
The Top Cybersecurity and Threat Intelligence Blogs (2025 Edition).

Ask ten threat intelligence analysts where they get their information and you'll get ten different answers — usually with a sheepish “and a lot of Twitter” tacked on at the end. That's not a failure of the field. It's a reflection of how fragmented and fast-moving the cybersecurity information landscape actually is.

This guide is a curated map of that landscape: the blogs, research labs, national CERTs, and vulnerability feeds that consistently produce signal rather than noise. It's organised by what each source is actually good for, because the question isn't “which blog is best?” — it's “which blog helps me answer the question I have right now?”

Everything on this list is a source Liberty91 ingests, parses, and correlates in real time, so the list reflects something more than one person's taste — it's what 81 curated sources look like when you stop trying to read them individually and start treating them as one giant intelligence corpus.

How to evaluate a threat intelligence blog

Before the list, a quick filter. A good threat intelligence source should do at least one of the following better than its peers:

  • Break news. First to report on active campaigns, incidents, or vulnerabilities.
  • Explain the mechanics. Show how an attack works technically, not just that it happened.
  • Attribute and contextualise. Connect observed activity to known actors, campaigns, or strategic trends.
  • Support decision-making. Give you something actionable — IOCs, detection rules, hunting hypotheses, or strategic framing for a stakeholder conversation.

Most sources are strong in one or two of these categories. Very few are strong in all four. The trick is knowing which source to open for which question.

Daily cybersecurity news aggregators

Start here if you need a single morning read to stay current on what's happening in the industry. These outlets cover breaches, policy, law enforcement action, vulnerabilities, and the general heartbeat of the field.

  • The Record — Curated by Recorded Future. Strong on nation-state activity, ransomware ecosystems, and cybercrime takedowns. The accompanying “Click Here” podcast is one of the few security podcasts that treats its audience as adults.
  • The Hacker News — By far the highest-volume security news outlet. Not the place for deep technical analysis, but excellent for awareness of what's trending.
  • BleepingComputer — Lawrence Abrams and team have a reputation for being the first to publish on emerging ransomware families, often with IOCs and technical detail the general press misses.
  • Dark Reading — Broad coverage with a lean toward enterprise security practitioners. Good for the intersection of technical and organisational security topics.
  • The Cyber Express — Cyble's news arm. Heavy on dark web and cybercrime reporting, with a global perspective.
  • Ars Technica Security — Dan Goodin's work in particular is consistently the clearest writing in the field. Ars covers fewer stories than aggregators but goes deeper on each one.
  • SC Magazine — Industry-focused reporting with strong CISO-level analysis and regulatory coverage.
  • Security Affairs — Pierluigi Paganini's long-running blog with strong European coverage and fast turnarounds on breaking stories.
  • GBHackers — Dense technical news coverage with an emphasis on vulnerability disclosures and exploit write-ups.

Independent security researchers worth following

The outlets above are publications. These next ones are individual voices — researchers whose perspective matters because of who they are and how long they've been in the field. Their output tends to be less frequent but more opinionated, which is often exactly what you need when you're trying to think through a problem rather than just track events.

  • Krebs on Security — Brian Krebs has broken more major cybercrime stories than anyone else in journalism. His investigative work on bulletproof hosting, payment fraud, and ransomware ecosystems is in a category of its own.
  • Schneier on Security — Bruce Schneier writes about the intersection of security, policy, cryptography, and society. If you want to think about security at the strategic level rather than the IOC level, this is the blog.
  • Troy Hunt's Blog — Behind-the-scenes writing from the creator of Have I Been Pwned. Consistently thoughtful on credential exposure, data breach disclosure, and the operational realities of running security infrastructure at scale.

Technical analysis and incident response write-ups

When you need to understand how an attack actually worked — the specific commands, the lateral movement path, the C2 infrastructure — these are the sources that get into the weeds.

