A curated list of Awesome Threat Intelligence resources
awesome-threat-intelligence
A curated list of awesome Threat Intelligence resourcesA concise definition of Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
Feel free to contribute.
Sources
Most of the resources listed below provide lists and/or APIs to obtain (hopefully) up-to-date information with regards to threats. Some consider these sources as threat intelligence, opinions differ however. A certain amount of (domain- or business-specific) analysis is necessary to create true threat intelligence.
| AbuseIPDB | AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. It's mission is to help make Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.. |
| APT Groups and Operations | A spreadsheet containing information and intelligence about APT groups, operations and tactics. |
| Binary Defense IP Banlist | Binary Defense Systems Artillery Threat Intelligence Feed and IP Banlist Feed. |
| BGP Ranking | Ranking of ASNs having the most malicious content. |
| Botnet Tracker | Tracks several active botnets. |
| BOTVRIJ.EU | Botvrij.eu provides different sets of open source IOCs that you can use in your security devices to detect possible malicious activity. |
| BruteForceBlocker | BruteForceBlocker is a perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, http://danger.rulez.sk/projects/bruteforceblocker/blist.php. |
| C&C Tracker | A feed of known, active and non-sinkholed C&C IP addresses, from Bambenek Consulting. Requires license for commercial use. |
| CertStream | Real-time certificate transparency log update stream. See SSL certificates as they're issued in real time. |
| CCSS Forum Malware Certificates | The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates. |
| CI Army List | A subset of the commercial CINS Score list, focused on poorly rated IPs that are not currently present on other threatlists. |
| Cisco Umbrella | Probable Whitelist of the top 1 million sites resolved by Cisco Umbrella (was OpenDNS). |
| Cloudmersive Virus Scan | Cloudmersive Virus Scan APIs scan files, URLs, and cloud storage for viruses. They leverage continuously updated signatures for millions of threats, and advanced high-performance scanning capabilities. The service is free, but requires you register for an account to retrieve your personal API key. |
| CrowdSec Console | The largest crowd-sourced CTI, updated in near real-time, thanks to CrowdSec a next-gen, open-source, free, and collaborative IDS/IPS software. CrowdSec is able to analyze visitor behavior & provide an adapted response to all kinds of attacks. Users can share their alerts about threats with the community and benefit from the network effect. The IP addresses are collected from real attacks and are not coming exclusively from a honeypot network. |
| Cyber Cure free intelligence feeds | Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There are list of urls used by malware and list of hash files of known malware that is currently spreading. CyberCure is using sensors to collect intelligence with a very low false positive rate. Detailed documentation is available as well. |
| Cyware Threat Intelligence Feeds | Cyware’s Threat Intelligence feeds brings to you the valuable threat data from a wide range of open and trusted sources to deliver a consolidated stream of valuable and actionable threat intelligence. Our threat intel feeds are fully compatible with STIX 1.x and 2.0, giving you the latest information on malicious malware hashes, IPs and domains uncovered across the globe in real-time. |
| DataPlane.org | DataPlane.org is a community-powered Internet data, feeds, and measurement resource for operators, by operators. We provide reliable and trustworthy service at no cost. |
| Focsec.com | Focsec.com provides a API for detecting VPNs, Proxys, Bots and TOR requests. Always up-to-date data helps with detecting suspicious logins, fraud and abuse. Code examples can be found in the documentation. |
| DigitalSide Threat-Intel | Contains sets of Open Source Cyber Threat Intelligence indicators, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevants IoCs to be used by SOC/CSIRT/CERT/individuals with minimun effort. Reports are shared in three ways: STIX2, CSV and MISP Feed. Reports are published also in the project's Git repository. |
| Disposable Email Domains | A collection of anonymous or disposable email domains commonly used to spam/abuse services. |
| DNS Trails | Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is a IP and domain intelligence API available as well. |
