The Ultimate List of Free and Open-source Threat Intelligence Feeds

Cybersecurity threats are evolving quickly, and there’s no time to keep up to date on the new details for most security researchers. This is why threat intelligence is an important part of the security activities of each organization. Many sources of threats include costly fees, but luckily there are many free and inexpensive choices to choose from. Here is the ultimate list of the safest platforms for open-source threats.

InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure. Through seamless collaboration, InfraGard connects owners and operators within the critical infrastructure to the FBI, to provide education, information sharing, networking, and workshops on emerging technologies and threats. InfraGard’s vetted membership includes business executives, entrepreneurs, lawyers, security personnel, military, and government officials, IT professionals, academia, and state and local law enforcement-all dedicated to contributing industry-specific insight and advancing national security.

Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants of the AIS community and ultimately reduce the prevalence of cyberattacks. The AIS community includes private sector entities; federal departments and agencies; state, local, tribal, and territorial (SLTT) governments; information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs); and foreign partners and companies. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.

The AIS ecosystem empowers participants to share cyber threat indicators and defensive measures, such as information about attempted adversary compromises as they are being observed, to help protect other participants of the AIS community and ultimately limit the adversary’s use of an attack method. is a non-profit platform running a couple of projects helping internet service providers and network operators protecting their infrastructure from malware. IT-Security researchers, vendors, and law enforcement agencies rely on data from, trying to make the internet a safer place.

Open Threat Exchange is the neighborhood watch of the global intelligence community. It enables private companies, independent security researchers, and government agencies to openly collaborate and share the latest information about emerging threats, attack methods, and malicious actors, promoting greater security across the entire community.

The platform publishes data sets with indicators we believe to be used by criminals trying to prey on individuals, organizations, businesses, and governments using the COVID-19 pandemic. They also have an Open Threat Exchange group with MISP feeds. The OTX is mostly for people and teams helping out with curating the threat feed, and to access it you need an API key. is a free and voluntary service provided by a Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-, FTP-, Webserver- and other services. The mission is to report any and all attacks to the respective abuse departments of the infected PCs/servers, to ensure that the responsible provider can inform their customer about the infection and disable the attacker.

OpenDNS uses its network analysis to help identify and confirm phishing sites. As that information becomes richer, OpenDNS will provide a feed to PhishTank. That feed’s quality will be up to the PhishTank community to judge, just as other submissions and submitters are. OpenDNS encourages its phishing feed providers to share their data with the PhishTank community.

The Emerging Threats Intelligence (ET) is one of the top rating threat intelligence feeds, developed and provided by Proofpoint in both open-source and premium. ET categorizes web malicious activities IP addresses and domain addresses and monitors recent activity by each of these. The feed has 40 separate IP and URL classes, as well as an ongoing trust value updated.

Sentinel supports the CINS Score. The CINS Score rates according to their confidence, like the ET confidence score. They add details in the form of frequency, type, and breadth of alleged or reported attacks from these IPs. They even aim to build “persons” for attacks that IPs have to do with: bugs in screening, networking or remote desktops, ransomware bots, or control servers.

It uses a distributed sensor network, which generates security warnings in more than 20 million log entries a day. The platform also offers security experts with research, tools, and forums.

VirusTotal uses hundreds of antivirus scanners, blacklist services, and other resources for analysis and extraction of user-presented data from users’ directories and URLs. The service can be used to easily check events such as alleged phishing e-mails, and each entry can be kept in its database to provide a global cyber threat image.

Cisco customers are protected by the Talos Threat Intelligence Team, although a free version has been made available for everyone. Talos’ comprehensive resources and insights inform people on knowledgeable threats, emerging risks, and current vulnerabilities. Talos also offers resources for testing and study

The Spamhaus Project is an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware, and botnets, provides real-time actionable and highly accurate threat intelligence to the Internet’s major networks, corporations, and security vendors, and works with law enforcement agencies to identify and pursue spam and malware sources worldwide.

VirusShare is an online repository of malware. The platform provides security researchers, incident responders, and forensic investigators access to millions of malware samples.

Google Safe Browsing helps protect over four billion devices every day by showing warnings to users when they attempt to navigate to dangerous sites or download dangerous files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer. Safe Browsing protections work across Google products and power safer browsing experiences across the Internet.

Discover SOCRadar® Community Edition for free

With SOCRadar® Community Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.References Cover image by miksturaproduction from Freepik

Originally published at on April 12, 2021.



We empower you to know the unknowns.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store