What are threat intel feeds?
Threat intelligence feeds are automated data streams that deliver real-time information about cyber threats, indicators of compromise (IoCs), and attack patterns to security teams.
These feeds enable organizations to proactively identify emerging threats before they impact their infrastructure. By integrating high-quality threat intel feeds into security operations, teams can strengthen their defense capabilities and reduce response times to critical incidents, a crucial factor given that faster identification and containment have been shown to drive down the average cost of a data breach.
Threat feeds contain raw, unprocessed security data without context or analysis. Threat intelligence feeds provide enriched data that includes indicators of compromise (IoCs), attack attribution, and actionable context.
This contextual information helps security teams prioritize threats based on relevance to their environment and potential impact.

Open-source vs. commercial feeds
Open-source feeds are community-maintained, typically free resources that provide basic threat indicators and attack patterns. These feeds work well for organizations with limited budgets or those seeking to supplement existing intelligence.
Commercial feeds offer proprietary threat data, advanced analytics, and dedicated support from security vendors. They often include exclusive intelligence from private research and faster update frequencies.
The choice between open-source and commercial feeds depends on your organization's security requirements, budget constraints, and internal expertise.

What makes a high-quality threat intel feed
Not all threat intel feeds are created equal. When evaluating options, focus on feeds that provide actionable and relevant data. Look for these key characteristics:
Timeliness: Data must be delivered in near real-time to be effective against fast-moving threats. A feed that updates daily may be too slow for zero-day exploits.
Accuracy: The feed should have a low false-positive rate. Inaccurate data leads to alert fatigue and erodes trust in the system, causing teams to ignore real threats.
Context: Raw data, like an IP address, is only moderately useful. A high-quality feed provides context, such as the associated threat actor, malware family, or attack vector, which is critical for prioritization and response.
Relevance: The intelligence should be relevant to your organization's industry, geography, and technology stack. A feed focused on financial services malware may not be useful for a healthcare provider.
Integration: The feed should be available in standard formats like STIX/TAXII for easy integration with your existing SIEM, SOAR, and other security platforms.
13 critical threat intelligence feeds to track
These 13 threat intelligence feeds represent the most reliable and comprehensive sources available, selected based on data quality, update frequency, coverage scope, and integration capabilities:
1. Wiz Cloud Threat Landscape
Our very own Cloud Threat Landscape is the perfect starting point for this list of threat intel feeds. Wiz Cloud Threat Landscape features a comprehensive list of incidents, techniques, targeted technologies, threat actors, tools, defenses, and security measures. This rich threat intel is based on various sources and is carefully curated by the Wiz Research team. With an emphasis on public cloud environments, CI/CD systems, and source code management systems, Wiz Cloud Threat Landscape is a powerful cloud security resource—and it’s the only cloud-focused threat intel feed available in the world.
2. SANS Internet Storm Center (ISC)
A product of the SANS Technology Institute, the ISC has long been a trusted resource for enterprises looking to understand the threat landscape. The ISC’s threat intel sources are wide and varied; the team leverages data from sensors across half a million IP addresses and around 50 different countries. The ISC’s threat intel feed is free to use and includes technical data and step-by-step instructions on how to mitigate potential threats.
3. LevelBlue Labs Open Threat Exchange (OTX)
LevelBlue Labs Open Threat Exchange (formerly AlienVault OTX) connects organizations with a large, community-led network of threat analysts and cybersecurity experts. By integrating this collaborative threat intel feed, teams gain access to a broad set of IoCs, malware insights, and community-curated intelligence to strengthen defenses. OTX data is available in widely supported formats such as CSV, OpenIoC, and STIX.
4. Spamhaus
With an emphasis on email security, malware, and spam management, Spamhaus’ threat feeds can help businesses secure email inboxes and online applications. The Spamhaus Block List (SBL) and Domain Block List (DBL) are useful resources for organizations because they include tens of thousands of IP addresses and domain names that hackers use to breach enterprise networks. Using Spamhaus' threat intel feeds and blocklists alongside other feeds and threat intelligence platforms can boost security and reduce false positives and alert fatigue.
5. OpenPhish
The OpenPhish threat intel feed is particularly relevant today because of how prevalent phishing attacks have become. According to IBM, phishing was the second-most frequent attack vector for data breaches in 2024. OpenPhish has both free and premium phishing intel feeds. While the free version updates the feed every 12 hours and delivers only text files, the premium versions offer updates (in CSV and JSON formats) every 5 minutes and feature a broader range of information, including IP, GeoIP, SSL metadata, and phishing logs.
6. CrowdSec
There are free and commercial options for the CrowdSec threat intel feed, and both can help businesses flag malicious activity and generate actionable insights. (The free version limits users to 50 queries per day.) CrowdSec threat intel feeds comprise more than 25 million malicious IPs, and its database includes threat intel from 190 countries and 80,000 machines. Notably, CrowdSec’s cyber threat intelligence is curated and context-rich, providing organizations with extensive information on malicious IPs and numerous other threats including botnets and DDoS attacks.
7. Shadowserver
Shadowserver provides free, large‑scale daily network remediation reports used by enterprises and CSIRTs to reduce risk at scale. Reports (delivered via email/API) cover a wide range of issues such as botnet infections, exposed services, and open resolvers, helping teams quickly prioritize response. Its breadth and operational reach make it a strong, widely adopted choice for machine‑readable, actionable threat data.
8. HoneyDB
The HoneyDB threat intel feed consists of honeypot threat intel, which is information gathered by deliberately luring threat actors to a surveilled online environment and analyzing their tools and tactics. HoneyDB’s threat intel API features information categories including bad hosts, bad hosts by service, IP history, sensor data, services, nodes, autonomous systems (AS), and payload history. HoneyDB’s free version allows 1,500 queries per month, and its highest commercial enterprise version has no limits on monthly queries.
9. Automated Indicator Sharing (AIS)
AIS is a service provided by the Cybersecurity and Infrastructure Security Agency (CISA). Using the Structured Threat Information Expression (STIX™) and Trusted Automated Exchange of Indicator Information (TAXII™) open standards, AIS is a free, machine-readable resource for discovering the most potent cyber vulnerabilities; IoCs; and tactics, techniques, and procedures (TTPs). The AIS ecosystem includes both public and private organizations, such as enterprises, governments, federal agencies, information-sharing and analysis centers (ISACs), and information-sharing and analysis organizations (ISAOs).
10. Blocklist.de
The Blocklist.de threat intel feed is a free, volunteer-led solution that businesses can adopt to learn about and secure themselves from SSH-, mail-login-, FTP-, and web server–based attacks on servers. With around 6,644 active users, each update of the Blocklist.de threat intel feed includes more than 70,000 attacks. These information updates occur every 12 hours, ensuring threat-data freshness. Users have the option to download blocked IP address lists as compressed gzip files.
11. CISA Known Exploited Vulnerabilities (KEV)
CISA's Known Exploited Vulnerabilities (KEV) catalog is an authoritative, machine‑readable list (CSV/JSON) of vulnerabilities confirmed to be exploited in the wild. Updated frequently, KEV is highly actionable for patch prioritization and aligns with enterprise risk‑reduction programs. Integrating KEV alongside other feeds helps teams focus remediation on the exposures most likely to be targeted.
12. abuse.ch URLhaus
Ideal for identifying suspicious domains and URLs, URLhaus offers three distinct types of threat intel feeds: an ASN (AS number) feed, a country feed, and a top-level domain (TLD) feed. The key demographics for URLhaus threat intel feeds include CERTs, ISPs, and network providers. According to URLhaus, the primary focus of their feeds isn’t blacklisting/blocklisting or IoCs. If organizations want to use these feeds for those purposes, they have to download the URLhaus API.
13. GreyNoise
GreyNoise provides curated intelligence on internet‑wide scanners and opportunistic attackers, delivering near real‑time enterprise feeds to filter noise and focus on relevant threats. By distinguishing background scan traffic from actionable activity, GreyNoise helps reduce alert fatigue and sharpen SOC triage. Its feeds are designed for easy integration into existing SOC workflows and tooling.
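Returning to the CISA KEV catalog (item 11): the sketch below is an added example, not code from Wiz or CISA, showing how a KEV JSON download can drive patch prioritization by joining it against scanner findings. The catalog excerpt, the placeholder CVE IDs, the asset names and the sort order are all constructed for illustration; only the KEV field names follow the published catalog.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON catalog.
# CVE IDs, vendors and dates are placeholders, not real catalog entries.
KEV_JSON = """
{"catalogVersion": "0000.00.00",
 "vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
   "product": "ExampleVPN", "dateAdded": "2025-01-10",
   "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
   "product": "ExampleCMS", "dateAdded": "2025-02-08",
   "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown"}]}
"""

# Constructed scanner output: (asset, CVE, internet_exposed)
FINDINGS = [
    ("web-01", "CVE-0000-00002", True),
    ("vpn-gw", "CVE-0000-00001", True),
    ("build-07", "CVE-0000-00003", False),  # not listed in KEV
    ("db-02", "CVE-0000-00002", False),
]

def prioritize(kev_json, findings, today):
    """Split findings into a KEV-driven patch queue and a normal backlog."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    queue, backlog = [], []
    for asset, cve, exposed in findings:
        entry = kev.get(cve)
        if entry is None:
            backlog.append((asset, cve))  # no confirmed exploitation in KEV
            continue
        # dueDate is the remediation deadline CISA sets for federal agencies;
        # here it is reused as a generic urgency signal (an assumption).
        due = date.fromisoformat(entry["dueDate"])
        queue.append({
            "asset": asset, "cve": cve, "exposed": exposed,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "days_left": (due - today).days,  # negative means overdue
        })
    # Ransomware-linked first, then internet-exposed, then nearest deadline.
    queue.sort(key=lambda f: (not f["ransomware"], not f["exposed"], f["days_left"]))
    return queue, backlog

if __name__ == "__main__":
    queue, backlog = prioritize(KEV_JSON, FINDINGS, date(2025, 2, 10))
    for f in queue:
        print(f)
    print("backlog:", backlog)
```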
How Wiz can boost your threat intelligence ecosystem
The entire spectrum of Wiz's capabilities is based on deep knowledge of the cloud. Being powered by unmatched cloud threat intelligence makes Wiz a profoundly important and one-of-a-kind tool to navigate the contemporary threat landscape.
With unparalleled investigations, a world-class Threat Center, the integration of public and in-house cloud threat intelligence, TTP analyses, and IP and domain reputation evaluations, Wiz is the ultimate threat intelligence–fueled cloud security platform.
To dive deeper into Wiz TI’s insights, check out our podcast on cloud security (there’s nothing quite like it), our diverse library of cloud security research, and the comprehensive Open Cloud Vulnerabilities and Security Issues Database that we founded and maintain.
Also, coming soon: New capabilities, courtesy of the Cloud Threat Landscape in the Wiz portal, will enable you to learn about threat actors and correlate findings across your cloud environments with specific adversaries.
Get a demo now to see how Wiz (and our Cloud Threat Landscape) can enhance your cloud security and threat intelligence.