10 of the Best Open Source Threat Intelligence Feeds

10 of the Best Open Source Threat Intelligence Feeds

10 Cyber Threat Intelligence Feeds that You Can Use in Your Security Operations

In our ongoing quest to help security operations and incident response teams work more effectively, we’ve created a list of the top 10 open source threat intelligence feeds.

Each threat feed listed here can be ingested seamlessly into D3’s next-generation SOAR platform, as can feeds from dozens of the top enterprise and subscription-based threat intelligence vendors. No matter what threats your organization is facing, we recommend checking out these 10 feeds. They’re all free and open source.


1. Department of Homeland Security: Automated Indicator Sharing

Private companies are able to report cyber threat indicators with the DHS, which are then distributed via the Automated Indicator Sharing website. This database helps reduce the effectiveness of simple attacks by exposing malicious IP addresses, email senders, and more.


2. FBI: InfraGard Portal

The FBI’s InfraGard Portal provides information relevant to 16 sectors of critical infrastructure. Private and public sector organizations can share information and security events, and the FBI also provides information on cyber attacks and threats that they are tracking.


3. @abuse.ch

Abuse.ch is a research project hosted at the Bern University of Applied Sciences (BFH) in Switzerland. This resource helps security teams track malware, botnets, IOCs, malicious URLs and SSL certificates.


4. SANS: Internet Storm Center

The Internet Storm Center, formerly known as the Consensus Incidents Database, came to prominence in 2001, when it was responsible for the detection of the “Lion” worm. It uses a distributed sensor network that takes in over 20 million intrusion detection log entries per day to generate alerts regarding security threats. The site also provides analysis, tools, and forums for security professionals.


5. VirusTotal: VirusTotal

VirusTotal uses dozens of antivirus scanners, blacklisting services, and other tools to analyze and extract data from files and URLs submitted by users. The service can be used to quickly check incidents like suspected phishing emails, and every submission is retained in its database to build a global picture of cyber threats.

Read about how D3 integrates with VirusTotal on our integration page.


6. Cisco: Talos Intelligence

The Talos threat intelligence team protects Cisco customers, but there is a free version of their service available. Talos’ unmatched tools and experience provide information about known threats, new vulnerabilities, and emerging dangers. Talos also provides research and analysis tools.


7. VirusShare: VirusShare Malware Repository

VirusShare is an online repository of malware created and maintained by J-Michael Roberts, a digital forensics examiner. The site gives researchers, incident responders, and forensic investigators access millions of malware samples.


8. Google: Safe Browsing

The Safe Browsing service identifies dangerous websites and shares the information to raise awareness of security risks. Safe Browsing finds thousands of unsafe sites every day, many of which are legitimate sites that have been compromised by hackers.


9. National Council of ISACs: Member ISACs

While some ISAC feeds are quite expensive, others are free. The National Council of ISACs provides a comprehensive list.


10. The Spamhaus Project: Spamhaus

Spamhaus is a European non-profit that tracks cyber threats and provides real-time threat intelligence. Spamhaus has developed comprehensive block-lists for known spammers and malware distributors, which they provide to ISPs, email service providers, and individual organizations.


Bonus FAQ: Is MITRE a Threat Intelligence Feed?

As a SOAR vendor that works closely with the MITRE ATT&CK framework, we often get asked the question, is MITRE ATT&CK a threat intelligence feed? The answer is, not exactly. MITRE ATT&CK is much more than a conventional threat intelligence feed. It’s the world’s largest knowledgebase of cyber adversary tactics, techniques, and procedures (TTPs). However, ATT&CK is still a valuable source for threat intelligence. For example, its profiles of advanced persistent threat (APT) groups track the exact methods hacker groups are known to use, making it easier for you to plan your defence.


Wondering How to Use Threat Intelligence Effectively? Try D3 XGEN SOAR

D3’s SOAR platform integrates with 500+ security tools, including threat intelligence platforms and open source tools, in order to automatically enrich security alerts with the contextual data that security analysts need to quickly identify genuine threats. When threats are detected, D3 orchestrates automated response playbooks to rapidly remediate threats across the entire environment. D3 also leverages threat intelligence to run threat hunting playbooks that search across integrated tools to find any traces of known threats.

D3 solves an age-old problem for cyber threat intelligence (CTI) and security operations teams: how to operationalize incoming threat intelligence. With D3’s automation, you can ingest threat reports on a scheduled cadence and automatically turn that valuable intelligence into threat hunting, vulnerability management, and incident response playbooks. D3 gives you the chance to put high-quality intelligence into action without taking up any of your team’s time.

Schedule a demo today to learn from one of our SOAR experts how D3 can seamlessly bring threat intelligence into your security operations workflows.


Additional Resources: More Cyber Threat Intelligence Feeds

There are so many great sources out there that report on public threats, and a lot of them are free, just like the ones in our list. Check these links for even more lists of threat intelligence feeds:

A List of the Best Open Source Threat Intelligence Feeds (Logz.io)

Top 10 Threat Intelligence Platforms in 2022 (Toolbox)

Top Threat Intelligence Platforms for 2022 (eSecurity Planet)


Walker Banerd

Walker is the Communications Manager at D3. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.

XGEN SOAR demo image

Deep-Dive SOAR Demo

Do you want to see D3 in action? Join us for a 25-minute deep-dive demo and see how our award-winning Security Orchestration, Automation, and Response (SOAR) platform helps security teams accelerate incident response, scale processes, and learn from every incident.