Free Threat Intelligence Sources Ranked by Reliability: A Practitioner's Tier List

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Free threat intelligence is not a category, it is a spectrum. CISA's Known Exploited Vulnerabilities catalog is one of the highest-fidelity vulnerability signals available at any price. A generic IP blocklist from an aggregation site is noise that will generate false positives and erode trust in your alerting. Using both without distinguishing between them is worse than using neither. This guide ranks 14 free sources across four categories, vulnerabilities, IP reputation, URLs and domains, and malware samples, and tells you exactly what each source is reliable for, what it misses, and when to act without further investigation.
How to Evaluate a Threat Intelligence Source
Four criteria determine whether a free source is worth integrating: fidelity (how often indicators are genuine threats vs. false positives), freshness (how quickly the source reflects real-world activity), coverage (what percentage of actual threats the source captures), and actionability (whether the indicator format and context allow you to take defensive action without further research). No free source scores high on all four. The goal is to understand each source's strengths and limitations before you route its output into a detection or blocking rule.
Fidelity
percentage of indicators that represent genuine threat activity vs. false positives
Freshness
time between real-world activity and feed update (ranges from minutes for abuse.ch to days for some aggregators)
Coverage
how broadly the source catches threats vs. what it misses (e.g., CISA KEV has near-zero false positives but only covers confirmed-exploited CVEs)
Actionability
whether context is sufficient to block/alert immediately or requires enrichment first
Duplication overhead
whether the source substantially overlaps with feeds you already have, adding maintenance cost without marginal signal
Tier 1, Act Immediately, No Enrichment Required
Tier 1 sources produce high-fidelity indicators that warrant immediate action without additional investigation. These sources have low false positive rates because they are either government-curated, directly observed exploitation, or verified abuse reports with strong community consensus. CISA KEV is the strongest vulnerability signal available for free. Every CVE in the catalog has confirmed active exploitation evidence. Binding Operational Directive 22-01 requires federal agencies to patch KEV entries, treat that urgency level as your benchmark. The FIRST EPSS feed (available via API at api.first.org/data/1.0/epss) provides exploitation probability scores for every published CVE daily. Indicators with EPSS above 0.5 represent CVEs where exploitation tooling is confirmed or active campaigns are observed, these warrant the same urgency as KEV entries. URLhaus (urlhaus.abuse.ch) is maintained by abuse.ch and reflects malware distribution URLs with direct operator verification. False positive rates are exceptionally low because URLs are validated before listing. Block URLhaus entries at your proxy and DNS filter without manual review.
CISA KEV catalog
JSON feed at cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, subscribe to daily diff, patch all entries within your organization's SLA
FIRST EPSS API
query epss score for any CVE at api.first.org/data/1.0/epss?cve=CVE-XXXX-YYYY, treat EPSS 0.5+ as equivalent urgency to KEV
URLhaus feed
download blocklist at urlhaus.abuse.ch/downloads/text/, import into DNS sinkholes and proxy blocklists; refresh every 30 minutes
MalwareBazaar (abuse.ch)
high-fidelity malware sample hashes with confirmed malware families, use for EDR hash-based blocking and hash enrichment in alerts
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Tier 2, Investigate Before Blocking (High Signal, Context Required)
Tier 2 sources have good signal quality but higher false positive rates than Tier 1, or require context to determine whether action is appropriate for your environment. These are valuable enrichment sources and detection inputs, but automated blocking on raw Tier 2 output will cause operational disruption. AlienVault OTX (Open Threat Exchange) aggregates community-submitted indicators from millions of sources. Quality varies significantly by pulse author, a pulse from a reputable vendor tagged to a specific APT campaign is Tier 1 quality, while a generic community pulse with no attribution is noise. Filter OTX output by author reputation, minimum subscriber count, and currency (indicators older than 90 days degrade rapidly). AbuseIPDB is a community IP reputation database. Filtering to Confidence Score 90+ reduces false positives substantially. Raw AbuseIPDB at default thresholds will block cloud provider egress IPs, CDN nodes, and legitimate scanner services, causing service disruptions. VirusTotal consensus provides strong malware verdict signal when 10+ engines flag a sample. Below that threshold, automated detection is unreliable, use VirusTotal for analyst enrichment, not automated pipeline feeds. Shodan and Censys provide internet-facing exposure context: what services your perimeter is running that match known-vulnerable software signatures. These are not traditional indicator feeds but are extremely high-value for your own attack surface management.
