Threat Intelligence
67 tools
Threat intelligence platforms — IOC lookup and correlation, malware analysis, vulnerability intelligence, threat actor tracking, and dark web monitoring.
Top-Rated Tools
Shodan
4.7/5, freemium
Search engine for internet-connected devices — find exposed servers, industrial systems, and network infrastructure worldwide.
urlscan.io
4.6/5, freemium
Free website scanner that captures full-page screenshots, network requests, and DOM snapshots for any URL
Bitdefender
4.5/5, paid
Award-winning antivirus and endpoint security suite with advanced threat detection for individuals and teams
MISP Warning Lists
4.5/5, free
A structured false-positive filtering layer that helps analysts stop treating common benign infrastructure as malicious indicators.
VirusTotal
4.5/5, freemium
Multi-engine malware scanner and threat intelligence platform for files, URLs, IPs, and domains
capa
4.4/5, free
A malware triage tool that quickly tells analysts what an executable is capable of doing and where those behaviors appear.
Comparisons & Buyer Guides
WorldMonitor vs Crucix vs OpenPlanter
WorldMonitor, Crucix, and OpenPlanter are three free, self-hosted tools that together cover the intelligence workflow space occupied by commercial platforms like Palantir and Recorded Future. WorldMonitor provides cross-domain situational awareness across 65+ live data sources on an interactive map. Crucix monitors 27 feeds persistently and pushes threshold-triggered alerts to Telegram or Discord. OpenPlanter is a recursive AI investigation agent that resolves entities across structured public record datasets. They are not substitutes — they are complementary tools at different stages of an intelligence workflow.
Best Threat Hunting Tools (2026)
Independent comparison of the best threat hunting tools for enterprise security teams. Evaluated on detection capability, analyst workflow, and integration depth.
Best Threat Intelligence Platforms (2026)
Independent comparison of the best threat intelligence platforms for enterprise and mid-market security teams. Evaluated for data quality, analyst workflow, and ROI.
Guides & Techniques
BioRxiv and PubMed as Intelligence Sources
PubMed and bioRxiv give investigators a structured, searchable view into the biomedical research ecosystem. Used together with ORCID, OpenAlex, NIH iSearch, and patent and securities databases, they help map expertise, affiliations, grants, and commercialization pathways with far more precision than ordinary web search.
SAM.gov and USASpending: Federal Contractor OSINT
SAM.gov and USASpending are complementary public data sources for investigating who does business with the US government, how much they are paid, and how their corporate identities are represented in official systems. Used together, they help analysts trace ownership clues, exclusions, award histories, and network patterns across prime contractors, subsidiaries, and potential shell entities.
SEC EDGAR Deep Dive: An OSINT Guide
SEC EDGAR is far more than a repository for annual and quarterly reports. For OSINT investigators, it is a free, primary-source intelligence platform that exposes ownership changes, insider transactions, proxy battles, executive turnover, and narrative disclosures that rarely appear in standard equity research workflows.
irs-form-990-intelligence-guide
IRS Form 990 filings are one of the richest public sources for investigating US nonprofits, foundations, and their cross-border relationships. For OSINT investigators, they expose governance, compensation, grants, related-party transactions, and structural links that rarely appear as clearly in a single public record.
osint-for-cybersecurity-analysts
This guide shows cybersecurity analysts how to turn passive open source intelligence into practical threat intelligence for hunting, response, and vulnerability prioritization. It focuses on safe, non-intrusive collection methods and highlights tools, workflows, and integration points that fit modern security operations.
osint-for-forensic-accountants
This guide shows forensic accountants how to use public data to support financial investigations, from corporate ownership research to property records, securities filings, and lifestyle evidence. It focuses on practical workflows and investigator-relevant sources that help corroborate documents, expose inconsistencies, and map connections across entities and assets.
osint-for-insurance-fraud-investigators
This guide shows insurance fraud investigators how to use open-source intelligence to verify claimant activity, validate business entities, and uncover cross-claim patterns. It focuses on practical, defensible workflows that help SIU teams prioritize surveillance resources and document findings for reports.
