wrhalpin · wrhalpin · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
diff --git a/gnat/connectors/armis/client.py b/gnat/connectors/armis/client.py
@@ -68,6 +68,10 @@ class ArmisClient(BaseClient, ConnectorMixin):
         Armis API secret key.
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "report": "devices",
         "vulnerability": "cves",

diff --git a/gnat/connectors/aws_security/client.py b/gnat/connectors/aws_security/client.py
@@ -121,6 +121,10 @@ class AWSSecurityClient(BaseClient, ConnectorMixin):
         Override for GuardDuty base URL. Defaults to same region.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "indicator": "guardduty/findings",
         "vulnerability": "securityhub/findings",

diff --git a/gnat/connectors/axonius/client.py b/gnat/connectors/axonius/client.py
@@ -72,6 +72,10 @@ class AxoniusClient(BaseClient, ConnectorMixin):
         Axonius API secret.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v2"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "report": "assets",
         "vulnerability": "vulnerabilities",

diff --git a/gnat/connectors/bitsight/client.py b/gnat/connectors/bitsight/client.py
@@ -71,6 +71,10 @@ class BitSightClient(BaseClient, ConnectorMixin):
         BitSight API token.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "vulnerability": "findings",
         "report": "companies",

diff --git a/gnat/connectors/carbon_black/client.py b/gnat/connectors/carbon_black/client.py
@@ -87,6 +87,10 @@ class CarbonBlackClient(BaseClient, ConnectorMixin):
         Connector/API ID that accompanies the ``api_key``.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v6"
+    API_PREFIX: str = "/appservices"
+
     stix_type_map: dict[str, str] = {
         "indicator": "alerts",
         "malware": "processes",

diff --git a/gnat/connectors/censys/client.py b/gnat/connectors/censys/client.py
@@ -67,6 +67,10 @@ class CensysClient(BaseClient, ConnectorMixin):
         Censys API secret.
     """
 
+    TRUST_LEVEL: str = "untrusted_external"
+    API_VERSION: str = "v2"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "observed-data": "hosts",
         "vulnerability": "hosts",

diff --git a/gnat/connectors/chatgpt/client.py b/gnat/connectors/chatgpt/client.py
@@ -68,6 +68,10 @@ class ChatGPTClient(BaseClient, ConnectorMixin):
         OpenAI API key.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "report": "chat",
     }

diff --git a/gnat/connectors/cisco_umbrella/client.py b/gnat/connectors/cisco_umbrella/client.py
@@ -125,6 +125,10 @@ class CiscoUmbrellaClient(BaseClient, ConnectorMixin):
         Default: ``"white"``.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "indicator": "domain",
         "course-of-action": "allow_list",

diff --git a/gnat/connectors/claroty/client.py b/gnat/connectors/claroty/client.py
@@ -75,6 +75,10 @@ class ClarotyClient(BaseClient, ConnectorMixin):
         Fallback password for legacy auth.
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "report": "assets",
         "observed-data": "alerts",

diff --git a/gnat/connectors/cloudsek/client.py b/gnat/connectors/cloudsek/client.py
@@ -43,6 +43,10 @@ class CloudSEKClient(BaseClient, ConnectorMixin):
         CloudSEK organisation ID for multi-tenant deployments.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = "/xvigil"
+
     stix_type_map: dict[str, str] = {
         "indicator": "indicators",
         "observed-data": "alerts",

diff --git a/gnat/connectors/controlup/client.py b/gnat/connectors/controlup/client.py
@@ -60,6 +60,10 @@ class ControlUpClient(BaseClient, ConnectorMixin):
         Determines the URL prefix used for all requests.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = "/dex"
+
     stix_type_map: dict[str, str] = {
         "infrastructure": "devices",
         "observed-data": "sessions",

diff --git a/gnat/connectors/copilot/client.py b/gnat/connectors/copilot/client.py
@@ -69,6 +69,10 @@ class CopilotClient(BaseClient, ConnectorMixin):
         Azure AD token for Microsoft Copilot.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {"report": "chat"}
 
