The 13 Must-Follow Threat Intel Feeds


What are threat intel feeds?

A threat intel feed, or threat intelligence feed, provides a continuous incoming flow of data related to cyber threats and risks. Businesses can significantly improve their threat intelligence ecosystem and overall security posture by routing and integrating the right threat intel feeds to the right threat intelligence and cybersecurity tools. 

Optimal threat intel feeds ensure that businesses receive accurate and high-quality data about cybercriminals, potential threats, and indicators of compromise (IoCs). By unlocking actionable threat intelligence from threat intel feeds, businesses can boost digital and cloud-based operations, prepare for cybersecurity incidents, and keep their crown jewel data safe. 

An important clarification before you proceed: Occasionally, you may come upon the phrase “threat feeds.” Remember that threat feeds and threat intel feeds, although they sound similar, have a critical difference. Threat feeds comprise raw information and lack specific context. Threat intel feeds—with their inclusion of IoCs—feature more context, which can help businesses triage security threats more effectively. 

Open-source vs. commercial feeds

There are two main kinds of threat intel feeds: open-source feeds and commercial feeds. Open-source feeds are typically free or low-cost, and are stewarded and iteratively managed by online communities.

On the other hand, commercial feeds are products that businesses need to procure from third-party providers. Some commercial feeds may include data that isn’t publicly available. What's vital to understand is that there’s no right or wrong with threat intel feeds. Businesses should choose threat intel feeds that suit their unique needs. With that said, let’s explore some specific threat intel feeds.

13 critical threat intelligence feeds to track

Explore these 13 essential threat intelligence feeds that can provide valuable insights to protect your enterprise against emerging cyber threats:

  1. Wiz Cloud Threat Landscape

  2. SANS Internet Storm Center (ISC)

  3. LevelBlue Labs Open Threat Exchange (OTX)

  4. Spamhaus

  5. OpenPhish

  6. CrowdSec

  7. Cyber Cure

  8. HoneyDB

  9. Automated Indicator Sharing (AIS)

  10. Blocklist.de

  11. FBI InfraGard

  12. abuse.ch URLhaus

  13. ELLIO

1. Wiz Cloud Threat Landscape

Cloud Threat Landscape – Actors tab (Source: Wiz)

Our very own Cloud Threat Landscape is the perfect starting point for this list of threat intel feeds. Wiz Cloud Threat Landscape features a comprehensive list of incidents, techniques, targeted technologies, threat actors, tools, defenses, and security measures. This rich threat intel is based on various sources and is carefully curated by the Wiz Research team. With an emphasis on public cloud environments, CI/CD systems, and source code management systems, Wiz Cloud Threat Landscape is a powerful cloud security resource—and it’s the only cloud-focused threat intel feed available in the world. 

2. SANS Internet Storm Center (ISC)

A product of the SANS Technology Institute, the ISC has long been a trusted resource for enterprises looking to understand the threat landscape. The ISC’s threat intel sources are wide and varied; the team leverages data from sensors across half a million IP addresses and around 50 different countries. The ISC’s threat intel feed is free to use and includes technical data and step-by-step instructions on how to mitigate potential threats.

3. LevelBlue Labs Open Threat Exchange (OTX)

LevelBlue Labs Dashboard (Source: LevelBlue)

LevelBlue Labs connects organizations with a vast web of threat analysts and cybersecurity experts. By integrating LevelBlue Labs’ community-led and collaborative threat intel feed into their IT environments, businesses can benefit from more than 20 million IoCs, 200,000 international collaborators, malware scanning capabilities, and other AI-powered cyber threat intelligence. LevelBlue Labs' threat intel is available in formats such as CSV, OpenIOC, and STIX.

4. Spamhaus

Spamhaus BlockList (Source: Spamhaus)

With an emphasis on email security, malware, and spam management, Spamhaus’ threat feeds can help businesses secure email inboxes and online applications. The Spamhaus Block List (SBL) and Domain Block List (DBL) are useful resources for organizations because they include tens of thousands of IP addresses and domain names that hackers use to breach enterprise networks. Using Spamhaus' threat intel feeds and blocklists alongside other feeds and threat intelligence platforms can boost security and reduce false positives and alert fatigue. 

5. OpenPhish

OpenPhish Dashboard (Source: OpenPhish)

The OpenPhish threat intel feed is particularly relevant today because of how prevalent phishing attacks have become. According to IBM, phishing was the second-most frequent attack vector for data breaches in 2024. OpenPhish has both free and premium phishing intel feeds. While the free version updates the feed every 12 hours and delivers only text files, the premium versions offer updates (in CSV and JSON formats) every 5 minutes and feature a broader range of information, including IP, GeoIP, SSL metadata, and phishing logs.

