Cyber Threat Intelligence Feed

Threat intelligence from multiple sources, ready to integrate with SIEM, SOAR and IDS/IPS.

What is Cyber Threat Intelligence Feed?

Cyber Threat Intelligence Feed (CTI Feed) is a curated, multi-source stream of unique, high-quality threat intelligence designed for automated use in security pipelines. It provides indicators of compromise (IOCs) such as phishing and malicious URLs, threat domains, spam domains, attacker infrastructure IP addresses and malicious file hashes. CTI Feed integrates with SIEM, SOAR, IDS/IPS and is used by security teams, vendors, financial institutions, and other organizations with high security requirements to detect, prevent, and respond to threats faster.

Who is it designed for?


Critical infrastructure


Automate protection where minutes matter, not manual feed handling. Reduce toil and analyst fatigue, so your team can block threats faster and cut response time.

Security teams


Make faster, better decisions with threat context and stop drowning in alerts. CTI Feed helps you automate the right actions, not false alarms.

Security Vendors


Don’t let weak threat data make your product look blind. Customers won’t blame your data provider; they’ll blame your product.

Financial Institutions


Go beyond “everyone has the same intel.” Detect rare, local, finance-targeted campaigns that standard feeds miss.

How does CTI Feed support threat detection and response?

CTI Feed delivers up-to-date threat intelligence in the form of reports and indicators of compromise (IoCs). Data can be retrieved via a REST API or received as email alerts. With SIEM and IDS/IPS integrations, this intelligence can automatically power detection rules and accelerate incident response.


What sources does CTI Feed data come from?

CTI Feed is multi-source.

Data sources include Webcrawlers, Domains Radar, PhishingAV, and Spam. A significant part of the data also comes from PREBYTES SIRT work in incident response and threat research. The collection infrastructure includes a farm of 100+ crawlers and a dedicated webpage analysis pipeline for phishing detection.

What data formats are available?

The formats are designed for machine-to-machine integration.

Formats are tailored for seamless integration. Depending on your API configuration, data is available in STIX, CSV, JSON, XML, or TEXT, ensuring compatibility with virtually any SIEM, SOAR or IDS/IPS solution.

Can the data be filtered and prioritized?

Yes – the data scope can be aligned with operational needs.

Results can be filtered by source (e.g., SPAM, SIRT, or ALL), by risk threshold (e.g., a selected risk score level), and by time, such as entries updated in the last 30 days or within a specific date range.

How does CTI Feed work?

CTI Feed combines outputs from PREBYTES AI automation and expert validation by PREBYTES SIRT (Security Incident Response Team). Both streams feed into the central CTI Feed, which can be forwarded to SIEM, SOAR and IDS/IPS systems.

CTI Feed Integration with Your Infrastructure

01 REST API Access

CTI Feed is available via REST API for automated machine-to-machine processing.

02 Tool Integration

CTI Feed data feeds SIEM, SOAR and IDS/IPS tools and their detection rules.

03 Operational Use by Security Teams

CTI Feed runs in the background, supporting alerting, correlation, and faster response.


Reduce Alert Fatigue and Analyst Workload

In high-alert-volume environments, security teams lose time on manual triage and context building. High-quality CTI Feed data reduces noise from non-actionable signals, freeing up analyst hours and shortening response times without complex on-premise installation or the need to build an in-house data collection backbone.

Protecting mobile app users

CTI Feed also covers malicious Android applications as a distinct vector of online threat intelligence. This enables organizations to identify mobile threats faster and incorporate them operationally alongside phishing, malicious URLs, domains, IP addresses, and file hashes.


Feed updates and working with current indicators

Cyber Threat Intelligence Feed delivers online threat intelligence with real-time updates. Live IoCs can be immediately integrated into security controls to trigger instant blocks and alerts, before attack campaigns impact users and systems. Unlike semi-static feeds updated once per day, CTI Feed is built for immediate operational response.


How does CTI Feed differ from standard Threat Intelligence lists?

The comparison below outlines the architecture, data coverage, and integration capabilities of CTI Feed versus typical market solutions.

DATA QUALITY
PREBYTES: Hybrid Model: 100+ crawlers + SIRT expert verification
Competitor solutions: Automated only (High level of False Positives)

ISP & CLOAKING
PREBYTES: Multi-ISP: Bypasses blocking & detects hidden content (cloaking)
Competitor solutions: Cloaking prone: Scanner sees "clean" content

PAYLOADS
PREBYTES: Auto-Download: Safe threat file delivery for analysis
Competitor solutions: URL/Hash only. Risky manual retrieval required

COVERAGE
PREBYTES: Phishing, URL, IP, Hash, Mobile Apps + Removal List
Competitor solutions: Often missing Mobile, Hashes & Removal List

UPDATES
PREBYTES: Real-Time: Updates every minute
Competitor solutions: Periodic (batch) updates. Delayed data

FILTERING
PREBYTES: Precise: By Source, Time & Risk Score
Competitor solutions: No filters – "all-or-nothing" stream

INTEGRATION
PREBYTES: REST API: STIX, TAXII, CSV, JSON, XML
Competitor solutions: CSV, JSON (occasionally XML); file downloads, limited or no STIX/TAXII support

IMPACT
PREBYTES: Reduced Noise: validated by SIRT, offloading SOC from manual verification
Competitor solutions: High noise forcing manual triage

BUSINESS VALUE
PREBYTES: Risk Reduction: Proactive prevention of data breaches & attacks using high-fidelity data
Competitor solutions: Higher Exposure: Increased risk of successful attacks due to missed threats (False Negatives)

CTI Feed implementation results in numbers

Improved Protection
94% of surveyed security teams confirmed improved protection levels and reduced cyber risk.

Better Threat Visibility
95% of surveyed security teams recommend CTI Feed for its full online threat context.

High Value for Vendors
90% of security vendors selected our feeds for their 24/7 updates of unique, multi-source threat data.

Pricing suited for every business

Cyber Threat Intelligence Plans

Professional

Perfect for protecting an SME network and upgrading existing security

Enterprise

High performance and enhanced support for large organizations with a security team

Business

Limitless, valuable source of cyberthreats for security providers and ISPs

Redistribution

Highly customizable and unlimited access to our databases for security vendors
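
ACCOUNTS

Nodes
Professional: 1 node per user
Enterprise: Up to 1,000 nodes per user
Business: Up to 5,000 nodes per user
Redistribution: Unlimited

API limits per user
Professional: 1 request / min, 10 000 requests / month
Enterprise: 100 request / min, 100 000 requests / month
Business: 500 requests / min, 1 000 000 requests / mth
Redistribution: 1000 requests / min, Unlimited

User limit
Professional: 1 User
Enterprise: 5 Users
Business: Unlimited
Redistribution: Unlimited

Threats update time
Professional: 24 hours
Enterprise: 5 min
Business: 1 min
Redistribution: 1 min

Threats limits per request
Professional: 1000 items
Enterprise: 10000 items
Business: 30000 items
Redistribution: Unlimited

SECURITY BOOSTER PACK

Access to archive IOCs
Professional: 1 month or 10 000 items
Enterprise: 3 months or 30 000 items
Business: 3 months or 30 000 items
Redistribution: 3 months / unlimited items

Access to archive samples
Professional: -
Enterprise: 30 days
Business: 30 days
Redistribution: 30 days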

DESIGN INTERACTIONS

High-throughput REST API

Self-defined customized output

Adjustable risk score filter

Samples repository

-

add-on

Real-time delivery executable samples

-

-

Fully automated (machine-to-machine)

On-demand samples API

-

-

Malicious URL feed

-

-

Phishing URLs with brand name

-

-

add-on

SaaS / SECaaS license

-

-

Redistribution license

-

-

-

INDICATORS OF COMPROMISE

Domain name

URL address

-

-

Extended URL metadata

-

-

IP address (basic)

-

add-on

File hash

-

add-on

SUPPORT

E-mail

9:00 am- 5:00 pm (UTC)
Monday - Friday

24 h / 7

ACCOUNTS

Nodes

Up to 3 nodes per user

API limits per user

1 request / min
10 000 requests / month

User limit

1 User

SECURITY BOOSTER PACK

Access to archive IOCs

1 month or 10 000 items

Access to archive samples

-

DESIGN INTERACTIONS

High-throughput REST API

Self-defined customized output

Adjustable risk score filter

Samples repository

-

Real-time delivery executable samples

-

Fully automated (machine-to-machine)

On-demand samples API

-

Malicious URL feed

-

Phishing URLs with brand name

-

SaaS / SECaaS license

-

Redistribution license

-

INDICATORS OF COMPROMISE

Domain name

URL address

-

Extended URL metadata

-

IP address (basic)

-

File hash

-

SUPPORT

E-mail

9:00 am- 5:00 pm (UTC)
Monday - Friday

Chat

-

ACCOUNTS

Nodes

Up to 1,000 nodes per user

API limits per user

100 request / min
100 000 requests / month

User limit

5 Users

SECURITY BOOSTER PACK

Access to archive IOCs

3 months or 30 000 items

Access to archive samples

30 days

DESIGN INTERACTIONS

High-throughput REST API

Self-defined customized output

Adjustable risk score filter

Samples repository

add-on

Real-time delivery executable samples

-

Fully automated (machine-to-machine)

On-demand samples API

-

Malicious URL feed

-

Phishing URLs with brand name

-

SaaS / SECaaS license

-

Redistribution license

-

INDICATORS OF COMPROMISE

Domain name

URL address

-

Extended URL metadata

-

IP address (basic)

File hash

SUPPORT

E-mail

9:00 am- 5:00 pm (UTC)
Monday - Friday

Chat

ACCOUNTS

Nodes

Up to 5,000 nodes per user

API limits per user

500 requests / min
1 000 000 requests / mth

User limit

Unlimited

SECURITY BOOSTER PACK

Access to archive IOCs

3 months or 30 000 items

Access to archive samples

30 days

DESIGN INTERACTIONS

High-throughput REST API

Self-defined customized output

Adjustable risk score filter

Samples repository

Real-time delivery executable samples

Fully automated (machine-to-machine)

On-demand samples API

Malicious URL feed

add-on

Phishing URLs with brand name

add-on

SaaS / SECaaS license

Redistribution license

-

INDICATORS OF COMPROMISE

Domain name

URL address

add-on

Extended URL metadata

add-on

IP address (basic)

File hash

add-on

SUPPORT

E-mail

24 h / 7

ACCOUNTS

Nodes

Unlimited

API limits per user

1000 requests / min
Unlimited

User limit

Unlimited

SECURITY BOOSTER PACK

Access to archive IOCs

3 months / unlimited items

Access to archive samples

30 days

DESIGN INTERACTIONS

High-throughput REST API

Self-defined customized output

Adjustable risk score filter

Samples repository

Real-time delivery executable samples

Fully automated (machine-to-machine)

On-demand samples API

Malicious URL feed

add-on

Phishing URLs with brand name

add-on

SaaS / SECaaS license

Redistribution license

INDICATORS OF COMPROMISE

Domain name

URL address

add-on

Extended URL metadata

add-on

IP address (basic)

File hash

SUPPORT

E-mail

24 h / 7

Chat

Professional
IOCs for upgrading security

This license allows every organization to upgrade its existing security. The Cyber Threat Intelligence DOMAINS feed will instantly boost your protection level without spending time selecting the right Cyber Threat Intelligence provider.

$2000
month billed annually

Enterprise
Perfect for protecting your network

This license is perfect for every organization demanding access to real-time cyber threat intelligence. Multiple output formats from an API allow you to integrate it for almost any purpose. You may not redistribute the feed or provide any commercial or free service.

$3200
month billed annually

Business
Threat intelligence for your product

This version is best for Managed Security Service Providers who provide SIEM analysis, an on-access filtering service. Also, select this option if you are an ISP or Security Vendor so you can incorporate the feed into your software or SaaS product.

Contact us

Redistribution
Best for CTI providers

This allows you to use the feed in your filtering database and redistribute it directly to your clients.

You may change the format, and branding is not required. This is the most flexible version of Cyber Threat Intelligence.

Contact us

Professional
IOCs for upgrading security

This license allows every organization to upgrade its existing security. The Cyber Threat Intelligence DOMAINS feed will instantly boost your protection level without spending time selecting the right Cyber Threat Intelligence provider.

$2250
month billed quarterly

Enterprise
Perfect for protecting your network

This license is perfect for every organization demanding access to real-time cyber threat intelligence. Multiple output formats from an API allow you to integrate it for almost any purpose. You may not redistribute the feed or provide any commercial or free service.

$3600
month billed quarterly

Business
Threat intelligence for your product

This version is best for Managed Security Service Providers who provide SIEM analysis, an on-access filtering service. Also, select this option if you are an ISP or Security Vendor so you can incorporate the feed into your software or SaaS product.

Contact us

Redistribution
Best for CTI providers

This allows you to use the feed in your filtering database and redistribute it directly to your clients.

You may change the format, and branding is not required. This is the most flexible version of Cyber Threat Intelligence.

Contact us

Professional
IOCs for upgrading security

This license allows every organization to upgrade its existing security. The Cyber Threat Intelligence DOMAINS feed will instantly boost your protection level without spending time selecting the right Cyber Threat Intelligence provider.

$2500
monthly

Enterprise
Perfect for protecting your network

This license is perfect for every organization demanding access to real-time cyber threat intelligence. Multiple output formats from an API allow you to integrate it for almost any purpose. You may not redistribute the feed or provide any commercial or free service.

$4000
monthly

Business
Threat intelligence for your product

This version is best for Managed Security Service Providers who provide SIEM analysis, an on-access filtering service. Also, select this option if you are an ISP or Security Vendor so you can incorporate the feed into your software or SaaS product.

Contact us

Redistribution
Best for CTI providers

This allows you to use the feed in your filtering database and redistribute it directly to your clients.

You may change the format, and branding is not required. This is the most flexible version of Cyber Threat Intelligence.

Contact us

6 key reasons to choose PREBYTES

Instant access to always up-to-date threat intelligence

Phishing pages
Malicious file hashes
Domains used in spam campaigns
Malware distribution pages
Malicious Android applications
IP addresses used in infrastructure attacks


Trusted by organizations around the world

Bank Millennium S.A.
Bank Credit Agricole S.A.
PKO Bank Polski S.A.
Bank Pekao S.A.
Santander Bank Polska S.A.
PayU S.A.
McAfee LLC
Fortinet Inc.
Check Point Software Technologies Ltd.
MicroWorld Technologies Inc.
Intel Corporation
FireEye Inc.
F-Secure Inc.
CSIS Security Group A/S
BNP Paribas S.A.
Raiffeisen Bank Polska S.A.
NSS Labs
Podkarpacki Bank Spółdzielczy
Bank BPS S.A.
Trellix
zondacrypto

What else can you do to protect your business?

MPShield

Prevent Account Takeover, stop fraud and money laundering.

DynaProfile

Device digital fingerprint and Strong User Authentication (SCA).

Remote Desktop Detection

Prevent remote access scam and remote desktop takeover.

Mobile Application Security

Protect your application against emulators, malware, and takeover.

Cyber Threat Intelligence

Real-time access to online threats for your IDS/IPS, MISP, SIEM, and incident response team.

Remote access fraud prevention

Identify and reduce fraud associated with attacks leveraging remote desktop.

Threat Analysis

Professional cyberthreats analysis.

Incident Handling

Professional cyberthreats mitigation.

Dark Web Investigation

Investigate the internet for harmful content for your organization.

SIRT News

Cybersecurity awareness newsletter to keep your organization up to date.