11 Free Threat Intelligence Tools for 2023

When knowing is more than half the battle, you need reliable tools. With a limited budget, finding inexpensive – or better yet free – cyber threat intelligence technologies is critical. 

The offering of free cyber threat intelligence tools includes everything from feeds to blogs to open source intelligence platforms. Also, you should know what type of threat intelligence you’re getting from the tool:

If you’re looking to incorporate threat intelligence software into your security monitoring, you may want to try one of these eleven free cyber intelligence tools. 

3 Free Technical Threat Intelligence Tools

Technical threat intelligence platforms help you monitor for new threats or investigate a security alert by providing information like Indicators of Compromise (IoCs). Security operations center (SOC) staff get the most value from technical threat intelligence. 

Cybersecurity and Infrastructure Agency (CISA) Automated Indicator Sharing (AIS)

AIS is a free service that provides machine-readable cyber threat indicators. Run by the U.S. agency designated as the hub for sharing cyber threat indicators and defensive measures, AIS uses open standards to share threat activity context, like TTPs, vulnerabilities, and indicators of compromise. This real-time data exchange enables collaboration between public- and private-sector entities. 

ReversingLabs YARA Rules

Written by the company’s threat analysts, these malware detection rules are regularly updated as new threats arise. Threat hunters can use them to proactively look for IoCs in their environments. ReversingLabs continuously tests the rules in its cloud, evaluating them to ensure they detect threats within layered objects, like PE files, documents, and archives. 

MISP Threat Sharing

Formerly called the Malware Information Sharing Platform, MISP is an open source threat sharing platform that enables you to correlate IoC in its database with attributes and indicators from malware, attacks, or campaigns. The default configuration includes 63 different feeds, with as little overlap between them as possible. Recognizing that threat intelligence is more than IoCs, MISP uses open protocols and data formats so that you can integrate it with other tools while also providing metadata tagging, feed, and visualizations. 

3 Tactical Threat Intelligence Tools

Although tactical and technical threat intelligence are often confused, tactical threat intelligence focuses on TTPS rather than IoCs. While you can use IoCs to look for remnants of an attack, the tactical threat intelligence tells you about the attacker’s activity. IT service administrators and SOC managers use tactical threat intelligence to do their jobs. 


BlockList.de reports more than 70,000 attacks every twelve hours, so you can search for known malicious IP addresses. Run by volunteers, the service says its mission is to report any and all attacks to fraud/abuse departments so that providers can inform their customers about infections, hopefully disabling the attacker. So that recipients can automatically parse reports, BlockList.de uses the open standard XARF for sharing data. 


OpenPhish feeds provide phishing intelligence that gives you information about ongoing phishing attacks including:

  • Targeted brand
  • Phishing URL
  • Time

Its Global Phishing Activity page provides real-time insight with data about live phishing pages that the service observed. Updated every five minutes with information about the previous twenty-four hours, the page gives you insight into:

  • Top 10 Targeted Brands 
  • Top 10 Sectors
  • Top 10 ASNs

The map gives quick insight into geographic areas experiencing high volumes of phishing links.


This open-source antivirus engine helps detect trojans, viruses, malware, and other malicious threats. Although you can use it in various ways, people usually use it for email and web scanning or endpoint security. 

ClamAV updates the signature database multiple times per day, offering built-in support for standard mail file formats, various archive formats, ELF executables, Portable Executable files, and other popular document formats, like MS Office and PDF. 

The project distributes a collection of signatures in its ClamAV Virus Database (CVD) file format, and Cisco Talos maintains the database.

2 Strategic Threat Intelligence Tools

Strategic threat intelligence provides high-level business impact information. Typically used by senior leadership and boards of directors, strategic threat intelligence enables decision-making by helping people understand risk and the potential business impact their actions can have. 

CISA Cybersecurity Best Practices

Filtered by cybersecurity best practices, CISA’s news and events page can be further filtered by:

  • Identify theft and personal cyber threats
  • Multi Factor authentication
  • Online shopping
  • Organizations and cyber safety

The feed includes blog posts and press releases, giving you insight into everything from framework updates to blogs about additional security measures. 


Owned by OneTrust, DataGuidance provides information about global privacy laws. The news section provides updates on:

  • Case law
  • Laws and regulations
  • Official decisions 
  • Official guidelines

The daily updates cover various topics like:

  • Status of new laws at the state and federal levels
  • Agency actions against companies
  • Announcements on regulatory agency draft rules

3 Operational Threat Intelligence Tools

Operational threat intelligence consists of actionable details about attacks like to affect the company, typically related to nature, motive, timing, and methods. Found by monitoring the clear, dark, and deep web, this data helps security managers, defenders, SOC teams, and incident response teams protect assets. 

have i been pwned (HIBP)

Created by Troy Hunt, HIBP aggregates data collected from data breach so that victims can search for compromised account data. Users can research by email address, phone number, and domain. They can also ask to get notified of future account compromises by providing their email address. Users can build HIBP into their threat intelligence collection through either the API or the RSS feed. 


ImmuniWeb, an application security company, offers a free tool so that organizations can monitor and measure their dark web exposure. With this tool, you can:

  • Scan a URL 
  • Monitor up to three domains
  • Incorporate the free command line toolkit into your CI/CD pipelines and DevOps
  • Use the free API to run up to four dark web exposure tests per day


Users with a Google One account can set up monitoring profiles to scan the dark web for their personal information. The dark web monitoring reports scan for any of the following information:

  • One name
  • One address
  • Ten phone numbers
  • Ten emails
  • One social security number

The dark web monitoring reports tell you:

  • How many data breaches for each category
  • Names of data breaches
  • Dates of data breaches

If you have specific emails or phone numbers that you want to monitor, this could be a useful option. 

Threat Intelligence with Flare

Flare monitors the clear & dark web and illicit Telegram channels so that your team can act quickly on alerts, without the noise. Our easy-to-use Continuous Threat Exposure Management (CTEM) platform enables security professionals of all experience levels, upskilling entry level analysts and providing experienced analysts the technical information to respond to any threats. 

To get started in just 15 minutes, try a Flare free trial today.

Share This Article

Related Content