Threat Intelligence Tools

Threat intelligence tools help security teams understand adversary behavior, track campaigns, and enrich alerts with context. These platforms and services provide indicators, reputation data, and correlations that turn raw events into actionable insights for detection and response.

AlienVault OTX

AlienVault Open Threat Exchange (OTX) is a community-driven threat intelligence platform where researchers share indicators of compromise, malware families, and campaigns. It provides pulse-based collections of related indicators.

Why it’s useful: Helps learners see how threat intel is shared, consumed, and operationalized in real environments.

Difficulty: Beginner

Tags: IOC, Community, Feeds

AbuseIPDB

AbuseIPDB is a database of reported malicious IP addresses, aggregating abuse reports from users and systems. It allows lookups and submissions of abusive behavior tied to IPs.

Why it’s useful: Lets you quickly check whether an IP has a history of abuse and shows how reputation systems work. Treat the score as a prior rather than proof: shared, NATed, or dynamically assigned addresses accumulate reports that may no longer describe the current user of the IP.

Difficulty: Beginner

Tags: IP Reputation, Abuse, Lookup

GreyNoise

GreyNoise analyzes internet-wide scan and noise traffic to distinguish background scanning from targeted activity. It labels IPs associated with common scanners, research, and benign noise.

Why it’s useful: Teaches analysts how to filter out background noise from real threats, improving signal-to-noise in alert triage.

Difficulty: Intermediate

Tags: Noise, Scanning, Attribution
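The triage logic this kind of noise data enables, as an added example that is not GreyNoise's code or API: the lookup table is constructed for the example and only mimics the shape of a per-IP noise classification (seen, classification, name); those field names are assumptions. The point it shows is the one analysts learn from the tool: an address that is hitting the whole internet is usually low-priority noise, while an address that has never been seen mass-scanning and still reached you deserves a look.

```python
"""Noise-aware alert triage (added example; field names are assumptions)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed noise intelligence: which source IPs are mass-scanning the
# internet and how they are classified. Documentation ranges (RFC 5737)
# stand in for public addresses. Field names are assumed, not a real API.
NOISE_LOOKUP = {
    "198.51.100.7": {"seen": True, "classification": "benign",    "name": "Internet research scanner"},
    "203.0.113.44": {"seen": True, "classification": "malicious", "name": "SSH brute-force botnet"},
    "192.0.2.99":   {"seen": True, "classification": "unknown",   "name": None},
}

# RFC 1918 space: noise data describes internet-facing behaviour and says
# nothing about internal hosts, so they are handled separately.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Alert:
    src_ip: str
    rule: str


def triage(alert: Alert, lookup: dict = NOISE_LOOKUP) -> tuple[str, str]:
    """Return (disposition, reason) for one alert.

    Dispositions: 'suppress' (known benign background scanner),
    'escalate' (opportunistic but malicious), 'investigate' (everything
    else, including sources never seen scanning the internet at large,
    which are the likeliest to be targeted).
    """
    if is_internal(alert.src_ip):
        return ("investigate", "internal source; noise data does not apply")
    info = lookup.get(alert.src_ip)
    if info is None or not info["seen"]:
        return ("investigate", "not observed mass-scanning; possibly targeted")
    if info["classification"] == "benign":
        return ("suppress", f"known benign scanner: {info['name']}")
    if info["classification"] == "malicious":
        return ("escalate", f"opportunistic but malicious: {info['name']}")
    return ("investigate", "internet-wide scanner of unknown intent")


def triage_all(alerts) -> dict[str, list]:
    """Apply triage to a batch and group results by disposition."""
    buckets = {"suppress": [], "investigate": [], "escalate": []}
    for alert in alerts:
        disposition, reason = triage(alert)
        buckets[disposition].append((alert, reason))
    return buckets


# Constructed alerts for the demo.
ALERTS = [
    Alert("198.51.100.7", "Port scan detected"),
    Alert("203.0.113.44", "SSH brute force"),
    Alert("192.0.2.99", "Port scan detected"),
    Alert("192.0.2.200", "Port scan detected"),  # never seen scanning the internet
    Alert("10.20.30.40", "Port scan detected"),  # internal host
]

if __name__ == "__main__":
    for disposition, items in triage_all(ALERTS).items():
        print(f"{disposition}:")
        for alert, reason in items:
            print(f"  {alert.src_ip:15} {alert.rule:20} {reason}")
```

Running the script sorts the five constructed alerts into one suppressed, one escalated and three to investigate; the 192.0.2.200 case is the interesting one, because the absence of a noise record is what raises its priority.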

VirusTotal

VirusTotal aggregates antivirus detections, sandbox behavior, and metadata for files, URLs, and domains. It is widely used for quick reputation checks and malware triage.

Why it’s useful: Shows how multi-engine reputation and sandboxing can accelerate triage and enrich investigations. Search by hash before uploading: submitted files are shared with the vendor community, so a sensitive or internal sample should not be uploaded casually.

Difficulty: Beginner

Tags: Reputation, Malware, Sandbox

Pulsedive

Pulsedive is a threat intelligence platform that aggregates and enriches indicators such as domains, IPs, and URLs. It provides risk scores, context, and related indicators.

Why it’s useful: Helps learners understand enrichment workflows and how context turns raw indicators into actionable intel.

Difficulty: Intermediate

Tags: Enrichment, Indicators, Risk

MISP

MISP (Malware Information Sharing Platform) is an open-source platform for sharing, storing, and correlating threat intelligence. It supports structured events, attributes, and taxonomies.

Why it’s useful: Demonstrates how organizations collaborate on threat intel and how structured data enables automation.

Difficulty: Advanced

Tags: Sharing, Platform, Structured Intel
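How structured events turn into automation, as an added example that is not MISP's own code: EVENT_JSON below is a constructed event in the general shape of a MISP JSON export (an Event holding Attribute entries with type, value and to_ids, plus taxonomy Tag entries), and the proxy log lines are constructed too. Treat the exact field names as assumptions. The example keeps only attributes flagged to_ids (MISP's marker for "suitable for detection"), reads the TLP tag that governs how far the data may be shared, and matches the resulting indicators against log lines by type.

```python
"""From a MISP-style event to a detection list (added example, not MISP code)."""
import json
import re

# Constructed event in the shape of a MISP JSON export; field names assumed.
EVENT_JSON = r'''
{
  "Event": {
    "info": "Constructed example: phishing kit infrastructure",
    "threat_level_id": "2",
    "Tag": [{"name": "tlp:amber"}, {"name": "type:OSINT"}],
    "Attribute": [
      {"type": "domain", "value": "login-verify.example", "to_ids": true, "category": "Network activity"},
      {"type": "ip-dst", "value": "203.0.113.77", "to_ids": true, "category": "Network activity"},
      {"type": "url", "value": "http://login-verify.example/auth", "to_ids": true, "category": "Network activity"},
      {"type": "ip-dst", "value": "8.8.8.8", "to_ids": false, "category": "Network activity",
       "comment": "public resolver used by the sample; context only, too noisy to alert on"},
      {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": true, "category": "Payload delivery"}
    ]
  }
}
'''


def load_detectable_indicators(event_json: str) -> dict[str, set[str]]:
    """Group attribute values by type, keeping only to_ids=true entries.

    Attributes with to_ids=false are context for the analyst and must not
    become alerts; without this filter the resolver above would page the SOC.
    """
    event = json.loads(event_json)["Event"]
    indicators: dict[str, set[str]] = {}
    for attr in event.get("Attribute", []):
        if not attr.get("to_ids", False):
            continue
        indicators.setdefault(attr["type"], set()).add(attr["value"].lower())
    return indicators


def sharing_level(event_json: str) -> str:
    """Return the TLP colour from the taxonomy tags; default to 'red' if none."""
    tags = [t["name"] for t in json.loads(event_json)["Event"].get("Tag", [])]
    tlp = [t.split(":", 1)[1] for t in tags if t.startswith("tlp:")]
    return tlp[0] if tlp else "red"


# Constructed proxy log lines: timestamp src_ip dst_ip host url
PROXY_LOGS = [
    "2024-05-01T10:00:01Z 10.1.1.5 203.0.113.77 login-verify.example http://login-verify.example/auth",
    "2024-05-01T10:00:02Z 10.1.1.6 8.8.8.8 dns.google https://dns.google/",
    "2024-05-01T10:00:03Z 10.1.1.7 198.51.100.9 news.example http://news.example/",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def match_logs(lines, indicators) -> list[tuple[str, list[str]]]:
    """Return (line, matched_attribute_types) for lines hitting an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        _ts, _src, dst_ip, host, url = m.groups()
        fields = {"ip-dst": dst_ip.lower(), "domain": host.lower(), "url": url.lower()}
        matched = sorted(t for t, v in fields.items() if v in indicators.get(t, set()))
        if matched:
            hits.append((line, matched))
    return hits


if __name__ == "__main__":
    iocs = load_detectable_indicators(EVENT_JSON)
    print("sharing level:", sharing_level(EVENT_JSON))
    for line, types in match_logs(PROXY_LOGS, iocs):
        print(types, line)
```

Only the first log line matches, on all three network indicator types; the second line touches 8.8.8.8 but produces nothing because that attribute was shared as context, not as a detection. The md5 attribute is loaded but unused here, since these logs carry no file hashes; a file-scanning pipeline would consume the same set.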