6. CrowdSec

The CrowdSec threat intel feed (Source: CrowdSec)

There are free and commercial options for the CrowdSec threat intel feed, and both can help businesses flag malicious activity and generate actionable insights. (The free version limits users to 50 queries per day.) CrowdSec threat intel feeds comprise more than 25 million malicious IPs, and its database includes threat intel from 190 countries and 80,000 machines. Notably, CrowdSec’s cyber threat intelligence is curated and context-rich, providing organizations with extensive information on malicious IPs and numerous other threats including botnets and DDoS attacks.

7. Cyber Cure

Cyber Cure’s threat intel feed, which is ideal for small and medium businesses as well as individual home users, provides actionable cyber intelligence on IoCs for malware and cyber incidents. It also includes URLs and CDNS, IP addresses, and file hashes that adversaries use to spread malware and propagate other security threats. The free version of Cyber Cure features IoC updates every few hours, and the premium version features updates every 10 minutes. 

8. HoneyDB

HoneyDB Attack Hosts (Source: HoneyDB)

The HoneyDB threat intel feed consists of honeypot threat intel, which is information gathered by deliberately luring threat actors to a surveilled online environment and analyzing their tools and tactics. HoneyDB’s threat intel API features information categories including bad hosts, bad hosts by service, IP history, sensor data, services, nodes, autonomous systems (AS), and payload history. HoneyDB’s free version allows 1,500 queries per month, and its highest commercial enterprise version has no limits on monthly queries. 

9. Automated Indicator Sharing (AIS)

AIS is a service provided by the Cybersecurity and Infrastructure Security Agency (CISA). Using the Structured Threat Information Expression (STIX™) and Trusted Automated Exchange of Indicator Information (TAXII™) open standards, AIS is a free, machine-readable resource for discovering the most potent cyber vulnerabilities; IoCs; and tactics, techniques, and procedures (TTPs). The AIS ecosystem includes both public and private organizations, such as enterprises, governments, federal agencies, information-sharing and analysis centers (ISACs), and information-sharing and analysis organizations (ISAOs).

10. Blocklist.de

An example of graphical statistics on Blocklist.de (Source: Blocklist.de)

The Blocklist.de threat intel feed is a free, volunteer-led solution that businesses can adopt to learn about and secure themselves from SSH-, mail-login-, FTP-, and web server–based attacks on servers. With around 6,644 active users, each update of the Blocklist.de threat intel feed includes more than 70,000 attacks. These information updates occur every 12 hours, ensuring threat-data freshness. Users have the option to download blocked IP address lists as compressed gzip files.

11. FBI InfraGard

The InfraGard threat intel feed is a joint effort between the FBI and various private enterprises. By using the InfraGard threat intel feed, private organizations can benefit from the advanced security knowledge and capabilities of the FBI. In return, the FBI gets a comprehensive view of critical infrastructure across the country. InfraGard provides 16 different threat intel feeds, each addressing an aspect of critical infrastructure such as chemicals, dams, food and agriculture, healthcare, and IT. 

12. abuse.ch URLhaus

URLhaus Database (Source: URLhaus)

Ideal for identifying suspicious domains and URLs, URLhaus offers three distinct types of threat intel feeds: an ASN (AS number) feed, a country feed, and a top-level domain (TLD) feed. The key demographics for URLhaus threat intel feeds include CERTs, ISPs, and network providers. According to URLhaus, the primary focus of their feeds isn’t blacklisting/blocklisting or IoCs. If organizations want to use these feeds for those purposes, they have to download the URLhaus API. 

13. ELLIO

Ellio Community Threat List (Source: Ellio)

The ELLIO IP Threat Intel feed comprises malicious IP addresses, targeted ports, and targeted regions in the JSON format. The Community ELLIO: IP Feed is the free version, featuring an IP blocklist of up to 250,000 addresses, daily updates, and a negligible number of false positives (0.02%). ELLIO offers updates every 5 minutes every day (and sometimes even offers real-time updates).

How Wiz can boost your threat intelligence ecosystem

Wiz Threat Center

The entire spectrum of Wiz's capabilities is based on deep knowledge of the cloud. Being powered by unmatched cloud threat intelligence makes Wiz a profoundly important and one-of-a-kind tool to navigate the contemporary threat landscape.

With unparalleled investigations, a world-class Threat Center, the integration of public and in-house cloud threat intelligence, TTP analyses, and IP and domain reputation evaluations, Wiz is the ultimate threat intelligence–fueled cloud security platform. 

To dive deeper into Wiz TI’s insights, check out our podcast on cloud security (there’s nothing quite like it), our diverse library of cloud security research, and the comprehensive Open Cloud Vulnerabilities and Security Issues Database that we founded and maintain. 

Also, coming soon: New capabilities, courtesy of the Cloud Threat Landscape in the Wiz portal, will enable you to learn about threat actors and correlate findings across your cloud environments with specific adversaries.

Get a demo now to see how Wiz (and our Cloud Threat Landscape) can enhance your cloud security and threat intelligence. 
