Open-Source Cybersecurity Tools: Threat Intelligence
This category contains 110 documented tools. It focuses on capabilities used for indicator ingestion, adversary tracking, and context enrichment of detections. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.
Category Evaluation Checklist
- Coverage depth against your highest-priority threats and compliance obligations.
- Operational overhead for deployment, tuning, and long-term maintenance.
- Signal quality versus analyst workload and false-positive pressure.
- Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
- Governance readiness including auditability, ownership clarity, and change control.
Letter #
This letter section contains 6 tools.
Abuse.ch
- Website: https://abuse.ch
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cyber Security Tools
What it does: Abuse.ch is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Provides threat feeds such as ransomware and malware campaign trackers.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Threat Intelligence.
ExifTool
- Website: https://exiftool.org
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cyber Security Tools, Awesome Forensics
What it does: ExifTool is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Reads, writes, and edits meta information in files.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > IOC and Pattern Identification.
OpenCTI
- Website: https://www.opencti.io
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cyber Security Tools
What it does: OpenCTI is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Open-source platform for managing cyber threat intelligence knowledge and observables.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Threat Intelligence.
Recorded Future
- Website: https://www.recordedfuture.com
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cyber Security Tools
What it does: Recorded Future is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Commercial threat intelligence platform providing real-time threat analysis and risk scoring.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Threat Intelligence.
ThreatConnect
- Website: https://threatconnect.com
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cyber Security Tools
What it does: ThreatConnect is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Threat intelligence platform combining data aggregation, analytics, and response workflows.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Threat Intelligence.
zipdump
- Website: https://github.com/nlitsme/zipdump
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cyber Security Tools
What it does: zipdump is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Analyzes zip files and runs YARA rules.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > IOC and Pattern Identification.
Letter A
This letter section contains 6 tools.
abuse.ch
- Website: https://www.abuse.ch/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: abuse.ch is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: ZeuS Tracker / SpyEye Tracker / Palevo Tracker / Feodo Tracker tracks Command&Control servers (hosts) around the world and provides you a domain- and an IP-blocklist.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
AbuseHelper
- Website: https://github.com/abusesa/abusehelper
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: AbuseHelper is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: An open-source.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
AlienVault Open Threat Exchange
- Website: http://www.alienvault.com/open-threat-exchange/dashboard
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: AlienVault Open Threat Exchange is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: AlienVault Open Threat Exchange (OTX), to help you secure your networks from data loss, service disruption and system compromise caused by malicious IP addresses.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
AlienVault Open Threat Exchange
- Website: https://otx.alienvault.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome OSINT, Awesome Cyber Security Tools
What it does: AlienVault Open Threat Exchange is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Open Threat Exchange is the neighborhood watch of the global intelligence community. It enables private companies, independent security researchers, and government agencies to openly collaborate and share the latest information about emerging threats, attack methods, and malicious actors, promoting greater security across the entire community.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
AttackerKB
- Website: https://attackerkb.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team
What it does: AttackerKB is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence.
AutoShun
- Website: https://www.autoshun.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security, Awesome Malware Analysis
What it does: AutoShun is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: AutoShun is a Snort plugin that allows you to send your Snort IDS logs to a centralized server that will correlate attacks from your sensor logs with other snort sensors, honeypots, and mail filters from around the world.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Letter B
This letter section contains 1 tool.
Bambenek Consulting Feeds
- Website: http://osint.bambenekconsulting.com/feeds/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Bambenek Consulting Feeds is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Letter C
This letter section contains 12 tools.
CAPEC - Common Attack Pattern Enumeration and Classification
- Website: http://capec.mitre.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: CAPEC - Common Attack Pattern Enumeration and Classification is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
CI Army
- Website: http://cinsscore.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: CI Army is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: () -.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Combine
- Website: https://github.com/mlsecproject/combine
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome Cybersecurity Blue Team
What it does: Combine is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Gather and combine multiple threat intelligence feed sources into one customizable, standardized CSV-based format.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
Criminal IP
- Website: https://www.criminalip.io/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: Criminal IP is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Cyber Threat Intelligence Search Engine and Attack Surface Management (ASM) platform.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Speciality Search Engines.
Critical Stack - Free Intel Market
- Website: https://intel.criticalstack.com
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Critical Stack - Free Intel Market is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Free.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Crypto Scam & Crypto Phishing URL Threat Intel Feed
- Website: https://github.com/spmedia/Crypto-Scam-and-Crypto-Phishing-Threat-Intel-Feed
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: Crypto Scam & Crypto Phishing URL Threat Intel Feed is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: A fresh feed of crypto phishing and crypto scam websites. Automatically updated daily.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Domain and IP Research.
Cybercrime tracker
- Website: http://cybercrime-tracker.net/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Cybercrime tracker is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Multiple botnet active tracker.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
CyberGordon
- Website: https://cybergordon.com
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: CyberGordon is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: CyberGordon is a threat intelligence search engine. It leverages 30+ sources.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Other Tools.
Cyberowl
- Website: https://github.com/karimhabush/cyberowl
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: Cyberowl is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: A daily updated summary of the most frequent types of security incidents currently being reported from different sources.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
CybOX - Cyber Observables eXpression
- Website: http://cyboxproject.github.io
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: CybOX - Cyber Observables eXpression is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Cymon
- Website: https://cymon.io/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Cymon is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Threat intelligence tracker, with IP/domain/hash.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.
Cyware Threat Intelligence Feeds
- Website: https://cyware.com/community/ctix-feeds
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: Cyware Threat Intelligence Feeds is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Cyware’s Threat Intelligence feeds bring to you the valuable threat data from a wide range of open and trusted sources to deliver a consolidated stream of valuable and actionable threat intelligence. Our threat intel feeds are fully compatible with STIX 1.x and 2.0, giving you the latest information on malicious malware hashes, IPs and domains uncovered across the globe in real-time.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
Letter D
This letter section contains 1 tool.
DNS-BH
- Website: http://www.malwaredomains.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: DNS-BH is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
Letter E
This letter section contains 2 tools.
Emerging Threats - Open Source
- Website: http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: Emerging Threats - Open Source is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Emerging Threats began 10 years ago as an open source community for collecting Suricata and SNORT® rules, firewall rules, and other IDS rulesets. The open source community still plays an active role in Internet security, with more than 200,000 active users downloading the ruleset daily. The ETOpen Ruleset is open to any user or organization, as long as you follow some basic guidelines. Our ETOpen Ruleset is available for download any time.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
ESET's Malware IoCs
- Website: https://github.com/eset/malware-ioc
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team
What it does: ESET's Malware IoCs is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Indicators of Compromise (IOCs) derived from ESET's various investigations.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence > Threat signature packages and collections.
Letter F
This letter section contains 8 tools.
Fidelis Barncat
- Website: https://www.fidelissecurity.com/resources/fidelis-barncat
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Fidelis Barncat is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Fileintel
- Website: https://github.com/keithjjones/fileintel
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome Incident Response
What it does: Fileintel is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Pull intelligence per file hash.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
FireEye OpenIOCs
- Website: https://github.com/fireeye/iocs
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security, Awesome Malware Analysis
What it does: FireEye OpenIOCs is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: FireEye Publicly Shared Indicators of Compromise (IOCs).
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
FireEye's Red Team Tool Countermeasures
- Website: https://github.com/fireeye/red_team_tool_countermeasures
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team
What it does: FireEye's Red Team Tool Countermeasures is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Collection of Snort and YARA rules to detect attacks carried out with FireEye's own Red Team tools, first released after FireEye disclosed a breach in December 2020.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence > Threat signature packages and collections.
FireEye's Sunburst Countermeasures
- Website: https://github.com/fireeye/sunburst_countermeasures
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team
What it does: FireEye's Sunburst Countermeasures is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Collection of IoCs in various languages for detecting backdoored SolarWinds Orion NMS activities and related vulnerabilities.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence > Threat signature packages and collections.
FireHOL IP Lists
- Website: https://iplists.firehol.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: FireHOL IP Lists is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Analytics for 350+ IP lists.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Focsec
- Website: https://focsec.com
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: Focsec is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Threat Intelligence API that detects whether an IP address is associated with a VPN, proxy, Tor, or bots.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Domain and IP Research.
Forager
- Website: https://github.com/opensourcesec/Forager
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Forager is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Multi-threaded threat intelligence gathering built with Python3 featuring simple text-based configuration and data storage for ease of use and data portability.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence.
Letter G
This letter section contains 3 tools.
GitGuardian - Public GitHub Monitoring
- Website: https://www.gitguardian.com/monitor-public-github-for-secrets
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: GitGuardian - Public GitHub Monitoring is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Monitor public GitHub repositories in real time. Detect secrets and sensitive information to prevent hackers from using GitHub as a backdoor to your business.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Threat Intelligence.
GRASSMARLIN
- Website: https://github.com/nsacyber/GRASSMARLIN
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team
What it does: GRASSMARLIN is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) by passively mapping, accounting for, and reporting on your ICS/SCADA network topology and endpoints.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence.
Greynoise
- Website: https://greynoise.io/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: Greynoise is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: "Anti-Threat Intelligence": Greynoise characterizes the background noise of the internet, so the user can focus on what is actually important.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Other Tools.
Letter H
This letter section contains 4 tools.
HASSH
- Website: https://github.com/salesforce/hassh
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team, Awesome Threat Detection
What it does: HASSH is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Network fingerprinting standard which can be used to identify specific client and server SSH implementations.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.
HoneyDB
- Website: https://riskdiscovery.com/honeydb
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: HoneyDB is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Community driven honeypot sensor data collection and aggregation.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Hostintel
- Website: https://github.com/keithjjones/hostintel
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome Incident Response
What it does: Hostintel is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Pull intelligence per host.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
hpfeeds
- Website: https://github.com/rep/hpfeeds
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome Honeypots
What it does: hpfeeds is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Lightweight authenticated publish-subscribe protocol.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Letter I
This letter section contains 10 tools.
Infosec - CERT-PA lists
- Website: https://infosec.cert-pa.it/analyze/statistics.html
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Infosec - CERT-PA lists is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Blocklist service.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
InQuest REPdb
- Website: https://labs.inquest.net/repdb
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: InQuest REPdb is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Continuous aggregation of IOCs from a variety of open reputation sources.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Intel Owl
- Website: https://github.com/intelowlproject/IntelOwl
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Threat Detection
What it does: Intel Owl is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: An Open Source Intelligence (OSINT) solution to get threat intelligence data about a specific file, an IP, or a domain from a single API at scale.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.
IntelMQ
- Website: https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: IntelMQ is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
Internet Storm Center
- Website: https://www.dshield.org/reports.html
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: Internet Storm Center is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
Internet Storm Center (DShield)
- Website: https://isc.sans.edu/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome SOC
What it does: Internet Storm Center (DShield) is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Diary and.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
IOC Editor
- Website: https://www.fireeye.com/services/freeware/ioc-editor.html
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: IOC Editor is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
ioc_writer
- Website: https://github.com/mandiant/ioc_writer
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: ioc_writer is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Python library for.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
iocextract
- Website: https://github.com/InQuest/python-iocextract
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: iocextract is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Advanced Indicator.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
isMalicious
- Website: https://ismalicious.com
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: isMalicious is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Threat intelligence platform aggregating malicious IP and domain data from multiple security feeds with real-time reputation scoring and threat categorization.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Domain and IP Research.
Letter J
This letter section contains 1 tool.
JA3
- Website: https://ja3er.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team, Awesome Threat Detection
What it does: JA3 is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Extracts SSL/TLS handshake settings for fingerprinting and communicating about a given TLS implementation.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence > Fingerprinting.
Letter M
This letter section contains 9 tools.
MAEC - Malware Attribute Enumeration and Characterization
- Website: http://maec.mitre.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: MAEC - Malware Attribute Enumeration and Characterization is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
malc0de
- Website: http://malc0de.com/database/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: malc0de is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Searchable incident database.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
MalPipe
- Website: https://github.com/silascutler/MalPipe
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: MalPipe is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Malware/IOC ingestion and.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
Malware Analysis, Threat Intelligence and Reverse Engineering
- Website: https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Malware Analysis, Threat Intelligence and Reverse Engineering is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Other.
Malware Domain List
- Website: http://www.malwaredomainlist.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Malware Domain List is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Search and share.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Malware Information Sharing Platform and Threat Sharing (MISP)
- Website: https://misp-project.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Malware Information Sharing Platform and Threat Sharing (MISP) is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Open source software solution for collecting, storing, distributing and sharing cyber security indicators.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence.
MetaDefender Threat Intelligence Feed
- Website: https://www.opswat.com/developers/threat-intelligence-feed
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: MetaDefender Threat Intelligence Feed is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
MISP
- Website: https://github.com/MISP/MISP
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: MISP is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Malware Information Sharing.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
MISP - Open Source Threat Intelligence Platform
- Website: https://www.misp-project.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security, Awesome Cyber Security Tools
What it does: MISP - Open Source Threat Intelligence Platform is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators. A threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. The MISP project includes software, common libraries (, ), an extensive data model to share new information using and default .
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
Letter N
This letter section contains 1 tool.
NSFOCUS
- Website: https://nti.nsfocus.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Web Security
What it does: NSFOCUS is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Tools > Reconnaissance > OSINT - Open-Source Intelligence.
Letter O
This letter section contains 5 tools.
onion-lookup
- Website: https://onion.ail-project.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: onion-lookup is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Free online service and API for checking the existence of Tor hidden services (.onion address) and retrieving their associated metadata. onion-lookup relies on a private AIL instance to obtain the metadata.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Threat Intelligence.
OnionScan
- Website: https://github.com/s-rah/onionscan
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: OnionScan is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Free and open source tool for investigating the Dark Web. Its main goal is to help researchers and investigators monitor and track Dark Web sites.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Threat Intelligence.
Open Source Vulnerabilities (OSV)
- Website: https://osv.dev/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team, Awesome Penetration Testing
What it does: Open Source Vulnerabilities (OSV) is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence.
OpenIOC
- Website: https://www.fireeye.com/services/freeware.html
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: OpenIOC is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Framework for sharing threat intelligence.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
OpenVAS NVT Feed
- Website: http://www.openvas.org/openvas-nvt-feed.html
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: OpenVAS NVT Feed is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: The public feed of Network Vulnerability Tests (NVTs). It contains more than 35,000 NVTs (as of April 2014), growing on a daily basis. This feed is configured as the default for OpenVAS.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
Letter P
This letter section contains 7 tools.
PhishingSecLists
- Website: https://github.com/spmedia/PhishingSecLists
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: PhishingSecLists is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: This list is to be used with web scanning tools (Gobuster, ffuf, Burp Suite, DirBuster). These lists are specifically tailored and designed for fuzzing phishing, crypto scam landing pages, and other malicious sketchy websites. You can gain valuable intel on successful hits.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Threat Intelligence.
PhishStats
- Website: https://phishstats.info/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security, Awesome Malware Analysis, Awesome OSINT
What it does: PhishStats is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Phishing Statistics with search for IP, domain and website title.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.
PhishTank
- Website: http://www.phishtank.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: PhishTank is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
Project Honey Pot
- Website: http://www.projecthoneypot.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: Project Honey Pot is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.
Proofpoint Threat Intelligence
- Website: https://www.proofpoint.com/us/products/et-intelligence
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Proofpoint Threat Intelligence is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Pulsedive
- Website: https://pulsedive.com
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome OSINT
What it does: Pulsedive is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
PyIOCe
- Website: https://github.com/pidydx/PyIOCe
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: PyIOCe is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: A Python OpenIOC editor.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
Letter R
This letter section contains 4 tools.
Ransomware overview
- Website: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: Ransomware overview is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Redline
- Website: https://fireeye.market/apps/211364
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Forensics
What it does: Redline is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Free endpoint security tool from FireEye.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > IOC Scanner.
REScure Threat Intel Feed
- Website: https://rescure.fruxlabs.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: REScure Threat Intel Feed is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: REScure is an independent threat intelligence project which we undertook to enhance our understanding of distributed systems, their integration, the nature of threat intelligence, and how to efficiently collect, store, consume, and distribute it.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Threat Intelligence.
RiskIQ
- Website: https://community.riskiq.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: RiskIQ is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Research, connect, tag and.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
Letter S
This letter section contains 3 tools.
SBL / XBL / PBL / DBL / DROP / ROKSO
- Website: http://www.spamhaus.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: SBL / XBL / PBL / DBL / DROP / ROKSO is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: The Spamhaus Project is an international nonprofit organization whose mission is to track the Internet's spam operations and sources, to provide dependable real-time anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spam and malware gangs worldwide, and to lobby governments for effective anti-spam legislation.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: These are data feeds rather than software, so maintainer activity and release cadence do not apply. Check the terms of use instead: the public DNSBL zones are free only for low-volume, non-commercial use and must not be queried through public resolvers (those queries return error codes, not listings). Decide how often the DROP and DBL downloads are refreshed, and record which list a hit came from, since a PBL or XBL listing of a customer's dynamic address calls for a different response than an SBL listing of a spam operation. Related source context: Awesome Security > Threat Intelligence.
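How a DNSBL lookup and a DROP check actually work, as an added example that is not Spamhaus's own code: the zone name, the 127.0.0.x listing codes and the `CIDR ; SBLref` DROP line format follow Spamhaus's published documentation, while the resolver answers, the DROP lines and the addresses (RFC 5737 documentation ranges) are constructed for the demo. The point it makes is that answers in 127.255.255.0/24 are errors and must never be read as listings, and that a hit should report which list matched.

```python
"""Added example (not Spamhaus code): DNSBL lookups against the ZEN zone and offline
checks against a DROP list. Zone name, return codes and DROP line format follow the
Spamhaus documentation; the resolver answers, DROP lines and addresses are constructed."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

ZEN_ZONE = "zen.spamhaus.org"  # combined SBL + XBL + PBL zone

# Listing codes documented for ZEN. Anything in 127.255.255.0/24 is an error, not a
# listing: naive "got an A record => listed" logic would turn an open-resolver block
# into a blocklisting of every address you query.
LISTING_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL-DROP",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reversed-octet query name, e.g. 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def decode_dnsbl_answer(a_records: List[str]) -> Dict[str, object]:
    """Translate the A records returned for a DNSBL query into a verdict."""
    lists, errors = [], []
    for rr in a_records:
        if rr.startswith("127.255.255."):
            errors.append(ERROR_CODES.get(rr, f"unknown error code {rr}"))
        elif rr in LISTING_CODES:
            lists.append(LISTING_CODES[rr])
        else:
            errors.append(f"unexpected answer {rr}")   # broken, not listed
    # NXDOMAIN (empty answer) means "not listed"; any error means "unknown", never "listed"
    return {"listed": bool(lists) and not errors, "lists": sorted(set(lists)), "errors": errors}

def check_ip(ip: str, resolve: Callable[[str], List[str]]) -> Dict[str, object]:
    """resolve(name) returns the A records, or [] for NXDOMAIN. In production wrap
    socket.gethostbyname_ex or dnspython here, pointed at your own resolver."""
    return decode_dnsbl_answer(resolve(dnsbl_query_name(ip)))

# DROP list: one "CIDR ; SBLref" per line, ';' starts a comment.
DROP_SAMPLE = """\
; Spamhaus DROP List (constructed sample, not a real download)
192.0.2.0/24 ; SBL123456
198.51.100.0/24 ; SBL234567
"""

def parse_drop(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        nets.append((ipaddress.ip_network(cidr.strip(), strict=True), ref.strip()))
    return nets

def drop_lookup(ip: str, nets: List[Tuple[ipaddress.IPv4Network, str]]) -> Optional[str]:
    """SBL reference whose range covers ip, else None. DROP ranges are hijacked or rogue
    netblocks, so a hit justifies a null-route at the edge, not just a mail reject."""
    addr = ipaddress.ip_address(ip)
    return next((ref for net, ref in nets if addr in net), None)

# Constructed resolver standing in for real DNS answers.
FAKE_ANSWERS = {
    dnsbl_query_name("192.0.2.1"): ["127.0.0.2", "127.0.0.10"],   # SBL + PBL listed
    dnsbl_query_name("198.51.100.9"): ["127.255.255.254"],       # error: open resolver
}

def fake_resolve(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])

if __name__ == "__main__":
    nets = parse_drop(DROP_SAMPLE)
    for ip in ("192.0.2.1", "198.51.100.9", "203.0.113.5"):
        print(ip, check_ip(ip, fake_resolve), "DROP:", drop_lookup(ip, nets))
```

Swap `fake_resolve` for a real lookup against your own recursive resolver; the `strict=True` in `parse_drop` is deliberate, so a corrupted download with host bits set fails loudly instead of being silently widened.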
STIX - Structured Threat Information eXpression
- Website: http://stixproject.github.io
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: STIX is an open standard for expressing cyber threat intelligence (indicators, malware, threat actors, campaigns and the relationships between them) in a structured, machine-readable form; STIX 2.x is JSON-based, the legacy 1.x family used XML. In threat intelligence programs it is the interchange format behind indicator ingestion, adversary tracking and context enrichment of detections, so that feeds, intelligence platforms and detection tools describe the same object the same way.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: STIX is a specification, not a tool, so evaluate which version your producers and consumers speak (STIX 2.1 is the current OASIS standard; 1.x content needs conversion), which SDK or platform will validate objects on the way in, and how you govern pattern quality and valid_until expiry so stale indicators do not linger in detection. The linked site is the legacy MITRE project page; the current specifications are maintained by the OASIS CTI Technical Committee. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
SystemLookup
- Website: https://www.systemlookup.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: SystemLookup is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: SystemLookup hosts a collection of lists that provide information on.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Letter T
This letter section contains 19 tools.
TAXII - Trusted Automated eXchange of Indicator Information
- Website: http://taxiiproject.github.io
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: TAXII is the transport companion to STIX: an HTTPS-based protocol for publishing and pulling STIX objects from named collections, with discovery and collection-listing endpoints, pagination, and an added_after filter so consumers can poll incrementally. In threat intelligence programs it is how indicators move between sharing communities, intelligence platforms and the tools that enrich detections.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: Like STIX, TAXII is an OASIS specification rather than software; evaluate server and client implementations on version support (TAXII 2.1), authentication options, and whether they honour pagination and incremental polling correctly, since a client that re-pulls a whole collection on every run is both slow and easy to rate-limit. The linked site is the legacy MITRE project page. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
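A worked STIX 2.1 over TAXII 2.1 round trip, added here as an example and not code from the STIX or TAXII projects: the client pages through a collection with the next cursor and the TAXII Accept header, discards revoked or expired indicators, and evaluates a small subset of the STIX pattern language against local telemetry. The TAXII server is simulated in-process and every indicator ID, address and domain is constructed; a real deployment replaces fake_get with an HTTPS client and the hand-written evaluator with a full STIX pattern library.

```python
"""Added example, not STIX/TAXII project code: poll a TAXII 2.1 collection for STIX 2.1 indicators,
drop revoked or expired ones, and match the rest against local telemetry. The TAXII server is
simulated in-process; every indicator ID, address and domain below is constructed."""
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

TAXII_ACCEPT = "application/taxii+json;version=2.1"   # TAXII 2.1 servers reject other Accept values
IND_A = "indicator--0f7c2b1e-3a4d-4c5e-9f60-1b2c3d4e5f60"
IND_B = "indicator--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"
IND_C = "indicator--2b3c4d5e-6f70-4b8c-9d0e-1f2a3b4c5d6e"
IND_D = "indicator--3c4d5e6f-7081-4c9d-8e1f-2a3b4c5d6e7f"

def _ind(id_, pattern, **extra):   # minimal STIX 2.1 indicator object
    return dict(type="indicator", spec_version="2.1", id=id_, created="2024-01-01T00:00:00.000Z",
                modified="2024-01-01T00:00:00.000Z", pattern=pattern, pattern_type="stix",
                valid_from="2024-01-01T00:00:00.000Z", **extra)

# Constructed TAXII 2.1 envelope pages: objects / more / next.
PAGES = {
    None: {"more": True, "next": "cursor-2", "objects": [
        _ind(IND_A, "[ipv4-addr:value = '198.51.100.7']"),
        _ind(IND_B, "[domain-name:value = 'evil.example']", valid_until="2024-02-01T00:00:00Z")]},
    "cursor-2": {"more": False, "objects": [
        _ind(IND_C, "[url:value = 'http://203.0.113.9/dl' AND ipv4-addr:value = '203.0.113.9']"),
        _ind(IND_D, "[ipv4-addr:value = '192.0.2.1']", revoked=True)]},
}

def fake_get(url: str, params: Dict[str, str], headers: Dict[str, str]) -> dict:
    if headers.get("Accept") != TAXII_ACCEPT:        # a real server answers 406 without the media type
        raise RuntimeError("406 Not Acceptable")
    return PAGES[params.get("next")]

def poll_indicators(get: Callable[..., dict], api_root: str, collection_id: str,
                    added_after: Optional[str] = None) -> List[dict]:
    """Walk {api_root}/collections/{id}/objects/ following the 'next' cursor until more=false."""
    url = f"{api_root}/collections/{collection_id}/objects/"
    params = {"match[type]": "indicator"}
    if added_after:
        params["added_after"] = added_after      # incremental poll: only objects added since last run
    objects: List[dict] = []
    while True:
        page = get(url, params, {"Accept": TAXII_ACCEPT})
        objects.extend(page.get("objects", []))
        if not page.get("more"):
            return objects
        params = dict(params, next=page["next"])

_ID = re.compile(r"^indicator--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_CMP = re.compile(r"([\w-]+:[\w.-]+)\s*(=|!=)\s*'((?:[^'\\]|\\.)*)'")

def _ts(s: str) -> datetime:   # STIX timestamps: RFC 3339 UTC, optional fractional seconds
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)

def usable(ind: dict, now: datetime) -> bool:
    """Reject malformed, revoked, not-yet-valid or expired indicators before detection sees them."""
    ok = ind.get("type") == "indicator" and _ID.match(ind.get("id", "")) and ind.get("pattern_type") == "stix"
    ok = ok and not ind.get("revoked") and _ts(ind["valid_from"]) <= now
    return bool(ok) and ("valid_until" not in ind or _ts(ind["valid_until"]) > now)

def _cmp(expr: str, obs: Dict[str, str]) -> bool:
    m = _CMP.fullmatch(expr.strip())
    if not m:
        raise ValueError(f"unsupported comparison: {expr!r}")   # MATCHES, LIKE, ISSUBSET, integers...
    path, op, val = m.groups()
    actual, val = obs.get(path), val.replace("\\'", "'")         # obs keys look like 'ipv4-addr:value'
    return actual == val if op == "=" else (actual is not None and actual != val)

def match_pattern(pattern: str, obs: Dict[str, str]) -> bool:
    """STIX pattern subset: '[...]' expressions joined by AND/OR, comparisons joined by AND/OR inside
    them (AND binds tighter). No qualifiers (WITHIN, REPEATS, START), every bracket is evaluated
    against the same single observation, and quoted values must not contain ' AND ' or ' OR '."""
    parts = re.split(r"\]\s+(AND|OR)\s+\[", pattern.strip())
    exprs, ops = [p.strip("[] ") for p in parts[0::2]], parts[1::2]
    vals = [any(all(_cmp(c, obs) for c in re.split(r"\s+AND\s+", d)) for d in re.split(r"\s+OR\s+", e))
            for e in exprs]
    groups, cur = [], vals[0]
    for op, v in zip(ops, vals[1:]):
        if op == "AND":
            cur = cur and v
        else:
            groups.append(cur)
            cur = v
    return any(groups + [cur])

def find_sightings(events: List[Dict[str, str]], indicators: List[dict], now: datetime) -> List[Tuple[str, int]]:
    live = [i for i in indicators if usable(i, now)]
    return [(i["id"], n) for n, ev in enumerate(events) for i in live if match_pattern(i["pattern"], ev)]

EVENTS = [   # constructed telemetry, already flattened to STIX object paths
    {"ipv4-addr:value": "198.51.100.7"},                                        # C2 hit (IND_A)
    {"domain-name:value": "evil.example"},                                      # only the expired IND_B
    {"url:value": "http://203.0.113.9/dl", "ipv4-addr:value": "203.0.113.9"},   # both AND terms (IND_C)
    {"ipv4-addr:value": "192.0.2.1"},                                           # only the revoked IND_D
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def run() -> List[Tuple[str, int]]:
    inds = poll_indicators(fake_get, "https://taxii.example/api1", "col-1", added_after="2023-12-31T00:00:00Z")
    return find_sightings(EVENTS, inds, NOW)   # -> [(IND_A, 0), (IND_C, 2)]
```

Calling run() returns sightings only for IND_A and IND_C: IND_B matched an event but had expired, and IND_D was revoked. Persist the timestamp of the last successful poll and pass it as added_after on the next run; that, plus the expiry and revocation checks, is what keeps a TAXII feed from quietly turning into a pile of dead indicators in your SIEM.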
The Coventry Conundrum of Threat Intelligence
- Website: https://summitroute.com/blog/2015/06/10/the_conventry_conundrum_of_threat_intelligence/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Threat Detection
What it does: This entry is a 2015 blog post from Summit Route, not software. The source list includes it as background reading for threat intelligence programs rather than as a tool for indicator ingestion or adversary tracking.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an article rather than a tool, maintainer activity and release cadence do not apply; use it as reading material when defining what your program expects from shared intelligence and how it will act on it. Related source context: Awesome Threat Detection and Hunting > Resources.
THOR Lite
- Website: https://www.nextron-systems.com/thor-lite/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Forensics
What it does: THOR Lite is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Free IOC and YARA Scanner.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: THOR Lite is free to use but closed-source, so evaluate its licence terms, how signature and IOC updates are delivered, and how its findings are exported to your SIEM, rather than repository activity or release cadence. Related source context: Awesome Forensics > Tools > IOC Scanner.
Threat Actor Usernames Scrape
- Website: https://github.com/spmedia/Threat-Actor-Usernames-Scrape
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: Threat Actor Usernames Scrape is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: A collection of fresh intel and 350k+ threat actor usernames scraped from various cybercrime sources & forums.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > ↑ Threat Intelligence.
Threat Bus
- Website: https://github.com/tenzir/threatbus
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team, Awesome Threat Detection
What it does: Threat Bus is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Threat intelligence dissemination layer to connect security tools through a distributed publish/subscribe message broker.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence.
Threat Intelligence
- Website: https://github.com/hslatman/awesome-threat-intelligence
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: This entry is a curated list (hslatman/awesome-threat-intelligence) of threat intelligence sources, formats, frameworks and tools, not a tool itself. It is the place to look when the feeds and platforms catalogued here do not cover a need.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: For a curated list, maintainer activity and pull-request responsiveness indicate how current the entries are; each linked resource still has to be evaluated on its own. Related source context: Related Awesome Lists.
Threat intelligence
- Website: https://github.com/cyb3rxp/awesome-soc/blob/main/threat_intelligence.md
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome SOC
What it does: This entry is the threat intelligence chapter of the Awesome SOC list: written guidance on how a SOC or CSIRT should source, qualify and use threat intelligence, rather than a tool.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As reference guidance rather than software, it is most useful for framing requirements and evaluation criteria for the tools in this category. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.
Threat Jammer
- Website: https://threatjammer.com
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: Threat Jammer is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: REST API service that allows developers, security engineers, and other IT professionals to access curated threat intelligence data from a variety of sources.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: Threat Jammer is a hosted API service rather than open-source software, so evaluate API quotas, authentication, data licensing and the provenance of the aggregated sources rather than maintainer activity. Related source context: Awesome Security > Threat Intelligence.
threataggregator
- Website: https://github.com/jpsenior/threataggregator
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: threataggregator is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Its source list gives no description beyond the name, which indicates an aggregator that combines threat indicators from multiple sources.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
ThreatConnect
- Website: https://threatconnect.com/free/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: ThreatConnect is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: TC Open allows you to see and.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: TC Open is the free tier of a commercial platform, not open-source software; evaluate its limits on private data, the sharing communities available to a free account, API access, and what an upgrade path would cost. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
ThreatCrowd
- Website: https://www.threatcrowd.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome Penetration Testing
What it does: ThreatCrowd is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: A search engine for threats.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: ThreatCrowd is a hosted search service rather than open-source software, so evaluate availability, rate limits and terms of use rather than maintainer activity, and confirm the service is still answering before building a pipeline on it. Related source context: Awesome Penetration Testing > Open Sources Intelligence (OSINT) > Data Broker and Search Engine Services.
ThreatIngestor
- Website: https://github.com/InQuest/ThreatIngestor/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome Cybersecurity Blue Team
What it does: ThreatIngestor is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Extendable tool to extract and aggregate IOCs from threat feeds including Twitter, RSS feeds, or other sources.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
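The extraction step ThreatIngestor automates, as an added example (not ThreatIngestor's own code): refang the text, pull URLs, domains, IPs and hashes out of it, drop internal addresses and your own infrastructure, and de-duplicate. The post and the allowlist are constructed; the explicit noise-network list is an assumption chosen so that the RFC 5737 sample addresses survive, where production code would simply use the ipaddress module's is_global check.

```python
"""Added example (not ThreatIngestor code): pull IOCs out of free-form text such as a
tweet or RSS item, refang them, drop internal noise and your own infrastructure, and
emit de-duplicated indicators. The post is constructed (.example domains, RFC 5737 IPs)."""
import ipaddress
import re
from typing import Dict, FrozenSet, List
from urllib.parse import urlsplit

SAMPLE_POST = (
    "#Emotet C2 update 2024-06-01: hxxp://evil-domain[.]example/gate.php hosted on "
    "203[.]0[.]113[.]45, fallback hxxps://cdn.update-check[.]example:8443/a. "
    "Also resolves to mail.evil-domain[.]example. Payload sha256 "
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08. "
    "Beacons seen from 10.0.0.5 (internal, ignore). Writeup: https://blog.example.org/emotet"
)

_URL = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)
_SHA256 = re.compile(r"\b[a-f0-9]{64}\b", re.I)
_FILE_EXT = {"php", "exe", "dll", "js", "txt", "html", "zip", "doc", "docx", "pdf"}
# Assumed noise list (RFC 1918, loopback, link-local). Production code would use
# `not ip.is_global`, which would also drop the RFC 5737 documentation addresses used here.
_NOISE = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def refang(text: str) -> str:
    """Undo the common defanging conventions analysts use when posting IOCs."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\\\.", ".", text, flags=re.I)
    return text.replace("[:]", ":").replace("[/]", "/").replace("[@]", "@")

def _allowlisted(host: str, allowlist: FrozenSet[str]) -> bool:
    return any(host == a or host.endswith("." + a) for a in allowlist)

def _routable(ip: str) -> bool:
    try:
        addr = ipaddress.IPv4Address(ip)          # "999.1.1.1" passes the regex, fails here
    except ValueError:
        return False
    return not any(addr in n for n in _NOISE)

def extract_iocs(text: str, allowlist: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    text = refang(text)
    urls, domains, ipv4, sha256 = set(), set(), set(), set()
    for raw in _URL.findall(text):
        url = raw.rstrip(".,;:!?")                 # sentence punctuation is not part of the URL
        host = (urlsplit(url).hostname or "").lower()
        if not host or _allowlisted(host, allowlist):
            continue
        urls.add(url)
        (ipv4 if _IPV4.fullmatch(host) else domains).add(host)
    rest = _URL.sub(" ", text)                     # bare domains/IPs only from non-URL text,
    for dom in _DOMAIN.findall(rest):              # otherwise 'gate.php' would look like a domain
        dom = dom.lower()
        if dom.rsplit(".", 1)[-1] in _FILE_EXT or _allowlisted(dom, allowlist):
            continue
        domains.add(dom)
    ipv4.update(_IPV4.findall(rest))
    sha256.update(h.lower() for h in _SHA256.findall(text))
    return {
        "urls": sorted(urls),
        "domains": sorted(domains),
        "ipv4": sorted(ip for ip in ipv4 if _routable(ip)),
        "sha256": sorted(sha256),
    }

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_POST, allowlist=frozenset({"example.org"})).items():
        print(kind, values)
```

The allowlist is the part teams forget: without it the researcher's own blog, your corporate domains and the sandbox hostnames that appear in write-ups end up as "indicators" in the SIEM. Hash regexes are kept anchored on word boundaries so a SHA-256 is never also reported as two MD5-shaped fragments.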
ThreatMiner
- Website: https://www.threatminer.org/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: ThreatMiner is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Data mining portal for threat.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: ThreatMiner is a hosted portal rather than open-source software, so evaluate availability, query limits and terms of use rather than maintainer activity. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
threatRECON
- Website: https://threatrecon.co/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: threatRECON is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Search for indicators, up to 1000.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: threatRECON is a hosted lookup service rather than open-source software, so evaluate availability, query limits and terms of use rather than maintainer activity. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
ThreatShare
- Website: https://threatshare.io/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: ThreatShare is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: C2 panel tracker.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: ThreatShare is a hosted tracker rather than open-source software, so evaluate availability, export options and terms of use rather than maintainer activity. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
ThreatTracker
- Website: https://github.com/michael-yip/ThreatTracker
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: ThreatTracker is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: A Python.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
TIQ-test
- Website: https://github.com/mlsecproject/tiq-test
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: TIQ-test is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Data visualization.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.
Tor Bulk Exit List
- Website: https://metrics.torproject.org/collector.html
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: Tor Bulk Exit List is used in threat intelligence programs for indicator ingestion and context enrichment of detections: a current list of Tor exit addresses lets detections flag traffic that arrived through Tor, and the exit lists archived by CollecTor let you do the same for historical events. The linked page is CollecTor rather than the live bulk list; source summaries describe it as: CollecTor, your friendly data-collecting service in the Tor network. CollecTor fetches data from various nodes and services in the public Tor network and makes it available to the world. If you're doing research on the Tor network, or if you're developing an application that uses Tor network data, this is your place to start.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: This is a data feed rather than software, so the questions are freshness (exit addresses change hour to hour, so cache briefly and match events against the list that was current at the event's time), whether Tor is a risk signal or a block criterion for your users (many legitimate users arrive through Tor), and keeping the fetch itself off the critical path of detection. Related source context: Awesome Security > Threat Intelligence.
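Using an exit list for enrichment with the freshness caveat handled, as an added example that is not Tor Project code: it parses the TorDNSEL exit-list format that CollecTor archives (an @type header, then ExitNode, Published, LastStatus and ExitAddress lines) and only calls a source IP a Tor exit if that address was observed exiting within a window of the event time. The exit list, relay fingerprints, 24-hour window and sshd lines are constructed or assumed.

```python
"""Added example (not Tor Project code): parse a TorDNSEL-format exit list as archived by
CollecTor and tag log events with the exit relay, honouring timestamps so an IP is only
called a Tor exit near the time it was observed as one. All data below is constructed."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

EXIT_LIST = """\
@type tordnsel 1.0
ExitNode 0011BD2485AD45D984EC4159C88FC066E5E3300E
Published 2024-06-01 07:35:55
LastStatus 2024-06-01 08:10:11
ExitAddress 198.51.100.23 2024-06-01 08:11:02
ExitAddress 198.51.100.24 2024-05-31 21:40:09
ExitNode 1234567890ABCDEF1234567890ABCDEF12345678
Published 2024-06-01 06:02:13
LastStatus 2024-06-01 08:10:11
ExitAddress 203.0.113.200 2024-06-01 08:05:41
"""
LOG_LINES = [   # constructed sshd-style events with UTC timestamps
    "2024-06-01T08:30:12Z sshd[811]: Failed password for root from 198.51.100.23 port 51022 ssh2",
    "2024-06-01T08:31:40Z sshd[812]: Failed password for admin from 192.0.2.77 port 40110 ssh2",
    "2024-06-03T12:00:00Z sshd[990]: Accepted publickey for deploy from 198.51.100.24 port 50220 ssh2",
]
_FP = re.compile(r"^[0-9A-F]{40}$")
_LOG = re.compile(r"^(\S+) .* from (\d{1,3}(?:\.\d{1,3}){3}) port ")

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_exit_list(text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """ip -> [(time the relay was last seen exiting from that address, relay fingerprint), ...].
    One relay can exit from several addresses, and an address can be reused by another relay."""
    exits: Dict[str, List[Tuple[datetime, str]]] = {}
    fp: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("@"):      # CollecTor '@type' header
            continue
        key, _, rest = line.partition(" ")
        if key == "ExitNode":
            if not _FP.match(rest.strip()):
                raise ValueError(f"bad fingerprint: {rest!r}")
            fp = rest.strip()
        elif key == "ExitAddress":
            if fp is None:
                raise ValueError("ExitAddress before any ExitNode")
            ip, _, seen = rest.partition(" ")
            exits.setdefault(ip, []).append((_ts(seen.strip()), fp))
    return exits

def tor_exit_at(exits: Dict[str, List[Tuple[datetime, str]]], ip: str, at: datetime,
                window: timedelta = timedelta(hours=24)) -> Optional[str]:
    """Fingerprint of the relay that exited from ip within `window` of `at`, else None.
    Exit addresses churn, so a list from last week says little about today's traffic; for
    events older than the live list, fetch the archived list for that day from CollecTor."""
    hits = [(abs(at - seen), fp) for seen, fp in exits.get(ip, []) if abs(at - seen) <= window]
    return min(hits)[1] if hits else None

def enrich(lines: List[str], exits: Dict[str, List[Tuple[datetime, str]]]) -> List[Dict[str, Optional[str]]]:
    out = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        at = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append({"ts": m.group(1), "src": m.group(2), "tor_exit": tor_exit_at(exits, m.group(2), at)})
    return out

if __name__ == "__main__":
    for ev in enrich(LOG_LINES, parse_exit_list(EXIT_LIST)):
        print(ev)
```

The third log line shows the caveat in action: 198.51.100.24 was an exit address two and a half days before the login, so it is not tagged; tagging it anyway would be the classic stale-feed false positive. Tune the window to how often you refresh the list, not to how convenient a match would be.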
Trust Scan
- Website: https://github.com/undeadlist/trust-scan
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security
What it does: Trust Scan is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: URL security scanner with WHOIS, SSL, threat intelligence (URLhaus, PhishTank, Spamhaus), and 40+ scam/phishing pattern detection. Includes optional AI analysis via Ollama.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Scanning / Pentesting.
Letter U
This letter section contains 1 tool.
Unfetter
- Website: https://nsacyber.github.io/unfetter/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Unfetter is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Identifies defensive gaps in security posture by leveraging Mitre's ATT&CK framework.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence.
Letter V
This letter section contains 2 tools.
VirusTotal
- Website: https://www.virustotal.com/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Incident Response, Awesome Honeypots, Awesome Penetration Testing, Awesome OSINT, Awesome Cyber Security Tools
What it does: VirusTotal is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: VirusTotal is a hosted service, not open-source software, so evaluate the quotas and licensing of the public API, and set an upload policy before analysts start using it: files and URLs submitted to VirusTotal are shared with the antivirus vendors and the wider community, so look up hashes first and never upload documents that contain customer data, credentials or unreleased internal material. Related source context: Awesome Penetration Testing > Open Sources Intelligence (OSINT) > Data Broker and Search Engine Services.
Visual Threat Intelligence
- Website: https://www.amazon.fr/Visual-Threat-Intelligence-Illustrated-Researchers/dp/B0C7JCF8XD
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome SOC
What it does: This entry is a book, an illustrated guide to threat intelligence for researchers (the URL is its Amazon listing), not software. The source list includes it as reading for analysts building or running a threat intelligence program.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As a book rather than a tool, maintainer activity and release cadence do not apply; it is most useful for onboarding analysts to the concepts behind the tools in this category. Related source context: Must read > Globally (SOC and CERT/CSIRT).
Letter Y
This letter section contains 4 tools.
YARA
- Website: https://github.com/VirusTotal/yara
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Cybersecurity Blue Team, Awesome Cyber Security Tools
What it does: YARA is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections: a rule combines text strings, hex byte sequences and regular expressions with a boolean condition, and the same rule can run in the command-line scanner, sandboxes, EDR products and mail gateways. Source summaries describe it as: Tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples, described as "the pattern matching swiss army knife" for file patterns and signatures.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > IOC and Pattern Identification.
Yara rules
- Website: https://github.com/Yara-Rules/rules
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis, Awesome Cybersecurity Blue Team, Awesome SOC
What it does: Yara rules is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Project covering the need for IT security researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence > Threat signature packages and collections.
YARAify
- Website: https://yaraify.abuse.ch/scan/
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome OSINT
What it does: YARAify is abuse.ch's hosted service for scanning files against a large collection of YARA rules, used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Collaborative YARA engine providing open threat intelligence through file pattern matching.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: YARAify is a hosted service rather than open-source software, so evaluate API quotas and terms of use rather than maintainer activity, and check whether submitted files are shared before uploading anything sensitive. Related source context: Awesome OSINT > ↑ Speciality Search Engines.
YETI
- Website: https://github.com/yeti-platform/yeti
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: YETI is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.
Letter Z
This letter section contains 1 tool.
ZeuS Tracker
- Website: https://zeustracker.abuse.ch/blocklist.php
- Model: Open Source
- Category: Threat Intelligence
- Source Lists: Awesome Malware Analysis
What it does: ZeuS Tracker is used in threat intelligence programs to support indicator ingestion, adversary tracking, and context enrichment of detections. Source summaries describe it as: ZeuS.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Other Resources.