Threat intelligence feeds are structured data streams that deliver indicators of compromise (IOCs): IP addresses, domains, URLs, malware hashes and reputation signals you can push into your SIEM, your firewall or your SOC. Chosen well, they shorten the time it takes to detect an intrusion. Integrated poorly, they generate thousands of false-positive alerts that overwhelm the team and erode trust in the system. This guide treats feeds as what they really are, the data layer, rather than the platform that aggregates them, and explains how to choose between free and paid sources without drowning in noise.
The essentials
- A feed is the data layer (raw or enriched IOCs), distinct from the platform that aggregates and correlates them, such as MISP or OpenCTI.
- Free is not the worst option: abuse.ch, the CIRCL OSINT feed or AlienVault OTX offer high quality if you filter for relevance.
- The STIX 2.1 and TAXII 2.1 standards let you exchange indicators between tools without parsing proprietary formats.
- What matters is not the number of indicators, but relevance to your sector, timeliness, false-positive rate and coverage.
- A feed with no aging process and no enrichment turns into noise that degrades SOC performance.
What a threat intelligence feed is
A feed is a source that emits indicators continuously or periodically, usually in CSV, JSON or STIX format. Each indicator describes an observable artefact tied to malicious activity: the hash of a ransomware sample, the IP of a command and control server, the domain of a phishing campaign or the URL of an exfiltration panel. The feed is raw material. It decides nothing on its own, it only provides data that another layer will have to aggregate, correlate and contextualise.
It helps to place feeds correctly within the intelligence cycle. Below them sits collection (the feeds and OSINT sources themselves). Above them sits aggregation in a platform, then human analysis and threat hunting, and finally defensive action. Feeds occupy the most basic rung, and their value varies enormously by indicator type. David Bianco's Pyramid of Pain captures this well: blocking a hash barely inconveniences an attacker, who just recompiles, whereas detecting their tactics, techniques and procedures (TTPs) forces them to redesign the operation. Feeds shine at the base of the pyramid (hashes, IPs, domains) and rarely reach the apex, which belongs to threat hunting and to the graph-based investigation we describe in what is Maltego.
Free feeds versus paid feeds
The first buying decision is not which vendor, but how much of your intelligence can come from open sources.
Free and community sources
The open ecosystem is surprisingly solid. abuse.ch publishes several very high-signal feeds: URLhaus (malware distribution URLs), ThreatFox (IOCs tied to specific families), Feodo Tracker (C2 for botnets such as Emotet or Dridex) and SSL Blacklist. The CIRCL OSINT feed ships in MISP format and is a de facto standard across Europe. AlienVault OTX aggregates community-contributed pulses, useful as an early signal despite variable noise. On top of that sit the CISA Known Exploited Vulnerabilities (KEV) catalogue, Spamhaus DROP, Tor exit nodes and the Emerging Threats open ruleset. For many SMEs, a carefully curated selection of these sources covers a large part of the need.
Commercial feeds
What you pay for in a commercial feed is not more indicators, but curation. Vendors such as Recorded Future, Mandiant, CrowdStrike or Anomali provide actor context, finished intelligence, service level agreements, coverage of closed sources and, above all, a lower false-positive rate thanks to prior validation. For a NIS2-regulated organisation with a mature SOC, that context accelerates response. For anyone not yet processing free sources well, paying for more volume usually makes the problem worse.
Open-source platforms to manage feeds
Here is the most common confusion: MISP and OpenCTI are not feeds, they are the platforms that consume them. MISP is the standard for indicator sharing, with automatic correlation, taxonomies, TLP levels and dozens of preconfigured feeds you can enable and filter. OpenCTI is STIX 2.1 native, models knowledge as a graph (indicators, malware, actors, campaigns, ATT&CK techniques) and connects to sources through connectors. Both ingest free and paid feeds, deduplicate, score confidence and export a cleaned subset to your controls. Treating the platform as if it were the feed, or the other way around, is the root of many badly sized intelligence programmes.
Standards: IOCs, STIX and TAXII
Interoperability rests on two OASIS standards. STIX 2.1 is the language: it defines objects such as indicator (with its detection pattern), malware, threat-actor, campaign and the relationships between them, so an indicator travels with its context rather than as a loose line of text. TAXII 2.1 is the transport: it defines collections and channels that a client polls to receive those objects over an API, instead of downloading loose files. Add to that the Traffic Light Protocol (TLP), which marks how each piece of data may be shared, and detection formats such as YARA for files or Sigma for logs. Prioritising feeds that speak STIX/TAXII saves you from writing and maintaining a proprietary parser for every source.
