About

Create Threat endpoint creates a custom threat with specified objectives and actions. You can create a threat by giving it a name, defining objectives with action sequences, and setting result conditions.

At least one objective with actions must be provided
result_condition defines the overall threat-success criteria
Actions within objectives are executed based on their defined conditions

Action IDs: You can get available action IDs from the Action Details endpoint to browse and filter actions.

After creation of the threat, you can use threat id and summary response for further usage.

Example for Basic Threat Creation

Create a simple threat with a single objective containing two actions.

curl --location 'https://api.picussecurity.com/v1/threat-library/threats' \
--header 'Authorization: Bearer access_token' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "Apidoc-Example-Threat",
    "result_condition": "OBJ1",
    "objectives": [
        {
            "name": "Collection",
            "result_condition": "A1 AND A2",
            "action_ids": [
                33042,
                33041
            ]
        }
    ]
}'

{
    "threat": {
        "id": 110668,
        "display_id": 183671,
        "created_at": "2025-06-24T07:19:23.72964766Z",
        "name": "Apidoc-Example-Threat",
        "severity": "Medium",
        "tags": [
            "Custom"
        ],
        "affected_os": [
            "Windows"
        ],
        "description": ""
    }
}

Fields

Field Name	Required	Type	Constraints	Default Value	Options/Examples	Description
name	✅ Yes	String	Max 255 characters	-	-	The name of the custom threat
result_condition	✅ Yes	String	-	-	`"OBJ1"` , `"OBJ1 AND OBJ2"` , `"(OBJ1 OR OBJ2) AND OBJ3"`	Defines the overall success criteria for the threat using boolean logic
objectives	✅ Yes	Array	Min: 1, Max: 100 items	-	See objective sub-fields below	Contains the attack objectives with their associated actions
objectives.name	✅ Yes	String	-	-	`"Collection"` , `"A1"`	Identifier for the objective
objectives.action_ids	✅ Yes	Array	Min: 1, Max: 100 items	-	-	Array of action IDs to execute
objectives.result_condition	✅ Yes	String	-	-	`"A1 AND A2"`	Boolean logic for objective success
description	❌ No	String	Max 2500 characters	-	-	Detailed explanation of the threat
severity	❌ No	String	Must be one of the options	"Medium"	`"High"` (Critical threats), `"Medium"` (Moderate threats), `"Low"` (Minor threats)	Risk level of the threat
affected_operating_systems	❌ No	Array	Max 10 items	["Windows"]	`"Windows"` (Microsoft Windows), `"Linux"` (Linux-based), `"macOS"` (Apple macOS)	Operating systems affected by the threat
tags	❌ No	Array	Max 50 items	-	`["APT 10", "Defense Evasion", "Credential Access"]`	Custom tags for categorization (automatically includes "Custom" tag)
threat_actor_id	❌ No	Integer	Max value: 10000	-	`0` (for unknown)	Associates the threat with a known threat actor
from_campaign	❌ No	Integer	-	-	-	Creates threat based on existing campaign template