Threat intelligence transforms raw security data into actionable knowledge. Instead of reacting to every alert in isolation, threat intelligence tells you what adversaries are doing globally — which IP addresses are actively scanning infrastructure, what malware families are in current circulation, which phishing domains are registering today. That context converts a generic firewall alert into a confirmed indicator of compromise from a known threat actor.
This guide covers the landscape of threat intelligence sources, formats, and integration patterns for security teams building or improving their threat intelligence capability.
What Threat Intelligence Actually Is
Threat intelligence is typically categorized into four tiers:
- Strategic: High-level intelligence for executives — threat actor motivations, geopolitical context, industry targeting trends. Consumed in reports, not feeds.
- Operational: Information about specific campaigns — TTPs (Tactics, Techniques, and Procedures) of active threat actors, often mapped to the MITRE ATT&CK framework.
- Tactical: Indicators of Compromise (IOCs) — IP addresses, domain names, file hashes, URL patterns associated with known malicious activity.
- Technical: Raw data from honeypots, malware sandboxes, and network sensors.
Most free and open-source feeds operate at the tactical and technical levels — they provide IOCs. This is the most immediately actionable form for security operations teams.
Free and Open-Source Threat Intelligence Feeds
AbuseIPDB
AbuseIPDB is a community-driven database of IP addresses reported for malicious activity — spam, port scanning, brute force attacks, and more. Organizations report IPs they observe attacking their infrastructure; those reports aggregate into a reputation score.
Use cases:
- Query IPs seen in your firewall or IDS logs to determine if they’re known bad actors
- Automate blocking of high-confidence malicious IPs
- Report IPs attacking your infrastructure to contribute to the community
The API is free for basic use, with higher rate limits available for paying subscribers.
AlienVault Open Threat Exchange (OTX)
OTX is one of the largest open threat intelligence communities, operated by AT&T Cybersecurity. It hosts “pulses” — curated collections of IOCs related to specific threats, malware families, or campaigns — contributed by thousands of security researchers.
OTX provides IOCs in multiple formats and integrates directly with the AlienVault OSSIM/USM SIEM. The API is freely available and supports STIX/TAXII.
Strengths: Large community, regularly updated, rich context per indicator, good API.
Limitations: Feed quality varies by contributor; some IOCs become stale without clear expiration dates.
MISP (Malware Information Sharing Platform)
MISP is an open-source threat intelligence platform designed for sharing, storing, and correlating IOCs. Unlike feed aggregators, MISP is a full platform organizations deploy internally and connect to partner networks for sharing.
Key MISP capabilities:
- Ingest IOCs from multiple feeds and sources
- Enrich indicators with context and relationships
- Share IOCs with trusted partner organizations via synchronization
- Export indicators in STIX, OpenIOC, CSV, and other formats
- Integrate with SIEMs, firewalls, and endpoint tools via API
MISP is widely deployed in government CERTs, ISACs (Information Sharing and Analysis Centers), and large enterprises. Running your own MISP instance gives you a central platform to aggregate all your intelligence sources.
Other Notable Free Sources
| Source | Focus |
|---|---|
| URLhaus (abuse.ch) | Malicious URLs distributing malware |
| MalwareBazaar (abuse.ch) | Malware samples and file hashes |
| Feodo Tracker (abuse.ch) | Botnet C2 infrastructure tracking |
| Emerging Threats (Proofpoint) | Snort/Suricata rules, free tier available |
| Spamhaus | IP and domain reputation (various zones) |
| VirusTotal | File hash reputation and sandbox analysis |
| CISA Known Exploited Vulnerabilities | Authoritative list of actively exploited CVEs |
Commercial Threat Intelligence Platforms
Free feeds cover a lot of ground but have limitations in freshness, enrichment depth, and support. Commercial platforms address these gaps:
Recorded Future: Provides real-time intelligence ingested from the open, dark, and technical web. Strong on threat actor tracking, brand monitoring, and predictive risk scoring. Widely used by large enterprises and government agencies.
CrowdStrike Intelligence: Threat actor tracking aligned with CrowdStrike’s adversary naming convention (Fancy Bear, Cozy Bear, etc.). Deep integration with the Falcon EDR platform.
Mandiant Advantage: Google-owned intelligence platform built on decades of incident response case data. Particularly strong on targeted threat actor TTPs and vulnerability intelligence.
Cisco Talos: One of the largest commercial threat intelligence teams, feeding into Cisco’s security product line. Talos publishes extensive free research and maintains free IP/domain reputation lookups.
STIX and TAXII: The Intelligence Exchange Standards
Without common formats and transport protocols, sharing threat intelligence between organizations and tools would require custom integration for every combination. STIX and TAXII solve this.
STIX (Structured Threat Information eXpression): A JSON-based language for describing cyber threat intelligence. STIX 2.1 defines objects including:
- Indicator: A pattern matching malicious activity (IP, hash, URL)
- Threat Actor: Information about an adversary
- Attack Pattern: A technique used by adversaries (maps to MITRE ATT&CK)
- Malware: Information about malicious software
- Relationship: Connects objects (e.g., threat actor uses malware)
TAXII (Trusted Automated eXchange of Intelligence Information): An HTTPS-based protocol for exchanging STIX bundles. TAXII servers host “collections” that clients can subscribe to and pull from.
Most modern TI platforms and SIEMs support STIX 2.1 and TAXII 2.1 natively.
Integrating Threat Intelligence with SIEM Tools
Intelligence feeds are only valuable when they’re applied to your data. Integration patterns include:
IOC matching: Ingest IP, domain, and hash IOCs into your SIEM and create detection rules that alert when those indicators appear in your logs. In Splunk, this typically uses a lookup against a threat intel table. In Microsoft Sentinel, the Threat Intelligence Blade ingests STIX/TAXII feeds natively.
Microsoft Sentinel: Built-in TAXII client allows direct feed ingestion. TI indicators are stored in the ThreatIntelligenceIndicator table and matched against network logs, DNS logs, and firewall data automatically.
Splunk ES: Threat intelligence framework ingests feeds and performs automatic IOC matching across indexed data via threat intelligence modular inputs.
QRadar: Reference Set Manager allows IOC lists to be used in detection rules. STIX import is available via the Threat Intelligence Import app.
Practical integration tip: Not all IOCs are equal. Implement a confidence threshold — only auto-block or auto-alert on high-confidence, recently seen indicators. Use low-confidence or older IOCs for enrichment context rather than automated action, to avoid alert fatigue and false positives.
A mature threat intelligence program is not about subscribing to the most feeds — it’s about operationalizing the right intelligence for your environment. Start with two or three high-quality sources, build the integration pipeline, validate that IOC matches are reducing mean time to detect, and expand from there.