The Top 10 Open-Source Threat Intelligence Feeds

Security teams need more than siloed alerts and reactive posturing. They need cyberthreat intelligence that's timely, trustworthy, and actionable. That’s where open-source threat intelligence feeds (OSINT feeds) come in.

Brianna Blacet
June 30, 2025

By providing real-time insights from a wide range of community sources, commercial feeds, and government agencies, OSINT feeds are becoming essential tools in the modern cybersecurity stack.

But with so many options out there, which OSINT feeds are actually worth following? This guide highlights some of the best threat intelligence sources available today — and how to put them to work.

Why OSINT Feeds Matter

OSINT feeds aggregate publicly available cybersecurity data, including indicators of compromise (IoCs), malware hashes, suspicious domains, denial of service reports, and adversary infrastructure. Because they are community-driven, open source, and freely accessible, OSINT feeds help:

  • Improve early detection of potential threats
  • Support incident response with additional context
  • Supplement commercial threat intel sources
  • Provide a cost-effective force multiplier for lean security teams

The best threat intelligence feeds deliver curated, relevant, and regularly updated threat data that aligns with your organization’s threat landscape. Whether you work in the financial sector, federal government, or healthcare, there are trusted OSINT sources tailored to your needs.

What Makes a Good Open-Source Threat Intelligence Feed?

Before diving into recommendations, it’s important to know what sets quality OSINT feeds apart. Look for feeds that are:

  • Timely: Frequently updated with current threats and IoCs
  • Credible: Sourced from reputable security researchers, such as the Computer Emergency Response Team (CERT)
  • Structured: Delivered in machine-readable formats like STIX and TAXII
  • Relevant: Aligned with your industry, geography, or use case
  • Actionable: Contain specific threat intelligence data points that can be correlated with internal telemetry

Top 10 OSINT Feeds to Follow

  1. Abuse.ch
    Focused on tracking malware and botnet infrastructure, Abuse.ch offers feeds like URLhaus, SSL Blacklist, and MalwareBazaar. It’s particularly valuable for blocking malicious IPs and identifying emerging threats.
  2. AlienVault Open Threat Exchange (OTX)
    One of the largest open threat-sharing platforms, OTX provides IoCs and threat intelligence pulses from a global community. Data is easily consumed via API or integrated with threat intelligence tools like Anomali.
  3. Computer Incident Response Center Luxembourg (CIRCL)
    CIRCL publishes a range of OSINT data, including phishing campaigns, malware analysis, and public threat advisories. It also maintains the Malware Information Sharing Platform (MISP) project — a popular platform for sharing technical data.
  4. MISP OSINT Feeds
    The MISP project aggregates feeds from various sources, including sector-specific indicators. It supports integration with both government agencies and private-sector security operations centers (SOCs).
  5. Cybercrime Tracker
    This feed focuses on crimeware command-and-control infrastructure and helps track and disrupt malware campaigns. It is especially useful for threat detection and IP address correlation.
  6. Malc0de Database
    A straightforward and frequently updated malware domain feed, ideal for DNS blocking and blacklisting efforts.
  7. OpenPhish
    Delivers real-time phishing intelligence with a strong reputation for accuracy. The free version offers a feed of verified phishing URLs, with structured context.
  8. US-CERT/National Cyber Awareness System
    Managed by the federal government, this feed delivers cybersecurity advisories, alerts, and bulletins for a wide audience, including those in the supply chain and public sector.
  9. Shadowserver Foundation
    Offers a diverse set of feeds covering scanning reports, malware activity, botnets, and dark web monitoring. It’s widely respected among cybersecurity professionals for its breadth and depth of actionable intelligence.
  10. ThreatFox by Abuse.ch
    A companion to other Abuse.ch offerings, ThreatFox focuses specifically on sharing indicators of malicious activities, such as malware samples, command-and-control servers, and threat actor infrastructure. Its open-source, structured format makes it easy to ingest and automate across various security tools.

How OSINT Feeds Fit Into a Threat Intel Strategy

While OSINT feeds provide a wealth of actionable information, they work best as part of a broader threat intelligence strategy. Security analysts should:

  • Correlate OSINT with internal network security data
  • Enrich alerts with external threat context
  • Use OSINT to validate or dismiss suspicious activity
  • Combine OSINT with commercial and private threat intelligence sources

When paired with the right threat intelligence platform, OSINT feeds transform from raw data into decision-ready insights that support threat hunting, threat detection, and incident response.
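
The correlation and enrichment steps listed above, as an added example that is not part of the original post or any vendor's code. It indexes STIX 2.1 indicator patterns and matches them against proxy logs, honoring each indicator's validity window so a retired IoC does not raise a false alert. The bundle, the log format, and the field names host, dst, and dst_ip are constructed assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed STIX 2.1 indicator objects, trimmed to the fields used here.
BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "name": "Constructed C2 domain", "confidence": 80,
     "pattern": "[domain-name:value = 'c2.example.net']", "valid_from": "2025-06-01T00:00:00Z"},
    {"type": "indicator", "name": "Constructed retired C2 address", "confidence": 60,
     "pattern": "[ipv4-addr:value = '203.0.113.7']",
     "valid_from": "2025-06-01T00:00:00Z", "valid_until": "2025-06-10T00:00:00Z"},
    {"type": "identity", "name": "Constructed feed provider"},
]}
# Constructed proxy log lines standing in for internal telemetry.
LOGS = [
    "2025-06-20T10:01:02Z host=ws-14 dst=c2.example.net dst_ip=192.0.2.10",
    "2025-06-20T10:05:40Z host=ws-22 dst=cdn.example.com dst_ip=203.0.113.7",
    "2025-06-05T08:30:00Z host=ws-03 dst=files.example.com dst_ip=203.0.113.7",
    "2025-06-20T11:00:00Z host=ws-14 dst=intranet.example.com dst_ip=192.0.2.55",
]
# Handles only simple equality comparisons, not the full STIX patterning grammar.
COMPARISON = re.compile(r"(domain-name|ipv4-addr):value\s*=\s*'([^']+)'")

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_indicators(bundle):
    """Map each observable value to the indicators whose pattern names it."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "indicator":  # skip identities, reports, etc.
            for _kind, value in COMPARISON.findall(obj["pattern"]):
                index.setdefault(value.lower(), []).append(obj)
    return index

def correlate(lines, index):
    """Return enriched hits, skipping indicators not valid at event time."""
    hits = []
    for line in lines:
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        when = ts(stamp)
        for key in ("dst", "dst_ip"):
            for ind in index.get(fields.get(key, "").lower(), []):
                end = ind.get("valid_until")
                if ts(ind["valid_from"]) <= when and (end is None or when < ts(end)):
                    hits.append({"time": stamp, "host": fields["host"], "match": fields[key],
                                 "indicator": ind["name"], "confidence": ind["confidence"]})
    return sorted(hits, key=lambda h: -h["confidence"])

if __name__ == "__main__":
    print(*correlate(LOGS, load_indicators(BUNDLE)), sep="\n")
```

The ws-22 connection to 203.0.113.7 is not reported because it happened after that indicator's valid_until, while the earlier ws-03 connection to the same address is.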

How Anomali Makes OSINT Actionable

Anomali ThreatStream features a wide range of built-in OSINT feeds, including community-contributed IoCs and dark web sources. ThreatStream supports STIX/TAXII ingestion, enabling security professionals to aggregate and normalize threat intelligence feeds from dozens of trusted sources.

Some of the open-source threat intelligence feeds available in the ThreatStream APP Store.

Advanced AI capabilities make this threat data even more powerful. With Anomali, analysts can correlate OSINT with internal telemetry and historical trends, apply AI-driven scoring to prioritize the most relevant threats, and generate executive-ready summaries of IP reports, malware analysis, and dark web forums using large language model–powered tools.

Anomali also supports secure collaboration through Trusted Circles — private, role-based sharing communities that allow organizations to exchange threat intelligence with industry peers, trusted partners, and government agencies. These purpose-built groups help accelerate threat detection and response while maintaining control over sensitive data.

By turning open-source data into enriched, context-aware, and easily shareable intelligence, Anomali helps improve your organization’s security posture in real time, without the need for bolt-on tools or complex orchestration layers.

Key Takeaways

Open-source threat intelligence is a critical resource for modern security analysts. From malware indicators to phishing campaigns and dark web activity, the right OSINT sources can sharpen visibility, accelerate response, and reduce manual effort.

With Anomali, OSINT feeds aren’t just another data stream — they become part of an integrated, AI-powered threat intelligence platform designed to counter cyber attacks with precision.

Ready to see how Anomali turns OSINT into action? Schedule a demo.

Brianna Blacet

Brianna Blacet is the Senior Manager of Content Marketing at Anomali. She is a strategist and storyteller with a background in journalism and more than a decade of experience in B2B content marketing. She’s built high-performing content programs across cybersecurity, emerging tech, and AI. Her writing has appeared in national publications and under the bylines of Fortune 100 executives.
