Bulk-update AKRs.

PATCH

/v1/risks/akr

• Production
• Staging
• Local

Request Body ^required

PATCH /risks

object

One of:

object

PATCH /risks/:id

object

assigned_to

string | null format: uuid

closed_date

string | null format: date-time

control_statement

string | null

description

string | null

discovered_date

string | null format: date-time

expected_date

string | null format: date-time

impact

One of:

null

null

string

string

Allowed values: Very Low Low Medium High Severe

impact_reasoning

string | null

initially_reported_urgency

One of:

null

null

string

string

Allowed values: Critical High Medium Low Info

likelihood

One of:

null

null

string

string

Allowed values: Remote Unlikely Possible Probable Imminent

likelihood_reasoning

string | null

remediation_task

string | null

source

string | null

status

One of:

null

null

string

The status of a risk

string

Allowed values: New Urgency Proposed Remediation Closure Proposed Closed

tags

array | null

threat_objectives

array | null

A relational struct that has a threat objective type and its relevancy to a risk.

PartialEq, Eq, and Hash are implemented manually to exclude created_date, which is metadata about when the relation was mutated — not part of the identity.

object

created_date

The time that this relation was mutated

string | null format: date-time

relevance

One of:

null

null

string

The relevancy of the threat objective to the risk. Typically a value of 1, or 2. While the relevancy is null the the database, implementations of retrieving this from postgres should ignore null values.

string

Allowed values: Moderate Substantial

threat_objective

required

The threat objective type

string

Allowed values: Sabotage Data Disclosure Extortion Customer Targeting Resource Hijacking Fraud

title

string | null

type

One of:

null

null

string

string

Allowed values: Code Configuration Control Deficiency Policy Procedural Vulnerability Third-party

ids

Array<string>

default:

tag_operation

One of:

null

null

string

string

Allowed values: no-change add replace find-remove remove-all

Responses

200

AKRs updated successfully

Paginated response for the AKR register.

object

key_risks

Array<object>

default:

Register row for Adversarial Key Risks (AKRs). A KeyRisk plus the relational data shown on the AKR register: threat objectives, incident associations, and comment count. AKRs cannot be tagged.

object

comments

required

integer format: int64

incident_associations

required

Array<string>

Example

INC-00001

key_risk

required

The core view of an Adversarial Key Risk (AKR).

Relational data — threat objectives, comments, and incident associations — is exposed on KeyRiskRegisterEntry, not here.

object

assigned_to

One of:

null

null

object

A User as returned by the API.

Profile images are not embedded — clients fetch them from GET /api/v1/{icon} when icon is Some.

object

email

required

string

first_name

required

string

icon

Relative path to the user’s avatar endpoint, e.g. "users/{id}/avatar?v={hash}". None when the user has no avatar.

string | null

id

required

string format: uuid

last_name

required

string

closed_date

string | null format: date-time

control_statement

string | null

created_date

required

string format: date-time

description

required

string

discovered_date

required

string format: date-time

due_date

string | null format: date-time

expected_date

string | null format: date-time

id

required

string

Example

AKR-00001

impact

One of:

null

null

string

string

Allowed values: Very Low Low Medium High Severe

likelihood

One of:

null

null

string

string

Allowed values: Remote Unlikely Possible Probable Imminent

remediation_task

string | null

status

required

The status of a risk

string

Allowed values: New Urgency Proposed Remediation Closure Proposed Closed

title

required

string

type

required

string

Allowed values: Code Configuration Control Deficiency Policy Procedural Vulnerability Third-party

updated_date

required

string format: date-time

urgency

One of:

null

null

string

Derived from likelihood and impact. Null when either is missing.

string

Allowed values: Info Low Medium High Critical

threat_objectives

required

Array<object>

A relational struct that has a threat objective type and its relevancy to a risk.

PartialEq, Eq, and Hash are implemented manually to exclude created_date, which is metadata about when the relation was mutated — not part of the identity.

object

created_date

The time that this relation was mutated

string | null format: date-time

relevance

One of:

null

null

string

The relevancy of the threat objective to the risk. Typically a value of 1, or 2. While the relevancy is null the the database, implementations of retrieving this from postgres should ignore null values.

string

Allowed values: Moderate Substantial

threat_objective

required

The threat objective type

string

Allowed values: Sabotage Data Disclosure Extortion Customer Targeting Resource Hijacking Fraud

total

integer

0

400

Validation failed (e.g. empty ids, unknown source, inactive assignee, tags rejected)