A threat intel feed, or threat intelligence feed, provides a continuous incoming flow of data related to cyber threats and risks. Businesses can significantly improve their threat intelligence ecosystem and overall security posture by routing and integrating the right threat intel feeds to the right threat intelligence and cybersecurity tools.
Optimal threat intel feeds ensure that businesses receive accurate and high-quality data about cybercriminals, potential threats, and indicators of compromise (IoCs). By unlocking actionable threat intelligence from threat intel feeds, businesses can boost digital and cloud-based operations, prepare for cybersecurity incidents, and keep their crown jewel data safe.
An important clarification before you proceed: Occasionally, you may come upon the phrase “threat feeds.” Remember that threat feeds and threat intel feeds, although they sound similar, have a critical difference. Threat feeds comprise raw information and lack specific context. Threat intel feeds—with their inclusion of IoCs—feature more context, which can help businesses triage security threats more effectively.
Primarily, there are two kinds of threat intel feeds: open-source feeds and commercial feeds. Open-source feeds are typically free or low-cost, and they are stewarded and iteratively managed by online communities.
On the other hand, commercial feeds are products that businesses need to procure from third-party providers. Some commercial feeds may include data that isn’t publicly available. What's vital to understand is that there’s no right or wrong with threat intel feeds. Businesses should choose threat intel feeds that suit their unique needs. With that said, let’s explore some specific threat intel feeds.
1. Wiz Cloud Threat Landscape
Our very own Cloud Threat Landscape is the perfect starting point for this list of threat intel feeds. Wiz Cloud Threat Landscape features a comprehensive list of incidents, techniques, targeted technologies, threat actors, tools, defenses, and security measures. This rich threat intel is based on various sources and is carefully curated by the Wiz Research team. With an emphasis on public cloud environments, CI/CD systems, and source code management systems, Wiz Cloud Threat Landscape is a powerful cloud security resource—and it’s the only cloud-focused threat intel feed available in the world.
2. SANS Internet Storm Center (ISC)
A product of the SANS Technology Institute, the ISC has long been a trusted resource for enterprises looking to understand the threat landscape. The ISC’s threat intel sources are wide and varied; the team leverages data from sensors across half a million IP addresses and around 50 different countries. The ISC’s threat intel feed is free to use and includes technical data and step-by-step instructions on how to mitigate potential threats.
3. LevelBlue Labs
LevelBlue Labs connects organizations with a vast web of threat analysts and cybersecurity experts. By integrating LevelBlue Labs’ community-led and collaborative threat intel feed into their IT environments, businesses can benefit from more than 20 million IoCs, 200,000 international collaborators, malware scanning capabilities, and other AI-powered cyber threat intelligence. LevelBlue Labs' threat intel is available in formats such as CSV, OpenIOC, and STIX.
4. Spamhaus
With an emphasis on email security, malware, and spam management, Spamhaus’ threat feeds can help businesses secure email inboxes and online applications. The Spamhaus Block List (SBL) and Domain Block List (DBL) are useful resources for organizations because they include tens of thousands of IP addresses and domain names that hackers use to breach enterprise networks. Using Spamhaus' threat intel feeds and blocklists alongside other feeds and threat intelligence platforms can boost security and reduce false positives and alert fatigue.
5. OpenPhish
The OpenPhish threat intel feed is particularly relevant today because of how prevalent phishing attacks have become. According to IBM, phishing was the second-most frequent attack vector for data breaches in 2024. OpenPhish has both free and premium phishing intel feeds. While the free version updates the feed every 12 hours and delivers only text files, the premium versions offer updates (in CSV and JSON formats) every 5 minutes and feature a broader range of information, including IP, GeoIP, SSL metadata, and phishing logs.
6. CrowdSec
There are free and commercial options for the CrowdSec threat intel feed, and both can help businesses flag malicious activity and generate actionable insights. (The free version limits users to 50 queries per day.) CrowdSec threat intel feeds comprise more than 25 million malicious IPs, and its database includes threat intel from 190 countries and 80,000 machines. Notably, CrowdSec’s cyber threat intelligence is curated and context-rich, providing organizations with extensive information on malicious IPs and numerous other threats including botnets and DDoS attacks.
