awesome-threat-intelligence
Threat intel resource
A curated collection of resources and tools for gathering, analyzing, and sharing threat intelligence.
A curated list of Awesome Threat Intelligence resources
8k stars, 563 watching, 1k forks, last commit 3 months ago. Linked from 10 awesome lists.
Topics: awesome, awesome-list, hacktoberfest, security
awesome-threat-intelligence / Sources

Name | Stars | Last commit | Description
AbuseIPDB | | |
Alexa Top 1 Million sites | | | The top 1 Million sites from Amazon (Alexa). Never use this as a whitelist.
APT Groups and Operations | | |
Binary Defense IP Banlist | | |
BGP Ranking | | |
Botnet Tracker | | |
BOTVRIJ.EU | | |
BruteForceBlocker | | | BruteForceBlocker is a Perl script that monitors a server's sshd logs and identifies brute force attacks, which it then uses to automatically configure firewall blocking rules and submit those IPs back to the project site, http://danger.rulez.sk/projects/bruteforceblocker/blist.php
C&C Tracker | | |
CertStream | | |
CCSS Forum Malware Certificates | | |
CI Army List | | | A subset of the commercial CINS Score list, focused on poorly rated IPs that are not currently present on other threat lists.
Cisco Umbrella | | |
Cloudmersive Virus Scan | | |
CrowdSec Console | | | The largest crowd-sourced CTI, updated in near real-time, thanks to CrowdSec, a next-gen, open-source, free and collaborative IDS/IPS. CrowdSec is able to analyze visitor behavior and provide an adapted response to all kinds of attacks. Users can share their alerts about threats with the community and benefit from the network effect. The IP addresses are collected from real attacks and do not come exclusively from a honeypot network.
Cyber Cure free intelligence feeds | | | Cyber Cure offers free cyber threat intelligence feeds with lists of IP addresses that are currently infected and attacking on the internet. There are lists of URLs used by malware and lists of hashes of known malware files that are currently spreading. CyberCure uses sensors to collect intelligence with a very low false positive rate. Detailed documentation is available as well.
Cyware Threat Intelligence Feeds | | |
DataPlane.org | | |
Focsec.com | | | Focsec.com provides an API for detecting VPN, proxy, bot and Tor requests. Always up-to-date data helps with detecting suspicious logins, fraud and abuse. Code examples can be found in the documentation.
DigitalSide Threat-Intel | | | Contains sets of Open Source Cyber Threat Intelligence indicators, mostly based on malware analysis and compromised URLs, IPs and domains. The purpose of this project is to develop and test new ways to hunt, analyze, collect and share relevant IoCs to be used by SOC/CSIRT/CERT/individuals with minimum effort. Reports are shared in three ways: , and STIX2. Reports are published also in the
Disposable Email Domains | 3,114 | 22 days ago |
DNS Trails | | | Free intelligence source for current and historical DNS information, WHOIS information, finding other websites associated with certain IPs, subdomain knowledge and technologies. There is an IP and domain intelligence API available as well.
Emerging Threats Firewall Rules | | |
Emerging Threats IDS Rules | | |
ExoneraTor | | |
Exploitalert | | |
FastIntercept | | |
ZeuS Tracker | | | The Feodo Tracker (abuse.ch) tracks the Feodo trojan.
FireHOL IP Lists | | |
FraudGuard | | |
GreyNoise | | |
HoneyDB | | | HoneyDB provides real-time data of honeypot activity. This data comes from honeypots deployed on the Internet using the HoneyPy honeypot (461 stars, last commit 8 months ago). In addition, HoneyDB provides API access to collected honeypot activity, which also includes aggregated data from various honeypot Twitter feeds.
Icewater | 380 | over 5 years ago |
Infosec - CERT-PA | | | Malware samples collection and analysis, and more. Created and managed by CERT-PA.