AlienVault OTX
filter by pulse author reputation and date; export via Python SDK for SIEM integration; subscribe to pulses from vendors whose threat reports you trust
AbuseIPDB
set minimum Confidence Score 90, filter to reports in last 30 days, exclude cloud provider IP ranges before blocking
VirusTotal
use for hash enrichment and file analysis; automate lookup for new process hashes in EDR telemetry; do not automate blocking on single-engine detections
Shodan/Censys free tier
run weekly scans for your organization's IP ranges and ASN to identify exposed services matching vulnerable software versions
Tier 3, Context and Background Research Only
Tier 3 sources provide useful research context but should not be used as direct indicator feeds for detection or blocking. The signal quality is too variable, the false positive rate too high, or the freshness insufficient for operational use. Generic IP blacklists from aggregation sites without curation (for example, lists that combine honeypot hits, scanning IPs, and abuse reports without any weighting) produce false positives at rates that will generate alert fatigue. Threat research blogs and vendor reports are excellent for TTP awareness and ATT&CK technique mapping, but their IoCs (hashes, IPs, domains) have short shelf lives, infrastructure rotates within hours to days for sophisticated actors. Use them to update detection logic and ATT&CK coverage, not to maintain static blocklists. Recorded Future free community edition and similar vendor freemium tiers provide useful context for single-indicator lookups but lack the bulk feed access and API capabilities needed to operationalize them in automated pipelines.
Generic IP blocklists
useful as a last-resort enrichment check, not as primary blocking; always cross-reference against business-critical service IP ranges before deploying
Vendor report IoCs
extract ATT&CK technique IDs and update detection logic; treat IP/domain IoCs as indicators to monitor, not to block, infrastructure ages out within days
Have I Been Pwned (domain search)
excellent for credential exposure monitoring but requires domain verification; not an operational feed, check weekly or subscribe to notifications
Threat intel sharing platforms (ISAC feeds, InfraGard)
sector-specific intelligence of high quality but access is gated, if you qualify for your sector's ISAC, prioritize enrollment
Building a Free Threat Intelligence Stack
A functional free threat intelligence stack covers four domains: vulnerability prioritization, IP reputation, malicious URLs and domains, and malware indicators. Combining CISA KEV + EPSS covers vulnerability prioritization with near-zero false positives. URLhaus + MalwareBazaar covers malware URLs and hashes with daily-updated high-fidelity feeds. AbuseIPDB at Confidence Score 90 covers IP reputation with manageable false positive rates. AlienVault OTX filtered by trusted pulse authors covers campaign-level TTP intelligence. Add a weekly Shodan check against your own IP ranges and you have a stack that covers the primary threat categories a practitioner needs to monitor. The key discipline is source lifecycle management: set retention windows for each indicator type (IP reputation degrades in 30 days, hash-based indicators are more durable, domain indicators expire within 7-14 days for sophisticated actors), review feed quality quarterly, and deprecate sources that generate operational disruption without proportional signal.
Vulnerability
CISA KEV JSON feed (daily diff) + FIRST EPSS API (daily query for your open CVEs)
Malware URLs and domains
URLhaus blocklist (30-minute refresh) + Emerging Threats Open ruleset (IDS/IPS signatures)
Malware hashes
MalwareBazaar daily export + VirusTotal enrichment for analyst triage
IP reputation
AbuseIPDB Confidence 90+ (daily pull) + Shodan weekly scan of your own IP ranges
Campaign TTP intelligence
AlienVault OTX filtered pulses + CISA advisories + MITRE ATT&CK technique updates
Retention policy
IP reputation 30 days, domain indicators 14 days, malware hashes 90 days, vulnerability entries until patched
The bottom line
Free threat intelligence is sufficient to build a functional operational security program when used with source discipline. The mistake is treating all free feeds as equivalent, CISA KEV and URLhaus warrant immediate action; generic IP blocklists from community aggregators require filtering and context before operational use. Build your stack around the four Tier 1 sources (CISA KEV, EPSS, URLhaus, MalwareBazaar), add Tier 2 sources (OTX, AbuseIPDB) with appropriate filtering thresholds, and use Tier 3 sources only for research enrichment. Review feed quality quarterly and retire sources that generate more noise than signal.