  • The DFIR Report — Arguably the best free resource for end-to-end intrusion narratives. Each report walks through an incident from initial access through impact, with commands, tooling, and timelines. If you're building detection content, start here.
  • Google Threat Intelligence (Mandiant) — Research from the team that investigates the biggest incidents on the planet. Strong on nation-state tradecraft, particularly around China-nexus and Iran-nexus activity.
  • SecureList — Kaspersky's research arm. Long-running coverage of APT groups and malware families, with historical depth that's hard to match.
  • Microsoft Threat Intelligence — Unique telemetry from the company that sees a huge share of global endpoint and identity activity. Particularly strong on cloud and identity-based attacks.
  • Cisco Talos — Talos's combination of network telemetry and malware reverse engineering produces consistently strong technical write-ups, especially on commodity malware and exploitation of edge devices.
  • Unit 42 (Palo Alto Networks) — Prolific coverage of nation-state and cybercriminal activity, with an emphasis on campaigns Unit 42 is actively tracking in customer environments.
  • Volexity — Smaller volume, but Volexity is often first to report on sophisticated intrusions, particularly those involving edge-device zero-days.
  • WithSecure Labs — Strong on red-team adjacent research and the kind of offensive tradecraft that informs better defensive detection.
  • Elastic Security Labs — Research paired with detection rules you can actually deploy, which is a rare and valuable combination.
  • watchTowr Labs — Newer on the scene but rapidly established as one of the sharpest voices on exploitation of enterprise software and network appliances.
  • Silent Push — DNS-centric research that surfaces infrastructure patterns other vendors miss.
  • Team Cymru — Internet-scale telemetry and long-standing expertise in tracking malicious infrastructure.

Vendor threat research labs

Every major security vendor publishes research. The signal-to-noise ratio varies, but the good ones use their telemetry and customer base to produce findings no independent researcher could match. Here are the labs whose output is consistently worth reading — organised alphabetically because ranking vendor research is a good way to start an argument.

  • ANY.RUN — Interactive sandbox findings with plenty of visual walkthroughs of malware behaviour.
  • Arctic Wolf — MDR-flavoured research with a focus on what mid-market defenders are actually dealing with.
  • Avast Threat Labs — Consumer-scale telemetry surfaces broad trends in commodity malware and stalkerware.
  • Check Point Research — Regular technical drops on APT activity, mobile malware, and network-layer threats.
  • CloudSEK — Strong on dark web monitoring, supply-chain attacks, and brand-abuse intelligence.
  • CrowdStrike — Detailed adversary profiling, particularly around eCrime and state-nexus groups they track by name.
  • CyberPeace Institute — Research on attacks against humanitarian organisations and critical civilian infrastructure — an angle most vendor research misses.
  • Cyble — Dark web and cybercrime forum intelligence with rapid reporting on emerging threats.
  • Flashpoint — Long-standing expertise in illicit online communities and cyber-physical convergence.
  • Group-IB — Strong coverage of APAC threats and financially motivated groups operating in emerging markets.
  • HarfangLab — French EDR vendor with sharp, detail-rich incident write-ups.
  • Malwarebytes Labs — Accessible analysis of consumer and small-business threats — particularly strong on malvertising and tech-support scams.
  • Proofpoint — The go-to source for email-borne threats, phishing kit evolution, and TA-tracked actor groups.
  • ReversingLabs — The leading voice on software supply chain attacks and malicious packages in open-source ecosystems.
  • SentinelLabs — Original research that frequently breaks new ground on APT tooling and macOS-specific threats.
  • The Shadowserver Foundation — A non-profit whose scanning and sinkholing data underpins a huge amount of defensive intelligence worldwide.
  • Socket — Fast reporting on malicious npm, PyPI, and other package ecosystem attacks.
  • SOCRadar — External attack surface and dark web monitoring findings.
  • Sophos News — The Sophos X-Ops team puts out consistently good ransomware and initial-access reporting.
  • Trend Micro Research — Global telemetry and long-term tracking of commodity and targeted threats.
  • WeLiveSecurity (ESET) — ESET's research blog. Particularly strong on Eastern European threat activity and Linux malware.
  • Wiz — Cloud-native threat research and cloud infrastructure vulnerability disclosures.

That's not the full list of vendor labs Liberty91 tracks — other strong voices include Abstract Security, Analyst1, Cybereason, Heimdal Security, Imperva, Lookout, Morphisec, Resecurity, Security Joes, SecurityScorecard, and more. The point isn't to read them all. The point is knowing which one to reach for when a specific question lands on your desk.