InQuest Labs | | |
I-Blocklist | | |
IPsum | | | IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. The list consists of IP addresses together with the total number of (black)list occurrences for each. Created and managed by Miroslav Stampar.
James Brine Threat Intelligence Feeds | | |
Kaspersky Threat Data Feeds | | |
Majestic Million | | | Probable whitelist of the top 1 million web sites, as ranked by Majestic. Sites are ordered by the number of referring subnets. More about the ranking can be found on their blog.
Maldatabase | | |
Malpedia | | |
MalShare.com | | |
Maltiverse | | |
MalwareBazaar | | |
Malware Domain List | | |
Malware Patrol | | |
Malware-Traffic-Analysis.net | | |
MalwareDomains.com | | |
MetaDefender Cloud | | |
Netlab OpenData Project | | |
NoThink! | | |
NormShield Services | | |
NovaSense Threats | | |
Obstracts | | |
OpenPhish Feeds | | |
0xSI_f33d | | |
PhishTank | | |
PickupSTIX | | |
REScure Threat Intel Feed | | |
RST Cloud Threat Intel Feed | | |
Rutgers Blacklisted IPs | | |
SANS ICS Suspicious Domains | | | The Suspicious Domains Threat Lists by SANS ICS track suspicious domains. It offers 3 lists categorized as either , or sensitivity, where the high sensitivity list has fewer false positives and the low sensitivity list has more false positives. There is also an of domains. Finally, there is a suggested from
SecurityScorecard IoCs | 71 | 8 months ago |
Stixify | | |
signature-base | 2,484 | 7 days ago |
The Spamhaus project | | |
SophosLabs Intelix | | |
Spur | | |
SSL Blacklist | | |
Statvoo Top 1 Million Sites | | |
Strongarm, by Percipient Networks | | |
SIEM Rules | | |
Talos | | | Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, made up of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools. Talos provides an easy-to-use web UI to check an observable's reputation.
threatfeeds.io | | |
threatfox.abuse.ch | | |
Technical Blogs and Reports, by ThreatConnect | | | This source is populated with content from over 90 open source security blogs. IOCs (Indicators of Compromise) are parsed out of each blog and the content of the blog is formatted in markdown.
Threat Jammer | | |
ThreatMiner | | |
WSTNPHX Malware Email Addresses | | |
UnderAttack.today | | |
URLhaus | | |
VirusShare | | |
Yara-Rules | 4,178 | 7 months ago |
1st Dual Stack Threat Feed by MrLooquer | | |
awesome-threat-intelligence / Formats

Name | Stars | Last commit | Description
CAPEC | | |
CybOX | | |
IODEF (RFC5070) | | |
IDMEF (RFC4765) | | |
MAEC | | |
OpenC2 | | |
STIX 2.0 | | | The Structured Threat Information eXpression (STIX) language is a standardized construct to represent cyber threat information. The STIX language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, and automatable. STIX does not only allow tool-agnostic fields, but also provides so-called that provide means for embedding tool-specific elements, including OpenIOC, Yara and Snort. STIX 1.x has been archived here.
TAXII | | |
VERIS | | | The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry: a lack of quality information. In addition to providing a structured format, VERIS also collects data from the community to report on breaches in the Verizon Data Breach Investigations Report (DBIR) and publishes this database online in a GitHub
awesome-threat-intelligence / Frameworks and Platforms

Name | Stars | Last commit | Description
AbuseHelper | 118 | about 5 years ago |
AbuseIO | | |
AIS | | |
Bearded Avenger | 184 | over 1 year ago |
Blueliv Threat Exchange Network | | |
Cortex | 1,344 | 23 days ago |
CRITS | | |
CIF | 227 | almost 7 years ago | The Collective Intelligence Framework (CIF) allows you to combine known malicious threat information from many sources and use that information for IR, detection and mitigation. Code available on GitHub.