| ELLIO: IP Feed (community free version) | A threat list of known malicious IP addresses anticipated to pose potential threats to your network in the near future, known benign scanners, and IP addresses of actors with unknown intent. It is provided with a 24-hour delay for personal, non-commercial use but still provides exceptional protection compared to other open IP threat lists/feeds. |
| Emerging Threats Firewall Rules | A collection of rules for several types of firewalls, including iptables, PF and PIX. |
| Emerging Threats IDS Rules | A collection of Snort and Suricata rules files that can be used for alerting or blocking. |
| ExoneraTor | The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date. |
| Exploitalert | Listing of latest exploits released. |
| FastIntercept | Intercept Security hosts a number of free IP Reputation lists from their global honeypot network. |
| ZeuS Tracker | The Feodo Tracker abuse.ch tracks the Feodo trojan. |
| FireHOL IP Lists | 400+ publicly available IP Feeds analysed to document their evolution, geo-map, age of IPs, retention policy, overlaps. The site focuses on cyber crime (attacks, abuse, malware). |
| FraudGuard | FraudGuard is a service designed to provide an easy way to validate usage by continuously collecting and analyzing real-time internet traffic. |
| GreyNoise | GreyNoise collects and analyzes data on Internet-wide scanning activity. It collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms. |
| GriffinGuard | GriffinGuard is a cybersecurity platform delivering real-time threat intelligence by continuously analyzing global internet traffic and exploitation patterns. It provides free data search, and some free IP blocklists. |
| HoneyDB | HoneyDB provides real time data of honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy honeypot. In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds. |
| Icewater | 12,805 Free Yara rules created by Project Icewater. |
| Infosec - CERT-PA | Malware samples collection and analysis, blocklist service, vulnerabilities database and more. Created and managed by CERT-PA. |
| InQuest Labs | An open, interactive, and API driven data portal for security researchers. Search a large corpus of file samples, aggregate reputation information, and IOCs extracted from public sources. Augment YARA development with tooling to generate triggers, deal with mixed-case hex, and generate base64 compatible regular expressions. |
| I-Blocklist | I-Blocklist maintains several types of lists containing IP addresses belonging to various categories. Some of these main categories include countries, ISPs and organizations. Other lists include web attacks, TOR, spyware and proxies. Many are free to use, and available in various formats. |
| IPASIS | IPASIS is a real-time bot detection and fraud prevention API that combines IP intelligence, proxy/VPN/Tor detection, and email validation into a single API call. Each request returns an Interaction Trust Score (0-100) with sub-20ms response time. Free tier includes 1,000 requests/day. API documentation and a live scanner are available. |
| IPsum | IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Created and managed by Miroslav Stampar. |
| James Brine Threat Intelligence Feeds | JamesBrine provides daily threat intelligence feeds for malicious IP addresses from internationally located honeypots on cloud and private infrastructure covering a variety of protocols including SSH, FTP, RDP, GIT, SNMP and REDIS. The previous day's IOCs are available in STIX2 as well as additional IOCs such as suspicious URIs and newly registered domains which have a high probaility of use in phishing campaigns. |
| Kaspersky Threat Data Feeds | Continuously updated and inform your business or clients about risks and implications associated with cyber threats. The real-time data helps you to mitigate threats more effectively and defend against attacks even before they are launched. Demo Data Feeds contain truncated sets of IoCs (up to 1%) compared to the commercial ones |
| Majestic Million | Probable Whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their blog. |
| Maldatabase | Maldatabase is designed to help malware data science and threat intelligence feeds. Provided data contain good information about, among other fields, contacted domains, list of executed processes and dropped files by each sample. These feeds allow you to improve your monitoring and security tools. Free services are available for Security Researchers and Students. |
| Malpedia | The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research. |
| MalShare.com | The MalShare Project is a public malware repository that provides researchers free access to samples. |
