
Live Threat Intelligence Resources

This page aggregates the highest-signal free threat intelligence resources for SOC analysts. Bookmark this as your daily threat briefing starting point.

Update Frequency

This page is manually curated and updated periodically. For live, automated feeds, see the Threat Feed Integration guide.
Daily Briefing Sources

Government & CERT

| Source | URL | Update Frequency | Best For |
| --- | --- | --- | --- |
| CISA Known Exploited Vulnerabilities (KEV) | https://www.cisa.gov/known-exploited-vulnerabilities-catalog | Daily | Patch prioritization |
| CISA Alerts & Advisories | https://www.cisa.gov/news-events/cybersecurity-advisories | As needed | Critical threats |
| US-CERT Current Activity | https://www.cisa.gov/uscert/ncas/current-activity | Daily | Active campaigns |
| FBI Flash Advisories | https://www.ic3.gov/Home/IndustryAlerts | As needed | Criminal threat groups |
| NSA Cybersecurity Advisories | https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Technical-Guidance/ | Monthly | Nation-state TTPs |
| NCSC (UK) Threat Reports | https://www.ncsc.gov.uk/section/keep-up-to-date/threat-reports | Weekly | APT campaigns |
| ENISA Threat Landscape | https://www.enisa.europa.eu/topics/cyber-threats | Annual + updates | EU threat landscape |
| ASD/ACSC (Australia) | https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/cyber-supply-chain-risk-management | As needed | APAC threats |

Vendor Research Blogs

| Vendor | Focus | Notable Features |
| --- | --- | --- |
| Mandiant/Google TI Blog | APT groups, incident research | Named threat actor tracking |
| CrowdStrike Intelligence | eCrime, nation-state | Adversary naming (Bears/Kittens/etc.) |
| Microsoft MSTIC | Azure/M365 attacks, nation-state | CVE/TTP correlation |
| Recorded Future | Geopolitical risk, dark web | Structured TI with confidence scores |
| Palo Alto Unit 42 | Malware families, campaigns | Excellent malware analysis |
| Secureworks CTU | eCrime, ransomware | Gold/Silver naming |
| Cisco Talos | Network threats, malware | Snort rules |
| ESET Research | APT, Eastern European threats | In-depth malware reports |
| Check Point Research | Mobile, cloud threats | Threat indices |
| Sophos X-Ops | Ransomware focus | State of Ransomware annual report |

OSINT & IOC Feeds

Free IOC Sources

| Feed | Type | STIX/TAXII? | Notes |
| --- | --- | --- | --- |
| AlienVault OTX | IP, domain, hash, URL | Yes (TAXII) | Community contributed, quality varies |
| Abuse.ch (MalwareBazaar) | Malware hashes | API | Curated malware samples |
| Abuse.ch (URLhaus) | Malicious URLs | API | Malware distribution URLs |
| Abuse.ch (ThreatFox) | IOCs (all types) | API | Community + automated |
| PhishTank | Phishing URLs | API | Crowdsourced phishing |
| OpenPhish | Phishing URLs | Feed | Automated detection |
| Emerging Threats (ET) Rules | Snort/Suricata rules | Download | Network detection |
| MISP Default Feeds | Multiple IOC types | MISP/STIX | Community MISP instances |
| DigitalSide TI | Multiple | MISP | Italian CERT feed |
| Botvrij.eu | Multiple | MISP | European TI |

Premium (Free Tier Available)

| Service | Free Tier | Use Case |
| --- | --- | --- |
| VirusTotal | 4 lookups/min | Hash/URL/domain lookup |
| Shodan | Limited queries | Internet-facing asset exposure |
| Censys | Limited queries | Internet scan data |
| SecurityTrails | 50 queries/month | DNS history, domain intel |
| GreyNoise | Community tier | IP noise vs. signal |
| Spyse/SecurityTrails | Limited | OSINT enrichment |

Vulnerability Intelligence

Vulnerability Feeds

| Source | What It Provides | API? |
| --- | --- | --- |
| NVD (NIST) | CVE details, CVSS scores | Yes |
| CISA KEV | Actively exploited vulns | Yes (JSON) |
| EPSS (FIRST.org) | Exploit probability scoring | Yes |
| VulnDB (Risk Based Security) | Commercial, comprehensive | Paid |
| Exploit-DB | Public exploits, PoC | Search |
| 0day.today | Exploit marketplace | Research only |
| Packet Storm | Exploits, advisories | Search |

Vulnerability Query

```python
# Fetch the CISA KEV catalog and list each entry with its remediation due date
import requests

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

resp = requests.get(KEV_URL, timeout=30)  # never block a SOC script indefinitely
resp.raise_for_status()  # fail loudly on HTTP errors instead of parsing an error page as JSON
kev = resp.json()

for vuln in kev["vulnerabilities"]:
    print(f"{vuln['cveID']} | {vuln['vendorProject']} | Due: {vuln['dueDate']}")
```

Dark Web Monitoring (Free/OSINT Methods)

Legal and Operational Security

Dark web research must be conducted through proper channels with appropriate operational security. Use Tor Browser or dedicated research VMs. Never use corporate credentials or personal identity for dark web research.

