Threat Intelligence Feeds
91+ community threat intelligence sources powering SOC Defenders
Feed Architecture
Our threat intelligence is sourced from 91+ community feeds organized into 3 tiers based on update frequency and criticality:
Tier 1 (17 feeds): Updated every 15 minutes. Active C2 servers, live phishing, abuse.ch feeds.
Tier 2 (37 feeds): Updated every 1 hour. Community blocklists, hash feeds, emerging threats.
Tier 3 (37 feeds): Updated every 6 hours. Historical aggregates, reputation lists, large datasets.
Enterprise-Grade Reliability
Circuit Breaker
Feeds that fail repeatedly are automatically disabled to prevent cascading failures.
Exponential Backoff
Smart retry logic with jitter to prevent thundering-herd effects.
TLP Classification
Traffic Light Protocol tagging for proper information sharing.
Confidence Scoring
Source reputation-based scoring for IOC prioritization.
Tier 1 Feeds
Updated every 15 minutes
| Feed Name | Category | Description |
|---|---|---|
| URLhaus | Malware | Malicious URLs distributing malware |
| Feodo Tracker | C2/RAT | Botnet C2 IPs (Emotet, TrickBot, QakBot, Dridex) |
| ThreatFox | Mixed | Mixed IOCs from community submissions |
| C2 Tracker - Cobalt Strike | C2/RAT | Active Cobalt Strike C2 servers |
| C2 Tracker - Metasploit | C2/RAT | Active Metasploit Framework C2 servers |
| C2 Tracker - Sliver | C2/RAT | Active Sliver C2 servers |
| C2 Tracker - Brute Ratel | C2/RAT | Active Brute Ratel C4 servers |
| C2 Tracker - Havoc | C2/RAT | Active Havoc C2 servers |
| C2 Tracker - AsyncRAT | C2/RAT | Active AsyncRAT C2 servers |
| C2 Tracker - DcRAT | C2/RAT | Active DcRAT C2 servers |
| C2 Tracker - Posh | C2/RAT | Active Posh C2 servers |
| OpenPhish | Phishing | Active phishing URLs |
| C2 Tracker - Mythic | C2/RAT | Active Mythic C2 servers |
| C2 Tracker - Deimos | C2/RAT | Active Deimos C2 servers |
| C2 Tracker - NightHawk | C2/RAT | Active NightHawk C2 servers |
| SSL Blacklist IPs | C2/RAT | IPs associated with malicious SSL certificates |
| VXVault URLs | Malware | Live malware download URLs |
Tier 2 Feeds
Updated every 1 hour
| Feed Name | Category | Description |
|---|---|---|
| MalwareBazaar MD5 | Malware | Recent malware MD5 hashes |
| MalwareBazaar SHA256 | Malware | Recent malware SHA256 hashes |
| SSL Blacklist JA3 | C2/RAT | Malicious JA3 fingerprints |
| DigitalSide IPs | Blocklist | Latest malicious IPs |
| DigitalSide Domains | Blocklist | Latest malicious domains |
| DigitalSide URLs | Malware | Latest malicious URLs |
| Phishing Army | Phishing | Phishing domain blocklist |
| TweetFeed | Mixed | IOCs shared by security researchers on Twitter/X |
| Botvrij Destination IPs | C2/RAT | Destination IPs from malware traffic |
| Botvrij Domains | Malware | Malicious domains from threat analysis |
| Blocklist.de SSH | Blocklist | SSH brute force attackers |
| Blocklist.de Apache | Blocklist | Apache web attack IPs |
| Blocklist.de Bruteforce | Blocklist | Brute force login attackers |
| Binary Defense | Blocklist | Attacker IPs from honeypot network |
| GreenSnow | Blocklist | Active attacking IPs |
| CI Army Bad IPs | Blocklist | Known bad actors from Collective Intelligence |
| ET Compromised IPs | Blocklist | Known compromised hosts |
| Botvrij URLs | Malware | Malicious URLs from threat analysis |
| Blocklist.de Mail | Blocklist | Mail spam IPs |
| Blocklist.de Bots | Blocklist | Bot IPs |
| Blocklist.de Strong IPs | Blocklist | Persistent attackers (multiple attacks) |
| Blocklist.de All | Blocklist | All reported attacking IPs |