     def __init__(

diff --git a/gnat/connectors/cortex_xdr/client.py b/gnat/connectors/cortex_xdr/client.py
@@ -102,6 +102,10 @@ class CortexXDRClient(BaseClient, ConnectorMixin):
         API key string.
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = "/public_api"
+
     stix_type_map: dict[str, str] = {
         "indicator": "alerts",
         "malware": "incidents",

diff --git a/gnat/connectors/cortex_xpanse/client.py b/gnat/connectors/cortex_xpanse/client.py
@@ -71,6 +71,10 @@ class CortexXpanseClient(BaseClient, ConnectorMixin):
         Xpanse API Key ID.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v2"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "vulnerability": "exposures",
         "report": "assets",

diff --git a/gnat/connectors/cribl/client.py b/gnat/connectors/cribl/client.py
@@ -70,6 +70,10 @@ class CriblClient(BaseClient, ConnectorMixin):
         :class:`~gnat.clients.base.BaseClient`.
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "course-of-action": "pipelines",
         "observed-data": "searches",

diff --git a/gnat/connectors/cyble_vision/client.py b/gnat/connectors/cyble_vision/client.py
@@ -69,6 +69,10 @@ class CybleVisionClient(BaseClient, ConnectorMixin):
         Cyble Vision access token.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v4"
+    API_PREFIX: str = "/engine/api"
+
     stix_type_map: dict[str, str] = {
         "indicator": "iocs",
         "report": "alerts",

diff --git a/gnat/connectors/cycognito/client.py b/gnat/connectors/cycognito/client.py
@@ -69,6 +69,10 @@ class CyCognitoClient(BaseClient, ConnectorMixin):
         CyCognito API key.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "vulnerability": "issues",
         "report": "assets",

diff --git a/gnat/connectors/darktrace/client.py b/gnat/connectors/darktrace/client.py
@@ -99,6 +99,10 @@ class DarktraceClient(BaseClient, ConnectorMixin):
         Darktrace API private key (used for HMAC signing).
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "observed-data": "modelbreaches",
         "threat-actor": "devices",

diff --git a/gnat/connectors/datadog/client.py b/gnat/connectors/datadog/client.py
@@ -85,6 +85,10 @@ class DatadogClient(BaseClient, ConnectorMixin):
         Datadog application key.
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v2"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "indicator": "security_monitoring/signals",
         "vulnerability": "posture_management/findings",

diff --git a/gnat/connectors/defectdojo/client.py b/gnat/connectors/defectdojo/client.py
@@ -69,6 +69,10 @@ class DefectDojoClient(BaseClient, ConnectorMixin):
         DefectDojo API token.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v2"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "vulnerability": "findings",
         "report": "engagements",

diff --git a/gnat/connectors/defenderti/client.py b/gnat/connectors/defenderti/client.py
@@ -58,6 +58,10 @@ class DefenderTIClient(BaseClient, ConnectorMixin):
         Service principal client secret.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1.0"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "indicator": "tiIndicators",
         "threat-actor": "tiIndicators",

diff --git a/gnat/connectors/dragos/client.py b/gnat/connectors/dragos/client.py
@@ -82,6 +82,10 @@ class DragosClient(BaseClient, ConnectorMixin):
         Dragos API secret.
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "threat-actor": "activity-groups",
         "indicator": "indicators",

diff --git a/gnat/connectors/extrahop/client.py b/gnat/connectors/extrahop/client.py
@@ -73,6 +73,10 @@ class ExtraHopClient(BaseClient, ConnectorMixin):
         OAuth2 client secret (for Reveal(x) 360 cloud only).
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "observed-data": "detections",
         "network-traffic": "records",

diff --git a/gnat/connectors/flare/client.py b/gnat/connectors/flare/client.py
@@ -46,6 +46,10 @@ class FlareClient(BaseClient, ConnectorMixin):
         Flare tenant ID for multi-tenant deployments.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v2"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "indicator": "leaks",
         "observed-data": "events",

diff --git a/gnat/connectors/flashpoint/client.py b/gnat/connectors/flashpoint/client.py
@@ -71,6 +71,10 @@ class FlashpointClient(BaseClient, ConnectorMixin):
         Flashpoint API token.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "indicator": "iocs",
         "report": "alerts",