| Maltiverse | The Maltiverse Project is a big and enriched IoC database where is possible to make complex queries, and aggregations to investigate about malware campaigns and its infrastructures. It also has a great IoC bulk query service. |
| MalwareBazaar | MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers. |
| Malware Domain List | A searchable list of malicious domains that also performs reverse lookups and lists registrants, focused on phishing, trojans, and exploit kits. |
| Malware Patrol | Malware Patrol provides block lists, data feeds and threat intelligence to companies of all sizes. Because our specialty is cyber threat intelligence, all our resources go into making sure it is of the highest quality possible. We believe a security team and it's tools are only as good as the data used. This means our feeds are not filled with scraped, unverified indicators. We value quality over quantity. |
| Malware-Traffic-Analysis.net | This blog focuses on network traffic related to malware infections. Contains traffic analysis exercises, tutorials, malware samples, pcap files of malicious network traffic, and technical blog posts with observations. |
| MalwareDomains.com | The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. These can be used for detection as well as prevention (sinkholing DNS requests). |
| MetaDefender Cloud | MetaDefender Cloud Threat Intelligence Feeds contains top new malware hash signatures, including MD5, SHA1, and SHA256. These new malicious hashes have been spotted by MetaDefender Cloud within the last 24 hours. The feeds are updated daily with newly detected and reported malware to provide actionable and timely threat intelligence. |
| NoThink! | SNMP, SSH, Telnet Blacklisted IPs from Matteo Cantoni's Honeypots |
| NormShield Services | NormShield Services provide thousands of domain information (including whois information) that potential phishing attacks may come from. Breach and blacklist services also available. There is free sign up for public services for continuous monitoring. |
| NovaSense Threats | NovaSense is the Snapt threat intelligence center, and provides insights and tools for pre-emptive threat protection and attack mitigation. NovaSense protects clients of all sizes from attackers, abuse, botnets, DoS attacks and more. |
| Obstracts | The RSS reader for cybersecurity teams. Turn any blog into structured and actionable threat intelligence. |
| OpenPhish Feeds | OpenPhish receives URLs from multiple streams and analyzes them using its proprietary phishing detection algorithms. There are free and commercial offerings available. |
| 0xSIf33d | Free service for detecting possbible phishing and malware domains, blacklisted IPs within the Portuguese cyberspace. |
| PhishTank | PhishTank delivers a list of suspected phishing URLs. Their data comes from human reports, but they also ingest external feeds where possible. It's a free service, but registering for an API key is sometimes necessary. |
| PickupSTIX | PickupSTIX is a feed of free, open-source, and non-commercialized cyber threat intelligence. Currently, PickupSTIX uses three public feeds and distributes about 100 new pieces of intelligence each day. PickupSTIX translates the various feeds into STIX, which can communicate with any TAXII server. The data is free to use and is a great way to begin using cyber threat intelligence. |
| Q-Feeds Threat Intelligence | Q-Feeds is a cybersecurity company that brings together data from OSINT, proprietary research, and commercial threat intelligence feeds to offer a well-rounded and highly actionable solution. Their Threat Intelligence Portal (TIP) makes it easy for organizations to access and manage this data in real-time. By integrating with firewalls, SIEMs, and other security platforms, Q-Feeds helps businesses proactively block connections to known malicious IPs, domains, and URLs—before threats can do harm. They also have a community version available on request. |
| REScure Threat Intel Feed | [RES]cure is an independant threat intelligence project performed by the Fruxlabs Crack Team to enhance their understanding of the underlying architecture of distributed systems, the nature of threat intelligence and how to efficiently collect, store, consume and distribute threat intelligence. Feeds are generated every 6 hours. |
| RST Cloud Threat Intel Feed | Aggregated Indicators of Compromise collected and cross-verified from multiple open and community-supported sources, enriched and ranked using our intelligence platform. |
| Rutgers Blacklisted IPs | IP List of SSH Brute force attackers is created from a merged of locally observed IPs and 2 hours old IPs registered at badip.com and blocklist.de |
| SANS ICS Suspicious Domains |