Government and national CERT advisories

National cyber security centres and government advisories are often the most underused source in the entire threat intelligence landscape. They carry the weight of official attribution and the visibility of national-level telemetry, yet many CTI teams only check them when a vendor blog links to one.

  • CISA Advisories — The US Cybersecurity and Infrastructure Security Agency publishes joint advisories (often with NSA, FBI, and international partners) that are typically the authoritative public write-up on major campaigns. The separate ICS Advisories stream is essential for anyone in OT security.
  • NCSC UK — The UK National Cyber Security Centre produces guidance and advisories that are unusually well-written for government output. Their threat reports and technical notes are worth treating as baseline reading.
  • NCSC-NL — The Dutch NCSC. Publishes in Dutch and English, with a strong track record on vulnerability coordination and advisories relevant to European critical infrastructure.
  • Canadian Centre for Cyber Security — Alerts and advisories with a pragmatic defender-first tone.
  • CERT-FR — The French national CERT (operated by ANSSI). Detailed technical bulletins and a valuable European perspective.
  • JPCERT/CC — Japan's CERT is one of the strongest sources on APAC-specific threat activity and targeted campaigns against Japanese organisations.
  • CERT Polska — Particularly relevant post-2022 given the threat landscape in the region.
  • CERT.at — Austria's national CERT with consistent advisory output.
  • NIST — Not a news source, but essential for the frameworks, standards, and vulnerability data (NVD) that underpin most programme-level security work.
  • US Department of Justice — Indictments, takedown announcements, and sanctions filings frequently reveal attribution details and operational context that no commercial vendor has access to.

Vulnerability intelligence

Vulnerability data is its own category. Most CVEs don't matter to any given organisation. A few do, and knowing which ones — and when they're being actively exploited — is what separates useful vulnerability intelligence from noise.

  • Zero Day Initiative (Published Advisories) — ZDI's published advisories are authoritative write-ups on vulnerabilities they've coordinated disclosure for. The Upcoming Advisories feed is a rare look at what's coming before the details land — valuable for risk planning.
  • Have I Been Pwned — Troy Hunt's breach notification service. Not a blog in the traditional sense, but an authoritative source on credential exposure and breach disclosures.

The meta-problem: signal collapse at scale

Here's the uncomfortable truth about a list like this one. If you try to read all 81 sources Liberty91 ingests, you'll have read about 400 articles per day and analysed none of them. The people who get real value from this landscape aren't the ones who read the most blogs — they're the ones who have systems for turning blog reading into something operational.

That might look like:

  • A well-scoped collection plan that decides in advance which sources matter for which intelligence requirements.
  • Keyword and entity monitoring across sources, rather than reading chronologically.
  • A workflow that pulls IOCs, TTPs, and CVEs out of blog posts and into detection engineering and vulnerability management processes.
  • Regular review of which sources are actually informing decisions — and dropping the ones that aren't.

The more sources you have, the more important the filtering gets. This is the gap Liberty91 was built to close: the platform ingests all 81 sources above (and more), extracts the structured intelligence from every new post in real time, and surfaces only what's relevant to your specific threat profile. Instead of reading 400 articles a day, you read the three that matter to your organisation, already enriched with the IOCs, detection logic, and context your team needs.

The blogs on this list don't need Liberty91 to be worth reading. They're genuinely some of the best work being done in security. But if you've ever opened a dozen tabs on a Monday morning and felt the dread of knowing you won't get to most of them, this is what Liberty91 exists to solve.

What's missing from this list

No list is complete, and two things are deliberately missing. First, Twitter / X and Mastodon — still where a lot of breaking research happens first, but curating individual accounts is a personal exercise rather than something a public list can usefully capture. Second, specialist podcasts and conference talks — worth a separate post in their own right.

If there's a blog you rely on that isn't on this list, there's a decent chance Liberty91 already tracks it — and if not, it's probably worth adding. The field moves fast, and this list will age. Expect an updated edition when the delta between what's here and what's actually worth reading starts to matter.

This post was originally published on the Liberty91 blog in November 2025 and has been rewritten and expanded for the new site. If you arrived here from an old bookmark or search result, welcome back.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.