ThreatExchange UI Overview

Finding the UI

Visit and select your app:

Then find the ThreatExchange product within the navbar on the left:

Adding team members

  • Please visit and select your app
  • Select Roles -> Roles
  • Please add teammates as either Administrators or Developers
  • Please do not add teammates as Test Users or Analytics Users -- these do not have meaning for ThreatExchange apps
  • If your organization has a ThreatExchange app ID but the only administrators/developers have since left your organization, please contact us at so that we can reset an admin to be a current employee of your organization -- at which point you'll be able to self-service add everyone else in your organization.

Searching Data Using the UI

A variety of search options is supported -- here we'll focus on the power-search option. (As of January 2020 multi-page search results are still in development.)

Here we search for all malicious URLs uploaded in the last week:

Publishing Data Using the UI

Please see the Submitting Data page for several examples.



  • The ThreatExchange user interface is in general beta as of October 2019.
  • The UI is fully up and running for privacy-group and tag editing.
  • Descriptors can be created and edited singly; they can be uploaded from CSV or JSON, and downloaded to CSV or JSON.
  • Non-paginated query results are available: you can access at most 1000 descriptors from any given query.
  • Bulk edit of descriptors (e.g. apply a given tag to all on-screen results)
  • Complex queries for descriptors ("power search")
  • Support for reactions (see also Reacting to Existing Data)
  • Support for creating/editing related-to/connections for descriptors

For bulk download we recommend using the python package cli or consulting the API reference::

To be implemented (present in the API, not yet present in the UI):

  • Improved user experience for complex descriptor queries
  • Full paginated results for queries matching large numbers of descriptors
  • Descriptor deletion
  • Ability to query for all descriptors which have reactions on them
  • Support for non-descriptor malware types


Please contact with any and all feedback on how we can better enable your success in using ThreatExchange!

Alternatively, feel free to use the bugnub to report issues:


What do people do with ThreatExchange? Lots of things. Here we focus on the most basic subset:

  • People at various organizations want to share information about threats -- malware signatures, malicious URLs, and so on.
  • A threat indicator is the objective part -- a file hash, a URL, and so on -- along with a type (MD5, SHA1, URL, etc.).
  • A threat descriptor contains an indicator as well as the subjective parts -- how malicious a team thinks it is; when they first saw it; and so on.
  • Whereas Facebook privacy revolves around user IDs, ThreatExchange revolves around app IDs. For example, app ID 1064060413755420 is Media Hash Sharing Test. These are generally of the form Team T at company C.
  • When people share threat data, they can specify who they want to see each datum -- this is visibility or privacy type.
    • Visible/public means all ThreatExchange members can see it
    • Or for each datum they can make an app-whitelist of specific teams at specific companies.
    • Or for each datum they can specify a privacy-group which is simply a predefined list of app IDs.
  • People can tag their descriptors. These are tags in any other tool -- except that ThreatExchange tags have their own metadata including the subjective parts that descriptors have, and they also have their own visiblity (public/app-whitelist/privacy-group).
  • There's more about threat descriptors (review status and others), and other types of data shareable on ThreatExchange (malware analyses, malware families, and others) -- but for this little walkthrough we've just stuck to indicators, descriptors, visibility, and tags.

Please continue on to the UI Reference to learn more.