How to choose a feed: selection criteria
Evaluate each source with measurable criteria, not marketing:
- Relevance. Does it cover your sector, geography and technology stack? A feed focused on North American banking adds little to a European industrial company.
- Timeliness. The latency between an IOC being observed and reaching your feed. A phishing domain is worth hours, not weeks.
- False-positive rate. Measure how many indicators generate alerts with no value. A noisy source costs more in analyst hours than it saves.
- Coverage and overlap. Adding a feed that replicates 90% of another gives you no extra coverage, only duplicated work. Measure overlap before you subscribe.
- Context and confidence. Does each indicator arrive with a score, source, TLP and first-seen date? Without context you cannot prioritise.
- Format and integration. STIX/TAXII or MISP integrate themselves. A CSV with no stable schema forces you to maintain it.
The honest way to validate a feed is to measure its true positives during a trial period before paying for it, rather than trusting the advertised indicator count.
SIEM/SOC integration and the overload trap
The most expensive mistake is dumping raw feeds straight into SIEM correlation. The result is a false-positive storm that burns out the on-call team. The correct flow goes through an intermediate platform: feeds enter over TAXII into MISP or OpenCTI, there they are deduplicated, scored and enriched with services like VirusTotal or GreyNoise, and only a high-confidence subset is pushed to the SIEM, the EDR or the firewall as watchlists.
Three controls make the difference. Aging retires expiring indicators, because an IP that is malicious today may be a legitimate cloud provider IP a month from now. Whitelisting protects the highest-traffic legitimate domains and IPs (for example with the Tranco list or CDN ranges) so they never trigger an alert. And a confidence threshold filters out anything below a certain score. That cleaned intelligence is what then feeds the proactive work we explain in what is threat hunting and the daily operations of what is a SOC. Without this process, more feeds mean less security, not more.
Feeds also add valuable context when crossed with other intelligence layers, such as dark web monitoring or the tracking of credential-theft families we cover in what is an infostealer.
Frequently asked questions
What is the difference between a feed and a threat intelligence platform?
The feed is the data source, the stream of IOCs. The platform (MISP, OpenCTI) is where that data is aggregated, deduplicated, scored and correlated. A feed with no platform is a list without context, and a platform with no feeds is empty. You need both layers, but they are different things and should not be confused when designing the programme.
Are free feeds worth it?
Yes, and for many organisations they are the ideal starting point. Sources like abuse.ch, the CIRCL OSINT feed or the CISA KEV catalogue have an excellent signal-to-noise ratio. The key is not how much you pay, but how much process you put behind it. A well-filtered free feed beats an expensive feed dumped in raw.
What are STIX and TAXII?
STIX 2.1 is a standardised language for describing threats (indicators, malware, actors and their relationships). TAXII 2.1 is the transport protocol that lets you poll and receive those objects over an API. Together they save you from maintaining a separate parser for each vendor and make it easier to share intelligence between organisations.
How many feeds should I integrate?
Fewer than you think. A handful of relevant, well-processed sources beats dozens of overlapping ones. Measure the overlap and true positives of each, and drop those that add no new signal. The quality of your process matters far more than the number of subscriptions.
How do I avoid false-positive overload?
Do not ingest raw feeds into the SIEM. Run them first through a platform that deduplicates, scores and enriches, apply aging to expired indicators, protect your highest-traffic legitimate assets with whitelists, and push only indicators above a confidence threshold into your detection controls.
Related resources
- What is threat hunting: methodology and proactive process
- What is a SOC: security operations center
- Dark web monitoring for business
- What is Maltego: OSINT graph investigation
- What is the cyber kill chain: phases and defence
Threat intelligence feeds with Secra
At Secra we integrate threat intelligence feeds within a full threat intelligence programme: we select the sources relevant to your sector, aggregate them in a platform that deduplicates and scores, apply aging and whitelists to control the noise, and connect the cleaned intelligence to your SIEM, your EDR and your response process. All of it with NIS2 alignment and traceability for the record.
Discover our managed cybersecurity service and let us design an intelligence layer that reduces noise instead of amplifying it.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

