
This article was updated on April 1, 2026 and originally published on January 19, 2023.
Among the many available sources of cyber threat intelligence (CTI), threat intelligence feeds enable security teams to stay informed about the latest threats and potential Indicators of Compromise (IoCs). Whether sourced from real-world incident reports, researcher submissions, or sensor networks that observe attacker behavior directly, these feeds are a foundational layer of any CTI program.
With so many available threat intelligence feeds, security teams can become overwhelmed trying to find the ones that provide the insight they need. This curated list can help you begin collecting and analyzing threat intelligence faster.
Get Curated Threat Intel and Real-Time Ransomware Alerts
Join the Flare Academy Discord for analyst-curated threat intelligence digests, translated foreign-language reporting, and real-time ransomware leak site alerts piped directly from Flare.
What is a Threat Intelligence Feed?
Threat intelligence feeds are automated threat information streams that an organization’s security tools can ingest to enable faster threat detection and incident response. This information includes:
- Indicators of Compromise (IoCs): Suspicious programs, processes, network traffic, or user account activity indicating a potential security incident.
- Indicators of Attack (IoAs): Information about attacks in progress, like exploitation techniques, adversary behavior, and attacker intent.
- Threat actor information: Communication across the clear and dark web, as well as illicit Telegram channels, about attacker targets and tactics, techniques, and procedures (TTPs).
Threat intelligence feeds often focus on a specific attack vector, providing important but limited context. Security teams typically need to collect data from multiple feeds for comprehensive visibility.
4 Threat Intelligence Feeds to Consider
Threat intelligence feeds provide auto-updating, machine-readable indicators and context that security teams ingest into SIEMs, firewalls, IDS/IPS, and threat platforms to block, triage, or investigate malicious activity. Take a look at the following feeds:
1) GreyNoise: Scanning and exploitation context
GreyNoise is a sensor network providing primary scanning and exploitation data so organizations have context about vulnerability exploitation. Some examples of the IP context it provides include:
- Scanner profiling
- Observed services
- Noise labeling
Use case: Filter out benign scanners and known noisy hosts from alerts to reduce false positives and improve alert fidelity.
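The use case above written as a triage rule, in an added example that is not code from this article or from GreyNoise. The context records, their field names (`noise`, `classification`, `actor`), the alert fields, and the decision labels are constructed assumptions standing in for whatever your feed and SIEM export provide.

```python
import ipaddress

# Constructed context records keyed by IP. Field names are hypothetical stand-ins
# for the scanner profiling and noise labels a feed of this kind supplies.
NOISE_CONTEXT = {
    "198.51.100.7": {"noise": True, "classification": "benign", "actor": "ExampleScanOrg"},
    "203.0.113.45": {"noise": True, "classification": "malicious", "actor": "unknown"},
    "192.0.2.10": {"noise": True, "classification": "unknown", "actor": "unknown"},
}

# Constructed alerts from a hypothetical SIEM export (documentation IP ranges).
ALERTS = [
    {"id": 1, "src_ip": "198.51.100.7", "direction": "inbound", "outcome": "blocked"},
    {"id": 2, "src_ip": "203.0.113.45", "direction": "inbound", "outcome": "blocked"},
    {"id": 3, "src_ip": "198.51.100.7", "direction": "inbound", "outcome": "allowed"},
    {"id": 4, "src_ip": "192.0.2.200", "direction": "inbound", "outcome": "blocked"},
    {"id": 5, "src_ip": "10.0.0.5", "direction": "outbound", "outcome": "allowed"},
    {"id": 6, "src_ip": "not-an-ip", "direction": "inbound", "outcome": "blocked"},
]

def triage(alert, context):
    """Return (decision, reason) for one alert; anything uncertain stays in review."""
    try:
        ip = ipaddress.ip_address(alert["src_ip"])
    except ValueError:
        return "review", "unparseable source address"
    # Internet scanning context says nothing about outbound or internal traffic.
    if alert["direction"] != "inbound":
        return "review", "not internet-inbound; noise context does not apply"
    # A label describes the sender, not whether the request got through.
    if alert["outcome"] != "blocked":
        return "review", "traffic was allowed; keep regardless of label"
    ctx = context.get(str(ip))
    if ctx is None:
        return "review", "no context: not a known mass scanner, may be targeted"
    if ctx["classification"] == "benign":
        return "suppress", f"known benign scanner ({ctx['actor']})"
    if ctx["classification"] == "malicious":
        return "deprioritize", "opportunistic mass scanning, blocked at the edge"
    return "review", "mass scanner with unknown intent"

def triage_all(alerts, context):
    return {a["id"]: triage(a, context)[0] for a in alerts}

if __name__ == "__main__":
    for a in ALERTS:
        print(a["id"], *triage(a, NOISE_CONTEXT))
```

Only alert 1 is suppressed: the same benign scanner in alert 3 stays in review because its traffic was allowed, and the address with no context in alert 4 stays in review because absence from a noise feed can mean the traffic is targeted.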
2) Shadowserver Foundation: Network and sinkhole reporting feeds
Shadowserver is a nonprofit that operates a sinkhole infrastructure and runs large-scale sensor networks of honeypots and honeyclients to collect raw data and analyze malware. It provides network threat data, including:
- Downloadable CSV/ZIP reports for infected hosts
- Spam sources
- Sinkhole referers
Use case: Support incident response, asset cleanup, and network hygiene.
3) MISP Project: Technically not a feed, but a TIP containing free feeds
Originally called the Malware Information Sharing Project, the MISP Project is a community project led by a team of volunteers that covered malware indicators, fraud, and vulnerability information. As a threat intelligence sharing tool, it provides:
- IoCs
- Metadata tagging
- Feeds
- Visualization capabilities
Use case: Stand up a centralized platform for ingesting, correlating, and sharing open-source intelligence (OSINT) across teams or organizations.
4) Flare Academy: Curated threat intelligence digest
Intel Feed is a channel in the Flare Academy Discord that aggregates and summarizes threat intelligence from a variety of sources including:
- Vendor research blogs
- Security news publications
- Foreign-language media translated into English
Use case: Stay current on emerging threats and exploitation trends with analyst context rather than raw indicators.
Ransomware Alerts is another channel in the Flare Academy Discord. It pipes real-time ransomware leak site postings from Flare, including the:
- Victim organization
- Ransomware group
- Severity
- Leak preview
Use case: Monitor active ransomware campaigns and track threat actor publishing activity. Note: Available to verified community members only.
Choosing the Right Feeds for Your Security Program
No single feed covers every threat vector. The feeds listed here span file and URL analysis, IP and domain reputation, malware distribution tracking, phishing detection, network hygiene, and broader threat context. When evaluating feeds for your program, consider:
- Coverage gaps: Which threat vectors or data types are you missing today?
- Integration requirements: Can the feed be ingested directly by your SIEM, SOAR, or firewall?
- Signal quality: Does the feed produce actionable indicators, or will it add noise?
- Maintenance burden: Is the feed actively maintained by a community or vendor you trust?
Starting with a few high-quality feeds and expanding based on gaps is an effective path forward.