CTIX | | |
EclecticIQ Platform | | |
IntelMQ | | |
IntelOwl | 3,842 | 8 days ago | Intel Owl is an OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. Intel Owl is composed of analyzers that can be run to retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internal analyzers (like Yara or Oletools). It can be integrated easily in your stack of security tools (pyintelowl, 60 stars, last commit 6 days ago) to automate common jobs usually performed manually, for instance by SOC analysts.
Kaspersky Threat Intelligence Portal | | |
Malstrom | 45 | almost 7 years ago |
ManaTI | 112 | almost 6 years ago |
MANTIS | | |
Megatron | 41 | over 7 years ago |
MineMeld | 380 | about 7 years ago |
MISP | | |
n6 | 123 | 13 days ago | n6 (Network Security Incident eXchange) is a system to collect, manage and distribute security information on a large scale. Distribution is realized through a simple REST API and a web interface that authorized users can use to receive various types of data, in particular information on threats and incidents in their networks. It is developed by CERT Polska.
OpenCTI | | |
OpenIOC | | |
OpenTAXII | 193 | 7 months ago |
OSTrICa | 308 | over 7 years ago |
OTX - Open Threat Exchange | | |
Open Threat Partner eXchange | | |
PassiveTotal | | |
Pulsedive | | |
Recorded Future | | |
Scumblr | 2,645 | almost 5 years ago |
STAXX (Anomali) | | |
stoQ | | | stoQ is a framework that allows cyber analysts to organize and automate repetitive, data-driven tasks. It features plugins for many other systems to interact with. One use case is the extraction of IOCs from documents, an example of which is shown here, but it can also be used for deobfuscating and decoding of content and automated scanning with YARA, for example.
TARDIS | 121 | about 9 years ago |
ThreatConnect | | |
ThreatCrowd | | |
ThreatPipes | | |
ThreatExchange | 1,176 | 10 days ago | Facebook created ThreatExchange so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups. This project is still in . Reference code can be found at GitHub.
TypeDB CTI | 145 | about 1 year ago | TypeDB Data - CTI is an open source threat intelligence platform for organisations to store and manage their cyber threat intelligence (CTI) knowledge. It enables threat intel professionals to bring together their disparate CTI information into one database and find new insights about cyber threats. This repository provides a schema that is based on STIX2, and contains MITRE ATT&CK as an example dataset to start exploring this threat intelligence platform. More in this blog post.
VirusBay | | |
threatnote.io | | |
XFE - X-Force Exchange | | |
Yeti | | |
awesome-threat-intelligence / Tools

Name | Stars | Last commit | Description
ActorTrackr | 27 | about 7 years ago | ActorTrackr is an open source web application for storing, searching and linking actor-related data. The primary sources are users and various public repositories. Source available on GitHub.
AIEngine | | |
AIOCRIOC | 31 | 8 months ago |
Analyze (Intezer) | | |
Automater | 534 | 3 months ago |
BlueBox | 38 | over 2 years ago |
BotScout | | |
bro-intel-generator | 75 | almost 9 years ago |
cabby | 98 | about 3 years ago |
cacador | 135 | over 6 years ago |
Combine | 655 | over 5 years ago |
CrowdFMS | 129 | about 6 years ago |
CyberGordon | | |
CyBot | 315 | over 4 years ago |
Cuckoo Sandbox | 5,563 | over 2 years ago |
Fenrir | 697 | almost 3 years ago |
FireHOL IP Aggregator | 32 | almost 2 years ago | Application for keeping feeds from FireHOL blocklist-ipsets (3,211 stars, last commit 4 days ago) with IP address appearance history. An HTTP-based API service is provided for search requests.
Forager | 171 | almost 7 years ago |
Gigasheet | | |
GoatRider | 138 | almost 6 years ago |
Google APT Search Engine | | | APT Groups, Operations and Malware Search Engine. The sources used for this Google Custom Search are listed on this GitHub gist.
