CTI Sources#

Reference catalog of cyber-threat-intelligence (CTI) feeds and indicator sources, the inputs an SOC, threat-hunter, or detection-engineering team consumes to produce alerts, blocks, and reports.

The four types of indicator (Pyramid of Pain, David Bianco, 2013): trivial-to-change values at the bottom (hashes, IPs), through domains and tools, up to TTPs at the top. Block low-pyramid indicators for noise reduction; hunt for high-pyramid TTPs to find determined adversaries.

Free / open feeds#

Source

What it provides

abuse.ch

URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker, SSLBL.

AlienVault OTX

Community pulses, IOC sharing.

CIRCL

Luxembourg CERT; AIL leak monitor; CVE search.

CVE / NVD

MITRE CVE list + NIST National Vulnerability DB.

EmergingThreats Open

Snort / Suricata signatures (free tier).

ThreatFox

IOCs (URLs, domains, IPs, hashes) tagged by malware family.

URLhaus

Live malware-distribution URLs.

MalwareBazaar

Malware sample exchange.

PhishTank

Verified phishing URLs (OpenDNS / Cisco Umbrella).

OpenPhish

Real-time phishing feed.

Feodo Tracker

Botnet C2 IPs (Emotet, Dridex, TrickBot lineage).

SSL Blacklist

Bad TLS certificates.

Spamhaus

DROP / EDROP / SBL; mostly free for non-commercial.

DNS-BH MalwareDomains

Domain blocklist.

Tor Project

Exit node + relay lists.

Public sinkhole feeds

Shadowserver daily reports (per-org via signup).

abuse-ch ThreatFox JSON API

Machine-readable IOC feed.

SANS ISC

DShield IP blocklists, daily diary.

Virus Total

Free tier; static + dynamic file analysis (rate-limited).

Hybrid Analysis

Sandbox sample submission; community.

ANY.RUN

Interactive sandbox (free tier limited).

Joe Sandbox Cloud Basic

Free analysis for non-commercial.

Government feeds#

Source

Notes

CISA AIS / KEV

Automated Indicator Sharing; Known Exploited Vulnerabilities catalog (the actionable patch list).

CISA Alerts / Advisories

Plus joint advisories with NSA, FBI, MS-ISAC, partners.

NCSC (UK)

Active Cyber Defence; Mail Check; PDNS.

ANSSI (France)

CERT-FR alerts.

BSI (Germany)

Bundesamt; CERT-Bund advisories.

ENISA

EU situational reports.

JPCERT/CC

Japanese CERT alerts.

KrCERT/CC

Korean CERT alerts.

US-CERT (now CISA)

historical; superseded.

FS-ISAC

Financial-services sharing (members).

H-ISAC

Healthcare sharing.

EI-ISAC

Elections.

MS-ISAC

US state/local government.

Auto-ISAC, Aviation-ISAC, Space-ISA

C sectoral sharing groups.

Commercial / paid#

Vendor

Strength

Recorded Future

Insikt research, Intelligence Cloud.

Mandiant Advantage

Mandiant intel; FLARE-VM analysis.

CrowdStrike Falcon X

adversary-mapped intel.

Microsoft Defender Threat Intel

formerly RiskIQ.

Flashpoint

underground forums + leaks.

Intel 471

IAB / cybercrime intel.

KELA

cybercrime / dark-web.

Group-IB

DFIR + IAB intel.

Kaspersky Threat Intel

family-level reports.

Cisco Talos

Snort signatures + research.

Sophos X-Ops, ESET, Trellix

vendor intel feeds.

Rapid7

Insight Connect, vuln intel.

Tenable, Qualys

vuln intel + KEV-aligned scoring.

Anomali, ThreatConnect

TIP platforms with bundled feeds.

DomainTools, RiskIQ

infrastructure pivot platforms.

Censys, Shodan

Internet-asset enumeration; both free + paid tiers.

GreyNoise

benign-internet-noise-vs-targeted feed.

Spur, IPinfo, MaxMind

IP enrichment (geo, ASN, anonymizer detection).

Indicator types#

Indicator

Pyramid of Pain level

Hash values (MD5/SHA1/SHA256)

Trivial, attacker recompiles.

IP addresses

Easy, attacker rotates.

Domain names

Simple, attacker registers new.

Network / host artifacts

Annoying, attacker rebuilds tooling.

Tools

Challenging, attacker swaps frameworks.

TTPs (ATT&CK)

Tough, attacker has to retrain.

Standards and formats#

Standard

Use

STIX 2.1

Structured Threat Information eXpression; the OASIS standard.

TAXII 2.1

Transport for STIX (push / poll feeds).

MISP

OSS threat-intel platform; sharing communities.

OpenIOC

Mandiant’s older XML format.

YARA

File / memory pattern matching (see YARA).

Sigma

SIEM-agnostic detection rules (Sigma).

Snort / Suricata rules

network IDS rules (IDS Rules).

SCAP / OVAL / OCIL

vuln + config compliance content.

CVSS, EPSS

vuln severity / exploit-prob scoring.

ATT&CK Navigator

technique-coverage visualization.

Aggregators / TIPs#

Platform

Notes

MISP

Open-source TIP, the de-facto sharing platform.

OpenCTI

OSS knowledge-graph-shaped TIP.

Anomali ThreatStream

commercial.

ThreatConnect

commercial.

EclecticIQ

commercial.

Recorded Future Intelligence Cloud

commercial.

ThreatQ

commercial.

Yeti

OSS, lightweight.

Operator notes#

  • High-fidelity feeds first, abuse.ch, CISA KEV, vendor-shared YARA rules. Add aggregator feeds only with deduplication and scoring.

  • Validate before blocking, false-positive IPs (CDNs, Cloudflare, popular DNS resolvers) recur in raw feeds. Maintain an allowlist.

  • Sigma + Atomic Red Team, pair detection rules with the validation tests that exercise them.

  • Storage, IOCs land in Postgres / OpenSearch / OpenCTI / MISP; retention typically 90-365 days for active blocks, longer for hunting / forensics.

  • Author your own, bespoke YARA / Sigma authored from your own incident data is the highest-leverage CTI investment.

References#