Frequently asked questions
What is threat intelligence?
Threat intelligence is information about adversaries and their capabilities, infrastructure, and techniques that enables defenders to make faster, more accurate decisions. Tactical threat intelligence covers specific indicators like malicious IP addresses, domains, and file hashes used in active campaigns. Operational intelligence covers the TTPs (tactics, techniques, and procedures) adversaries use, documented in frameworks like MITRE ATT&CK. Strategic intelligence covers broader trends, threat actor motivations, and sector targeting patterns. Free sources primarily deliver tactical indicators and some operational TTP context; strategic intelligence typically requires analyst-curated paid platforms.
What is the difference between free and paid threat intelligence?
Free threat intelligence covers community-contributed and government-curated indicators with high breadth but variable depth. Paid intelligence platforms add: analyst-curated context that explains why an indicator matters and what campaign it belongs to, proprietary collection infrastructure (dark web monitoring, underground forum access, exclusive honeypot networks), bulk API access for automated pipeline integration, alert and prioritization services tuned to your specific sector, and SLA-backed freshness guarantees. For most organizations, a well-configured free stack combined with your sector's ISAC feed provides sufficient operational coverage. Paid platforms add value when you have dedicated analysts who can consume the richer context.
How often should I refresh threat intelligence feeds?
Refresh frequency depends on indicator type. IP reputation indicators should refresh every 30 minutes to 4 hours, scanning and abuse infrastructure rotates rapidly and stale IP blocklists generate false positives as legitimate services move into previously-flagged IP ranges. Malware URL feeds (URLhaus) should refresh every 30 minutes for active campaign coverage. Malware hash feeds update daily and daily refresh is sufficient. Domain reputation data refreshes daily for most sources. Vulnerability feeds (CISA KEV, EPSS) should be checked daily, new KEV entries require same-day prioritization review, and EPSS scores for your open CVEs change as exploitation activity evolves.
How do I integrate free threat intel feeds into my SIEM?
Three integration approaches by technical complexity: log shipping from CLI scripts (download feeds to CSV/JSON, parse into syslog or HEC format, forward to SIEM, works for any SIEM but requires maintenance), STIX/TAXII via an open-source threat platform (MISP or OpenCTI ingests feeds and exposes a normalized TAXII endpoint that most enterprise SIEMs support natively), and native connector (Splunk, Sentinel, and Elastic all have built-in connectors for AlienVault OTX, CISA KEV, and VirusTotal that require no custom scripting). MISP is the recommended middle layer: it normalizes indicators from multiple sources, applies your retention policies, and provides a single TAXII endpoint for your SIEM.
What is MISP and should I use it?
MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform that acts as a central hub for ingesting, normalizing, correlating, and sharing threat indicators. It supports automated ingestion from hundreds of free and commercial feeds, STIX/TAXII export for SIEM integration, and correlation across events to identify overlapping indicators across campaigns. MISP is worth deploying if you are consuming more than 3 feeds and want normalized output, if you participate in an ISAC or threat sharing community, or if you want to correlate internally-observed indicators against external intelligence. It requires a dedicated server and initial configuration time, but eliminates ongoing per-feed integration maintenance.
What free tools exist for dark web monitoring?
Free dark web monitoring is limited to specific categories. Have I Been Pwned (haveibeenpwned.com) covers credential breaches, search by email or verify your domain for automated breach notifications. RansomLook (ransomlook.io) and ransomwatch aggregate ransomware group leak site listings and provide searchable victim indexes. Dehashed offers limited free searches by domain or email for credential exposure. No free tool provides comprehensive dark web forum monitoring (criminal marketplaces, initial access broker listings, data sale discussions), that requires paid platforms like Flare, Intel 471, Cybersixgill, or Recorded Future. For a full comparison of free vs. paid dark web monitoring capabilities, see the Decryption Digest guide to dark web monitoring tiers.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