| Bambenek DGA Domains | C2/RAT | High-confidence DGA domains |
| Bambenek C2 IPs | C2/RAT | High-confidence C2 IPs |
| Bambenek C2 Domains | C2/RAT | High-confidence C2 domains |
| DShield Top 20 | Blocklist | Top 20 attacking IPs |
| DShield Suspicious Domains High | Blocklist | High-confidence malicious domains |
| InterServer | Blocklist | Attack IPs from hosting provider honeypots |
| Talos IP Blacklist | Blocklist | Talos known malicious IPs |
| MyIP Full Blacklist | Blocklist | Comprehensive IP blacklist |
| Bruteforce Blocker | Blocklist | Brute force attackers |
| NoThink SSH | Blocklist | SSH attacking IPs |
| NoThink Telnet | Blocklist | Telnet attacking IPs |
| Rutgers Malware Domains | Malware | Malicious domains list |
| Cybercrime Tracker | C2/RAT | Active C2 panel URLs |
| Disposable Email Domains | Blocklist | Temporary/disposable email domains |
| Cryptominer Domains | Malware | Cryptojacking domains |
Tier 3 Feeds
Updated every 6 hours
| Feed Name | Category | Description |
|---|---|---|
| IPsum Level 3+ | Blocklist | IPs on 3+ threat intel lists |
| IPsum Level 4+ | Blocklist | IPs on 4+ threat intel lists |
| IPsum Level 5+ | Blocklist | IPs on 5+ threat intel lists (highest confidence) |
| Tor Exit Nodes | Blocklist | Current Tor exit node IPs |
| Spamhaus DROP | Blocklist | Don't Route Or Peer - hijacked/leased ranges |
| Spamhaus EDROP | Blocklist | Extended DROP - additional bad ranges |
| CISA KEV | Mixed | CISA Known Exploited Vulnerabilities catalog |
| FireHOL Level 1 | Blocklist | Critically dangerous IPs |
| Darklist | Blocklist | SSH brute force and spam IPs |
| CyberCure IPs | Blocklist | Active threat IPs from CyberCure honeypots |
| IPsum Level 2+ | Blocklist | IPs on 2+ threat intel lists |
| IPsum Level 6+ | Blocklist | IPs on 6+ threat intel lists (very high confidence) |
| IPsum Level 7+ | Blocklist | IPs on 7+ threat intel lists (extremely high confidence) |
| FireHOL Level 2 | Blocklist | Confirmed dangerous IPs |
| FireHOL Level 3 | Blocklist | Suspected dangerous IPs |
| FireHOL Abusers 1d | Blocklist | Recent (24h) active abusers |
| FireHOL Webclient | Blocklist | IPs attacking web clients |
| AlienVault Reputation | Blocklist | AlienVault IP reputation data |
| ET Tor Nodes | Blocklist | Tor exit and relay nodes |
| ET DShield | Blocklist | Combined block list |
| ET BotCC | C2/RAT | Known Bot C&C IPs |
| Malware Domain List | Malware | Historical malware domains |
| URLhaus Full | Malware | Full URLhaus database (text) |
| Spam404 | Phishing | Scam/spam domains |
| Disconnect Malvertising | Malware | Malvertising domains |
| SANS ISC Top IPs | Blocklist | Top attacking source IPs |
| StopForumSpam | Blocklist | Toxic IPs (forum spam/abuse) |
| CryptoLocker Domains | Ransomware | CryptoLocker DGA domains |
| Locky DGA Domains | Ransomware | Locky ransomware DGA domains |
| Mirai Scanner IPs | C2/RAT | Mirai-infected scanner IPs |
| BotScout IPs | Blocklist | Recently caught bot IPs |
| MyIP WebSec | Blocklist | Latest attackers (CSF format) |
| SSL Blacklist SHA1 | C2/RAT | Malicious SSL certificate SHA1 hashes |
| NoCoin Blocklist | Malware | Cryptominer domain blocklist |
| Dan.me.uk Tor | Blocklist | Tor exit nodes (alternative) |
| PhishStats URLs | Phishing | Phishing URLs with confidence scores |
| PhishTank Verified | Phishing | Verified phishing URLs |
Data Sources & Attribution
All threat intelligence is sourced from free, community-driven projects. We gratefully acknowledge:
Access via API
All IOCs are available through our REST API and TAXII 2.1 server for SIEM/SOAR integration.