The Suspicious Domains Threat Lists by SANS ICS tracks suspicious domains. It offers 3 lists categorized as either high, medium or low sensitivity, where the high sensitivity list has fewer false positives, whereas the low sensitivity list with more false positives. There is also an approved whitelist of domains. Finally, there is a suggested IP blocklist from DShield. |
| SecurityScorecard IoCs | Public access IoCs from technical blogs posts and reports by SecurityScorecard. |
| Stixify | Your automated threat intelligence analyst. Extract machine readable intelligence from unstructured data. |
| signature-base | A database of signatures used in other tools by Neo23x0. |
| The Spamhaus project | The Spamhaus Project contains multiple threatlists associated with spam and malware activity. |
| SophosLabs Intelix | SophosLabs Intelix is the threat intelligence platform that powers Sophos products and partners. You can access intelligence based on file hash, url etc. as well as submit samples for analysis. Through REST API's you can easily and quickly add this threat intelligence to your systems. |
| Spur | Spur provides tools and data to detect VPNs, Residential Proxies, and Bots. Free plan allows users to lookup an IP and get its classification, VPN provider, popular geolocations behind the IP, and some more useful context. |
| SSL Blacklist | SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists |
| Statvoo Top 1 Million Sites | Probable Whitelist of the top 1 million web sites, as ranked by Statvoo. |
| Strongarm, by Percipient Networks | Strongarm is a DNS blackhole that takes action on indicators of compromise by blocking malware command and control. Strongarm aggregates free indicator feeds, integrates with commercial feeds, utilizes Percipient's IOC feeds, and operates DNS resolvers and APIs for you to use to protect your network and business. Strongarm is free for personal use. |
| SIEM Rules | Your detection engineering database. View, modify, and deploy SIEM rules for threat hunting and detection. |
| Talos | Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools. Talos provides an easy to use web UI to check an observable's reputation. |
| threatfeeds.io | threatfeeds.io lists free and open-source threat intelligence feeds and sources and provides direct download links and live summaries. |
| threatfox.abuse.ch | ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers. |
| Technical Blogs and Reports, by ThreatConnect | This source is being populated with the content from over 90 open source, security blogs. IOCs (Indicators of Compromise) are parsed out of each blog and the content of the blog is formatted in markdown. |
| Threat Jammer | Threat Jammer is a REST API service that allows developers, security engineers, and other IT professionals to access high-quality threat intelligence data from a variety of sources and integrate it into their applications with the sole purpose of detecting and blocking malicious activity. |
| ThreatMiner | ThreatMiner has been created to free analysts from data collection and to provide them a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment. The emphasis of ThreatMiner isn't just about indicators of compromise (IoC) but also to provide analysts with contextual information related to the IoC they are looking at. |
| WSTNPHX Malware Email Addresses | Email addresses used by malware collected by VVestron Phoronix (WSTNPHX) |
| UnderAttack.today | UnderAttack is a free intelligence platform, it shares IPs and information about suspicious events and attacks. Registration is free. |
| URLhaus | URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. |
| VirusShare | VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code. Access to the site is granted via invitation only. |
| VulDB CTI | VulDB is a vulnerability database which associates actor activities and attack details with vulnerabilities. The predictive approach helps to determine emerging research and attack activities by malicious actors. |
| Yara-Rules | An open source repository with different Yara signatures that are compiled, classified and kept as up to date as possible. |
| 1st Dual Stack Threat Feed by MrLooquer | Mrlooquer has created the first threat feed focused on systems with dual stack. Since IPv6 protocol has begun to be part of malware and fraud communications, It is necessary to detect and mitigate the threats in both protocols (IPv4 and IPv6). |
| Validin DNS Database | Free intelligence source for current and historical DNS information, finding other websites associated with certain IPs, and subdomain knowledge There is a free API for IP and domain intelligence as well. |
Formats
Standardized formats for sharing Threat Intelligence (mostly IOCs).
