Finding the best threat intelligence feeds is about finding the right mix of coverage, context, and operational value.
In this guide, you will find 12 free threat intelligence feeds worth following in 2026, what each one does best, and how to think about fit for your environment.
What Is a Threat Intelligence Feed?
A threat intelligence feed is a continuous stream of cyber threat data, such as malicious IP addresses, domains, URLs, hashes, and other indicators tied to known or emerging threats. Feeds add context that helps security teams assess relevance and act faster across the threat intelligence lifecycle, from detection to response.
Threat intelligence feeds often include:
- Malicious IP addresses
- Domains and URLs
- File hashes and malware indicators
- Tactics, techniques, and infrastructure signals
- Other threat data tied to active or emerging threats
Many organizations use both free and commercial feeds. Free or open-source feeds support broad visibility and cost-effective enrichment, while commercial feeds often provide stronger signal quality, deeper normalization, and better automation readiness.
What Makes a Good Quality Threat Intel Feed?
A good threat intelligence feed needs more than volume. Coverage matters, but depth, timeliness, and signal quality matter more. Before relying on any intelligence feed, security teams should evaluate:
- Update frequency — How often the feed refreshes and how quickly it reflects new threat activity
- Enrichment quality — How much useful context it adds beyond raw indicators
- False-positive risk — How likely it is to introduce noisy or low-confidence signals
- Format compatibility — How easily it fits existing workflows and tools
- Ease of automation — How well it supports automated enrichment, detection, and response
Different feeds serve different purposes. Some are better for phishing URLs, domains, and email-linked threats. Others are stronger for malware information, hashes, behaviors, and related infrastructure. Some focus on IP address, domain, and sender reputation, while others are more useful for prioritizing vulnerabilities tied to active exploitation.
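The false-positive and freshness criteria above can be checked before a feed is wired into blocking. The following is an added example, not code from any feed listed here: it vets a constructed IP feed snapshot for malformed, duplicate, non-routable, allowlisted, and stale entries. The feed rows, allowlist, and 30-day age limit are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Ranges that should never reach a blocklist. An explicit list is used because
# the constructed sample uses documentation ranges as stand-ins for public IPs.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Constructed sample rows: (indicator, last_seen timestamp).
SAMPLE_FEED = [
    ("203.0.113.7", "2026-01-10T08:00:00+00:00"),
    ("203.0.113.7 ", "2026-01-10T09:00:00+00:00"),   # duplicate after trimming
    ("192.168.1.20", "2026-01-11T00:00:00+00:00"),   # RFC 1918 address
    ("198.51.100.53", "2026-01-11T00:00:00+00:00"),  # our own resolver (assumed)
    ("192.0.2.99", "2025-09-01T00:00:00+00:00"),     # not seen for months
    ("not-an-ip", "2026-01-11T00:00:00+00:00"),
    ("192.0.2.14", "2026-01-12T00:00:00+00:00"),
]
ALLOWLIST = ["198.51.100.53/32"]                      # assumed internal allowlist
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)      # fixed so the run is repeatable

def vet_feed(rows, allowlist, now, max_age_days=30):
    """Return (usable indicators, reject counts keyed by reason)."""
    keep, rejects, seen = [], {}, set()
    cutoff = now - timedelta(days=max_age_days)
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    for value, last_seen in rows:
        reason = None
        try:
            ip = ipaddress.ip_address(value.strip())
        except ValueError:
            reason = "malformed"
        else:
            if ip in seen:
                reason = "duplicate"
            elif any(ip in net for net in NON_ROUTABLE):
                reason = "non_routable"
            elif any(ip in net for net in allowed):
                reason = "allowlisted"
            elif datetime.fromisoformat(last_seen) < cutoff:
                reason = "stale"
        if reason:
            rejects[reason] = rejects.get(reason, 0) + 1
        else:
            seen.add(ip)
            keep.append(str(ip))
    return keep, rejects
```

Tracking the reject counts per feed over time gives a rough measure of its noise before any of its indicators reach a firewall or mail filter.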
1. VMRay ThreatFeed
VMRay ThreatFeed is a strong option for teams that want behavior-based threat intelligence with deeper context. It is built on evasion-resistant sandbox analysis and includes atomic indicators, behavioral markers, MITRE ATT&CK mappings, configuration extracts, and enriched labeling. It is delivered in STIX 2.1 over TAXII, making it easier to use in automated workflows and threat intelligence sharing platforms.
That gives VMRay an edge over feeds that mainly aggregate external data sources. Instead, it generates intelligence from real malware execution and analysis, helping security teams improve threat detection, enrichment, threat hunting, and SOC workflows through actionable threat intelligence.
The public VMRay ThreatFeed site also shows a daily stream of analyzed malware samples processed through VMRay Analyzer, reinforcing its analysis-first approach.
2. SANS Internet Storm Center (ISC)
SANS Internet Storm Center is a long-running community resource for internet threat monitoring and practical defensive awareness. Its threat feeds are useful for situational awareness, broad monitoring, and keeping up with active internet trends that may affect your environment.
ISC is best treated as a trusted external signal source rather than a deeply enriched intelligence platform. It gives security teams visibility and context at a broad level, but it is more general than specialized or sandbox-derived feeds. That still makes it useful, especially for teams that want free threat information from a widely followed source.
3. LevelBlue Labs Open Threat Exchange (OTX)
Open Threat Exchange, now associated with LevelBlue Labs, remains one of the most recognized community-driven threat intelligence platforms. It stands out for its collaborative model and its large pool of shared indicators contributed by analysts and organizations.
That breadth is useful, especially for teams that want free access to a large body of cyber threat intelligence feeds and shared threat information. At the same time, community-driven content can vary in quality and relevance, so internal validation still matters. OTX is often most useful when paired with stronger internal context or other threat intelligence tools.
4. Spamhaus
Spamhaus is a strong option for email, domain, and IP address reputation use cases. Its focus on spam, malware, abusive infrastructure, and blocklists makes it especially useful for organizations dealing with malicious senders, suspicious domains, and perimeter filtering needs.
Operationally, Spamhaus helps reduce exposure to known abusive infrastructure and supports more effective filtering across mail and network defenses. Its strengths are narrower and more reputation-focused than behavior-rich feeds, but that specialization is also what makes it valuable. Not every intelligence feed needs to do everything.
5. OpenPhish
OpenPhish is a specialized threat intelligence feed focused on phishing URLs and related infrastructure. It offers both free and premium versions with different update frequencies and depth levels, making it a practical option for teams that want phishing-focused threat intel feeds.
Its strongest fit is in email security, browser protection, URL filtering, and phishing response workflows. Because it is focused on one attack type, it works best as part of a broader threat intelligence strategy rather than as a complete cyber threat intelligence platform on its own.
6. CrowdSec
CrowdSec is a community-driven feed with strong malicious IP intelligence and broad visibility into suspicious activity across a large network. Both free and commercial options are available, though the free version comes with query limits.
For security teams, CrowdSec is most useful where malicious IP detection, infrastructure-level alerting, and automated blocking matter. It is not trying to be the deepest contextual malware intelligence platform, but it does provide a practical signal layer that can support perimeter defense and detection pipelines.
7. Shadowserver
Shadowserver is an operationally valuable source of remediation-focused intelligence. Instead of acting only as a passive feed of indicators, it provides free reports on exposed services, infections, botnets, and other internet-facing issues that defenders can investigate and fix.
That makes it particularly useful for larger organizations and network defenders who need to prioritize real exposure. Shadowserver is strong when the goal is not just collecting threat data, but identifying what needs cleanup, investigation, or containment.
8. HoneyDB
HoneyDB is a honeypot-driven intelligence source. It gathers data from attacker interactions with decoy systems, which can reveal scanning behavior and attacker patterns that may not show up as clearly in broader threat intelligence feeds.
This makes HoneyDB useful for teams interested in behavioral visibility and opportunistic probing. It is a helpful specialized feed for studying attacker activity, but it is not a replacement for broader feeds with stronger context or wider coverage across malware, phishing, and infrastructure signals.
9. AIS (Automated Indicator Sharing)
AIS is a government-backed mechanism for threat intelligence sharing. Its role is to support machine-readable exchange of cyber threat indicators so participating sectors and communities can improve awareness and response.
Its usefulness depends heavily on the consuming team’s ability to ingest, interpret, and operationalize the data. For organizations with mature workflows, AIS can support broader visibility into cybersecurity threats affecting shared ecosystems, especially in the United States and connected sectors.
10. Blocklist.de
Blocklist.de is a volunteer-supported source of attack data from common server-side abuse. It publishes regularly updated IP blocklists tied to attacks on SSH, FTP, mail logins, and web servers.
That makes it most useful for infrastructure and server security teams looking for practical visibility into recurring abusive sources. Like Spamhaus, its strength is focused rather than broad. It is more about tactical filtering and defense than full-spectrum cyber threat intelligence.
11. CISA Known Exploited Vulnerabilities (KEV)
CISA’s Known Exploited Vulnerabilities catalog is one of the most practical free sources for vulnerability prioritization. Its value comes from tracking vulnerabilities that are known to be exploited in the wild, which gives security teams stronger grounds for risk-based patching and remediation.
KEV is more vulnerability-centric than malware- or infrastructure-centric, so it complements the other feeds on this list rather than replacing them. For cloud security, exposure management, and broader threat and vulnerability management programs, that real-world exploitation signal is often more useful than speculative vulnerability scoring alone.
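To show how the exploitation signal changes patch order compared with score alone, here is an added example (not CISA's or this page's code) that ranks scanner findings against a KEV-shaped JSON excerpt. The catalog entries and findings are constructed, the CVE IDs are placeholders, and the ordering policy (overdue first, then ransomware-linked, then earliest due date) is an assumption.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON catalog; CVE IDs are placeholders.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2025-12-01", "dueDate": "2025-12-22",
   "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed scanner findings: (host, CVE, CVSS base score).
FINDINGS = [
    ("web-01", "CVE-0000-0003", 9.8),   # highest score, not in KEV
    ("db-02", "CVE-0000-0002", 7.5),    # in KEV, due date already passed
    ("vpn-01", "CVE-0000-0001", 8.1),   # in KEV, ransomware use known
    ("app-04", "CVE-0000-0004", 5.3),   # not in KEV
]
TODAY = date(2026, 1, 15)               # fixed so the run is repeatable

def prioritize(findings, kev_json, today):
    """Rank findings: KEV-listed first, everything else by CVSS score."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    ranked = []
    for host, cve, cvss in findings:
        entry = kev.get(cve)
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            # Within KEV: overdue, then ransomware-linked, then earliest due date.
            key = (0, due >= today,
                   entry["knownRansomwareCampaignUse"] != "Known",
                   due.toordinal(), -cvss)
        else:
            key = (1, False, False, 0, -cvss)
        ranked.append((key, host, cve, entry is not None))
    ranked.sort(key=lambda r: r[0])
    return [(host, cve, in_kev) for _, host, cve, in_kev in ranked]
```

With the sample data, the 7.5 and 8.1 findings that appear in the catalog are ranked ahead of the 9.8 finding that does not.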
12. abuse.ch URLhaus
URLhaus is focused on malicious URLs and the infrastructure used for malware distribution. The project describes itself as a platform from abuse.ch and Spamhaus dedicated to sharing malicious URLs used in malware campaigns, and it offers APIs to help automate bulk queries and signal exchange.
This makes URLhaus valuable for threat blocking, URL reputation checks, and investigations involving malware delivery infrastructure. It is strongest when paired with richer contextual sources, since URL-focused intelligence is most effective when analysts can connect it to broader malware behavior, threat actors, and campaign patterns.
Putting Threat Intelligence Feeds to Work
The best threat intelligence feeds are not simply the biggest ones. They are the ones that combine timeliness, accuracy, context, and operational usefulness.
Free sources can add real value, but they vary a lot in enrichment depth, signal quality, and fit across incident response, threat hunting, cloud security, and broader security operations. A strong program usually blends specialized free feeds with a more reliable source of high-confidence intelligence.
For teams that need deeper behavioral context and less noise, VMRay ThreatFeed stands out as a strong fit. Its sandbox-derived intelligence, MITRE ATT&CK mapping, behavioral markers, and automation-ready delivery make it especially useful for organizations that want more actionable insights from their threat intelligence workflow.