GOSINT | 537 | over 1 year ago |
hashdd | | |
Harbinger Threat Intelligence | 82 | almost 9 years ago |
Hippocampe | 166 | over 4 years ago |
Hiryu | 47 | almost 2 years ago |
IOC Editor | | |
IOC Finder | 158 | about 1 year ago |
IOC Fanger (and Defanger) | 56 | about 1 year ago |
ioc_parser | 429 | over 1 year ago |
ioc_writer | 200 | over 1 year ago |
iocextract | 506 | 3 months ago |
IOCextractor | 135 | almost 9 years ago |
ibmxforceex.checker.py | 25 | over 8 years ago |
jager | 82 | about 1 year ago |
Kaspersky CyberTrace | | |
KLara | 697 | 4 months ago |
libtaxii | 70 | over 3 years ago |
Loki | 3,402 | 22 days ago |
LookUp | | |
Machinae | 504 | 6 months ago |
MalPipe | 103 | about 6 years ago |
MISP Workbench | 28 | about 8 years ago |
MISP-Taxii-Server | 80 | about 2 years ago |
MSTIC Jupyter and Python Security Tools | 1,772 | about 1 month ago |
nyx | 30 | almost 9 years ago |
OneMillion | 8 | almost 2 years ago |
openioc-to-stix | 89 | about 6 years ago |
Omnibus | 327 | 6 months ago |
OSTIP | 28 | over 7 years ago |
poortego | 117 | over 6 years ago |
PyIOCe | 61 | over 9 years ago |
QRadio | 96 | over 8 years ago |
rastrea2r | 116 | over 6 years ago |
Redline | | |
RITA | 2,509 | 4 months ago |
Softrace | 2 | over 3 years ago |
sqhunter | | |
SRA TAXII2 Server | 12 | almost 2 years ago |
Stixvalidator.com | | |
Stixview | 85 | about 1 month ago |
stix-viz | 107 | over 6 years ago |
TAXII Test Server | | |
threataggregator | 79 | almost 9 years ago |
threatcrowd_api | 9 | over 7 years ago |
threatcmd | 19 | over 7 years ago |
Threatelligence | 144 | over 10 years ago |
ThreatIngestor | 831 | 10 months ago |
ThreatPinch Lookup | | |
ThreatTracker | 66 | over 9 years ago |
threat_intel | 274 | over 1 year ago |
Threat-Intelligence-Hunter | 148 | 6 months ago |
tiq-test | 171 | about 9 years ago |
YETI | 46 | over 5 years ago |
awesome-threat-intelligence / Research, Standards & Books

Name | Stars | Last commit | Description
APT & Cyber Criminal Campaign Collection | 3,723 | 4 months ago |
APTnotes | 3,495 | 11 months ago |
ATT&CK | | |
Building Threat Hunting Strategies with the Diamond Model | | |
Cyber Analytics Repository by MITRE | | |
Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) | | | A new Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) using a stakeholder-first approach and aligned with the to empower your team and create lasting value.
Cyber Threat Intelligence Repository by MITRE | 1,749 | 9 days ago |
Cyber Threat Intelligence: A Product Without a Process? | | |
Definitive Guide to Cyber Threat Intelligence | | |
The Detection Maturity Level (DML) | | |
The Diamond Model of Intrusion Analysis | | |
The Targeting Process: D3A and F3EAD | | |
Guide to Cyber Threat Information Sharing by NIST | | |
Intelligence Preparation of the Battlefield/Battlespace | | |
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains | | |
ISAO Standards Organization | | |
Joint Publication 2-0: Joint Intelligence | | |
Microsoft Research Paper | | |
MISP Core Format (draft) | | |
NECOMA Project | | |
Pyramid of Pain | | |
Structured Analytic Techniques For Intelligence Analysis | | |
Threat Intelligence: Collecting, Analysing, Evaluating | | |
Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives | | |
Traffic Light Protocol | | |
Unit42 Playbook Viewer | | |
Who's Using Cyberthreat Intelligence and How? | | |
WOMBAT Project | | |