Dark Web Monitoring: How It Works and What to Watch For
A complete guide to dark web monitoring — what's actually on the dark web, how monitoring tools work, what they detect, and how to choose the right approach for your organization.
Using OSINT for Prediction Market Research
How open-source intelligence techniques give prediction market traders an edge — tracking geopolitical events, sanctions, flight data, and public records to inform smarter bets.
More Threat Intelligence Tools
Cortex Analyzers
A modular enrichment engine that lets TheHive analysts analyze observables in place instead of pivoting across dozens of external CTI tools.
Cortex
An enrichment and response engine that lets TheHive analysts analyze observables and trigger actions without leaving the case workflow.
destroylist
A continuously updated phishing and scam domain feed that helps defenders block fraud infrastructure through DNS, hosts files, or API lookups.
MISP Galaxy
A structured cluster library that gives threat intelligence events actor, malware, and technique context instead of leaving them as unlabeled IOC collections.
MISP
An open source threat intelligence platform built for structured IOC management, community sharing, and fast operational distribution.
Anthropic Cybersecurity Skills
A structured open skill library that gives AI agents concrete cybersecurity workflows mapped to ATT&CK, D3FEND, ATLAS, and NIST frameworks.
C2 Tracker
A live C2 infrastructure feed that helps defenders hunt, block, and correlate active command-and-control servers by framework type.
Crucix
27 parallel intelligence feeds, push alerts to your phone, and LLM-powered briefings on demand — self-hosted, no cloud dependency.
Awesome Lists (mthcht)
A blue-team-first security directory that helps SOC and CTI teams find relevant feeds, rule sources, and detection references without wading through offensive tooling.
OpenCTI
Store, correlate, and visualize structured threat intelligence using STIX2 as the native data model — with a 150+ connector ecosystem and graph-based investigation workflows designed for serious TI programs.
Web Check
Paste a URL and get DNS records, SSL details, security headers, tech stack, WHOIS, and 100+ more domain intelligence checks in a single browser view — in under thirty seconds.
WorldMonitor
Correlated multi-domain intelligence across conflicts, maritime, aviation, infrastructure, finance, and climate on a single open source map surface.
Cti-Expert
A Claude Code CTI skill that gives analysts reusable investigation playbooks, faster triage structure, and report-ready workflow scaffolding without mandatory API setup.
IntelOwl
Orchestrate IOC enrichment across 100+ threat intelligence sources through a single API — with automated multi-hop correlation and direct output to MISP, OpenCTI, or DFIR-IRIS.
PatrowlManager
An open source orchestration layer that helps security teams run multiple analysis tools against tracked assets from one central platform.
robin
An AI-assisted dark web investigation tool that helps analysts refine queries, reduce result noise, and summarize findings in one workflow.
ShadowNet
An experimental privacy-framed OSINT project for analysts willing to verify routing and anonymity claims themselves.
sicat
A multi-source exploit lookup tool that helps pentesters check public exploit availability and Metasploit coverage from one query.
signature-base
A trusted community YARA and IOC repository that gives DFIR teams immediate detection coverage for malware, webshells, and attacker tooling.
SpiderFoot
Map a target's full digital footprint automatically — domains, IPs, emails, names, and ASNs across 500+ sources.
Sucuri
Website security platform used by investigators to analyze site integrity, malware, and CDN infrastructure
Taranis AI
A self-hosted OSINT platform that helps threat intelligence teams turn noisy source monitoring into structured, reviewable reporting.
tcpflow
A bulk TCP stream reconstruction tool that turns packet captures into searchable application-layer conversations for faster forensic analysis.
Velociraptor
A fleet-scale DFIR platform that helps investigators hunt, collect artifacts, and run live response across endpoints without imaging them one by one.
Arkham Intel
On-chain intelligence platform that deanonymizes blockchain addresses and maps crypto fund flows
Awesome Incident Response
A categorized DFIR directory that helps responders discover forensic, malware, and case-management tools with added adoption signals from GitHub metadata.
