Cybersecurity 2026 Updated

List of Threat Intelligence Feed Vendors for SOC Teams

Comprehensive database of commercial and open-source threat intelligence feed providers, covering IOC feeds, APT tracking, dark web monitoring, and vulnerability intelligence tailored for SOC operations and SIEM enrichment.

Available Data Fields

Vendor Name
Feed Types
IOC Categories
STIX/TAXII Support
SIEM Integrations
Delivery Format
Specialization
Headquarters
Update Frequency
API Access
Pricing Model
Coverage Scope

Data Preview

* Full data requires registration
| Vendor | Feed Types | STIX/TAXII | Headquarters |
|---|---|---|---|
| Recorded Future | IP, Domain, Hash, Vulnerability, Malware | Yes | Somerville, MA |
| CrowdStrike Falcon Intelligence | IOC, Adversary, Malware Sandbox | Yes | Austin, TX |
| Anomali ThreatStream | IOC Aggregation, OSINT, Dark Web | Yes | Redwood City, CA |
| Mandiant (Google) | APT, Malware, Vulnerability, Campaign | Yes | Reston, VA |
| Intel 471 | Adversary, Underground, Vulnerability | Yes | Amsterdam, NL |

100+ records available for download.

Evaluating Threat Intelligence Feeds for SOC Operations

Threat intelligence feeds are the backbone of modern SOC operations, transforming raw security alerts into contextualized, actionable insights. With the threat intelligence market exceeding $13 billion in 2024 and projected to surpass $36 billion by 2030, the vendor landscape has grown significantly—making structured evaluation essential for SOC managers choosing the right feed providers.

Commercial vs. Open-Source Feeds

The market splits broadly into two categories. Commercial feeds from vendors like Recorded Future, CrowdStrike, and Mandiant (now under Google Cloud) provide curated, high-fidelity indicators with rich context—attribution, TTPs mapped to MITRE ATT&CK, and confidence scoring. These feeds typically deliver lower false-positive rates and come with SLAs. Open-source feeds such as Abuse.ch (URLhaus, MalwareBazaar), AlienVault OTX, and CISA KEV offer free access to community-driven indicators but require more internal curation and deduplication effort.

Key Selection Criteria for SOC Teams

Integration Depth

The feed must integrate natively with your SIEM (Splunk, Sentinel, Chronicle) and SOAR platforms. Look for pre-built connectors, not just raw API access. Vendors like ThreatQuotient and Anomali specialize in aggregating multiple feeds into a single normalized stream via STIX/TAXII.

IOC Relevance and Timeliness

High-volume feeds are useless if they lack context or arrive too late. Evaluate feeds on their time-to-detect for emerging threats, false-positive rates, and how well they map to your threat profile. Recorded Future processes over 900 billion data points daily; CrowdStrike draws on first-party telemetry from millions of endpoints.

Specialization

Some vendors focus on specific domains: Intel 471 specializes in underground and adversary intelligence, Digital Shadows in external attack surface risks, and Mandiant in APT group tracking. Match vendor specialization to your primary threat concerns.

STIX/TAXII Adoption

The STIX 2.1 / TAXII 2.1 standards have become the de facto interoperability layer. Most major vendors now support these formats, enabling SOC teams to mix and match feeds from multiple providers without vendor lock-in. Platforms like EclecticIQ (Amsterdam) and ThreatQuotient (acquired by Securonix in 2025) are built specifically around these standards.

Market Consolidation Trends

Recent acquisitions signal consolidation: Mastercard acquired Recorded Future in 2024, Dataminr announced plans to acquire ThreatConnect for $290M in late 2025, and Securonix acquired ThreatQuotient. This consolidation is integrating standalone TIP vendors into larger security ecosystems, which SOC teams should factor into long-term vendor selection.

Frequently Asked Questions

Q. What types of IOCs are typically included in these feeds?

Feeds commonly include IP addresses, domain names, file hashes (MD5, SHA-1, SHA-256), URLs, email addresses, CVE identifiers, and YARA rules. Premium feeds also include contextual metadata such as threat actor attribution, confidence scores, and MITRE ATT&CK mapping.

Q. How does Datapository collect and structure vendor data?

When you submit a request, our AI crawls public sources including vendor websites, documentation, integration marketplaces, and industry reports to compile and structure the latest information. This is not a static database—data is gathered on demand from publicly available sources.

Q. Can I filter by feeds that integrate with my specific SIEM?

Yes. You can specify your SIEM platform (e.g., Splunk, Microsoft Sentinel, Google Chronicle, IBM QRadar) in the customization prompt, and the results will be filtered to vendors with confirmed integrations for that platform.

Q. Are pricing details included in the dataset?

Pricing models (per-seat, per-endpoint, flat license, usage-based) are noted where publicly available. Most enterprise threat intel vendors require contacting sales for exact quotes, so the dataset focuses on pricing model type rather than exact figures.