What Is a Threat Intelligence Feed? Types, Examples and Limits.
A threat intelligence feed is a continuously updated stream of threat data, most often indicators of compromise such as malicious IP addresses, domains, URLs and file hashes, delivered in a machine-readable format so that security tools can ingest it automatically. A feed is the raw material of threat intelligence: it tells you that something is known to be bad, but on its own it has not been assessed for relevance to your organisation and it carries no judgement about what you should do.
That distinction, between a feed as data and intelligence as something assessed, runs through everything below. This piece covers what a feed actually contains, the main types of feed, real examples, where a raw feed reaches its limits, and how to tell a useful feed from noise.
What does a threat intelligence feed contain?
Most feeds are built around indicators of compromise: the atomic artefacts left behind by malicious activity. In the language of the four types of threat intelligence, a feed is usually technical intelligence. Typical contents include:
- Network indicators. IP addresses, domains and URLs tied to command-and-control, phishing or malware distribution.
- File indicators. Hashes (MD5, SHA-1, SHA-256) of known malicious files, and sometimes signatures.
- Context, when you are lucky. Some feeds tag each indicator with the related malware family, threat actor, or MITRE ATT&CK technique. Many do not, and hand you a bare list.
Feeds are usually delivered in formats designed for machines: STIX over TAXII, MISP, or plain CSV and JSON. That machine-readability is the whole point. A feed exists to flow straight into a SIEM, SOAR, firewall or threat intelligence platform without anyone re-keying it.
Types of threat intelligence feed
Open-source and free feeds
Plenty of high-quality threat data is free. The abuse.ch projects (URLhaus for malicious URLs, Feodo Tracker for botnet command-and-control, MalwareBazaar for samples) are widely used, as are AlienVault OTX, Spamhaus blocklists, and government sharing programmes such as CISA's Automated Indicator Sharing. These are genuinely useful, and a small team can get a long way on open feeds alone.
Commercial and premium feeds
Paid feeds from intelligence vendors typically offer more curation, more context per indicator, faster delivery, and coverage of sources a free feed will not reach, such as closed forums or dark-web markets. The trade-off is cost, and the fact that a premium feed is still a feed: more and better data, but data nonetheless.
Community and sector feeds
Information Sharing and Analysis Centres (ISACs) and trust groups distribute indicators among members of a sector. Because the sharing is scoped to organisations with similar threats, the relevance can be high. Your own internal telemetry, the indicators you observe on your own network, is arguably the most relevant feed of all.
Where a raw feed reaches its limits
A feed is valuable, but it is the beginning of the work, not the end of it. The same properties that make feeds easy to consume also make a raw feed difficult to rely on:
- Relevance. A global feed knows nothing about your sector, region, suppliers or technology stack. Most of what it carries will never be relevant to you, and finding the part that is becomes a triage problem.
- Decay. Technical indicators age quickly. An IP address can be reassigned and a file recompiled within hours, so an indicator that was accurate yesterday can be a false positive today. Without scoring and a way to age indicators out, a feed slowly fills with noise.
- Volume and duplication. Subscribe to enough feeds and the same indicator arrives many times, alongside a great deal that does not apply to you. More feeds can mean more noise rather than more signal.
Turning feeds into intelligence means deduplicating across sources, enriching each indicator with context, scoring it, ageing it out as it decays, and assessing what is relevant to your organisation specifically. That processing is exactly the work a threat intelligence platform exists to do.
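The deduplication and decay steps described above, as an added example (not code from Liberty91 or from any feed provider). The half-lives, the expiry cut-off, the corroboration bonus and the feed names are assumptions chosen for illustration, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed half-lives in days per indicator type; tune to your own observations.
HALF_LIFE_DAYS = {"ip": 3, "domain": 14, "url": 7, "sha256": 180}
EXPIRE_BELOW = 10.0  # assumed cut-off: anything scoring lower is aged out

def normalise(ioc_type, value):
    """Canonical key so the same indicator from two feeds collides."""
    value = value.strip()
    if ioc_type in ("domain", "sha256"):  # case-insensitive types only
        value = value.lower().rstrip(".")
    return ioc_type, value

def merge(records):
    """Deduplicate across sources; keep who reported it and when it was last seen."""
    merged = {}
    for source, ioc_type, value, confidence, seen in records:
        key = normalise(ioc_type, value)
        ind = merged.setdefault(key, {"sources": set(), "last_seen": seen, "base": 0})
        ind["sources"].add(source)
        ind["last_seen"] = max(ind["last_seen"], seen)
        ind["base"] = max(ind["base"], confidence)
    return merged

def score(ioc_type, ind, now):
    """Base confidence, halved every half-life, nudged up by corroboration."""
    age_days = max((now - ind["last_seen"]).total_seconds() / 86400, 0)
    decay = 0.5 ** (age_days / HALF_LIFE_DAYS[ioc_type])
    corroboration = min(1.0 + 0.1 * (len(ind["sources"]) - 1), 1.3)
    return min(100.0, ind["base"] * decay * corroboration)

def active(records, now):
    """Score each merged indicator and drop those that have decayed away."""
    scored = {k: round(score(k[0], i, now), 1) for k, i in merge(records).items()}
    return {k: s for k, s in scored.items() if s >= EXPIRE_BELOW}

# Constructed sample: documentation-range addresses, made-up feed names.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [  # (source, type, value, confidence 0-100, last seen)
    ("feed_a", "ip", "192.0.2.10", 80, NOW - timedelta(days=3)),
    ("feed_b", "ip", " 192.0.2.10", 60, NOW - timedelta(days=6)),
    ("feed_a", "domain", "Bad.Example.", 70, NOW - timedelta(days=14)),
    ("feed_c", "domain", "bad.example", 50, NOW - timedelta(days=28)),
    ("feed_b", "ip", "198.51.100.7", 50, NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for (ioc_type, value), s in active(SAMPLE, NOW).items():
        print(f"{s:5.1f}  {ioc_type:7} {value}")
```

Five raw records collapse to three indicators, and the IP address last seen a month ago scores below the cut-off and drops out rather than staying on the blocklist.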
How to choose a threat intelligence feed
If you are evaluating feeds, the useful questions are less about how many indicators a feed carries and more about whether you can act on them:
- Relevance to you. Does it cover your sector, region and the technologies you actually run?
- Freshness and accuracy. How quickly are indicators added and retired, and what is the false-positive rate?
- Context. Does each indicator arrive with the malware, actor or technique behind it, or as a bare value?
- Format and integration. Does it deliver in STIX/TAXII, MISP, CSV or JSON that your tooling can consume cleanly?
- Licensing. Are you allowed to use and redistribute the data the way you intend to?
Where Liberty91 fits
Liberty91 is not another feed. It consumes them. The platform pulls in feeds across open-source, premium and dark-web sources alongside vendor reports and your own context, then does the processing that turns that raw data into finished, per-organisation intelligence: deduplication, enrichment, relevance assessment against your Intelligence Requirements, and scoring with decay so stale indicators age out instead of piling up.
The output is intelligence rather than a longer list: written reports for the people who need the narrative, plus scored IOC lists, Sigma rules and STIX bundles for the tooling downstream. If you are weighing up which feeds to buy, it is worth asking whether the harder problem is really more data, or the work of turning the data you already have into something your team can act on. Our platform overview covers how Liberty91 approaches that.
Start for free.
Point Liberty91 at your own Intelligence Requirements and let it do the deduplicating, scoring and relevance assessment that turns raw feeds into finished intelligence. A free tier is on the way: register now and we will tell you the moment it opens.
Prefer the command line?
Our open-source CTI Skills pack gives analysts free, MIT-licensed tools for enriching IOCs, profiling threat actors and writing Sigma, YARA and KQL detections inside your own AI coding agent.
Frequently asked questions.
What is a threat intelligence feed?
A threat intelligence feed is a continuously updated stream of threat data, most often indicators of compromise such as malicious IP addresses, domains, URLs and file hashes, delivered in a machine-readable format so security tools can ingest it automatically. A feed is raw material. It tells you that something is bad, but on its own it has not been assessed for relevance to your organisation and carries no judgement about what to do.
What is an example of a threat feed?
A common example is a continuously updated list of IP addresses currently hosting malware command-and-control, pulled into a firewall to block outbound connections. Others include phishing-URL feeds, malware file-hash feeds, and feeds of indicators tied to a specific campaign. Well-known open feeds include abuse.ch projects such as URLhaus and Feodo Tracker, AlienVault OTX, Spamhaus blocklists, and CISA's Automated Indicator Sharing.
Are there free or open-source threat intelligence feeds?
Yes, and many are good. Widely used free and open-source sources include the abuse.ch projects (URLhaus, Feodo Tracker, MalwareBazaar), AlienVault OTX, Spamhaus, and government sharing programmes like CISA's Automated Indicator Sharing. They are valuable raw material. The work that turns them into intelligence, deduplicating across sources, scoring, ageing out stale indicators, and assessing relevance to you, is the part you still have to do or automate.
What is the difference between a threat intelligence feed and a platform?
A feed is one input: a stream of data. A threat intelligence platform is the system that consumes many feeds, alongside reports and your own telemetry, then enriches the data, assesses its relevance, and produces finished intelligence on top. Put simply, a feed is data and a platform is what turns data into intelligence. We cover this in detail in our explainer on what a threat intelligence platform is.
Are more threat intelligence feeds always better?
No. Past a point, adding feeds adds noise, duplication and false positives faster than it adds signal. What matters is relevance to your sector, region and technology stack, the freshness and accuracy of the data, and whether the indicators arrive with enough context and scoring to act on. A few well-chosen, well-processed sources usually beat a large pile of raw, unassessed ones.


