Cyber Security Threat Intelligence Sources

A list of Cyber Security threat intelligence sources that provide APIs to receive up-to-date data on emerging threats to defend against attacks.

Cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace.[1] Cyber threat intelligence sources include open source intelligence, social media intelligence, human intelligence, technical intelligence, or intelligence from the deep and dark web.

| Intelligence Source | Description |
| --- | --- |
| AbuseIPDB | AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. |
| APT Groups and Operations | A spreadsheet containing intelligence on APT groups including their techniques, tactics and various names. |
| Binary Defense IP Banlist | Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed. |
| BOTVRIJ.EU | Open source threat intelligence provider which contains network info (IPs), file hashes, file paths, domain names, URLs. |
| CISA AIS | The Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, among the Federal Government; state, local, tribal, and territorial governments; and the private sector. |
| CyberCure.ai | Cyber Cure provides free-to-use, quality cyber intelligence feeds that make it possible to stop attackers before they attack. |
| DigitalSide Threat-Intel | Contains a set of open source cyber threat intelligence information, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevant sets of IoCs to be used by SOC/CSIRT/CERT with minimum effort. |
| Proofpoint Emerging Threats Rules | Regularly updated list of firewall rules for multiple different types, including IPF, IPTables, PF and PIX. |
| ExoneraTor | Enter an IP address and date to find out whether that address was used as a Tor relay. |
| Feodo Tracker | Feodo Tracker is a project of with the goal of sharing botnet C&C servers associated with the Feodo malware family (Dridex, Emotet/Heodo). |
| FireHOL | A blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs. |
| FS-ISAC | FS-ISAC members have access to threat reports with tactical, operational and strategic levels of analysis for a greater understanding of the tools, methods and actors targeting the financial sector. |
| HoneyDB | HoneyDB provides real-time data from honeypots deployed across the internet. This data can be queried through the site or through their threat API to receive real-time honeypot activity. |
| Project IceWater | This project provides open-source YARA rules for the detection of malware and malicious files. |
| InQuest Labs | An open, interactive, and API-driven data portal for security researchers. |
| IPsum | IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. |
| Malshare | A free malware repository providing researchers access to samples, malicious feeds, and YARA results. |
| PhishTank | PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. |
| SophosLabs Intelix | Powered by machine learning, decades of threat research, and petabytes of intelligence, SophosLabs Intelix™ gives your app superpowers to identify, classify, and prevent threats. Designed for easy integration into any application, augmenting your cybersecurity is only an HTTP request away. |
| SSL Blacklist | The SSL Blacklist (SSLBL) is a project of with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. |
| ThreatMiner | ThreatMiner is a threat intelligence portal designed to enable analysts to research under a single interface. It is used in the SANS FOR578 Cyber Threat Intelligence course. API integration is available for many industry-leading platforms. |
| VirusTotal | Search VirusTotal’s dataset for malware samples, URLs, domains and IP addresses according to binary properties, antivirus detection verdicts, static features, behavior patterns such as communication with specific hosts or IP addresses, submission metadata and many other notions. |