Complete Guide to Cyberthreat Intelligence Feeds And Sources

Popular Cyberthreat Intelligence Feeds and Sources – Explained 

October 26, 2023
| Ryan Clancy
| Threat Intelligence

Threat intelligence has become incredibly popular in recent years. This is largely a result of how sophisticated and pervasive cyberthreats have become. To identify and protect against these attacks, enterprises increasingly turn to threat intelligence and analysts. This blog sheds light on two well-known cyberthreat intelligence feeds and how they can help your organization protect itself from cyberattacks.

What Are Threat Intelligence Feeds?

Threat intelligence feeds are a vital part of any organization’s security posture. They provide real-time information on the latest threats, allowing organizations to identify and respond quickly to attacks (Wigmore, 2021).

Many types of threat intelligence sources are available, each with its strengths and weaknesses. Finding a feed that meets your organization’s needs is the most important thing.

  • One of the most popular threat intelligence feeds is the IP blacklist. This feed provides a list of known malicious IP addresses involved in attacks. By blocking these addresses, you can stop attacks before they even start.
  • Another popular type of threat intelligence feed is the domain blacklist. This feed provides a list of known malicious domains that are often used in phishing attacks. By blocking these domains, you can protect your users from being tricked into giving away their passwords or personal information.
  • The third type of threat intelligence feed is the URL blacklist. This feed provides a list of known malicious URLs that are often used in web-based attacks. You can protect your users from being redirected to malicious websites by blocking these URLs.
  • Finally, the fourth type of threat intelligence feed is the email blacklist. This feed provides a list of known malicious email addresses that are often used in spam or phishing attacks. By blocking these email addresses, you can protect your users from receiving unwanted emails.

Organizations should carefully consider their specific needs when choosing a threat intelligence feed. Unfortunately, there is no one-size-fits-all solution, so finding a feed that meets your organization’s specific requirements is essential. However, all four of these feeds can provide valuable information that can help protect your network from attack.
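As an added illustration (not code from the original article), the sketch below checks events against the four feed types described above. The feed entries, event fields (`src_ip`, `url`, `sender`) and function names are assumptions made for the example, and all sample data is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed feed entries (documentation IP ranges, reserved .example names).
# Domain and email entries are assumed to be stored in lower case.
FEED = {
    "ip": ["203.0.113.0/24", "198.51.100.7"],
    "domain": ["bad.example"],
    "url": ["http://files.example.net/invoice.html"],
    "email": ["billing@phish.example"],
}
# Constructed proxy and mail-gateway events.
EVENTS = [
    {"src_ip": "203.0.113.45", "url": "https://intranet.example.org/"},
    {"src_ip": "192.0.2.10", "url": "http://LOGIN.bad.example./reset?id=1"},
    {"src_ip": "192.0.2.11", "url": "HTTP://Files.Example.NET/invoice.html#top"},
    {"src_ip": "192.0.2.12", "sender": "Billing@phish.example"},
    {"src_ip": "192.0.2.13", "url": "https://notbad.example/"},
]

def norm_url(url):
    """Lower-case scheme and host, drop the fragment and a trailing host dot."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").rstrip(".")
    port = f":{p.port}" if p.port else ""
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{host}{port}{p.path or '/'}{query}"

def match(event, feed=FEED):
    """Return [(feed_type, matched_entry), ...] for one event."""
    hits = []
    addr = ipaddress.ip_address(event["src_ip"])
    for entry in feed["ip"]:  # entries may be single addresses or CIDR ranges
        if addr in ipaddress.ip_network(entry, strict=False):
            hits.append(("ip", entry))
    if "url" in event:
        url = norm_url(event["url"])
        if url in {norm_url(u) for u in feed["url"]}:
            hits.append(("url", url))
        labels = (urlsplit(url).hostname or "").split(".")
        # A listed domain covers its subdomains; compare whole labels, not substrings.
        for i in range(len(labels)):
            if ".".join(labels[i:]) in feed["domain"]:
                hits.append(("domain", ".".join(labels[i:])))
    if event.get("sender", "").lower() in feed["email"]:
        hits.append(("email", event["sender"].lower()))
    return hits

def scan(events=EVENTS):
    return [match(e) for e in events]
```

The last event shows why matching is done on whole DNS labels: `notbad.example` contains the string `bad.example` but is a different domain and produces no hit.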

Types of Threat Intelligence Feed Formats

The type of threat intelligence feed format that you choose will have a big impact on how effective your overall security strategy is. Here, we look at some of the most popular formats to help you make the best decision for your organization.

STIX and TAXII are two of the most prevalent threat intelligence feed formats. STIX, which stands for Structured Threat Information eXpression, is a structured language for exchanging cyber threat intelligence. TAXII, which stands for Trusted Automated eXchange of Indicator Information, is a protocol for exchanging cyber threat intelligence over HTTPS.

OpenIOC is another popular format for storing and sharing threat intelligence. It uses JSON-LD to describe indicted activities in a machine-readable format.

MAEC, or Malware Attribute Enumeration and Characterization, is an XML-based language that describes malware in great detail (Cooper, 2022).

All of these formats have their strengths and weaknesses. STIX and TAXII are both well-suited for exchanging large amounts of data but may be difficult for some users to parse. OpenIOC is easy to parse but does not provide as much detail as STIX or TAXII. MAEC is very detailed but can be challenging to use for exchange purposes.

The best threat intelligence feed format for your organization will ultimately depend on your specific needs and goals. For example, STIX and TAXII are good options if you need to quickly exchange large amounts of data. If you need to parse data easily, OpenIOC is a good choice. And if you need very detailed information, MAEC is a good option. Choose the format that best meets your needs, and you’ll be well on your way to an effective security strategy.

Understanding STIX and TAXII

When used together, STIX and TAXII can help organizations share threat intelligence more effectively, allowing them to defend themselves better against cyberattacks. Below we’ll take a closer look at STIX and TAXII, how they work, and why they’re so important for cybersecurity.

What is STIX?

STIX stands for Structured Threat Information Expression. It’s a language for expressing cybersecurity threat information in a standardized way. This allows different organizations to share threat intelligence more effectively, making it easier to defend against cyberattacks.

STIX consists of an information model and a set of XML schemas. The information model defines the data types represented in STIX, while the XML schemas define how that data should be structured.

STIX is designed to be flexible, so it can be used to represent any threat information. This includes information about attacks, malware, vulnerabilities, and indicators of compromise.
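As an added example (not from the original article), the sketch below turns indicators of compromise from a STIX feed into a blocklist. It assumes the JSON serialization used by STIX 2.1 rather than the XML schemas described above; the bundle, identifiers and helper names are constructed for illustration, and only single-comparison patterns are handled.

```python
import re
from datetime import datetime, timezone

def indicator(n, pattern, **extra):
    """Build a constructed STIX 2.1 indicator object (sample data only)."""
    ts = "2023-10-01T00:00:00Z"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "created": ts, "modified": ts, "valid_from": ts,
            "pattern_type": "stix", "pattern": pattern, **extra}

# Constructed bundle: one live indicator, one expired, one revoked, one compound.
BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
          "objects": [
    indicator(1, "[ipv4-addr:value = '198.51.100.7']"),
    indicator(2, "[domain-name:value = 'bad.example']",
              valid_until="2023-10-15T00:00:00Z"),
    indicator(3, "[url:value = 'http://files.example.net/invoice.html']",
              revoked=True),
    indicator(4, "[ipv4-addr:value = '203.0.113.9'] FOLLOWEDBY "
                 "[domain-name:value = 'c2.example']"),
]}
NOW = datetime(2023, 10, 26, tzinfo=timezone.utc)  # constructed evaluation time

# Matches only patterns of the form [<object-type>:value = '<literal>'].
SIMPLE = re.compile(r"^\[\s*([a-z0-9-]+):value\s*=\s*'([^']*)'\s*\]$")

def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def active_blocklist(bundle, now):
    """Return ({object_type: {values}}, [skipped ids]) for indicators valid at `now`."""
    block, skipped = {}, []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        expired = "valid_until" in obj and parse_ts(obj["valid_until"]) <= now
        not_yet = parse_ts(obj["valid_from"]) > now
        m = SIMPLE.match(obj["pattern"].strip())
        # Revoked, out-of-window or compound indicators are reported, not blocked.
        if obj.get("revoked") or expired or not_yet or not m:
            skipped.append(obj["id"])
            continue
        block.setdefault(m.group(1), set()).add(m.group(2))
    return block, skipped
```

Honouring `valid_until` and `revoked` keeps stale indicators out of enforcement lists, which is a common source of false positives when feeds are consumed automatically.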

What is TAXII?

TAXII stands for Trusted Automated eXchange of Indicator Information. It’s a set of protocols for exchanging cybersecurity threat information. TAXII is built on top of STIX, so it can be used to exchange any threat information that can be represented in STIX.

TAXII consists of two parts: a transport layer and a message layer. The transport layer defines how messages are exchanged between TAXII clients and servers, while the message layer defines the format of those messages.

TAXII uses HTTPS to encrypt and authenticate all message exchanges. This ensures that only authorized TAXII clients and servers can exchange messages and that those messages are protected from eavesdropping and tampering.

Start Your Journey in Information Security Today

If you want to learn more about threat intelligence feeds, EC-Council’s Certified Threat Intelligence Analyst (C|TIA) program will equip you with the knowledge and skills to leverage these feeds and threat intelligence standards to prevent and mitigate cyberattacks.

Industry experts have developed the C|TIA certification to help train learners to identify and mitigate business risks by converting unknown internal and external threats into quantifiable threat entities and nipping them in the bud.

So, what are you waiting for? Get started on your path to a successful career in information security today!


Cooper, S. (2022, August 5). Five best threat intelligence feeds. Comparitech.

Wigmore, I. (2021, August 24). What is a threat intelligence feed? TechTarget.

About the Author

Ryan Clancy is a writer and blogger. With 5+ years of mechanical engineering experience, he’s passionate about all things engineering and tech. He also loves bringing engineering (especially mechanical) down to a level that everyone can understand. Ryan lives in New York City and writes about everything engineering and tech.
