
The 13 Must-Follow Threat Intel Feeds - wiz.io

wiz.io Archived Mar 18, 2026 ✓ Full text saved



What are threat intel feeds?

Threat intelligence feeds are automated data streams that deliver real-time information about cyber threats, indicators of compromise (IoCs), and attack patterns to security teams. These feeds enable organizations to proactively identify emerging threats before they impact their infrastructure. By integrating high-quality threat intel feeds into security operations, teams can strengthen their defense capabilities and reduce response times to critical incidents, a crucial factor given that faster identification and containment have been shown to drive down the average cost of a data breach.

Threat feeds contain raw, unprocessed security data without context or analysis. Threat intelligence feeds provide enriched data that includes indicators of compromise (IoCs), attack attribution, and actionable context. This contextual information helps security teams prioritize threats based on relevance to their environment and potential impact.

Open-source vs. commercial feeds

Open-source feeds are community-maintained, typically free resources that provide basic threat indicators and attack patterns. These feeds work well for organizations with limited budgets or those seeking to supplement existing intelligence.

Commercial feeds offer proprietary threat data, advanced analytics, and dedicated support from security vendors. They often include exclusive intelligence from private research and faster update frequencies.

The choice between open-source and commercial feeds depends on your organization's security requirements, budget constraints, and internal expertise.
What makes a high-quality threat intel feed

Not all threat intel feeds are created equal. When evaluating options, focus on feeds that provide actionable and relevant data. Look for these key characteristics:

- Timeliness: Data must be delivered in near real-time to be effective against fast-moving threats. A feed that updates daily may be too slow for zero-day exploits.
- Accuracy: The feed should have a low false-positive rate. Inaccurate data leads to alert fatigue and erodes trust in the system, causing teams to ignore real threats.
- Context: Raw data, like an IP address, is only moderately useful. A high-quality feed provides context, such as the associated threat actor, malware family, or attack vector, which is critical for prioritization and response.
- Relevance: The intelligence should be relevant to your organization's industry, geography, and technology stack. A feed focused on financial services malware may not be useful for a healthcare provider.
- Integration: The feed should be available in standard formats like STIX/TAXII for easy integration with your existing SIEM, SOAR, and other security platforms.

What is enrichment in threat intelligence? Enrichment in threat intelligence is the process of adding context, metadata, and relationships to raw security data to make it actionable.
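An added example, not code from the original article or from any feed provider: merging several plain-text IP blocklists while applying the timeliness, accuracy and context criteria above. The feed names and contents, the allowlisted range and the 24-hour freshness window are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample feeds: name -> (fetch time, plain-text body).
# Addresses come from documentation ranges; they are not real indicators.
FEEDS = {
    "feed_a": ("2026-03-18T06:00:00+00:00", "# header\n198.51.100.7\n203.0.113.0/24\n10.0.0.5\n"),
    "feed_b": ("2026-03-18T09:00:00+00:00", "198.51.100.7\n192.0.2.44 ; ssh\nnot-an-ip\n"),
    "feed_c": ("2026-03-10T00:00:00+00:00", "192.0.2.99\n"),
}
NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)  # fixed for repeatability
ALLOWLIST = [ipaddress.ip_network("203.0.113.128/25")]  # hypothetical own range
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def parse_feed(text):
    """Yield networks from a one-entry-per-line list, skipping comments and junk."""
    for line in text.splitlines():
        token = line.split("#")[0].split(";")[0].strip()
        if not token:
            continue
        try:
            yield ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # malformed entry: drop it rather than guess

def merge(feeds, now, max_age=timedelta(hours=24)):
    """Return ({network: set of source feeds}, [(item, rejection reason)])."""
    merged, rejected = {}, []
    for name, (fetched, text) in feeds.items():
        if now - datetime.fromisoformat(fetched) > max_age:  # timeliness
            rejected.append((name, "stale feed"))
            continue
        for net in parse_feed(text):
            if any(net.overlaps(n) for n in NON_ROUTABLE):  # accuracy
                rejected.append((str(net), "non-routable"))
            elif any(net.overlaps(n) for n in ALLOWLIST):  # never block own ranges
                rejected.append((str(net), "overlaps allowlist"))
            else:
                merged.setdefault(str(net), set()).add(name)  # context: sources
    return merged, rejected

def rank(merged):
    """Order entries by number of corroborating feeds, then by address text."""
    return sorted(merged, key=lambda net: (-len(merged[net]), net))

if __name__ == "__main__":
    merged, rejected = merge(FEEDS, NOW)
    print([(net, sorted(merged[net])) for net in rank(merged)], rejected)
```

Recording a reason for every rejected entry gives a per-feed measure of how much of its data is stale or unusable in your environment.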
13 critical threat intelligence feeds to track

These 13 threat intelligence feeds represent the most reliable and comprehensive sources available, selected based on data quality, update frequency, coverage scope, and integration capabilities:

- Wiz Cloud Threat Landscape
- SANS Internet Storm Center (ISC)
- LevelBlue Labs Open Threat Exchange (OTX)
- Spamhaus
- OpenPhish
- CrowdSec
- Cyber Cure
- HoneyDB
- Automated Indicator Sharing (AIS)
- Blocklist.de
- FBI InfraGard
- abuse.ch URLhaus
- ELLIO

1. Wiz Cloud Threat Landscape

Figure: Cloud Threat Landscape – Actors tab (Source: Wiz)

The Cloud Threat Landscape provides curated threat intelligence focused on public cloud environments, CI/CD systems, and source code management systems. It is designed to help security teams identify and contextualize cloud-specific threats alongside other threat intel feeds.

2. SANS Internet Storm Center (ISC)

A product of the SANS Technology Institute, the ISC has long been a trusted resource for enterprises looking to understand the threat landscape. The ISC’s threat intel sources are wide and varied; the team leverages data from sensors across half a million IP addresses and around 50 different countries. The ISC’s threat intel feed is free to use and includes technical data and step-by-step instructions on how to mitigate potential threats.

3. LevelBlue Labs Open Threat Exchange (OTX)

Figure: LevelBlue Labs Dashboard (Source: LevelBlue)

LevelBlue Labs Open Threat Exchange (formerly AlienVault OTX) connects organizations with a large, community-led network of threat analysts and cybersecurity experts.
By integrating this collaborative threat intel feed, teams gain access to a broad set of IoCs, malware insights, and community-curated intelligence to strengthen defenses. OTX data is available in widely supported formats such as CSV, OpenIoC, and STIX.

4. Spamhaus

Figure: Spamhaus BlockList (Source: Spamhaus)

With an emphasis on email security, malware, and spam management, Spamhaus’ threat feeds can help businesses secure email inboxes and online applications. The Spamhaus Block List (SBL) and Domain Block List (DBL) are useful resources for organizations because they include tens of thousands of IP addresses and domain names that hackers use to breach enterprise networks. Using Spamhaus' threat intel feeds and blocklists alongside other feeds and threat intelligence platforms can boost security and reduce false positives and alert fatigue.

5. OpenPhish

Figure: OpenPhish Dashboard (Source: OpenPhish)

The OpenPhish threat intel feed provides updates on phishing activity, a common attack vector in recent years. Both free and premium versions are available, offering different update frequencies and levels of detail. According to IBM, phishing was the second-most frequent attack vector for data breaches in 2024.

OpenPhish has both free and premium phishing intel feeds. While the free version updates the feed every 12 hours and delivers only text files, the premium versions offer updates (in CSV and JSON formats) every 5 minutes and feature a broader range of information, including IP, GeoIP, SSL metadata, and phishing logs.

6. CrowdSec

Figure: The CrowdSec threat intel feed (Source: CrowdSec)

There are free and commercial options for the CrowdSec threat intel feed, and both can help businesses flag malicious activity and generate actionable insights. (The free version limits users to 50 queries per day.) CrowdSec threat intel feeds comprise more than 25 million malicious IPs, and its database includes threat intel from 190 countries and 80,000 machines.
CrowdSec provides threat intelligence on malicious IPs and other common attack vectors. The feed is available in free and commercial versions, with varying query limits and coverage.

7. Shadowserver

Shadowserver provides free, large‑scale daily network remediation reports used by enterprises and CSIRTs to reduce risk at scale. Reports (delivered via email/API) cover a wide range of issues such as botnet infections, exposed services, and open resolvers, helping teams quickly prioritize response. Its breadth and operational reach make it a strong, widely adopted choice for machine‑readable, actionable threat data.

8. HoneyDB

Figure: HoneyDB Attack Hosts (Source: HoneyDB)

The HoneyDB threat intel feed consists of honeypot threat intel, which is information gathered by deliberately luring threat actors to a surveilled online environment and analyzing their tools and tactics. HoneyDB’s threat intel API features information categories including bad hosts, bad hosts by service, IP history, sensor data, services, nodes, autonomous systems (AS), and payload history. HoneyDB’s free version allows 1,500 queries per month, and its highest commercial enterprise version has no limits on monthly queries.

9. Automated Indicator Sharing (AIS)

AIS is a service provided by the Cybersecurity and Infrastructure Security Agency (CISA). Using the Structured Threat Information Expression (STIX™) and Trusted Automated Exchange of Indicator Information (TAXII™) open standards, AIS is a free, machine-readable resource for discovering the most potent cyber vulnerabilities; IoCs; and tactics, techniques, and procedures (TTPs). The AIS ecosystem includes both public and private organizations, such as enterprises, governments, federal agencies, information-sharing and analysis centers (ISACs), and information-sharing and analysis organizations (ISAOs).

10. Blocklist.de

Figure: An example of graphical statistics on Blocklist.de (Source: Blocklist.de)

The Blocklist.de threat intel feed is a free, volunteer-led solution that businesses can adopt to learn about and secure themselves from SSH-, mail-login-, FTP-, and web server–based attacks on servers. With around 6,644 active users, each update of the Blocklist.de threat intel feed includes more than 70,000 attacks. These information updates occur every 12 hours, ensuring threat-data freshness. Users have the option to download blocked IP address lists as compressed gzip files.

11. CISA Known Exploited Vulnerabilities (KEV)

CISA's Known Exploited Vulnerabilities (KEV) catalog is an authoritative, machine‑readable list (CSV/JSON) of vulnerabilities confirmed to be exploited in the wild. Updated frequently, KEV is highly actionable for patch prioritization and aligns with enterprise risk‑reduction programs. Integrating KEV alongside other feeds helps teams focus remediation on the exposures most likely to be targeted.

12. abuse.ch URLhaus

Figure: URLhaus Database (Source: URLhaus)

Ideal for identifying suspicious domains and URLs, URLhaus offers three distinct types of threat intel feeds: an ASN (AS number) feed, a country feed, and a top-level domain (TLD) feed. The key demographics for URLhaus threat intel feeds include CERTs, ISPs, and network providers. According to URLhaus, the primary focus of their feeds isn’t blacklisting/blocklisting or IoCs. If organizations want to use these feeds for those purposes, they have to download the URLhaus API.

13. GreyNoise

GreyNoise provides curated intelligence on internet‑wide scanners and opportunistic attackers, delivering near real‑time enterprise feeds to filter noise and focus on relevant threats. By distinguishing background scan traffic from actionable activity, GreyNoise helps reduce alert fatigue and sharpen SOC triage. Its feeds are designed for easy integration into existing SOC workflows and tooling.
How Wiz can boost your threat intelligence ecosystem

Figure: Wiz Threat Center

The entire spectrum of Wiz's capabilities is based on deep knowledge of the cloud. Being powered by unmatched cloud threat intelligence makes Wiz a profoundly important and one-of-a-kind tool to navigate the contemporary threat landscape. With unparalleled investigations, a world-class Threat Center, the integration of public and in-house cloud threat intelligence, TTP analyses, and IP and domain reputation evaluations, Wiz is the ultimate threat intelligence–fueled cloud security platform.

To dive deeper into Wiz TI’s insights, check out our podcast on cloud security (there’s nothing quite like it), our diverse library of cloud security research, and the comprehensive Open Cloud Vulnerabilities and Security Issues Database that we founded and maintain.

Also, coming soon: New capabilities, courtesy of the Cloud Threat Landscape in the Wiz portal, will enable you to learn about threat actors and correlate findings across your cloud environments with specific adversaries. Get a demo now to see how Wiz (and our Cloud Threat Landscape) can enhance your cloud security and threat intelligence.

Frequently asked questions about threat intel feeds

- How often should threat intel feeds be updated?
- Can I use multiple threat intel feeds simultaneously without creating noise?
- What's the difference between STIX/TAXII and other feed formats?
- How do I measure the effectiveness of my threat intel feeds?
- Should I prioritize free or commercial threat intel feeds?