SOCRadar® Cyber Intelligence Inc. | The Ultimate List of Free and Open-source Threat Intelligence Feeds
Jun 17, 2025

The Ultimate List of Free and Open-source Threat Intelligence Feeds

Free and open-source threat intelligence feeds are invaluable tools for cybersecurity professionals seeking to improve their visibility across the threat landscape without relying solely on expensive commercial platforms. These feeds are community-maintained or publicly accessible services that provide real-time or regularly updated data on malicious activity such as phishing campaigns, malware infrastructure, scanning IPs, and malicious URLs. When integrated into detection systems, they can help automate alerts, enrich incident context, and enhance proactive defense capabilities.

This guide presents a collection of highly regarded and globally accessible threat intelligence feeds. Each one has been chosen for its consistency, reputation, relevance, and ease of integration with common security technologies, including SIEMs, firewalls, intrusion detection systems, and threat intelligence platforms. Whether you’re building detections in a SOC, conducting threat hunting activities, or supporting incident response investigations, these feeds offer concrete value.

1. MISP (Malware Information Sharing Platform)

MISP is an open-source threat intelligence platform that helps organizations collect, structure, and share critical cyber threat data. It supports real-time exchange of indicators like malware hashes, phishing URLs, and threat actor profiles, making collaboration between SOC teams, CERTs, and national cyber units faster and more effective. By correlating related indicators, MISP reveals links between incidents and uncovers broader attack patterns. Security teams use it to track adversary behaviors and gain early insight into emerging threats.

Homepage of the MISP Project

The platform integrates smoothly with SIEM, SOAR, and EDR systems, allowing automated ingestion and faster detection. It supports the STIX format, the TAXII exchange protocol, and the MITRE ATT&CK framework, ensuring interoperability across tools and teams. Its modular structure and scalable design fit both small security units and large-scale government networks. Backed by a strong open-source community, MISP continues to evolve as a core component of intelligence-driven defense.

2. SANS Internet Storm Center (ISC)

The SANS Internet Storm Center (ISC) is a threat monitoring initiative operated by the SANS Institute, designed to track malicious internet activity at a global scale. Drawing from logs and telemetry contributed by thousands of volunteers, ISC provides early warning and analysis of emerging cyber threats. One of its core components, the DShield project, collects firewall and IDS logs to detect attack trends across networks.

SANS Internet Storm Center (ISC)

ISC is well known for its daily “Handler Diaries,” where seasoned analysts share insights on active exploits, zero-day vulnerabilities, and practical defensive tactics. These entries serve both as real-time threat reporting and as an educational tool for security professionals. In addition to publishing alerts and analysis, ISC helps foster collaboration between researchers, defenders, and incident responders through its open and community-supported structure.

3. AlienVault OTX (Open Threat Exchange)

AlienVault OTX is a widely used open platform for sharing cyber threat intelligence, built around the idea that collaboration strengthens collective defense. It enables participants across industries and regions to share real-time indicators of compromise, including IP addresses, malware samples, phishing domains, and exploit activity. As threat actors continue to adopt faster and more advanced techniques, platforms like OTX help defenders stay informed and respond with greater speed and context.

AlienVault Open Threat Exchange

One of OTX’s standout features is its Pulse system, which allows users to curate and distribute customized collections of threat indicators. Analysts and researchers use these to monitor attack trends, enrich investigations, and coordinate responses across teams. The platform also supports integration with common SIEM and incident response tools, making it easy to operationalize the shared data. Backed by a large and active user base, OTX continues to serve as a trusted source of open, community-driven threat intelligence.

4. InfraGard

InfraGard is a public-private intelligence-sharing program coordinated by the FBI, created to strengthen the security of the United States’ critical infrastructure. It fosters trusted collaboration between federal agencies and members of the private sector working in areas such as energy, healthcare, transportation, finance, and information technology.

InfraGard

Through regular threat briefings, classified-level alerts, and sector-specific intelligence sharing, InfraGard enables two-way communication on both cyber and physical security issues. Its vetted membership spans law enforcement, industry leaders, military personnel, IT professionals, and academics. Since its establishment in 1996, InfraGard has become a key national resource for timely threat information and coordinated response efforts.

5. CISA Automated Indicator Sharing (AIS)

Automated Indicator Sharing (AIS) is a real-time threat data exchange service provided by the Cybersecurity and Infrastructure Security Agency (CISA). It enables participants from across the public and private sectors to automatically share machine-readable cyber threat indicators and defensive measures as threats are observed. By distributing timely intelligence, AIS helps reduce the window of exposure and limits adversaries’ ability to reuse known techniques.

CISA Automated Indicator Sharing (AIS) information page

The AIS ecosystem includes government agencies, critical infrastructure operators, private sector organizations, ISACs, and foreign partners. Shared data follows standards such as STIX and TAXII, allowing for integration with existing tools and threat intelligence platforms. CISA offers this service free of charge and provides privacy protections and legal safeguards to encourage widespread participation. As part of its broader mission, AIS strengthens national cybersecurity by enabling faster, automated collaboration between trusted partners.