diff --git a/gnat/connectors/fortiedr/client.py b/gnat/connectors/fortiedr/client.py
@@ -72,6 +72,10 @@ class FortiEDRClient(BaseClient, ConnectorMixin):
         Password for Basic Auth.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = "/rest"
+
     stix_type_map: dict[str, str] = {
         "observed-data": "event",
         "incident": "incident",

diff --git a/gnat/connectors/fortisiem/client.py b/gnat/connectors/fortisiem/client.py
@@ -71,6 +71,10 @@ class FortiSIEMClient(BaseClient, ConnectorMixin):
         Password for Basic Auth.
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = "/phoenix/rest"
+
     stix_type_map: dict[str, str] = {
         "incident": "incident",
         "observed-data": "event",

diff --git a/gnat/connectors/fortisoar/client.py b/gnat/connectors/fortisoar/client.py
@@ -68,6 +68,10 @@ class FortiSOARClient(BaseClient, ConnectorMixin):
         Password for authentication.
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v3"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "incident": "incidents",
         "observed-data": "alerts",

diff --git a/gnat/connectors/gemini/client.py b/gnat/connectors/gemini/client.py
@@ -21,6 +21,10 @@ class GeminiClient(BaseClient, ConnectorMixin):
     GNAT Connector for Google Gemini with search-to-STIX capabilities.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1beta"
+    API_PREFIX: str = ""
+
     stix_type_map = {
         "report": "generate_content",
     }

diff --git a/gnat/connectors/google_chronicle/client.py b/gnat/connectors/google_chronicle/client.py
@@ -76,6 +76,10 @@ class GoogleChronicleClient(BaseClient, ConnectorMixin):
         Google Cloud project ID (auto-detected from key if possible).
     """
 
+    TRUST_LEVEL: str = "trusted_internal"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "observed-data": "udm_events",
         "indicator": "detections",

diff --git a/gnat/connectors/greenbone/client.py b/gnat/connectors/greenbone/client.py
@@ -66,6 +66,10 @@ class GreenboneClient(BaseClient, ConnectorMixin):
         GVM password.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "vulnerability": "results",
         "report": "reports",

diff --git a/gnat/connectors/greymatter/client.py b/gnat/connectors/greymatter/client.py
@@ -79,6 +79,10 @@ class GreyMatterClient(BaseClient, ConnectorMixin):
         Verify TLS.  Default ``True``.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "indicator":      "observables",
         "threat-actor":   "threat-actors",

diff --git a/gnat/connectors/greynoise/client.py b/gnat/connectors/greynoise/client.py
@@ -70,6 +70,10 @@ class GreyNoiseClient(BaseClient, ConnectorMixin):
         GreyNoise API key (Community or Enterprise).
     """
 
+    TRUST_LEVEL: str = "untrusted_external"
+    API_VERSION: str = "v3"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "observed-data": "ip",
         "indicator": "ip",

diff --git a/gnat/connectors/grok/client.py b/gnat/connectors/grok/client.py
@@ -62,6 +62,10 @@ class GrokClient(BaseClient, ConnectorMixin):
         xAI API key.
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v1"
+    API_PREFIX: str = ""
+
     stix_type_map: dict[str, str] = {
         "report": "chat",  # chat completions mapped to STIX reports
     }

diff --git a/gnat/connectors/group_ib/client.py b/gnat/connectors/group_ib/client.py
@@ -71,6 +71,10 @@ class GroupIBClient(BaseClient, ConnectorMixin):
         Group-IB API token (used as password).
     """
 
+    TRUST_LEVEL: str = "semi_trusted"
+    API_VERSION: str = "v2"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "indicator": "collections",
         "report": "collections",

diff --git a/gnat/connectors/hibp/client.py b/gnat/connectors/hibp/client.py
@@ -79,6 +79,10 @@ class HIBPClient(BaseClient, ConnectorMixin):
         HIBP API key from haveibeenpwned.com/API/Key.
     """
 
+    TRUST_LEVEL: str = "untrusted_external"
+    API_VERSION: str = "v3"
+    API_PREFIX: str = "/api"
+
     stix_type_map: dict[str, str] = {
         "vulnerability": "breaches",
         "identity": "pasteaccount",