Top Threat Intelligence Tools for 2026 and Beyond
Get the top 10 threat intelligence tools for 2026—key features and limitations. This master list covers the best TI feeds and tools for your environment.
Explore the threat landscape shaping the cloud. These articles examine attacker behavior, cloud-native techniques, and how teams use intel to strengthen security decisions.
A threat intel feed, or threat intelligence feed, provides a continuous incoming flow of data related to cyber threats and risks.
Threat intelligence is the systematic collection and analysis of data about current and emerging cyber threats that helps organizations make informed security decisions.
Open-source intelligence (OSINT) is a framework that involves gathering, analyzing, and interpreting publicly available data to gain insights into cyber threats, adversarial activities, and attack techniques. OSINT identifies innocuous-seeming information that, if analyzed with an attacker’s mindset, could reveal critical loopholes in an enterprise’s security posture.
APT38 is a North Korean state-sponsored threat group that conducts financially motivated cyberattacks against banks, cryptocurrency exchanges, and financial institutions worldwide.
APT29 is a Russian state-sponsored advanced persistent threat (APT) group attributed to Russia's Foreign Intelligence Service (SVR), conducting cyber espionage operations since at least 2008.
APT42 is an Iranian state-sponsored cyber espionage group that uses tailored spear phishing and cloud account access for long-term surveillance.
APT33 is believed to be a state-sponsored threat actor active since 2013, conducting long-term intelligence operations against aerospace, energy, and defense organizations to steal intellectual property that advances Iran's military and economic capabilities.
Dark web monitoring is scanning hidden networks to detect compromised credentials, leaked data, and stolen information for timely threat alerts.
Cybersquatting is registering domain names identical or confusingly similar to trademarks or company names with bad faith intent to profit or harm.
Threat hunting is a proactive search for threats that your tools did not automatically catch. Instead of waiting for an alert to tell you where to look, you go looking on purpose.
Business email compromise is a targeted cyberattack where criminals impersonate someone you trust—like your CEO, a vendor, or a business partner—to trick you into sending money or revealing confidential information.
A backdoor attack creates a hidden method for bypassing standard authentication or security controls in a computer system, application, or network. Think of it as a secret entrance that allows attackers to return to a compromised system whenever they want, without going through the front door.
Snort rules are the detection logic that powers Snort, an open-source intrusion detection and prevention system.
Cyber espionage is the unauthorized access to computer systems and networks to steal classified information, trade secrets, or sensitive data for economic, political, or military advantage.
An advanced persistent threat is a sophisticated cyberattack where skilled hackers break into your network and stay hidden for months or even years.
Indicators of attack (IOAs) are real-time behavioral signals that reveal active malicious activity in your cloud environment. Unlike static signatures, IOAs detect attacker techniques as they happen.
Indicators of compromise are forensic artifacts that prove a security breach has already happened. Think of IOCs as digital fingerprints left behind at a crime scene—they're specific pieces of evidence that confirm an attacker was in your system.
Enrichment in threat intelligence is the process of adding context, metadata, and relationships to raw security data to make it actionable.
Vulnerability threat intelligence is the practice of combining vulnerability assessment data with real-world threat information to understand which security weaknesses actually matter.
Digital risk protection (DRP) is a cybersecurity discipline that monitors and mitigates threats to your digital assets across public, deep, and dark web channels.
While the deep web is mostly used for legitimate, private activities, the dark web both hosts illegal marketplaces and serves as a haven for privacy-seekers and activists in repressive regimes.
The threat intelligence lifecycle is a continuous, six-phase process that transforms raw data about potential cyber threats into refined, actionable intelligence.
A brute force attack is a cybersecurity threat where a hacker attempts to access a system by systematically testing different passwords until a correct set of credentials is identified.