6. Cisco Talos Intelligence

Cisco Talos offers enterprise-grade threat intelligence, freely available to support the broader security community. Drawing on telemetry from Cisco’s global infrastructure, Talos delivers high-confidence data on malware campaigns, phishing operations, zero-day threats, and active vulnerabilities. These insights are shared through public threat feeds, detailed malware analysis reports, and up-to-date security advisories.

Cisco Talos Intelligence Center

Unlike community-led exchanges, Talos benefits from access to large-scale network data and direct integration with Cisco’s security technologies. Its intelligence helps SOC teams and analysts identify threats earlier, understand attacker behavior, and take timely action. Talos reports are often used alongside tools like VirusTotal or Shodan to enrich investigations and monitor attack surfaces. The platform also supports integration with SIEM, SOAR, and EDR solutions, enabling more efficient detection and response workflows across environments.

7. GreyNoise

GreyNoise helps analysts filter out background noise caused by widespread, automated internet scanning. As cybercriminals increasingly use mass reconnaissance tools to locate vulnerabilities, GreyNoise provides valuable context by identifying which IP addresses are part of these broad, untargeted sweeps.

GreyNoise

Its free IP lookup tool allows security teams to check whether a given address is associated with benign scanning or actual malicious behavior. GreyNoise’s Trend Tags further enhance visibility by tracking active CVEs, exploited protocols, and popular attack techniques, giving defenders early warnings about emerging threats. By clearly separating global noise from targeted activity, GreyNoise supports faster triage and more accurate incident prioritization. The platform also integrates with SIEM, SOAR, and TIP environments, enriching alerts with real-world behavioral context.

8. VirusTotal

VirusTotal is a widely used online platform that helps security professionals analyze suspicious files, URLs, domains, and IP addresses. By aggregating detection results from over 70 antivirus engines, domain blacklists, and behavior analysis tools, it provides fast and reliable insights into potential threats.

VirusTotal

Users can upload files or submit URLs to receive detailed reports showing which security vendors detect malicious behavior and what types of threats are involved. VirusTotal also offers behavioral sandbox analysis, domain reputation checks, and a collaborative space where researchers contribute comments and context. Its API access allows for seamless integration into SOC workflows, making it a go-to tool for malware triage, phishing investigations, and threat enrichment.

While powerful, it’s important to remember that VirusTotal should be used as part of a broader investigation – detections are useful indicators, not definitive judgments. Despite this, its accessibility and depth make it one of the most trusted platforms in threat intelligence.

9. OpenPhish

OpenPhish is a dedicated threat intelligence platform focused on detecting and monitoring phishing attacks in real time. As phishing techniques evolve to include AI-generated lures, deepfake content, and evasive credential theft methods, OpenPhish remains a critical free resource for defenders looking to stay ahead of these threats.

OpenPhish Homepage

The platform continuously identifies and verifies new phishing URLs using automated crawling and machine learning. Its real-time feed helps security teams block malicious domains before users are exposed. OpenPhish also offers free lookup functionality, making it easy to assess individual URLs for phishing activity. It integrates well with other tools like MISP, SIEMs, and TIPs, and complements platforms such as VirusTotal or GreyNoise by adding a phishing-specific layer of intelligence. For organizations looking to enhance their email security and threat detection pipelines, OpenPhish offers a streamlined, automated source of timely and actionable phishing data.

10. The Spamhaus Project

Spamhaus stands out as one of the most trusted names in email and spam-related threat intelligence. Operating as a nonprofit with a global footprint, the project focuses on tracking and disrupting malicious infrastructure used in spam campaigns, phishing schemes, and malware delivery. Its real-time intelligence is used by major networks and service providers to filter out unwanted traffic and block dangerous content before it reaches end users.

The Spamhaus Project homepage

Its blocklists, including the Spamhaus Block List (SBL) and Domain Block List (DBL), are central to its operations. These resources list thousands of IP addresses and domains associated with spam, malware, and phishing attacks. Updated continuously, the lists integrate with SIEMs, firewalls, and email gateways to support proactive filtering and reduce alert fatigue. Spamhaus also cooperates with law enforcement to disrupt cybercriminal infrastructure on a global scale. For organizations overwhelmed by alert fatigue and rising spam volume, Spamhaus provides a focused, effective filter.

Conclusion

Free and open-source threat intelligence feeds remain one of the most effective ways for cybersecurity teams to stay informed, detect early-stage threats, and respond faster. Whether you’re protecting enterprise systems or securing cloud-native infrastructure, these resources help establish a solid baseline for threat visibility and situational awareness.

To extend these benefits further, platforms like SOCRadar Labs offer a range of no-cost tools designed for defenders who need actionable data without the overhead. From external attack surface monitoring to phishing URL detection and leaked credential lookup, SOCRadar Labs can help you discover your organization’s exposure with ease. You can start by reviewing your own digital footprint with a free Dark Web Report that scans across hacker forums, marketplaces, and Telegram sources.

SOCRadar Labs Free Dark Web Report

As threats continue to evolve, pairing open intelligence with structured platforms and collaborative tooling is key. These feeds are more than raw data—they’re the foundation for building smarter, faster, and more resilient defense strategies.