Ransomware Leak Site Monitoring (via OSINT)

Several security researchers maintain indexed/archived versions of ransomware group activity:

| Resource | What It Tracks |
| --- | --- |
| Ransomwatch (GitHub) | Ransomware group sites, victim counts |
| DarkFeed | Aggregated ransomware posts (paid) |
| ID Ransomware | Ransomware identification service |
| NoMoreRansom.org | Decryptors, victim support |
| CISA Ransomware Guide | Defensive guidance |

Threat Actor Tracking

ATT&CK Groups Database

The MITRE ATT&CK Groups page provides structured TTP data for 130+ threat actors:

  • Technique mappings per group
  • Software used
  • Campaign timeline
  • References

ATT&CK Group Matrix: https://attack.mitre.org/groups/
ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/

Key APT Group Quick Reference

| Group | Also Known As | Origin | Primary Targets | Key TTPs |
| --- | --- | --- | --- | --- |
| APT28 | Fancy Bear, STRONTIUM | Russia (GRU) | Government, defense, elections | T1566, T1078, T1071 |
| APT29 | Cozy Bear, Midnight Blizzard | Russia (SVR) | Government, think tanks, cloud | T1078.004, T1560, T1102 |
| APT41 | Double Dragon, BARIUM | China (MSS) | Telecom, finance, gaming | T1078, T1027, T1105 |
| Lazarus Group | Hidden Cobra | North Korea (RGB) | Finance, crypto, defense | T1059, T1003, T1486 |
| Volt Typhoon | Bronze Silhouette | China | Critical infrastructure | T1078, LOLBAS heavy |
| Scattered Spider | 0ktapus | eCrime (EN-speaking) | Finance, cloud (Okta, M365) | T1078.004, T1566.001 |
| FIN7 | Carbanak, Carbon Spider | eCrime | Hospitality, finance, retail | T1566, T1059.001 |
| LockBit | Gold Mystic | eCrime (RaaS) | All sectors | T1486, T1490, T1048 |
| Cl0p | TA505 | eCrime | Financial, healthcare | T1190, T1048, T1486 |
| ALPHV/BlackCat | Noberus | eCrime (RaaS defunct) | Healthcare, manufacturing | T1486, T1048, BYOVD |

Malware Family Intelligence

Malware Analysis Platforms

| Platform | Use Case | Free? |
| --- | --- | --- |
| MalwareBazaar | Download/share samples | Yes |
| Any.run | Interactive sandbox | Yes (limited) |
| Hybrid Analysis | Automated sandbox | Yes |
| Triage (tria.ge) | Automated sandbox | Yes |
| VirusTotal | Multi-engine scan + behavior | Free (limited) |
| Cuckoo Sandbox | Self-hosted sandbox | Yes (self-hosted) |
| Cape Sandbox | Self-hosted, memory dumps | Yes (self-hosted) |
| YARA Rules (YARAhub) | Detection rules for families | Yes |

Community & Information Sharing

ISACs (Information Sharing and Analysis Centers)

| ISAC | Sector |
| --- | --- |
| FS-ISAC | Financial Services |
| H-ISAC | Healthcare |
| E-ISAC | Electricity / Energy |
| IT-ISAC | Technology |
| WS-ISAC | Water/Wastewater |
| A-ISAC | Aviation |
| MS-ISAC | State/Local Government |

Community Forums & Channels

  • FIRST.org — Forum of Incident Response and Security Teams, global
  • Slack: ThreatIntel.org — Analyst community (invite-based)
  • LinkedIn Security Groups — Threat intelligence sharing
  • Twitter/X: #threatintel, #infosec — Real-time community sharing
  • Mastodon: infosec.exchange — Privacy-conscious security community

Regulatory & Compliance Intelligence

| Body | Jurisdiction | Key Publications |
| --- | --- | --- |
| CISA (US) | United States | Shields Up, KEV, Joint Advisories |
| FTC | United States | Breach enforcement, data security guidance |
| SEC | United States | Cybersecurity disclosure rules (material incidents disclosed within 4 days) |
| EDPB | European Union | GDPR enforcement, data breach notification guidelines |
| ICO | United Kingdom | UK GDPR, breach notification |
| OAIC | Australia | Privacy Act, NDB scheme |
| PDPB | India | Personal Data Protection Bill |
| PIPL | China | Data localization, cross-border transfer |

Building Your Threat Intelligence Program

For implementing a structured TI program, see:

  1. Chapter 7: Threat Intelligence & Context
  2. Detection Query Library — integrate IOCs as detection rules
  3. Threat Hunt Hypothesis Library — actor-specific hypotheses
  4. Lab 5: LLM Guardrails Eval — AI-assisted TI analysis

Last reviewed: March 2026 | Maintained by Nexus SecOps Contributors