| CAPEC | The Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses. |
| CybOX | The Cyber Observable eXpression (CybOX) language provides a common structure for representing cyber observables across and among the operational areas of enterprise cyber security that improves the consistency, efficiency, and interoperability of deployed tools and processes, as well as increases overall situational awareness by enabling the potential for detailed automatable sharing, mapping, detection, and analysis heuristics. |
| IODEF (RFC5070) | The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. |
| IDMEF (RFC4765) | Experimental - The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. |
| MAEC | The Malware Attribute Enumeration and Characterization (MAEC) projects is aimed at creating and providing a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns. |
| OpenC2 | OASIS Open Command and Control (OpenC2) Technical Committee. The OpenC2 TC will base its efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC and specification, the OpenC2 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency (NSA). The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner. |
| STIX 2.0 | The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called test mechanisms that provide means for embedding tool-specific elements, including OpenIOC, Yara and Snort. STIX 1.x has been archived here. |
| TAXII | The Trusted Automated eXchange of Indicator Information (TAXII) standard defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. |
| VERIS | The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (DBIR) and publishes this database online in a GitHub repository.org. |
Frameworks and Platforms
Frameworks, platforms and services for collecting, analyzing, creating and sharing Threat Intelligence.
| AbuseHelper | AbuseHelper is an open-source framework for receiving and redistributing abuse feeds and threat intel. |
| AbuseIO | A toolkit to receive, process, correlate and notify end users about abuse reports, thereby consuming threat intelligence feeds. |
| AIS | The Cybersecurity and Infrastructure Security Agency (CISA) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated). |
| Bearded Avenger | The fastest way to consume threat intelligence. Successor to CIF. |
| Blueliv Threat Exchange Network | Allows participants to share threat indicators with the community. |
| Cortex | Cortex allows observables, such as IPs, email addresses, URLs, domain names, files or hashes, to be analyzed one by one or in bulk mode using a single web interface. The web interface acts as a frontend for numerous analyzers, removing the need for integrating these yourself during analysis. Analysts can also use the Cortex REST API to automate parts of their analysis. |
| CRITS | CRITS is a platform that provides analysts with the means to conduct collaborative research into malware and threats. It plugs into a centralized intelligence data repository, but can also be used as a private instance. |
| CIF | The Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection and mitigation. Code available on GitHub. |
| CTIX | CTIX is a smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network. |
| EclecticIQ Platform | EclecticIQ Platform is a STIX/TAXII based Threat Intelligence Platform (TIP) that empowers threat analysts to perform faster, better, and deeper investigations while disseminating intelligence at machine-speed. |
| IntelMQ | IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets using a message queue protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs. |
| IntelOwl | Intel Owl is an OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. Intel Owl is composed of analyzers that can be run to retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internal analyzers (like Yara or Oletools). It can be integrated easily in your stack of security tools (pyintelowl) to automate common jobs usually performed, for instance, by SOC analysts manually. |
| Kaspersky Threat Intelligence Portal | A website that provides a knowledge base describing cyber threats, legitimate objects, and their relationships, brought together into a single web service. Subscribing to Kaspersky Lab’s Threat Intelligence Portal provides you with a single point of entry to four complementary services: Kaspersky Threat Data Feeds, Threat Intelligence Reporting, Kaspersky Threat Lookup and Kaspersky Research Sandbox, all available in human-readable and machine-readable formats. |
| Malstrom | Malstrom aims to be a repository for threat tracking and forensic artifacts, but also stores YARA rules and notes for investigation. Note: Github project has been archived (no new contributions accepted). |
| ManaTI | The ManaTI project assists threat analyst by employing machine learning techniques that find new relationships and inferences automatically. |
