
6 Free Threat Intelligence Sources You Can't Live Without in 2025

Ted Gruenloh
CEO @ Nomic Networks
November 29, 2024

In cybersecurity, knowledge is crucial, but knowing what to do with that knowledge is even more important. A strong cyber threat intelligence framework is still a vital tool in the modern cybersecurity toolbox, as organizations lean on tried-and-true threat intelligence feeds for active protection and incident response.

What do you mean by “Threat Intelligence Feed”?

Chances are you have at least a rudimentary understanding of threat intelligence feeds. But to avoid any confusion, let’s briefly explore what they are and how they work.

A threat intelligence feed provides organizations with real-time or regularly updated information on cybersecurity risks and threats. This information typically includes data about attackers: indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), and contextual intelligence like threat severity, geographical origin, and even relevance to specific industries.

Integrating threat intelligence into your security stack significantly enhances cyber threat monitoring and proactive defense capabilities, ultimately boosting your security posture. That’s easier said than done, though.

Types of Threat Intelligence Feeds

Threat Feeds can be sorted into a few different types.

Open-Source and Community Feeds. These are free threat intelligence feeds typically managed by cybersecurity community members, security researchers, and organizations dedicated to improving overall threat awareness.

Commercial Threat Intelligence. These feeds are usually subscription-based and are advertised as providing more comprehensive information. Sometimes these subscriptions bundle or aggregate several feeds together as a service.

Government/NGO Feeds. Many government or non-profit industry groups share threat intelligence information specific to their industry. We’ll talk about ISACs specifically next.

Leveraging ISAC Threat Intelligence Feeds

Before we get to a sampling of broader threat intelligence feeds, it’s worth noting that the best feeds are hyper-focused on risks to your specific organization. That usually means a focus on your organization’s industry.

By joining a sector-specific Information Sharing and Analysis Center (ISAC), you’ll gain (sometimes) free access to threat intelligence that provides insights relevant to your organization. The National Council of ISACs is a good place to start. This is where you’ll find ISACs ranging from the automotive industry to the water sector and everything in between. Whatever your sector, there’s an ISAC and, hence, a laser-focused threat intelligence feed waiting for you.

Here’s What Matters

Frequency. Feeds that prioritize update frequency deliver updates as quickly as possible, often in real time or near real time. The idea here is that IP addresses and domains can change quickly, and reliance on old data can cause unnecessary false positives.

Accuracy. Although sometimes they don’t get updated as frequently, threat intelligence feeds that prioritize accuracy can provide credible, actionable, and relevant information to your organization. These feeds will conduct rigorous validation and contextual analysis before issuing information.

Integration. It’s also important to consider the integration capabilities of various threat intelligence feeds. While most feeds offer API access, their integration capabilities can vary significantly. The most effective feeds provide multiple data formats (CSV, JSON, STIX) and support various integration methods, making them more valuable for organizations with diverse security stacks.

A Sampling of Six Effective (and Free) Threat Intelligence Feeds

The six threat feed examples below are a diverse mix of old-school, enterprise, and threat-specific lists, and the best news of all is that they’re all free.

  1. DShield Top 20. The DShield Top 20 is one of the original threat intelligence feeds. Compiled by the SANS Internet Storm Center (ISC), it traditionally lists the top 20 most active attacking /24 subnets. Employ this as a blacklist at the edge of your network, and that’s 20 x 256 = 5,120 fewer malicious IPs you need to worry about.
  2. Talos IP Reputation Blacklist. The Talos IP Reputation Blacklist is Cisco's contribution to the threat intelligence community. Much like Nomic's proprietary CINS Army feed (which I’ll get to later), Cisco offers a portion of its threat and reputation lists to the community — for free.
  3. CleanTalk HTTP Spammers. The CleanTalk HTTP Spammers intelligence feed is a unique list of IPs known for attempting to spam websites with form submissions, bogus comments, and the like. It also includes SPAM email servers, but the inbound website spamming IPs are of particular use to network and security admins protecting public web servers.
  4. Critical Path Security Log4j Attackers. Log4j is still a massive problem. This list, which updates frequently, includes the networks targeting vulnerable Apache servers so you can stay protected.
  5. Tor Exit Nodes. While not strictly a "threat feed," the Tor Exit Nodes list is a critical resource for organizations looking to control access to the Tor network from their corporate environment. It offers clear evidence if and when Tor traffic is active on your network, helping you identify and monitor any attempts to route traffic through it.
  6. CINS Army List. The CINS Army List is Nomic's free threat intelligence feed. It continuously gathers attack data from Outpost sensors worldwide, uses these metrics to assign malicious IPs a CINS Score, and distributes these lists to Nomic devices in the field so they can block known bad traffic in real-time.

What makes the CINS Army List unique is that each sensor learns from every other sensor, benefiting from the collective intelligence of every Nomic customer. The CINS Army List has been in action for over a decade, boasts thousands upon thousands of daily automated downloads, is informed by millions of scans, probes, and exploit attempts per month, and is trusted by many of the world’s best security professionals.

Want to use the CINS Lists? The list is available in its old-school text file format here: https://cinsscore.com/list/ci-badguys.txt.

It’s also available as a tarball, containing several formats, including STIX/TAXII and IPS rules. You can get it here: https://cinsarmy.com/list-download/.
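Before a plain-text list like the ones above goes into an edge blocklist, it is worth validating every entry. The following is an added example, not Nomic's or any feed provider's code: it assumes a feed with one IP or CIDR subnet per line and `#` comments, and it rejects malformed entries, refuses entries that overlap protected ranges, and collapses duplicates and overlaps. The sample feed and the `NEVER_BLOCK` policy are constructed for illustration.

```python
import ipaddress

SAMPLE_FEED = """# constructed sample (documentation ranges), not real feed data
203.0.113.7
198.51.100.0/24
198.51.100.42
10.1.2.3
not-an-ip
192.0.2.300
"""
# Ranges a feed must never be allowed to block (assumed local policy).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def to_network(text):
    """Parse an IP or CIDR string; return None if it is malformed."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def parse_feed(text):
    """Return (collapsed networks, [(entry, reason)] for rejected entries)."""
    nets, rejected = [], []
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    for entry in filter(None, entries):
        net = to_network(entry)
        if net is None:
            rejected.append((entry, "malformed"))
        elif any(net.overlaps(p) for p in NEVER_BLOCK):
            rejected.append((entry, "protected range"))
        else:
            nets.append(net)
    collapsed = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        collapsed += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    return collapsed, rejected

def blocked_addresses(networks):
    """Total number of addresses covered, e.g. 20 /24s cover 20 x 256."""
    return sum(n.num_addresses for n in networks)

def is_blocked(ip, networks):
    """True if a single address falls inside any listed network."""
    addr = to_network(ip)
    return addr is not None and any(n.overlaps(addr) for n in networks)
```

Logging the rejected entries on every refresh makes a broken or tampered feed visible before it reaches the firewall.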

Interested in signing up for the CINS Army Brief newsletter? You can start here: https://cinsarmy.com/collective-intelligence-network-security/.


Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.
