Cyber threat feeds (or threat data feeds) are regularly updated sources of data about cyber threats, such as malicious IP addresses, malicious domain names, malicious email addresses, malware hashes, malware file names, and other indicators of compromise (IoCs).
Threat data feeds can use various formats, including STIX, CSV, JSON, and text. These feeds can be ingested by a threat intelligence platform (TIP), SOAR, SIEM, or firewall to automatically update its threat database. The ingestion steps vary by system, so you’ll need to see the documentation for your system.
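As an added example (not code from this post or from any feed provider it lists), here is one way to merge feeds in three of the formats mentioned above (text, CSV, JSON) into a single typed, de-duplicated indicator set that records which feed reported each value. The feed contents, the CSV column name `indicator`, and the JSON key `ioc` are constructed assumptions; real feeds define their own layouts.

```python
import csv, io, ipaddress, json, re

# Constructed sample feeds (documentation IP ranges, example domains); not real indicators.
TEXT_FEED = "# constructed plain-text feed\n198.51.100.7\nbad.example.com\n198.51.100.7\n"
CSV_FEED = "indicator,first_seen\n203.0.113.9,2024-01-01\nBad.Example.com,2024-01-02\nbilling@mail.example.net,2024-01-03\n"
JSON_FEED = json.dumps([{"ioc": "0" * 64}, {"ioc": "not an indicator"}])

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

def classify(value):
    """Return (type, normalized_value), or None if the value is not a recognised indicator."""
    v = value.strip().lower()
    try:
        return ("ip", str(ipaddress.ip_address(v)))  # handles IPv4 and IPv6
    except ValueError:
        pass
    if len(v) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", v):
        return (HASH_LENGTHS[len(v)], v)
    m = EMAIL_RE.match(v)
    if m and DOMAIN_RE.match(m.group(1)):
        return ("email", v)
    return ("domain", v) if DOMAIN_RE.match(v) else None

def read_text(feed):  # one indicator per line, '#' starts a comment
    return [v for ln in feed.splitlines() if (v := ln.split("#", 1)[0].strip())]
def read_csv(feed, column):  # column name is feed-specific (assumed here)
    return [row[column] for row in csv.DictReader(io.StringIO(feed))]
def read_json(feed, key):  # expects a JSON array of objects (assumed layout)
    return [item[key] for item in json.loads(feed)]

def normalize(sources):
    """{feed_name: [raw values]} -> ({(type, value): {feed_names}}, [(feed_name, rejected_raw)])."""
    merged, rejected = {}, []
    for name, values in sources.items():
        for raw in values:
            hit = classify(raw)
            if hit:
                merged.setdefault(hit, set()).add(name)  # de-duplicate, keep the sources
            else:
                rejected.append((name, raw))  # keep for review instead of silently dropping
    return merged, rejected

def demo():
    return normalize({"text": read_text(TEXT_FEED), "csv": read_csv(CSV_FEED, "indicator"),
                      "json": read_json(JSON_FEED, "ioc")})
if __name__ == "__main__":
    print(demo())
```

Keeping the set of reporting feeds per indicator, and the rejected values, gives an analyst something to work with when curating the data before it reaches a blocklist.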
Threat data feeds are often called threat intelligence feeds, but data isn’t the same as intelligence. Intelligence requires that data be analyzed and given proper context, so that it’s relevant to the organization consuming it.
Free general threat feeds can be useful, but you’ll benefit more from feeds that are customized to your organization, or from having CTI analysts work with the free threat feeds (curating, adding context, etc.).
Sources of Free Cyber Threat Data Feeds
Here are several sources of free threat data feeds. These are lists of threat feeds, not individual threat feeds (that would make this post much longer and more difficult to keep updated). Please let me know if you know of others!
Free threat intelligence feeds - threatfeeds.io
Search and download free and open-source threat intelligence feeds with threatfeeds.io.
Free and Open Source Threat Intelligence Feeds
Indicator of Compromise, IoC, URL, Domain, IP, File Hash, STIX and YARA free and open source feeds list. Free to use in…
GitHub - hslatman/awesome-threat-intelligence: A curated list of Awesome Threat Intelligence…
A curated list of Awesome Threat Intelligence resources - GitHub - hslatman/awesome-threat-intelligence: A curated list…
For the last one, search the page for the word “feed”, and note that not all of the feeds listed are free.
Threat Data Feeds and Threat Intelligence Are Not the Same Thing
It's important to know the difference between the two terms. Here's why.