| MANTIS | The Model-based Analysis of Threat Intelligence Sources (MANTIS) Cyber Threat Intelligence Management Framework supports the management of cyber threat intelligence expressed in various standard languages, like STIX and CybOX. It is not ready for large-scale production though. |
| Megatron | Megatron is a tool implemented by CERT-SE which collects and analyses bad IPs, can be used to calculate statistics, convert and analyze log files and in abuse & incident handling. |
| MineMeld | An extensible Threat Intelligence processing framework created Palo Alto Networks. It can be used to manipulate lists of indicators and transform and/or aggregate them for consumption by third party enforcement infrastructure. |
| MISP | The Malware Information Sharing Platform (MISP) is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and malware analysis. |
| n6 | n6 (Network Security Incident eXchange) is a system to collect, manage and distribute security information on a large scale. Distribution is realized through a simple REST API and a web interface that authorized users can use to receive various types of data, in particular information on threats and incidents in their networks. It is developed by CERT Polska. |
| Open Cybersecurity Schema Framework (OCSF) | The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes. |
| OpenCTI | OpenCTI, the Open Cyber Threat Intelligence platform, allows organizations to manage their cyber threat intelligence knowledge and observables. Its goal is to structure, store, organize and visualize technical and non-technical information about cyber threats. Data is structured around a knowledge schema based on the STIX2 standards. OpenCTI can be integrated with other tools and platforms, including MISP, TheHive, and MITRE ATT&CK, a.o. |
| OpenIOC | OpenIOC is an open framework for sharing threat intelligence. It is designed to exchange threat information both internally and externally in a machine-digestible format. |
| OpenTAXII | OpenTAXII is a robust Python implementation of TAXII Services that delivers a rich feature set and a friendly Pythonic API built on top of a well designed application. |
| OSTrICa | An open source plugin-oriented framework to collect and visualize Threat Intelligence information. |
| OTX - Open Threat Exchange | AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source. |
| Open Threat Partner eXchange | The Open Threat Partner eXchange (OpenTPX) consists of an open-source format and tools for exchanging machine-readable threat intelligence and network security operations data. It is a JSON-based format that allows sharing of data between connected systems. |
| PassiveTotal | The PassiveTotal platform offered by RiskIQ is a threat-analysis platform which provides analysts with as much data as possible in order to prevent attacks before they happen. Several types of solutions are offered, as well as integrations (APIs) with other systems. |
| Pulsedive | Pulsedive is a free, community threat intelligence platform that is consuming open-source feeds, enriching the IOCs, and running them through a risk-scoring algorithm to improve the quality of the data. It allows users to submit, search, correlate, and update IOCs; lists "risk factors" for why IOCs are higher risk; and provides a high level view of threats and threat activity. |
| Recorded Future | Recorded Future is a premium SaaS product that automatically unifies threat intelligence from open, closed, and technical sources into a single solution. Their technology uses natural language processing (NLP) and machine learning to deliver that threat intelligence in real time — making Recorded Future a popular choice for IT security teams. |
| Scumblr | Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results. Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster. |
| STAXX (Anomali) | Anomali STAXX™ gives you a free, easy way to subscribe to any STIX/TAXII feed. Simply download the STAXX client, configure your data sources, and STAXX will handle the rest. |
| stoQ | stoQ is a framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with. One use case is the extraction of IOCs from documents, an example of which is shown here, but it can also be used for deobfuscationg and decoding of content and automated scanning with YARA, for example. |
| TARDIS | The Threat Analysis, Reconnaissance, and Data Intelligence System (TARDIS) is an open source framework for performing historical searches using attack signatures. |
| ThreatConnect | ThreatConnect is a platform with threat intelligence, analytics, and orchestration capabilities. It is designed to help you collect data, produce intelligence, share it with others, and take action on it. |
| ThreatCrowd | ThreatCrowd is a system for finding and researching artefacts relating to cyber threats. |
| ThreatPipes |
Stay two steps ahead of your adversaries. Get a complete picture of how they will exploit you.
ThreatPipes is a reconnaissance tool that automatically quer README truncated. View on GitHub 🔗 More in this category
|