Threat intelligence feeds are continually updated streams of data that inform users of different cybersecurity threats, their sources, and any infrastructure impacted or at risk of being impacted by those threats.
These feeds are often in a standard format like STIX/TAXII so they can be integrated with EDR, SIEM, firewalls, threat intelligence platforms, and other network security tools, offering an additional source of real-time or near-real-time threat information to monitor for indicators of compromise (IoCs), malicious domains and other cyber threats. As a bonus, many of these tools are free to access and have specialized feeds that focus on different industries and sectors.
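Consuming a STIX feed means turning indicator patterns into values a SIEM or firewall can act on while honouring revocation and expiry. The following is an added example, not code from the article or from any feed it reviews; the bundle is constructed sample data, and only the equality-comparison subset of the STIX 2.1 pattern grammar is parsed:

```python
"""Extract indicators of compromise from a STIX 2.1 bundle.

Added example, not code from the article or from any feed it reviews. The
bundle is constructed sample data; only the equality-comparison subset of
the STIX pattern grammar ([path = 'value'] joined by AND/OR) is parsed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# One comparison: object path on the left, single-quoted literal on the right.
# Quotes are allowed in the path so file:hashes.'SHA-256' is matched as one path.
COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern: str) -> list:
    """Return (kind, value) pairs. Other operators (MATCHES, LIKE, IN, !=) are
    skipped rather than guessed at, so nothing is misread as an exact match."""
    pairs = []
    for path, value in COMPARISON.findall(pattern):
        obj, _, prop = path.partition(":")
        if prop.startswith("hashes."):            # file:hashes.'SHA-256' -> file:sha-256
            kind = "file:" + prop[len("hashes."):].strip("'").lower()
        elif prop == "value":                     # ipv4-addr:value -> ipv4-addr
            kind = obj
        else:
            kind = path
        pairs.append((kind, value))
    return pairs


def _utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def extract_iocs(bundle: dict, as_of: str) -> dict:
    """Live IoCs keyed by kind. Revoked indicators and those whose valid_until
    has passed as of `as_of` (ISO 8601) are dropped: stale IoCs are how a feed
    ends up blocking addresses that were cleaned up and reassigned long ago."""
    now = _utc(as_of)
    iocs = defaultdict(set)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        until = obj.get("valid_until")
        if until and _utc(until) <= now:
            continue
        for kind, value in parse_pattern(obj.get("pattern", "")):
            iocs[kind].add(value)
    return dict(iocs)


# Constructed sample: documentation addresses, made-up hash, STIX ids omitted.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'malware.example' AND url:value = 'http://malware.example/drop.exe']"},
    {"type": "indicator", "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "indicator", "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z",
     "valid_until": "2023-06-01T00:00:00Z",                    # expired: dropped
     "pattern": "[ipv4-addr:value = '192.0.2.44']"},
    {"type": "indicator", "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "revoked": True, "pattern": "[ipv4-addr:value = '192.0.2.9']"},   # revoked: dropped
    {"type": "malware", "name": "Sample dropper", "is_family": False},  # not an indicator
]}

if __name__ == "__main__":
    for kind, values in sorted(extract_iocs(SAMPLE_BUNDLE, "2024-03-01T00:00:00Z").items()):
        print(kind, sorted(values))
```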
Here are our picks for the top threat intelligence feeds that security teams should consider adding to their defensive arsenal:
- AlienVault Open Threat Exchange: Best for community-driven threat feeds
- FBI InfraGard: Best for critical infrastructure security
- abuse.ch URLhaus: Best for malicious URL detection
- Proofpoint ET Intelligence: Best for contextualized threat information
- Spamhaus: Best for email security and anti-spam
- SANS: Internet Storm Center: Best for threat explanations
Top Threat Intelligence Feed Comparison
Threat intelligence feeds can come in a variety of formats and pull their information from a number of different sources across the web. To get a better idea of what each top threat intelligence feed solution offers, take a look at our comparison table below.
|Feed|Best for|
|---|---|
|AlienVault Open Threat Exchange|Best for community-driven threat feeds|
|FBI InfraGard|Best for critical infrastructure security|
|abuse.ch URLhaus|Best for malicious URL detection|
|Proofpoint ET Intelligence|Best for contextualized threat information|
|Spamhaus|Best for email security and anti-spam|
|SANS: Internet Storm Center|Best for threat explanations|
AlienVault Open Threat Exchange
Best for community-driven threat feeds
AT&T Cybersecurity’s AlienVault Open Threat Exchange (OTX) is one of the largest and most comprehensive threat intelligence feed communities today, with more than 100,000 participants representing 140 countries and contributing more than 19 million threat indicators on a daily basis. OTX prides itself on being a completely open community for threat intelligence, extending access to threat research and shared expertise from security professionals to any and all users.
Beyond simply making its feed available to all kinds of users, AlienVault Open Threat Exchange also does a good job of making its data accessible and easy to read through detailed dashboards. Dashboards clearly state the quantity and types of indicators of compromise (IoCs) and also provide Pulses to quickly summarize threats and their impact. Additionally, dashboards share data about threat names, any relevant reference URLs, tags, adversary and malware families, and attack IDs.
All OTX products and features, including the AlienVault Open Threat Exchange and OTX Endpoint Security, are free to use on their own. Additional costs may arise when integrating OTX and OTX Pulses into third-party software or applications. There are also costs associated with the USM product, which users often connect to OTX.
- 100,000 participants and contributors from 140 countries
- OTX Pulses for real-time looks at indicators of compromise, targeted software, and threat summaries
- Integrations with other tools through the DirectConnect API
- Built-in integration with AlienVault USM and AlienVault OSSIM
- Pulse Wizard for automated IoC extraction from blogs, threat reports, emails, PCAPs, and text files
- Open community approach means threat and security professionals of all backgrounds and from all over the globe can contribute their insights.
- One of the most comprehensive threat delivery solutions available; over 19 million threat indicators are posted daily.
- Threat dashboards are highly intuitive and easy to read.
- With Pulse Wizard, users can easily and automatically extract IoCs from sources in different formats.
- Though free tools and integrations are available, OTX works best with paid AT&T Cybersecurity products like AlienVault USM.
- The massive, crowdsourced approach OTX takes limits the possibility of effective quality assurance.
FBI InfraGard
Best for critical infrastructure security
InfraGard is a threat intelligence feed and network partnership between the FBI and other government agencies and interested private sector parties. The goal of this threat intelligence community is to share useful threat information back and forth: Private sector leaders can benefit from access to FBI insider knowledge, training, and best practices, while the FBI and other governmental bodies gain additional eyes on different areas of U.S. critical infrastructure. Although it is free to join, membership is required to access InfraGard resources.
InfraGard’s feeds and membership training resources are divided into 16 critical infrastructure categories:
- Commercial facilities
- Critical manufacturing
- Defense industrial base
- Emergency services
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation services
- Water and wastewater systems
These focus areas give private sector members access to highly tailored threat information and security tips for their particular industry.
It is free to become an InfraGard member and use InfraGard tools and feeds.
- Threat intelligence feeds are categorized into 16 critical infrastructure sectors
- Threat advisories, intelligence bulletins, analytical reports, and vulnerability assessments are shared with private sector members by the FBI and other government agencies
- Members-only web portal with up-to-date FBI intelligence
- Local InfraGard Member Alliance chapters across the United States
- Two-way threat sharing between the government and the private sector
- 16 different specialized threat feeds make it possible for users to focus on threats that are relevant to their particular sector
- One of the only threat intelligence solutions that focuses on threat detection and mitigation for U.S. critical infrastructure
- Combines the expertise and insights of government agencies with private sector professionals
- Members can access sector-specific training and resources from the National Sector Security and Resiliency Program (NSSRP) and Cross-Sector Council (CSC)
- Its membership and networking focus takes away from dedicated threat intelligence efforts
- Focused solely on U.S. infrastructure, making it a less effective option for global enterprises and distributed workforces
abuse.ch URLhaus
Best for malicious URL detection
abuse.ch’s URLhaus feed project compiles data about malicious URLs into user-friendly databases. Though anyone can access this free collection of feeds and the detailed databases they produce, abuse.ch specifically states that the solution is best suited to the needs of network operators, internet service providers (ISPs), computer emergency response teams (CERTs), and domain registries.
URLhaus manages three primary feeds that focus on specific IP address and domain name anomalies. These feeds can be fetched for up-to-date information directly from the URLhaus website. However, users who want to use this tool to blacklist, review indicators of compromise, or access a parsable dataset will need to use the URLhaus API. Additionally, users can only submit their own malicious URL discoveries if they have an abuse.ch account.
URLhaus is free for both commercial and non-commercial use.
- ASN Feed for tracking URLs with domain names that resolve to an IP address with a specific AS number
- Country Feed for tracking URLs with domain names that resolve to an IP address with a specific geo IP location or country code
- TLD Feed for tracking URLs with domain names that are associated with a specific ccTLD or gTLD
- Comprehensive, regularly updated malware URL database that includes information such as date added, URLs, status, tags, and the reporter’s identity
- URLhaus API for downloading and submitting malware URLs
- URLhaus’s three main feeds work for tracking both online and offline malicious URLs.
- URLhaus provides a detailed submission policy to filter out irrelevant malware submissions from users.
- The URLhaus database is well-labeled and frequently updated.
- URLhaus’s API and download options, including a database dump CSV option, are extensive and varied enough to match different user preferences.
- Several customizations and capabilities, such as blacklisting, are only available if users choose to use datasets in the URLhaus API rather than URLhaus feeds.
- To submit malware URLs via the web, users must log in with Twitter, Google, LinkedIn, or GitHub, which will be publicly visible; the only way around this rule is to submit via API.
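The database dump CSV mentioned above is the usual way to get URLhaus data into a blocklist. Below is an added example, not code from the article or from abuse.ch, that reads the dump, skips its comment header, and groups URLs still reported online by host; the column order is taken from the dump's own header comment and should be checked against the file you download, and the rows are constructed sample data:

```python
"""Turn a URLhaus CSV dump into a per-host view of live malware URLs.

Added example, not code from the article or from abuse.ch. The column order
(id, dateadded, url, url_status, last_online, threat, tags, urlhaus_link,
reporter) is taken from the dump's own '#' header comment; check it against
the file you download. The rows below are constructed sample data.
"""
import csv
from urllib.parse import urlsplit

COLUMNS = ["id", "dateadded", "url", "url_status", "last_online",
           "threat", "tags", "urlhaus_link", "reporter"]

# Constructed sample dump (documentation hostnames/addresses, fake ids).
SAMPLE_CSV = """\
# URLhaus database dump - constructed sample, not real data
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1","2024-03-01 10:00:05","http://malware.example/bin/x86","online","2024-03-01 10:00:05","malware_download","elf,mozi","https://urlhaus.abuse.ch/url/1/","reporter_a"
"2","2024-03-01 09:30:00","http://malware.example/bin/arm7","online","2024-03-01 09:45:00","malware_download","elf,mozi","https://urlhaus.abuse.ch/url/2/","reporter_a"
"3","2024-02-28 08:00:00","https://drop.example/invoice.exe","offline","2024-02-28 12:00:00","malware_download","exe","https://urlhaus.abuse.ch/url/3/","reporter_b"
"4","2024-03-01 11:00:00","http://203.0.113.5:8080/a.sh","online","2024-03-01 11:00:00","malware_download","sh","https://urlhaus.abuse.ch/url/4/","reporter_c"
"""


def parse_dump(text: str) -> list:
    """Return one dict per data row, skipping the '#' comment lines and any
    short row (a truncated download) instead of mis-aligning its columns."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return [dict(zip(COLUMNS, row)) for row in csv.reader(lines) if len(row) == len(COLUMNS)]


def online_hosts(rows: list, tag: str = "") -> dict:
    """Group URLs still reported online by host, optionally only those carrying
    `tag`. Hosts (not full URLs) are what a DNS/proxy blocklist usually takes,
    and offline entries are excluded so stale URLs do not linger in it."""
    hosts = {}
    for row in rows:
        if row["url_status"] != "online":
            continue
        tags = {t for t in row["tags"].split(",") if t}
        if tag and tag not in tags:
            continue
        host = urlsplit(row["url"]).hostname
        entry = hosts.setdefault(host, {"urls": 0, "tags": set(), "reporters": set()})
        entry["urls"] += 1
        entry["tags"] |= tags
        entry["reporters"].add(row["reporter"])
    return hosts


if __name__ == "__main__":
    for host, info in sorted(online_hosts(parse_dump(SAMPLE_CSV)).items()):
        print(host, info["urls"], sorted(info["tags"]), sorted(info["reporters"]))
```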
Proofpoint ET Intelligence
Best for contextualized threat information
Proofpoint ET Intelligence takes a comprehensive approach to threat intelligence, offering its feeds through what it calls a rich threat intelligence and context portal. It is a top provider of historical threat data, offering both current and historical metadata on IP addresses, domains, and other IoCs. As an added bonus, ET does a great job of separating, classifying, and scoring IP addresses and domains with regular hourly list updates.
Of all the solutions listed in this guide, Proofpoint ET Intelligence is one of the most comprehensive, but it’s also the most expensive. Businesses that are interested in enterprise-level threat explanations and investigative support are the best fit for this solution, while smaller businesses and individual users will probably want to avoid the price tag and opt for a free threat intelligence feed.
- Proofpoint ET Intelligence: Subscriptions are estimated to be between $20,000 and $130,000 per year, depending on user count, reseller, and other factors.
- Proofpoint ET Pro Ruleset: Priced separately; estimated to be between $750 and $1,000 per year.
- Free trial available.
- Access to historical metadata on IPs, domains, and other IoCs
- IP and domain reputation feeds
- Searchable threat intelligence portal with trends, timestamps, threat type and exploit kit labels, and related samples
- Confidence scoring with aggressive aging practices and hourly list updates
- Support for TXT, CSV, JSON, and compressed formats
- Integrates with cybersecurity tools and threat intelligence platforms like Splunk, QRadar, Anomali, and ArcSight.
- For an additional fee, users can access the extensive documentation that comes with the ET Pro Ruleset.
- ET intelligence dashboards include highly legible, color-coded graphs.
- Users with less IT infrastructure of their own can use agnostic threat feeds for additional threat detection support.
- One of the most expensive threat intelligence feeds on the market, and prices continue to go up.
- May have redundant features with other cybersecurity tools in your existing toolset.
Spamhaus
Best for email security and anti-spam
Spamhaus is one of the largest providers of threat intelligence feeds and blacklists/blocklists for email service providers and internet service providers, covering more than 3 billion users with its solutions. Users can access and apply blocklists for policies, exploits, domains, and general IP address spam issues. They can also fix incorrect spam listings in the Blocklist Removal Center, access live news and specialized ISP information, and read dedicated documents on best practices for everything from anti-spam to email marketing.
With its six main feeds and lists, Spamhaus is a comprehensive email security and anti-spam solution; in fact, it is often considered the best solution for accurate, real-time spam filter data. For users who don’t want to juggle multiple Spamhaus threat feeds simultaneously, Spamhaus also now offers Spamhaus Zen, which combines blocklists and information from SBL, SBLCSS, XBL, and PBL blocklists.
Most Spamhaus features and DNSBL feeds are extended to users free of charge. However, users and sites that need higher-scale, commercial spam filtering will need to subscribe to Spamhaus’s Datafeed Query Service (DQS). DQS pricing is user- and query-volume-based; pricing starts at $250 per year, and a 30-day free trial is available.
- The Spamhaus Block List (SBL) is a database of IP addresses associated with unsolicited bulk emails and from which users should not accept emails.
- The Exploits Block List (XBL) is a real-time database for IP addresses of PCs that have been hijacked and infected by third-party exploits.
- The Policy Block List (PBL) is a database that helps networks enforce acceptable use policies when dealing with dynamic and non-MTA customer IP ranges.
- The Domain Block List (DBL) is a list of domain names that should be avoided due to their bad reputations.
- The Don’t Route Or Peer Lists (DROP) are drop-all-traffic lists of netblocks that have been hijacked by professional cybercriminals.
- The Register of Known Spam Operations List (ROKSO) identifies the names and countries of several major persistent spam operations.
- More than 3 billion user inboxes are protected with Spamhaus threat feeds and blocklists; this is one of the largest (if not the largest) blockers of internet spam and malware.
- A detailed FAQ guide is available for users who have specific blocklist questions or more general questions about DNSBL usage.
- For users that want to use only one DNSBL tool, Spamhaus has packaged its SBL, XBL, and PBL solutions into one solution: Spamhaus Zen.
- Spamhaus has a secure ROKSO LEA portal that law enforcement agencies can use to more securely access classified records about spam operations.
- Certain commercial features and capabilities are only available through a paid upgrade to Datafeed Query Service.
- Spamhaus’s blacklisting procedures sometimes mean safe public IP addresses get blacklisted; the process for getting these IPs unlisted can be tedious.
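The Zen list described above is consulted with an ordinary DNS lookup, and the A record that comes back tells you which component list (SBL, CSS, XBL, PBL) matched, which is exactly what you need when deciding whether a listing is a false positive worth taking to the Blocklist Removal Center. The following is an added example, not code from the article or from Spamhaus; return-code meanings follow Spamhaus's published documentation, and the stub resolver is constructed test data so the script runs offline:

```python
"""Query the Spamhaus Zen DNSBL and decode its return codes.

Added example, not code from the article or from Spamhaus. Zen is queried
over plain DNS: the address labels are reversed and looked up under
zen.spamhaus.org, and each A record in 127.0.0.0/8 names the component
list that hit. Code meanings follow Spamhaus's published documentation; the
stub resolver below is constructed test data so the script runs offline.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"   # DQS subscribers query <key>.zen.dq.spamhaus.net instead

# A PBL hit means "this range should not be sending mail directly", not that the
# host is known to be malicious, so the reason string matters for triage.
RETURN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe spam source",
    **{f"127.0.0.{n}": "XBL: compromised host or open proxy" for n in range(4, 8)},
    "127.0.0.9": "SBL DROP/EDROP: hijacked or criminal-controlled netblock",
    "127.0.0.10": "PBL: ISP-maintained dynamic/non-MTA range",
    "127.0.0.11": "PBL: Spamhaus-maintained dynamic/non-MTA range",
}
# These mean the query itself was refused; they say nothing about the address.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came via a public/open resolver; use your own resolver or DQS",
    "127.255.255.255": "query volume exceeded the free-use limit",
}


def zen_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the lookup name: reversed octets (nibbles for IPv6) under the zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer   # e.g. 5.113.0.203.in-addr.arpa
    return rev.rsplit(".", 2)[0] + "." + zone         # drop in-addr.arpa / ip6.arpa


def dns_a_records(name: str) -> list:
    """Resolve A records; NXDOMAIN (address not listed) becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolve=dns_a_records) -> dict:
    """Classify one address. `listed` is only True for documented list codes;
    error codes and unknown answers are surfaced separately so a refused query
    is never mistaken for a clean result (or for a listing)."""
    answers = resolve(zen_query_name(ip))
    lists = sorted({RETURN_CODES[a] for a in answers if a in RETURN_CODES})
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    unknown = [a for a in answers if a not in RETURN_CODES and a not in ERROR_CODES]
    return {"ip": ip, "listed": bool(lists), "lists": lists,
            "errors": errors, "unknown": unknown}


def stub_resolver(name: str) -> list:
    """Constructed answers for documentation addresses, standing in for live DNS."""
    canned = {
        zen_query_name("203.0.113.5"): ["127.0.0.4", "127.0.0.10"],   # XBL + PBL
        zen_query_name("198.51.100.7"): ["127.255.255.254"],          # refused query
    }
    return canned.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.1"):
        print(check_ip(ip, resolve=stub_resolver))
```

Pass `resolve=dns_a_records` (the default) to query the live zone from your own resolver; queries routed through a public resolver get the 127.255.255.254 error rather than a verdict.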
SANS: Internet Storm Center
Best for threat explanations
Internet Storm Center is one of the oldest and most trusted threat intelligence feed options on the market. It is a feed and community that is entirely built on collaboration, with a small team of volunteers handling daily threat monitoring and documentation. Beyond these daily handlers, ISC benefits from other users who willingly share performance data from their firewalls and intrusion detection systems.
The Internet Storm Center manages to differentiate itself in several ways. For starters, its proprietary network of sensors and its reporting setup mimic weather forecasting in a way that makes ISC effective at providing early warnings for emerging threats. Additionally, ISC focuses not only on technical information about threats but also on providing procedural guidance for how to address these threats.
The Internet Storm Center is a free service.
- Pulls information from sensors across 500,000 IP addresses and more than 50 countries.
- Anomalies and detected threats are analyzed by volunteer incident handlers.
- Daily diaries detail handler analyses.
- Frequently updated DShield intrusion detection system and database.
- Incoming data is monitored with automated analysis and graphical visualization tools.
- Beyond daily diaries, the Internet Storm Center team is also willing to generate custom global summary reports upon user request.
- The ISC’s network of volunteer handlers is made up of cybersecurity professionals with years of experience.
- The daily handler diaries are often the first public reports of emerging attack vectors.
- The distributed sensor network design of ISC makes it easier for the team to quickly identify threats across all corners of the web.
- The ability to customize ISC’s threat feeds or integrate the tool into private networks and proprietary systems is extremely limited.
- Though the ISC’s network of volunteers is full of experts, it’s still a relatively small team with a setup that could lead to inconsistencies in reporting and depth of analysis.
Key Features of Threat Intelligence Feeds
It’s clear that threat intelligence feeds need to find and identify threats in order to be effective, but what other key features should you be looking for in threat intelligence feeds? In our experience, these are some of the most important features for a threat intelligence feed to include:
Indicators of compromise (IoCs)
Indicators of compromise are the pieces of evidence that reveal a network or specific part of a network has been breached. While more generalized threat intelligence feeds and blacklists don’t always offer IoCs, they’re a valuable feature for teams that want additional guidance for their threat response efforts. Examples of IoCs include malicious IP and email addresses, suspicious domain names and URLs, unusual file paths or file names, unexpected network traffic patterns, and behavioral oddities like frequent unauthorized access attempts.
Real-time updates
Real-time or near-real-time updates are a crucial feature of threat intelligence feeds, as threats can evolve or fall apart and new ones can arise in a matter of hours. Many feeds update every few minutes or hourly, while nearly all of them update at least daily. Many threat intelligence feed providers give users the option to subscribe to alerts when new threats arise or when new daily reports are available.
Contextual analysis
With threat intelligence feeds, threat data is far more useful if users can understand where the threats are coming from, what kind(s) of infrastructure they’re impacting, the overall damage they’re causing, and how these threats compare to historic threats. Dashboards are the most important feature for easy-access contextual analysis, but other features, like contextualized historic metadata, specialized rulesets, and enriched log data, are all helpful for better security response and mitigation strategies.
Historical data access
Historical data helps users frame current threats, both in relation to how those threats first emerged and how they compare to similar historic threats. The historical data that many threat intelligence feeds provide covers attack origins, the identity and past actions of the threat actor, past vs. present attack methods, and past vs. present damage. Having this historical data access allows users to see how quickly certain threat vectors have grown and to anticipate future threat variants and changes in tactics, techniques, and procedures (TTPs).
Integrations
Integrations with other cybersecurity tools help to make threat intelligence feeds more contextual and relevant to cybersecurity management efforts. The best threat intelligence feeds are accessible on their own but also integrate with and provide in-platform insights for other cybersecurity solutions. These integrations may be natively offered or made available through APIs.
How to Choose the Best Threat Intelligence Feed for Your Business
Choosing the best threat intelligence feed for your business will require you to first set internal expectations around budget, integration requirements, and roles and responsibilities for team members accessing those threat intelligence feeds. You’ll also want to consider if a more general feed is what you need or if a specialized, sector-specific feed better serves your business. In many cases, and especially since so many of these threat intelligence feeds are free to use, it may be worthwhile to use multiple threat intelligence feeds in conjunction.
If you’re looking for additional capabilities that go beyond basic threat feeds, a threat intelligence platform or threat research service may be a better solution. You can learn about the leading threat intelligence platforms in this buyer’s guide; for threat intelligence services and other threat management resources, consider one of the following:
- Cisco Talos
- Palo Alto Networks WildFire
- Mandiant Threat Intelligence Services
- Sophos Managed Detection and Response
- Palo Alto Networks Unit 42 Threat Research
- Flashpoint Managed Intelligence
How We Evaluated Threat Intelligence Feeds
Beyond the core threat intelligence feeds we’ve reviewed in this guide, we assessed approximately 15 other threat intelligence feeds and solutions. The selections in this guide were chosen based on their performance in the following evaluation criteria. The percentages listed for each represent the weight of the total score for each product.
Reputation and performance – 50%
Credibility is everything when it comes to threat intelligence, so the bulk of our assessment focused on reputation and performance. We evaluated each feed based on the trustworthiness of its information source(s), the variety of information sources it pulls from, its range and depth of coverage, its contextual analysis and dashboarding capabilities, its security and compliance policies and procedures, and the utility of expert explanations and mitigation tips.
We assessed both general threat intelligence feeds and function-specific threat feeds, and both types found a spot on our list; in both cases, what we were looking for was evidence that the tool performed its core tasks well for its specified audience. Additionally, when information was available, each threat intelligence feed was assessed based on its perception and performance in user reviews. However, due to the nature of these feeds, limited user reviews were available.
Timeliness – 25%
Speed, accuracy, and comprehensiveness are all important aspects of timely threat intelligence feed delivery. In our review process, we looked for feeds that update their data in real time and from multiple sources. We also considered how quickly this information is disseminated to subscribing users and in what format that information is shared.
Integration and configurability opportunities – 25%
Because threat intelligence feeds serve an important but singular purpose, many organizations need threat intelligence feeds to smoothly integrate with their existing cybersecurity tool stack. In our evaluation of different feeds, we looked for solutions with comprehensive APIs as well as solutions with native integrations in-portfolio or with third-party cybersecurity software. Beyond simply connecting to other cybersecurity tools, we paid special attention to and boosted the rankings of feeds that gave users the freedom to configure and customize feeds according to their specific requirements.
Frequently Asked Questions (FAQs)
What are the primary sources of threat intelligence feeds?
Threat intelligence feeds collect their information from multiple sources, including from the research of security experts and government agencies, malware analysis reports and other sources of open-source threat intelligence, dark web monitoring data, regional and national databases, aggregated customer data from security companies, and network traffic analysis tools.
Can threat intelligence feeds be integrated into existing security systems?
Many threat intelligence feeds can be integrated into existing security systems, either through APIs or native third-party integrations.
How much do threat intelligence feeds cost?
The majority of threat intelligence feeds are free to use. However, some commercial threat intelligence feeds require users to pay an annual subscription, which could run anywhere from approximately a few thousand dollars to over $100,000 per year, depending on user count, reseller pricing, licensing requirements, tool features, and other factors.
Bottom Line: Boost Security with Threat Intelligence Feeds
Threat intelligence feeds won’t provide all of the functionality and corrective action you need to effectively manage your organization’s cybersecurity posture, but they’re great resources for proactive threat identification across a variety of attack vectors. With so many free and low-cost threat intelligence feeds available today, it’s a smart move to integrate one or multiple feeds into your cybersecurity workflow and tools for additional security knowledge and detection capabilities.