Defense · 2026-03-13 · 6 min

Threat intelligence feeds: which to subscribe to and how to use them

Threat intelligence is data, products, and processes — most companies pay for the data and ignore the process. Here is how to operationalize feeds.


Cyber threat intelligence (CTI) is the discipline of collecting, analyzing, and applying information about adversaries to inform defense. The community distinguishes strategic (board-level trends), operational (campaign and TTP level), tactical (TTP and procedure level), and technical (IOC level — IPs, domains, hashes). Most defenders get the most value from the operational and tactical layers. The common mistake is buying expensive feeds without building the process to consume them.

Open-source feeds get most defenders most of the way. CISA Known Exploited Vulnerabilities catalog (KEV) — every CVE with confirmed in-the-wild exploitation; free, updated continuously, machine-readable (JSON and CSV). AlienVault OTX — community-shared IOCs across malware families. Abuse.ch URLhaus, MalwareBazaar, ThreatFox, FeodoTracker — botnet, malware, and command-and-control infrastructure. Shadowserver — daily reports on compromised hosts in your IP space, delivered free once you subscribe. The Spamhaus DROP list serves network-edge blocking and the Emerging Threats Open ruleset supplies IDS signatures. MISP communities, including the Cyber Security Center of Azerbaijan partner network, share indicator collections.
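A minimal way to consume the KEV catalog, as an added example that is not code from the original post or from CISA: load the feed's JSON, match entries against an asset inventory, and flag anything past its due date. The feed layout (a `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) is the real one; the records, vendor names and CVE IDs embedded below are constructed placeholders, and `INVENTORY` is an assumed list of what the organization runs.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. The CVE IDs and
# vendor/product names are placeholders, not real catalog entries.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2026-03-13T00:00:00Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "AcmeNet", "product": "Acme Gateway",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-10",
         "shortDescription": "placeholder", "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2026-03-31", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-0000-00002", "vendorProject": "AcmeSoft", "product": "Acme Mail",
         "vulnerabilityName": "placeholder", "dateAdded": "2025-11-01",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-11-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherCo", "product": "Other Thing",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-12",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-04-02", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Assumed asset inventory: (vendorProject, product) pairs as they appear in KEV.
INVENTORY = [("AcmeNet", "Acme Gateway"), ("acmesoft", "acme mail")]


def load_kev(raw: str) -> list[dict]:
    """Parse the KEV feed text and return its vulnerability records."""
    return json.loads(raw)["vulnerabilities"]


def match_inventory(entries: list[dict], inventory, today: date) -> list[dict]:
    """KEV entries whose vendor/product is in the inventory, earliest due date first.

    Matching is case-insensitive because inventory systems rarely spell names
    exactly as CISA does; in practice you would also map product aliases.
    """
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for e in entries:
        if (e["vendorProject"].lower(), e["product"].lower()) not in wanted:
            continue
        due = date.fromisoformat(e["dueDate"])
        hits.append({
            "cve": e["cveID"],
            "product": e["product"],
            "due": due,
            "overdue": due < today,  # past CISA's remediation deadline
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    hits.sort(key=lambda h: h["due"])
    return hits


def added_since(entries: list[dict], since: date) -> list[str]:
    """CVE IDs added to the catalog on or after `since` (the daily delta to review)."""
    return [e["cveID"] for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


if __name__ == "__main__":
    today = date(2026, 3, 13)
    entries = load_kev(SAMPLE_KEV)
    for h in match_inventory(entries, INVENTORY, today):
        print(f"{h['cve']} {h['product']} due {h['due']} overdue={h['overdue']} ransomware={h['ransomware']}")
    print("new since 2026-03-11:", added_since(entries, date(2026, 3, 11)))
```

Run against the live feed by replacing `SAMPLE_KEV` with the downloaded JSON; the daily delta from `added_since` is what belongs in a ticket queue, and the overdue list is what belongs in a management report.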

Commercial feeds add depth. Mandiant Advantage, Recorded Future, Group-IB Threat Intelligence, CrowdStrike Falcon Intelligence, and Anomali ThreatStream provide actor-attributed reporting, TTP analysis, and underground-forum collection that open-source cannot match. Pricing runs from 30,000 USD annually for entry-level access to 250,000 USD plus for full premium feeds. For an Azerbaijani organization, evaluate based on regional coverage — does the feed actually report on actors targeting your sector in this region — rather than on global volume.

Operationalize through automation. Pipe IOCs into your SIEM as a watchlist, your firewall and proxy as a blocklist, and your EDR as a custom IOC list. A threat intelligence platform (TIP) such as MISP, Anomali ThreatStream, or Recorded Future's TIP is the integration point: it normalizes formats (STIX 2.1) and pushes indicators to the enforcement points. Set retention rules so that a year-old IP, long since reassigned, does not block a legitimate customer. Map adversary TTPs to MITRE ATT&CK and use the ATT&CK Navigator to track your detection coverage against the actors most relevant to your sector. Quarterly, review the updated reports on your top three actors and validate detection with Atomic Red Team exercises. Threat intelligence pays back only when it triggers a configuration change in your defenses.
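The normalize-then-push step with retention applied, as an added example rather than code from the original post or from any TIP product: it reads a STIX 2.1 bundle, extracts the atomic value from each simple indicator pattern, ages indicators out by type, and splits what remains into per-enforcement-point lists. The bundle, its UUIDs, addresses, domain names and hash are constructed sample data, and `TTL_DAYS` is an assumed retention policy; STIX patterns with more than one comparison are out of scope here and are skipped.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed STIX 2.1 bundle. IDs, addresses (RFC 5737 test ranges), .example
# names and the hash are sample values, not real IOCs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2026-03-01T00:00:00Z", "modified": "2026-03-01T00:00:00Z", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2026-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2025-01-15T00:00:00Z", "modified": "2025-01-15T00:00:00Z", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.9']", "valid_from": "2025-01-15T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2026-01-10T00:00:00Z", "modified": "2026-01-10T00:00:00Z", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'old.expired.example']", "valid_from": "2026-01-10T00:00:00Z",
         "valid_until": "2026-02-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2026-01-20T00:00:00Z", "modified": "2026-01-20T00:00:00Z", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'C2.Malicious.example']", "valid_from": "2026-01-20T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "created": "2025-06-01T00:00:00Z", "modified": "2025-06-01T00:00:00Z", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF']",
         "valid_from": "2025-06-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "created": "2026-03-05T00:00:00Z", "modified": "2026-03-05T00:00:00Z", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.1' AND network-traffic:dst_port = 4444]",
         "valid_from": "2026-03-05T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1", "id": "malware--00000000-0000-4000-8000-000000000007",
         "created": "2026-03-05T00:00:00Z", "modified": "2026-03-05T00:00:00Z", "name": "sample", "is_family": False},
    ],
})

# Assumed retention policy in days since the indicator was last modified. Network
# indicators get reassigned quickly; a file hash stays meaningful much longer.
TTL_DAYS = {"ip": 30, "domain": 90, "url": 60, "sha256": 365}
KIND_BY_OBJ = {"ipv4-addr": "ip", "domain-name": "domain", "url": "url", "file": "sha256"}
TARGET = {"ip": "firewall_blocklist", "domain": "proxy_blocklist", "url": "proxy_blocklist", "sha256": "edr_hashes"}
# Only single-comparison patterns; anything with AND/OR/FOLLOWEDBY will not match.
PATTERN_RE = re.compile(
    r"^\[(?P<obj>ipv4-addr|domain-name|url|file):(?P<prop>value|hashes\.'SHA-256')\s*=\s*'(?P<val>[^']+)'\]$")


def parse_ts(s: str) -> datetime:
    """STIX timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def extract_ioc(indicator: dict):
    """(kind, value) for a simple STIX pattern; None for compound or non-STIX patterns."""
    if indicator.get("pattern_type", "stix") != "stix":
        return None
    m = PATTERN_RE.match(indicator["pattern"])
    if not m:
        return None
    kind, value = KIND_BY_OBJ[m.group("obj")], m.group("val")
    if kind in ("domain", "sha256"):  # case-insensitive types; normalize for matching
        value = value.lower()
    return kind, value


def is_live(indicator: dict, kind: str, now: datetime, ttl_days=TTL_DAYS) -> bool:
    """False if revoked, past valid_until, or older than the per-type retention window."""
    if indicator.get("revoked"):
        return False
    if "valid_until" in indicator and parse_ts(indicator["valid_until"]) <= now:
        return False
    return now - parse_ts(indicator["modified"]) <= timedelta(days=ttl_days[kind])


def build_enforcement_lists(bundle_json: str, now: datetime, ttl_days=TTL_DAYS):
    """Split live indicators by enforcement point; return (lists, expired_values)."""
    lists = {name: set() for name in set(TARGET.values())}
    expired = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        ioc = extract_ioc(obj)
        if ioc is None:
            continue
        kind, value = ioc
        (lists[TARGET[kind]].add(value) if is_live(obj, kind, now, ttl_days) else expired.append(value))
    return {k: sorted(v) for k, v in lists.items()}, sorted(expired)


if __name__ == "__main__":
    lists, expired = build_enforcement_lists(SAMPLE_BUNDLE, datetime.now(timezone.utc))
    print(json.dumps({"push": lists, "retire": expired}, indent=2))
```

Each output list maps to one push: the firewall list to the edge blocklist, the proxy list to the web filter, the hash list to the EDR custom-IOC API. The `retire` list is as important as the push lists; a TIP that only ever adds indicators is how a year-old IP ends up blocking a customer.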

#threat-intelligence #cti #defense
Information security, Baku.
© 2026 gpolicy. All rights reserved.