Censys
Internet-wide scanner with certificate transparency coverage no other tool matches.
cyberbro
A paste-and-submit IOC triage tool that extracts indicators from messy text and checks their reputation across multiple CTI services.
FOFA
A web-focused internet asset search engine that helps analysts pivot from one exposed fingerprint to broader infrastructure quickly.
Hudson Rock
Infostealer intelligence platform exposing compromised credentials from malware-infected machines worldwide
openSquat
An open source monitoring tool that helps defenders catch brand lookalike domains before phishing campaigns go live.
Ransomware Tool Matrix
A group-centric ransomware reference that helps defenders translate gang attribution into concrete tools, hunt leads, and detection priorities.
Recorded Future
The leading threat intelligence platform for enterprise security teams
SkyOSINT
Real-time satellite tracking and space intelligence platform combining orbital data with geopolitical analysis
Awesome Forensics
A curated DFIR resource directory that helps investigators find relevant forensic tools quickly when unfamiliar evidence types appear.
Babel Street
Global multilingual intelligence platform for government, law enforcement, and enterprise
DFIRTrack
A focused incident response tracking app that helps teams manage systems, artifacts, tasks, and timelines without relying on spreadsheets.
IVRE
Turn your Nmap and Masscan output into a persistent, queryable network intelligence database with Shodan-style query capabilities against your own infrastructure.
mihari
A rule-driven OSINT hunting engine that automates recurring infrastructure queries and alerts only on what is newly discovered.
Open Source Threat Intel Feeds
A practical reference directory for finding, comparing, and operationalizing free IOC feeds across MISP, SIEM, and enrichment pipelines.
Pulsedive
Community-driven threat intelligence platform with enriched IOC data and free analyst-grade lookups
SEMrush
Competitive intelligence and web footprint analysis for digital investigators
Sploitus
A centralized exploit search engine that helps analysts check public exploit availability across multiple sources in one place.
TGStat
Telegram channel analytics platform covering 50+ million channels with growth data and content search
ArkhamMirror
A local-first AI document analysis platform that helps investigators extract entities and map relationships without exposing sensitive files to the cloud.
Avilla Forensics
A free Android forensic utility that simplifies ADB-based extraction and app analysis for investigators without a commercial mobile suite.
Hacking Tools (aw-junaid)
A multi-language security tool collection that helps researchers study how offensive and analysis utilities are built across different ecosystems.
Criminal IP
IP and domain scanner that scores addresses by malicious activity and maps CVEs to exposed service banners.
deepdarkCTI
A structured reference of dark web and deep web CTI sources — ransomware tracking sites, IOC feeds, paste monitors, and threat actor Telegram channels — organized for feed coverage auditing.
Intelligence X
A search engine and permanent data archive that indexes dark web content, full breach records, historical WHOIS, and deleted documents — content that disappeared from the public web still lives here.
Netlas
Internet scanning platform with 8 billion+ indexed IP addresses for attack surface and infrastructure analysis
Norton Small Business
Endpoint protection and threat detection for small OSINT teams and security firms
OpenPlanter
Autonomous AI investigation agent that resolves entities across corporate registries, campaign finance, lobbying disclosures, and government contracts — surfacing non-obvious connections with evidence citations.
Defense.com
Operationalize OSINT-sourced threat intelligence inside a managed XDR and SOC platform built for enterprise security teams.
Mitaka
A browser extension that turns highlighted indicators into instant OSINT and threat intelligence lookups without breaking analyst flow.
SecurityTrails
Historical DNS and domain intelligence database covering 10+ years of infrastructure changes
TorBot
A Tor-routed OSINT crawler that helps analysts map .onion infrastructure, collect contact details, and preserve volatile dark web content.
GreyNoise
Internet noise classifier that separates mass-scanning background traffic from targeted activity so you can stop chasing ghosts in your SIEM.
Onyphe
Cyber defense search engine indexing internet-wide scan data, threat intelligence feeds, and passive DNS
Maltego
The gold standard for visual link analysis and OSINT pivoting
ZoomEye
Chinese-operated internet search engine for cyberspace — maps exposed services and devices globally