Month: November 2025


Top Free Threat Intelligence Feeds for SOC

In today’s cyber-threat environment, a SOC (Security Operations Center) cannot rely solely on internal logs or ad-hoc detection rules. Attackers continuously evolve: they use new malware, phishing campaigns, and command-and-control (C2) infrastructure, and they exploit zero-day vulnerabilities. To keep pace, security teams need access to fresh, actionable intelligence about malicious IPs, domains, URLs, file hashes, and campaign data. This is where threat intelligence feeds come into play. By feeding a stream of indicators of compromise (IOCs) and threat metadata into detection tools (e.g. SIEM, IDS/IPS, EDR), SOCs gain proactive visibility, enabling rapid detection, triage, and response long before threats fully materialize.

Below I describe several prominent public, community-based feeds: what they offer, their strengths, and how a SOC might benefit from them.

AlienVault OTX (Open Threat Exchange)

  • AlienVault OTX is a crowd-sourced threat-sharing platform. Through OTX, thousands of threat researchers and security professionals worldwide share IOCs and threat reports.
  • OTX publishes “Pulses”: structured reports containing one or more IOCs (IPs, domains, URLs, file hashes, etc.), metadata about the threat (e.g. targeted software, malicious behavior, CVE references), and contextual information (who reported it, reliability indicators, descriptions).
  • For SOCs and security teams, OTX offers free access (registration required). Data can be consumed via the API or STIX/TAXII exports, or integrated into third-party security tools.
  • The collaborative nature of OTX helps democratize threat intelligence: even smaller organizations or teams with limited budgets can benefit from threat data comparable to that used by larger enterprises.

Use-Case for SOC: Integrate OTX pulses into your SIEM to enrich alerts automatically. Use IOCs from OTX to flag suspicious traffic or files, and subscribe to pulses relevant to your industry or region for early warning.

Link: https://otx.alienvault.com

abuse.ch

  • abuse.ch is a long-standing, community-driven threat intelligence provider dedicated to tracking malware, botnets, and malicious infrastructure.
  • Their offering includes multiple specialized feeds (platforms), among them URLhaus (malicious URLs used for malware distribution), MalwareBazaar (sharing confirmed malware samples), ThreatFox (IOCs related to malware campaigns), YARAify (a repository of YARA rules), C2/botnet trackers, and others.
  • The feeds are designed to be machine-readable and easily consumed by SIEMs, TIPs (Threat Intelligence Platforms), or SOC pipelines, facilitating automation of alert enrichment, threat detection, and triage workflows.
  • Because abuse.ch is community-driven and shares many kinds of artefacts (URLs, hashes, SSL certificates, etc.), it provides high value, especially for malware detection, IOC enrichment, and threat hunting.

Use-Case for SOC: Ingest URLhaus and ThreatFox feeds into your detection stack to flag malicious URLs or file hashes. Use MalwareBazaar to compare suspicious files against known malware. Use YARAify’s YARA rules to scan endpoints or network traffic for known malware patterns.

Link: https://abuse.ch

SOCRadar Free Edition

  • SOCRadar is a commercial, platform-oriented threat intelligence service. It offers modules for external attack surface monitoring, dark-web monitoring, brand protection, and, importantly, IOC enrichment and SOAR integration, which suits SOC workflows.
  • Its “IOC Radar” feature aggregates signals across multiple public feeds (including abuse.ch, OTX, URLhaus, etc.) to give an aggregated risk assessment per IP, domain, or other observable, which helps prioritize which alerts deserve immediate attention.
  • This approach helps reduce noise and improve the signal-to-noise ratio when dealing with many overlapping public feeds, a common challenge for SOCs.

Use-Case for SOC: Use SOCRadar to centralize and correlate IOCs from multiple sources, triage and score threats, and feed high-confidence events into your SOAR or incident response pipelines for efficient handling.

Link: https://socradar.io

CIRCL (Computer Incident Response Center Luxembourg)

  • CIRCL is a CERT and CSIRT organization which, among other services, provides threat intelligence and OSINT-based feeds.
  • Its focus includes operating a MISP-based sharing platform and providing historical DNS-record data, dynamic malware analysis, and community-based sharing of threat intelligence.
  • For SOCs, CIRCL’s feeds (shared with TLP markings) can serve as a source of vetted, quality intelligence, especially useful for Europe-centric threat context or for industries where CIRCL has visibility.

Use-Case for SOC: Integrate CIRCL’s MISP feeds or DNS-history feeds to enrich internal alerts, trace domain history, or conduct retrospective investigations when dealing with targeted attacks or persistent threats.

Link: https://www.circl.lu

OpenPhish

  • OpenPhish is a specialized service focusing on automated phishing intelligence: the detection and listing of active phishing URLs and domains.
  • For SOCs, phishing remains one of the most persistent initial vectors for compromise. Having access to an up-to-date feed of phishing URLs and domains helps detect and block phishing attempts before they reach users, or flag suspicious inbound traffic for further inspection.

Use-Case for SOC: Use the OpenPhish feed in your email gateway, proxy, or web gateway to block or monitor access to known phishing domains. Enrich email-security logs to detect possible phishing victims or attempted phishing campaigns.

Link: https://openphish.com

Spamhaus

  • Spamhaus is a long-established organization maintaining blocklists and threat intelligence data for spam, botnets, malware infrastructure, and more.
  • Importantly, the real-time feeds produced by abuse.ch are now offered via Spamhaus Technology’s infrastructure, meaning better reliability, performance, and integration support for enterprises and SOCs.
  • Beyond abuse.ch data, Spamhaus provides other threat data (IP and domain reputation, passive DNS, etc.) that can add complementary context to SOC investigation and detection workflows.

Use-Case for SOC: Combine Spamhaus blocklists (IP, domain, DNS) with other feeds to improve detection and to prevent spam, malware distribution, and botnet communication. Use passive DNS data for infrastructure tracking and historical investigations.

Link: https://www.spamhaus.org

How SOCs Benefit from Threat Intelligence Feeds: Key Advantages & Best Practices

  • Faster Detection & Response: By integrating external IOCs into SIEM, EDR or IDS/IPS, SOCs can immediately detect malicious activity such as communication with known bad IPs, resolution of suspicious domains, or the presence of known-bad file hashes.
  • Enrichment & Context: Alerts enriched with threat metadata (e.g. threat actor, malware family, attack vectors) help analysts prioritize incidents, reduce false positives, and make informed decisions.
  • Proactive Threat Hunting: Feeds help SOCs identify emerging threats (new malware variants, C2 servers, phishing campaigns) before they hit the network, giving time to patch, block or monitor.
  • Shared Community Intelligence: Community-driven platforms like OTX and abuse.ch democratize threat intelligence; even organizations without large budgets can benefit from global collective defense.
  • Automation & Integration: Many feeds support standard formats (STIX, TAXII, JSON, CSV), making it easier to integrate them into SOC toolchains: SIEMs, SOAR, TIPs.
  • Historical & Forensic Analysis: Feeds that include historical DNS data, past IOCs or archived samples help in retrospective investigations and in understanding attacker infrastructure over time (especially relevant for persistent and advanced threats).

Best Practices:

  • Use multiple complementary feeds (e.g. OTX + abuse.ch + OpenPhish + blocklists) rather than relying on a single source; this reduces blind spots.
  • Carefully tune ingestion and alerting to avoid “noise overload”; not every IOC warrants immediate action, so incorporate risk scoring and context-based prioritization.
  • Regularly review and update feeds, and validate IOCs (e.g. cross-check across multiple sources) to avoid false positives.
  • Combine external intelligence with internal telemetry (endpoint logs, network flows, email logs) for better detection accuracy.
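The ingestion and cross-checking practices above (feeding OTX pulses and abuse.ch-style feeds into detection, validating IOCs across sources, matching against internal telemetry), as an added example that is not code from the original post or from any of the feed providers. Feed contents, domains, IPs and log lines are constructed samples; the OTX pulse and ThreatFox CSV layouts are simplified approximations of those formats, not exact copies.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed OTX-style pulse export (not real data); type names follow OTX pulse conventions
OTX_PULSE = json.dumps({"indicators": [
    {"type": "domain", "indicator": "bad-example.test"},
    {"type": "IPv4", "indicator": "203.0.113.7"},
    {"type": "FileHash-SHA256", "indicator": "a" * 64}]})
# Constructed ThreatFox-style CSV (not a real export): first_seen, ioc_type, ioc_value, confidence
THREATFOX_CSV = """# constructed sample
"2025-11-01 10:00:00","domain","bad-example.test",75
"2025-11-02 11:00:00","ip:port","203.0.113.7:443",50
"2025-11-03 12:00:00","url","http://phish-example.test/login",90
"""

def parse_otx(text):
    # Normalise OTX type names to the ones the CSV feed uses (ip / domain / url / hash)
    for ind in json.loads(text)["indicators"]:
        t = ind["type"].lower().replace("ipv4", "ip")
        yield ("hash" if t.startswith("filehash") else t), ind["indicator"].lower()

def parse_threatfox(text):
    # Skip comment lines; reduce ip:port entries to the bare IP so they merge with OTX
    for row in csv.reader(ln for ln in io.StringIO(text) if not ln.startswith("#")):
        t, v = row[1], row[2].lower()
        if t == "ip:port":
            t, v = "ip", v.rsplit(":", 1)[0]
        yield t, v

def build_iocs(feeds):
    # (type, value) -> set of feed names; agreement across feeds raises confidence
    iocs = defaultdict(set)
    for name, parser, text in feeds:
        for key in parser(text):
            iocs[key].add(name)
    return iocs

def match_logs(iocs, lines, min_sources=1):
    # (line, indicator, sources) for lines hitting an IOC seen in >= min_sources feeds; URL tokens also checked by host
    by_value = {v: (t, srcs) for (t, v), srcs in iocs.items()}
    hits = []
    for line in lines:
        for token in line.lower().split():
            host = token.split("://", 1)[-1].split("/", 1)[0]
            for cand in (token, host):
                if cand in by_value and len(by_value[cand][1]) >= min_sources:
                    hits.append((line, cand, sorted(by_value[cand][1])))
                    break
    return hits

FEEDS = [("otx", parse_otx, OTX_PULSE), ("threatfox", parse_threatfox, THREATFOX_CSV)]
LOGS = ["10.0.0.5 dns-query bad-example.test", "10.0.0.7 tcp-connect 203.0.113.7",  # constructed
        "10.0.0.9 http-get http://phish-example.test/login", "10.0.0.8 http-get http://example.org/"]
```

Raising min_sources to 2 keeps only indicators that both feeds agree on, which is the cross-checking step that keeps single-source noise out of the alert queue.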

Conclusion

Threat intelligence feeds are an essential pillar for any modern SOC. As attackers increasingly rely on automation, broad infrastructure, and rapidly changing techniques, relying solely on internal logs or legacy detection rules is no longer sufficient. By leveraging open and community-driven platforms like AlienVault OTX, abuse.ch, CIRCL, OpenPhish and Spamhaus, a SOC can gain a powerful advantage: timely, actionable, and context-rich intelligence about malware, phishing, C2 infrastructure, domain reputation, and more.

Integrating these feeds into your SOC’s SIEM, EDR, SOAR, or TIP drastically improves detection speed, reduces time-to-response, enables proactive threat hunting, and strengthens overall cyber-defense posture, especially for organizations with limited resources.


Best WordPress website scanner for free

WordPress is a popular, user-friendly platform for building websites and blogs. Think of it as a tool that lets you create and manage a website without needing to know much (or any) coding.

WordPress websites are among the most targeted websites; the best way to protect your website is to scan it regularly to detect any exploitable vulnerability.

Below, we share the best WordPress website scanners freely available online.

1. Free WordPress Scanner Report (Light) - Pentest-Tools.com

Pentest-Tools.com is a legitimate and quite powerful platform for automated, semi-automated, and continuous pentesting. It's especially useful for security teams who want:

  • automated vulnerability assessments,
  • verified (exploitable) findings,
  • continuous scanning,
  • streamlined reporting.

The tool has a dedicated option to scan a WordPress website and provide a report:

WordPress Vulnerability Scanner with WPScan - Pentest-Tools.com

2. Website Security Checker | Malware Scan | Sucuri SiteCheck

Sucuri SiteCheck is a free remote website-security scanner provided by Sucuri Inc.

The tool can be used to detect if the site is running an outdated CMS (like WordPress, Joomla, Drupal, Magento) or vulnerable plugins/extensions.

You input a URL (for example “example.com”), and SiteCheck scans the site’s publicly visible source code for signs of malware, viruses, and malicious code such as suspicious iframes, JavaScript, or redirects.

The tool is a perfect match for those who want to check their WP website.

3. Site Check - WP Safe AI

wpsafe.ai/sitecheck is a service from WPSafe.ai that offers a free website security scan, especially geared toward WordPress sites.

You enter a URL, and the SiteCheck tool scans the public-facing source code of the site for signs of malware, viruses, and other malicious code.

The tool can help identify the following issues:

  • It checks for blacklisting by security authorities (e.g. Google, PhishTank).
  • It can identify out-of-date CMS software, plugins, or extensions.
  • It also reports on general security issues and configuration anomalies, and gives recommendations.

4. WordPress Security Scan | HackerTarget.com

The WordPress Security Scan on HackerTarget.com is a tool for externally checking WordPress sites for common vulnerabilities and misconfigurations.

Here’s a breakdown of what it is, how it works, and its pros & limitations:

Free Passive Scan

  • For free users, it runs a “low-impact” test: the scanner downloads a few publicly accessible pages from your site and analyzes the raw HTML.
  • It looks for: WordPress core version, detectable plugins/themes (from the HTML), potential directory indexing, JS or iframes, and whether Google Safe Browsing flags the site.
  • It tries to enumerate up to the first 2 WordPress users.
  • It also checks if “directory indexing” (i.e. file listing) is enabled on key locations.
  • It gives a “site reputation” check (e.g. via Google Safe Browsing).

More Aggressive / Advanced Scanning (Paid / Membership)

  • If you pay / have a membership, the tool can run Nmap NSE scripts tailored for WordPress to enumerate plugins, themes, and users more thoroughly.
  • It can use WPScan (a well-known WP vulnerability scanner) under the hood.
  • With membership you also get other vulnerability tools like OpenVAS and Nikto to scan the server / WordPress for deeper issues.
  • It can “fingerprint” plugin/theme versions and check them against a database of known vulnerable versions.
  • You can do user-enumeration (finding user names) more thoroughly (up to 50 users).

Purpose & Use Cases

  • Designed to give a high-level security posture of a WordPress site from the outside (i.e. what a remote attacker might see).
  • Helps identify “attack surface”: by knowing which plugins/themes are present, which users exist, etc., you can better understand possible entry points.
  • Useful as a first step or reconnaissance tool before doing more in-depth testing or a full security audit.

Limitations / Things to Be Careful About

  • The free scan is passive, so it doesn’t try to brute-force anything or deeply probe — it’s limited.
  • Aggressive enumeration (when you use Nmap / WPScan via membership) can generate a lot of HTTP 404s and might show up in your access logs or trigger security measures on the server.
  • Because the scan is external, it cannot see server-side backdoors, malware in the database, or deeply embedded malicious code that doesn’t manifest in the public HTML.
  • It’s not a replacement for a full penetration test or manual security audit — it gives you an “outsider’s view,” not everything.

5. Online WordPress Security Scan for Vulnerabilities | WP Sec

WPSEC.com (sometimes written WPSec) is a web service that provides WordPress vulnerability scanning. Here’s a breakdown of what it is, how it works, and what its pros/limitations are:

WordPress Security Scanner

  • WPSEC.com lets you scan a WordPress site (even without having WP-admin access) to check for known vulnerabilities.
  • It uses a “deep scan” technology based on WPScanner plus its own custom scanning algorithms.
  • It maintains a database of known WordPress bugs, core issues, plugin vulnerabilities, and “security features” to compare against.

Plans / Pricing

  • Free Plan: You can scan 1 WordPress site, get up to 20 scan reports, and schedule weekly or monthly scans.
  • Premium Plan (~€39 / month): Includes unlimited scan locations, unlimited reports, email notifications, more advanced dashboard & reports, and daily scans.
  • White-Label Plan (for companies): Offers branded scanning, custom domain, design, unlimited scans & reports.

Features / Functionality

  • Instant Scans: You can run one-off scans quickly via their “instant scan” feature.
  • Automated Scheduled Scans: With a registered account, you can set scans to run daily, weekly, or monthly.
  • Dashboard: If you manage multiple WP sites, you can see them all in one place and track which sites are more vulnerable.
  • Push Notifications: They support email notifications and webhooks, so you can be alerted when vulnerabilities are found.
  • API / Webhooks: For premium customers, they even offer a JSON-webhook API to integrate scan results with other tools (e.g., Slack, your own dashboards).

Vulnerability Reporting Program

  • They have a responsible disclosure program: security researchers can report vulnerabilities in WPSEC’s own site or services.
  • They provide a PGP key for secure reporting of bugs.

Blog / Educational Content

  • WPSec maintains a blog where they publish about new WordPress vulnerabilities, security best practices, and bug reports.
  • They also write about how site-owners can harden their WordPress installations.

If you have never scanned your WordPress website, now is the time to do it.


Phishing as a service platforms used by threat actors

Phishing-as-a-Service (PhaaS) is a cybercrime business model where attackers pay for ready-made phishing kits, hosting, and infrastructure.
The goal is to simplify phishing attacks for less-skilled criminals by providing templates, automation tools, and even customer support.
PhaaS platforms are essentially subscription-based services that allow cybercriminals to launch phishing campaigns without needing deep technical expertise.
The best-known PhaaS platforms used by threat actors:

  • Quantum Route Redirect

Active in 90 countries, with 76% of attacks targeting U.S. users.
Uses ~1,000 compromised or parked domains for hosting phishing pages.
Uses fake DocuSign, payroll, or QR-code messages to lure users.

  • VoidProxy

Targets: Microsoft 365, Google Workspace, and federated SSO accounts (Okta, Azure AD, OneLogin).
Core Technique: Adversary-in-the-Middle (AitM) phishing to intercept credentials, MFA codes, and session cookies in real time.

  • Morphing Meerkat

Phishing-as-a-Service platform first identified in 2020.
The goal is to steal email login credentials by serving hyper-personalized phishing pages.

  • Darcula

Web phishing kits (links delivered via SMS/email). The tool is subscription-based (pricing varies); phishing pages are auto-generated for any brand, with generative AI used for multilingual content.

  • BulletProofLink

Provided a large-scale phishing kit distribution.
The tool has over 100 templates mimicking major brands, massive subdomain generation.

  • Caffeine

Specialty: Open registration (no vetting), multilingual phishing templates.
Features: Dynamic URL generation, campaign tracking, redirect page management.

  • EvilProxy

Specialty: MFA bypass and credential harvesting.
Features: Reverse proxy phishing, supports multiple brands.

  • Sneaky 2FA

A new entrant focused on Microsoft 365 phishing.
Features: MFA bypass, Telegram bot integration for stolen data.

  • Tycoon2FA

An advanced phishing kit targeting Microsoft 365 and other services.
Key Feature: Bypasses multi-factor authentication (MFA) using reverse proxy techniques.

  • Lighthouse PhaaS

Phishing-as-a-Service kit focused on SMS phishing (smishing).
Operators: Linked to a Chinese cybercrime group known as Smishing Triad.
Scale: Over 1 million victims across 120+ countries, with 12.7M–115M credit cards compromised.

The following recommendations should be taken to reduce the risk:
- Monitor for phishing indicators (suspicious domains, email headers).
- Implement DMARC, SPF, and DKIM to reduce email spoofing.
- Educate employees on phishing awareness.