The database grows by 1,000 to 1,500 rules every year. A subscription includes the curation of old rules. We change and improve around 500 old rules every year.
Our team curates YARA rules in 8 different categories: APT, Hack Tools, Malware, Web Shells, Exploits, Threat Hunting, Anomalies and Third Party. The first five of them can be subscribed, the other three are only used in a compiled and encrypted form in our scanner THOR.
With access to VALHALLA, you can boost your detection by adding most of our highly successful THOR scanners’ signatures to your own scan engines.
All rules are performance optimised and quality tested against terabytes of goodware and other data.

22,000+
quality tested YARA rules
4,000+
handcrafted Sigma rules
1,000+
new rules every year
~500
changed and improved old rules every year

Growth
The rule set grows by 1,000 to 1,500 hand-written and quality tested rules per year.

Delivery
You can download the full subscribed set via web browser or use our public API client written in Python to get a customized rule set that fits your scan engine.

Subscription
We offer subscriptions for each of our rule set categories or the whole curated rule set. Each subscription includes improvements, fixes and updates on the subscribed categories for 12 months.

Performance Optimization
All rules are used in our scanners and therefore optimized for performance. The planned version 1.1 of the API will allow you to pull less strict rule sets that are more effective for in-memory detection and the detection in data streams.

Curation
We improve around 500 old rules per year. These improvements include false positive reductions and the tightening or extension of existing rules.

Trial
Rich Meta Data
Valhalla provides rich meta data that adds valuable context to each match, such as a web reference, related threat group campaigns, hashes of samples for which the rule was initially created and a list of public samples on which the rule has matched so far.
Each rule contains information about the required YARA version and modules to run that rule.
The API client allows you to retrieve only those rules that your product supports.
The rule’s score and tags indicate its reliability and scope. Both can be used to select the perfect rule set for your application.
Web Frontend
The website allows you to immediately retrieve your subscribed rules using nothing but a web browser.
Just insert your API key and click on “Get Rules”.
You can also select the “JSON” checkbox to get them in JSON format or select “DEMO” to test drive this feature with a demo API key, which allows you to retrieve all public YARA or Sigma rules in the selected format.
The website also contains statistics about the current rule set.
Smart API
The Python module allows you download the subscribed categories as text or JSON object. It even has presets for well-known products like FireEye’s appliances, Tenable, Tanium, CarbonBlack or Symantec MAA.
It requires no more than 3 lines of code to retrieve the subscribed rule set:
from valhallaAPI.valhalla import ValhallaAPI v = ValhallaAPI(api_key="Your API Key") response = v.get_rules_text(product="FireEyeEX")
Integration
The web API allows you to retrieve the perfect set that integrates seamlessly with the platform you use. Depending on your use case, we recommend subscriptions for different rule categories.
Note: The feed cannot be downloaded or used on Microsoft Windows or macOS systems.

Command Line Client
The comfortable command line client ‘valhalla-cli’ helps to integrate the rule retrieval into your deployment process.
It’s really as simple as it gets.
It can be installed running the following command:
pip3 install valhallaAPI
The next command retrieves all subscribed rules:
valhalla-cli -k APIKEY
The command line client supports proxy servers and allows you to apply numerous filters, e.g.
- Exclude rules with low scores
(e.g. threat hunting rules with scores lower than 75) - Exclude rules that wouldn’t work on your scan engine (e.g. “Tanium”)
- Retrieve only rules with certain tags
(e.g. “CHINA”, “APT”)


(note: the API key shown in the animated GIF is not valid anymore)
YARA Categories: Subscribable
Special Strengths:
- Rules to detect a variety of offensive security tools and frameworks
- Rules cover the tool itself, output, helper files and special command line parameters to detect their use in log files
Special Strengths:
- High grade rules for malware and tools used by threat groups
- Based on public reports, our own undisclosed threat intel work, threat intel partners, threat exchanges and active incident response cases (mainly Europe, Asia and the Middle East)
Special Strengths:
- Often very low Antivirus detection ratio
- One of the things most EDRs are unable to detect
YARA Categories: Only Available in THOR Scanner
Special Strengths:
- Generic rules / heuristic detection methods focus on methods and obfuscation instead of specific threats
- Highly effective in detecting new, yet unknown threats
YARA Categories: Quantity Comparison

* only in THOR scanner