1 Introduction
A threat intelligence feed is like a news feed for cybersecurity threats. Instead of headlines about politics or sports, it delivers a constant stream of data about malicious IP addresses, suspicious domains, malware hashes, and emerging attack campaigns. Security teams consume these feeds to stay ahead of attackers.
Think of it like a weather forecast for cyberattacks. Just as a pilot checks weather reports before flying, a security analyst checks threat feeds before and during operations. The feed does not tell you exactly what will happen, but it tells you what storms are forming and where they are heading.
Types of threat intelligence
Tactical: IOCs (IPs, domains, hashes) for immediate blocking.
Operational: TTPs, i.e. how attackers operate and which tools they use.
Strategic: trends, motivations, and geopolitical context for executives.
2 How It Works
Feed sources and formats
OSINT (Open Source)
Freely available intelligence from public sources. Great for getting started but may contain false positives and lacks context.
AlienVault OTX
Abuse.ch (URLhaus, MalwareBazaar)
PhishTank
CIRCL MISP feeds
Commercial feeds
Paid intelligence with higher quality, fewer false positives, and richer context. Typically include analyst-curated data.
CrowdStrike Falcon Intelligence
Recorded Future
Mandiant Advantage
IBM X-Force Exchange
STIX and TAXII: the standard exchange protocols
STIX (Structured Threat Information eXpression)
A standardized JSON format for describing threat intelligence. STIX objects include indicators, attack patterns, malware descriptions, threat actors, and relationships between them. Think of it as the language of threat intelligence.
TAXII (Trusted Automated eXchange of Intelligence Information)
The transport protocol for sharing STIX data. TAXII defines how threat intelligence is requested and delivered between systems. Think of it as the delivery mechanism -- the postal service that carries the STIX letters.
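To make the STIX/TAXII split concrete, here is an added example (not code from mlab Academy) that parses a small, constructed STIX 2.1 bundle with the standard library only: it pulls the observable values out of each indicator's pattern, checks the indicator's validity window, follows "indicates" relationships to the malware they point at, and builds the TAXII 2.1 collection URL a client would poll. The bundle, its IDs, the IP/domain values (documentation-reserved ranges) and the TAXII server address are all constructed for illustration; the pattern parser only handles equality comparisons, which is enough for the common single and AND/OR-joined patterns but not the full STIX pattern grammar.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed STIX 2.1 bundle (not from any real feed). IP and domain values use
# documentation-reserved ranges/names; the hash is the SHA-256 of empty input.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "name": "C2 server (constructed)", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2024-05-01T00:00:00Z", "valid_until": "2024-06-01T00:00:00Z",
         "confidence": 85},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "name": "Dropper (constructed)", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' OR domain-name:value = 'dropper.example']",
         "valid_from": "2024-05-02T00:00:00Z", "confidence": 60},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--44444444-4444-4444-8444-444444444444",
         "name": "ExampleLoader", "is_family": True},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--55555555-5555-4555-8555-555555555555",
         "relationship_type": "indicates",
         "source_ref": "indicator--22222222-2222-4222-8222-222222222222",
         "target_ref": "malware--44444444-4444-4444-8444-444444444444"},
    ],
})

# One equality comparison inside a STIX pattern: <object-type>:<property> = '<value>'.
# The property may contain quoted keys such as hashes.'SHA-256'.
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def parse_comparisons(pattern):
    """Return (object_type, property, value) triples for every equality
    comparison in a pattern. Covers simple and AND/OR-joined patterns;
    anything richer needs a real grammar (e.g. the stix2-patterns library)."""
    return COMPARISON.findall(pattern)


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def extract_indicators(bundle_json, now=None):
    """Flatten a bundle into one row per observable value, with context."""
    bundle = json.loads(bundle_json)
    now = _ts(now) if now else datetime.now(timezone.utc)
    objects = {o["id"]: o for o in bundle["objects"]}
    # indicator id -> names of the objects it 'indicates' (via relationship SROs)
    indicates = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            target = objects.get(o["target_ref"], {})
            indicates.setdefault(o["source_ref"], []).append(target.get("name", o["target_ref"]))
    rows = []
    for o in bundle["objects"]:
        if o["type"] != "indicator" or o.get("revoked"):
            continue  # revoked indicators must not be acted on
        valid_until = _ts(o.get("valid_until"))
        for obj_type, prop, value in parse_comparisons(o["pattern"]):
            rows.append({
                "value": value,
                "observable": f"{obj_type}:{prop}",
                "confidence": o.get("confidence"),
                "active": valid_until is None or now < valid_until,
                "indicates": indicates.get(o["id"], []),
                "source_id": o["id"],
            })
    return rows


# TAXII 2.1 client side: the media type and the objects endpoint of a collection.
TAXII_HEADERS = {"Accept": "application/taxii+json;version=2.1"}


def taxii_objects_url(api_root, collection_id, added_after=None):
    """URL a TAXII 2.1 client polls for a collection's objects; added_after
    limits the pull to objects added since the last poll (incremental sync)."""
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    if added_after:
        url += "?" + urlencode({"added_after": added_after})
    return url


if __name__ == "__main__":
    for row in extract_indicators(SAMPLE_BUNDLE, now="2024-05-15T00:00:00Z"):
        print(row)
    print(taxii_objects_url("https://taxii.example/api1/", "abc", "2024-05-01T00:00:00Z"))
```

The `active` flag is what separates a current indicator from one whose `valid_until` has passed; a consumer that ignores it ends up blocking stale infrastructure, and one that ignores `revoked` keeps acting on intelligence the producer has withdrawn.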
3 Detailed Analysis
How organizations consume threat feeds
Ingestion: Feeds are pulled into a Threat Intelligence Platform (TIP) like MISP, OpenCTI, or a commercial solution. The TIP normalizes data from multiple sources into a unified format.
Enrichment: Raw indicators are enriched with context: geolocation, ASN, WHOIS data, related malware families, historical sightings. This transforms data into actionable intelligence.
Correlation: The TIP matches incoming IOCs against internal logs and alerts. If a malicious IP from a feed is found in your firewall logs, you have a potential compromise to investigate.
Action: Verified indicators are pushed to security controls: firewall blocklists, SIEM detection rules, EDR signatures. This automates defense against known threats.
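The four steps above, carried through end to end in an added example (not mlab Academy's or any TIP's code): two constructed feeds in different formats (a plain IP line list and a CSV with threat type and confidence) are normalized into one table keyed by indicator type and value, enriched from a constructed ASN/country lookup standing in for real geolocation or WHOIS services, correlated against constructed firewall log lines, and finally routed to the control that can use each indicator type. The feed names, log lines, IP addresses (documentation-reserved ranges), the enrichment table and the confidence floor of 80 are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# --- Ingestion: two constructed feeds in different formats --------------------
# Feed A: one IP per line with comments, the shape of many OSINT blocklists.
FEED_A = """# constructed sample blocklist, not a real feed
203.0.113.10
198.51.100.7
"""
# Feed B: CSV with type, value, threat and confidence (0-100), a curated-feed shape.
FEED_B = """type,value,threat,confidence
ip,203.0.113.10,c2,90
domain,dropper.example,malware-distribution,70
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,dropper,80
"""


def ingest_line_list(text, source):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield {"type": "ip", "value": line, "threat": None, "confidence": None, "source": source}


def ingest_csv(text, source):
    rows = [r.split(",") for r in text.strip().splitlines()]
    header, body = rows[0], rows[1:]
    for r in body:
        rec = dict(zip(header, r))
        rec["confidence"] = int(rec["confidence"])
        rec["source"] = source
        yield rec


def normalize(*feeds):
    """Merge all feed records into one table keyed by (type, value), keeping
    every source that reported the indicator and the best context seen."""
    table = {}
    for rec in (r for f in feeds for r in f):
        key = (rec["type"], rec["value"].lower())
        entry = table.setdefault(key, {"type": rec["type"], "value": key[1],
                                       "sources": set(), "threat": None, "confidence": None})
        entry["sources"].add(rec["source"])
        entry["threat"] = entry["threat"] or rec["threat"]
        if rec["confidence"] is not None:
            entry["confidence"] = max(entry["confidence"] or 0, rec["confidence"])
    return table


# --- Enrichment: constructed lookup standing in for ASN/geo/WHOIS services ----
ENRICHMENT = {"203.0.113.10": {"asn": "AS64496", "country": "XX"}}


def enrich(table):
    for entry in table.values():
        entry.update(ENRICHMENT.get(entry["value"], {}))
    return table


# --- Correlation: match indicators against constructed firewall log lines -----
FW_LOGS = """2024-05-10T12:00:01Z fw01 action=allow src=10.0.0.5 dst=203.0.113.10 dport=443
2024-05-10T12:00:02Z fw01 action=allow src=10.0.0.9 dst=192.0.2.44 dport=443
2024-05-10T12:00:03Z fw01 action=deny src=198.51.100.7 dst=10.0.0.1 dport=22
"""
KV = re.compile(r"(\w+)=(\S+)")


def correlate(table, logs):
    """Every log line whose src or dst is a known indicator is a lead to investigate."""
    hits = []
    for line in logs.splitlines():
        fields = dict(KV.findall(line))
        for field in ("src", "dst"):
            key = ("ip", fields.get(field, ""))
            if key in table:
                hits.append({"log": line, "field": field, "indicator": table[key]})
    return hits


# --- Action: route indicators to the control that can consume that type ------
CONTROL_FOR_TYPE = {"ip": "firewall", "domain": "dns-sinkhole", "sha256": "edr"}


def route_to_controls(table, min_confidence=80):
    """A fixed confidence floor stands in for the review step before automation."""
    routed = defaultdict(list)
    for entry in table.values():
        if (entry["confidence"] or 0) >= min_confidence:
            routed[CONTROL_FOR_TYPE[entry["type"]]].append(entry["value"])
    return {control: sorted(values) for control, values in routed.items()}


def run_pipeline():
    table = enrich(normalize(ingest_line_list(FEED_A, "feed-a"), ingest_csv(FEED_B, "feed-b")))
    return table, correlate(table, FW_LOGS), route_to_controls(table)


if __name__ == "__main__":
    table, hits, routed = run_pipeline()
    for h in hits:
        print(h["field"], h["indicator"]["value"], h["indicator"].get("threat"), "<-", h["log"])
    print(routed)
```

Note what the merge step buys you: the C2 address is reported by both feeds, so the table records two sources, keeps the threat label and confidence from the curated feed, and the correlation hit on the allowed outbound connection to it carries that context into the analyst's queue; the bare IP that only appeared in the line list matches a denied inbound connection but has no confidence value, so it is never routed to a control automatically.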
OSINT vs. commercial feeds
| Criteria | OSINT feeds | Commercial feeds |
|---|---|---|
| Cost | Free | $10K-$500K+/year |
| False positives | Higher | Lower (curated) |
| Context | Limited | Rich (analyst notes, attribution) |
| Timeliness | Variable | Near real-time |
| Best for | Small teams, learning, supplemental data | SOCs, incident response, regulated industries |
4 Red Flags
Here are the warning signs to watch for when working with threat intelligence feeds:
Stale indicators: IOCs that are weeks or months old may no longer be active. Attackers rotate infrastructure frequently. Blocking outdated IPs may cause false positives without security benefit.
No context or attribution: A bare list of IPs without explanation of why they are malicious is hard to act on. Quality intelligence includes the threat type, confidence level, and source.
Shared hosting IPs on blocklists: Blocking an IP that hosts thousands of legitimate websites because one malicious site shares the address will cause major collateral damage. Always check before blocking.
Feed with no update frequency: A feed that has not been updated in days or weeks is unreliable. Threat landscapes change rapidly, and your intelligence must keep pace.
Over-reliance on a single source: No single feed captures all threats. Using only one source creates blind spots. Best practice is to aggregate multiple feeds and cross-reference indicators.
Blindly auto-blocking without review: Automatically pushing every IOC to your firewall without validation can disrupt business operations. Establish a confidence threshold and review process before automated blocking.
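The six red flags above translate into a vetting gate that sits between the TIP and the firewall. This added example (not mlab Academy's code) checks each candidate indicator for staleness, missing context, shared hosting, corroboration by more than one still-updating feed, and a confidence threshold, and sorts it into "block" (safe to automate), "review" (queued for an analyst) or "drop". The candidate indicators, the per-feed last-update times, the hosted-domain counts (standing in for a passive-DNS lookup), the IP addresses (documentation-reserved ranges) and every threshold are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed, already-normalized indicators as a TIP might hand them over.
CANDIDATES = [
    {"value": "203.0.113.10", "type": "ip", "threat": "c2", "confidence": 90,
     "sources": ["feed-a", "feed-b"], "last_seen": "2024-05-09T00:00:00Z"},   # good
    {"value": "198.51.100.7", "type": "ip", "threat": None, "confidence": None,
     "sources": ["feed-a"], "last_seen": "2024-05-09T00:00:00Z"},             # no context
    {"value": "192.0.2.44", "type": "ip", "threat": "phishing", "confidence": 85,
     "sources": ["feed-b"], "last_seen": "2024-01-15T00:00:00Z"},             # stale
    {"value": "192.0.2.80", "type": "ip", "threat": "phishing", "confidence": 95,
     "sources": ["feed-b", "feed-c"], "last_seen": "2024-05-09T00:00:00Z"},   # shared host
]
# Constructed passive-DNS style count of distinct domains hosted on each IP.
HOSTED_DOMAINS = {"192.0.2.80": 4200, "203.0.113.10": 1}
# Constructed timestamps of each feed's most recent update.
FEED_LAST_UPDATE = {"feed-a": "2024-05-09T12:00:00Z",
                    "feed-b": "2024-05-10T06:00:00Z",
                    "feed-c": "2024-04-01T00:00:00Z"}


def feed_is_fresh(feed, now, max_silence=timedelta(days=2)):
    """A feed that has gone quiet is not evidence of anything, good or bad."""
    return now - _ts(FEED_LAST_UPDATE[feed]) <= max_silence


def feed_status(now_iso):
    now = _ts(now_iso)
    return {feed: feed_is_fresh(feed, now) for feed in FEED_LAST_UPDATE}


def vet(ind, now, max_age=timedelta(days=30), min_confidence=80, max_hosted=50):
    """Return (decision, reasons): 'block' may go to controls automatically,
    'review' waits for an analyst, 'drop' is discarded outright."""
    age = now - _ts(ind["last_seen"])
    if age > max_age:
        return "drop", [f"stale: last seen {age.days} days ago"]
    reasons = []
    if not ind["threat"] or ind["confidence"] is None:
        reasons.append("no context: missing threat type or confidence")
    hosted = HOSTED_DOMAINS.get(ind["value"], 0)
    if hosted > max_hosted:
        reasons.append(f"shared hosting: {hosted} domains on this IP")
    fresh_sources = [s for s in ind["sources"] if feed_is_fresh(s, now)]
    if len(fresh_sources) < 2:
        reasons.append("single fresh source: not corroborated")
    if (ind["confidence"] or 0) < min_confidence:
        reasons.append(f"confidence {ind['confidence']} below {min_confidence}")
    return ("review" if reasons else "block"), reasons


def triage(candidates, now_iso):
    now = _ts(now_iso)
    return {c["value"]: vet(c, now) for c in candidates}


if __name__ == "__main__":
    for value, (decision, reasons) in triage(CANDIDATES, "2024-05-10T12:00:00Z").items():
        print(f"{value:15} {decision:7} {'; '.join(reasons)}")
```

Only the corroborated, current, high-confidence C2 address is cleared for automatic blocking; the shared-hosting address is held for review despite its 95 confidence because blocking it would take down thousands of unrelated sites, and because its second source has stopped updating and so does not count as corroboration.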
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/threat-intel-feed
Module: What is a threat intel feed? — Threat Intelligence
Disclaimer: This content is for awareness purposes only.