7. Cyber Cure
Cyber Cure’s threat intel feed, which is ideal for small and medium businesses as well as individual home users, provides actionable cyber intelligence on IoCs for malware and cyber incidents. It also includes URLs and CDNS, IP addresses, and file hashes that adversaries use to spread malware and propagate other security threats. The free version of Cyber Cure features IoC updates every few hours, and the premium version features updates every 10 minutes.
8. HoneyDB
The HoneyDB threat intel feed consists of honeypot threat intel, which is information gathered by deliberately luring threat actors to a surveilled online environment and analyzing their tools and tactics. HoneyDB’s threat intel API features information categories including bad hosts, bad hosts by service, IP history, sensor data, services, nodes, autonomous systems (AS), and payload history. HoneyDB’s free version allows 1,500 queries per month, and its highest commercial enterprise version has no limits on monthly queries.
9. Automated Indicator Sharing (AIS)
AIS is a service provided by the Cybersecurity and Infrastructure Security Agency (CISA). Using the Structured Threat Information Expression (STIX™) and Trusted Automated Exchange of Indicator Information (TAXII™) open standards, AIS is a free, machine-readable resource for discovering the most potent cyber vulnerabilities; IoCs; and tactics, techniques, and procedures (TTPs). The AIS ecosystem includes both public and private organizations, such as enterprises, governments, federal agencies, information-sharing and analysis centers (ISACs), and information-sharing and analysis organizations (ISAOs).
10. Blocklist.de
The Blocklist.de threat intel feed is a free, volunteer-led solution that businesses can adopt to learn about and secure themselves from SSH-, mail-login-, FTP-, and web server–based attacks on servers. With around 6,644 active users, each update of the Blocklist.de threat intel feed includes more than 70,000 attacks. These information updates occur every 12 hours, ensuring threat-data freshness. Users have the option to download blocked IP address lists as compressed gzip files.
11. FBI InfraGard
The InfraGard threat intel feed is a joint effort between the FBI and various private enterprises. By using the InfraGard threat intel feed, private organizations can benefit from the advanced security knowledge and capabilities of the FBI. In return, the FBI gets a comprehensive view of critical infrastructure across the country. InfraGard provides 16 different threat intel feeds, each addressing an aspect of critical infrastructure such as chemicals, dams, food and agriculture, healthcare, and IT.
12. abuse.ch URLhaus
Ideal for identifying suspicious domains and URLs, URLhaus offers three distinct types of threat intel feeds: an ASN (AS number) feed, a country feed, and a top-level domain (TLD) feed. The key demographics for URLhaus threat intel feeds include CERTs, ISPs, and network providers. According to URLhaus, the primary focus of their feeds isn’t blacklisting/blocklisting or IoCs. If organizations want to use these feeds for those purposes, they have to download the URLhaus API.
13. ELLIO
The ELLIO IP Threat Intel feed comprises malicious IP addresses, targeted ports, and targeted regions in the JSON format. The Community ELLIO: IP Feed is the free version, featuring an IP blocklist of up to 250,000 addresses, daily updates, and a negligible number of false positives (0.02%). ELLIO offers updates every 5 minutes every day (and sometimes even offers real-time updates).
How Wiz can boost your threat intelligence ecosystem
The entire spectrum of Wiz's capabilities is based on deep knowledge of the cloud. Being powered by unmatched cloud threat intelligence makes Wiz a profoundly important and one-of-a-kind tool to navigate the contemporary threat landscape.
With unparalleled investigations, a world-class Threat Center, the integration of public and in-house cloud threat intelligence, TTP analyses, and IP and domain reputation evaluations, Wiz is the ultimate threat intelligence–fueled cloud security platform.
Also, coming soon: New capabilities, courtesy of the Cloud Threat Landscape in the Wiz portal, will enable you to learn about threat actors and correlate findings across your cloud environments with specific adversaries.