collection", "A1" | Identifier for the objective |
| objectives.action_ids | ✅ Yes | Array | Min: 1, Max: 100 items | - | - | Array of action IDs to execute |
| objectives.result_condition | ✅ Yes | String | - | - | "A1 AND A2" | Boolean logic for objective success |
| description | ❌ No | String | Max 2500 characters | - | - | Detailed explanation of the threat |
| severity | ❌ No | String | Must be one of the options | "Medium" | "High" (Critical threats), "Medium" (Moderate threats), "Low" (Minor threats) | Risk level of the threat |
| affected_operating_systems | ❌ No | Array | Max 10 items | ["Windows"] | "Windows" (Microsoft Windows), "Linux" (Linux-based), "macOS" (Apple macOS) | Operating systems affected by the threat |
| tags | ❌ No | Array | Max 50 items | - | ["APT 10", "Defense Evasion", "Credential Access"] | Custom tags for categorization (automatically includes "Custom" tag) |
| threat_actor_id | ❌ No | Integer | Max value: 10000 | - | 0 (for unknown) | Associates the threat with a known threat actor |
| from_campaign | ❌ No | Integer | - | - | - | Creates threat based on existing campaign template |