ThreatBook CTI Threat Intelligence Feeds Bundles
- IOC Bundle: This bundle includes curated domains and IP indicators (with ports when applicable) for compromise detection. It contains C&C addresses, malware distribution sites, fraud and phishing sites, crypto mining addresses, and DNS logs domains communicating with malware or threat actors/APT groups. Each indicator includes threat verdicts, threat labels (related malware, threat actors/groups, threat campaigns), and lifecycle times.
- IP Reputation Bundle: This bundle provides IP reputation context for inbound visitors. It includes IP addresses with threat verdicts, threat labels (asset category, malicious behaviors, network information), geolocations, and lifecycle times.
- File Bundle: This bundle contains malware hashes along with their threat verdicts, malware type, malware family name, and lifecycle times.