BlackHawk Data | Open Source Threat Intelligence Hub
Comprehensive Open Source Threat Intelligence

Threat Intelligence Feed Directory

Welcome to BlackHawk Data's curated collection of the most reliable open-source threat intelligence feeds. Our team continuously monitors and verifies these sources to provide you with the most current threat data available.

Threat Intelligence Definition

Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.


General Threat Intelligence

These feeds provide broad-spectrum threat intelligence covering multiple threat types and vectors.

AlienVault OTX

by AlienVault
A collaborative platform where security researchers and professionals share the latest threat data, including malware indicators, attack patterns, and vulnerability information.
Coverage: Global, multi-vector (IPs, domains, hashes, URLs)
Update Frequency: Real-time
Best For: Comprehensive threat monitoring, SOC teams

MISP Platform

Open Source Community
The Malware Information Sharing Platform is a robust open-source solution for collecting, storing, distributing and sharing cybersecurity indicators and threats.
Coverage: Structured threat data (STIX/TAXII compatible)
Update Frequency: Depends on instance
Best For: Threat intelligence sharing communities

OpenPhish

Community Maintained
Provides real-time phishing URL feeds with both free and commercial offerings available.
Coverage: Active phishing URLs
Update Frequency: Real-time
Best For: Email security, web filtering

PhishTank

by Cisco
Community-driven phishing URL database that verifies suspected phishing URLs through crowdsourcing.
Coverage: Verified phishing sites
Update Frequency: Continuous community submissions
Best For: Anti-phishing protection

Network & Infrastructure Threats

Feeds focused on malicious network activity, compromised infrastructure, and attack patterns.

FireHOL IP Lists

Community Maintained
Aggregates and categorizes IP addresses involved in malicious activities from various reputable sources, providing ready-to-use blocklists.
Coverage: IP addresses (IPv4/IPv6), networks
Update Frequency: Daily to real-time (depends on source)
Best For: Network security, firewall rules

Abuse.ch Feeds

by Abuse.ch
A family of specialized threat feeds focusing on different aspects of cyber threats, from malware C2 servers to phishing infrastructure.
Key Feeds:
Update Frequency: Real-time to daily
Best For: Targeted threat protection

Spamhaus DROP/EDROP Lists

by Spamhaus
Lists of malicious IP ranges (netblocks) involved in spam, malware distribution, and other malicious activities.
Coverage: IP ranges/netblocks
Update Frequency: Daily
Best For: Network-level blocking

Blocklist.de

Community Maintained
Aggregates IPs involved in brute-force attacks, spam, and scanning from various sources.
Coverage: IP addresses
Update Frequency: Real-time
Best For: Brute force attack prevention

GreyNoise

by GreyNoise Intelligence
Collects and analyzes data on Internet-wide scanning activity, distinguishing between benign scanners and malicious actors.
Coverage: Internet scanning activity
Update Frequency: Real-time
Best For: Noise reduction, threat context

Malware Intelligence

Resources focused on malware detection, analysis, and prevention.

MalwareBazaar

by Abuse.ch
A repository of malware samples with extensive metadata and analysis results, allowing security teams to research and identify new threats.
Data Types: Malware samples, hashes, signatures, behavior analysis
Update Frequency: Continuous as new samples are submitted
Best For: Malware researchers, threat analysts

URLhaus

by Abuse.ch
Tracks malicious URLs used for malware distribution, providing timely information about active infection vectors.
Coverage: Malicious URLs, hosting infrastructure
Update Frequency: Real-time
Best For: Web filtering, email security

SSL Blacklist

by Abuse.ch
Provides a list of "bad" SSL certificates identified to be associated with malware or botnet activities.
Coverage: Malicious SSL certificates
Update Frequency: Daily
Best For: SSL/TLS inspection

Malware Domain List

Community Maintained
A searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits.
Coverage: Malicious domains, registrants
Update Frequency: Daily
Best For: DNS filtering, domain monitoring

ThreatFox

by Abuse.ch
Platform for sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.
Coverage: Malware IOCs, campaigns
Update Frequency: Continuous
Best For: Malware analysis, threat hunting

Vulnerabilities & Exploits

Resources for tracking vulnerabilities and active exploits in the wild.

National Vulnerability Database

U.S. Government
The U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
Coverage: All CVE-listed vulnerabilities
Update Frequency: As CVEs are published
Best For: Vulnerability management programs

Exploit Database

by Offensive Security
Archive of public exploits and vulnerabilities maintained by Offensive Security as part of their Kali Linux distribution.
Coverage: Public exploits, proof-of-concepts
Update Frequency: Daily
Best For: Vulnerability research, penetration testing

Emerging Threats

Feeds focused on new and evolving threats.

Emerging Threats Rules

by Proofpoint
A collection of Snort and Suricata rules files that can be used for alerting or blocking emerging threats.
Coverage: Network signatures for threats
Update Frequency: Daily
Best For: IDS/IPS systems

CINS Score

Community Maintained
A subset of the commercial CINS Score list, focused on poorly rated IPs that are not currently present on other threatlists.
Coverage: IP reputation scoring
Update Frequency: Daily
Best For: Threat prioritization

Automated Threat Intelligence Tools

Platforms and tools for automating threat intelligence collection and processing.

IntelOwl

Open Source Project
Automates threat intelligence collection from multiple sources including VirusTotal, AbuseIPDB, and others with a single API call.
Coverage: Multi-source intelligence aggregation
Update Frequency: On-demand
Best For: Automated analysis pipelines

Yeti

Open Source Project
A platform for organizing observables, IOCs, and threat data into a unified knowledge base for threat intelligence.
Coverage: Threat data organization
Update Frequency: User-driven
Best For: Threat intelligence management

Practical Applications

How to leverage these threat feeds in your security operations:

Network Protection

Integrate IP and domain feeds into firewalls, proxies, and network intrusion detection systems to automatically block known malicious traffic.

Email Security

Use phishing and malware URL feeds to enhance email security gateways and protect against malicious attachments and links.

Threat Hunting

Correlate internal logs with threat intelligence to identify compromised systems or ongoing attacks within your environment.

Automation

Feed threat data into SOAR platforms to automate incident response workflows for known threat indicators.


Additional Resources

Complementary resources for threat intelligence practitioners:

MITRE ATT&CK

by MITRE
Knowledge base of adversary tactics and techniques based on real-world observations, useful for threat modeling and detection engineering.

STIX/TAXII

OASIS Standards
Standards for structured threat information expression (STIX) and trusted automated exchange of indicator information (TAXII).

Threat Intelligence Training

Various Providers
Collection of training resources and courses for developing threat intelligence skills and knowledge.


Last updated: March 2025 | Continuously monitored and updated