Threat intelligence (TI) is the practice of collecting, analyzing, and operationalizing information about adversaries, their tools, and their techniques. In modern Security Operations Centers (SOCs), TI feeds and platforms are essential for contextualizing alerts, prioritizing incidents, and hunting for hidden threats before they escalate. During incident response, analysts pivot through IOC databases, sandbox reports, and actor profiles to understand the full scope of an intrusion. Threat hunters use TI proactively — querying malware repositories, YARA rule engines, and enrichment APIs to surface indicators of compromise that silent detections may have missed. The tools below span every layer of the intelligence cycle, from raw malware samples and live botnet trackers to curated actor profiles and MITRE ATT&CK-aligned detection rules, giving defenders a comprehensive edge.
Many threat intelligence platforms operate on a freemium model. Core lookup capabilities are typically free, but higher-volume API access, historical data exports, and advanced correlation features are gated behind commercial subscriptions. Always verify current pricing and terms of service before integrating a platform into automated workflows.
Threat Intelligence Platforms
MITRE ATT&CK
Globally-accessible knowledge base of adversary tactics and techniques used as the foundation for threat-informed defense and detection engineering.
PulseDive
Threat intelligence made easy — search and enrich IOCs with risk scores, linked threats, and context aggregated from dozens of feeds.
ThreatMiner
Data mining for threat intelligence, pivoting across domains, IPs, SSL certificates, malware samples, and WHOIS records from a single interface.
VirusTotal
Analyze suspicious files, domains, IPs, and URLs to detect malware and other breaches using scores from 70+ antivirus engines and threat intelligence feeds.
Cisco Talos
The threat intelligence organization at the center of the Cisco Security portfolio, publishing research on active campaigns, vulnerabilities, and threat actors.
IBM X-Force Exchange
Threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers.
socradar.io
An extension to your SOC team — provides dark web monitoring, attack surface intelligence, and contextualized threat feeds for security operations.
ThreatBook
One step ahead of your adversary with high-fidelity, efficient and actionable cyber threat intelligence covering malware, actors, and infrastructure.
Team Cymru
Global leader in cyber threat intelligence and attack surface management, providing unique internet telemetry and adversary infrastructure insights.
Cybersixgill
Threat intelligence platform providing access to a wide range of cybersecurity information, including dark web monitoring and threat actor analysis.
OTX AlienVault
The World’s First Truly Open Threat Intelligence Community — share and receive IOCs, pulses, and threat research from a global contributor network.
ThreatCrowd
A search engine for threats that visually maps relationships between domains, IPs, email addresses, and malware samples.
PassiveTotal (RiskIQ)
Security intelligence that scales security operations and response through passive DNS, SSL, and WHOIS pivoting.
ShadowServer
Nonprofit security organization working altruistically behind the scenes to make the Internet more secure for everyone through scanning and reporting.
CIRCL
The Computer Incident Response Center Luxembourg — a government-driven initiative to gather, review, report and respond to computer security threats and incidents.
The DFIR Report
Real intrusions by real attackers — detailed technical write-ups of actual threat actor campaigns from initial access to ransomware deployment.
CyberCampaigns
Threat actor information and write-ups covering known APT groups, their tools, techniques, and attributed campaigns.
ORKL
The community-driven cyber threat intelligence library aggregating reports and research from the security community in a searchable format.
Hunt.io
Service that provides threat intelligence data about observed network scanning and cyberattacks, enabling defenders to track malicious infrastructure.
ThreatIntelligencePlatform.com
Data, tool, and API provider that specializes in automated threat detection, security analysis and threat intelligence solutions.
Rescure
Curated cyber threat intelligence for everyone — distilled, actionable intelligence feeds delivered in a consumable format.
Lupovis Prowl
Analyze and collect data on Internet-wide scans and attacks in real-time to identify and classify malicious actors targeting your infrastructure.
OpSecFailure
Site that lists how individuals messed up their operational security — useful for understanding attacker tradecraft mistakes and red team awareness.
InfoTrail
Advanced OSINT search engine helping security professionals and researchers uncover critical intelligence across multiple data sources.
Malware Analysis & Sandboxes
bazaar.abuse.ch
Malware sample database operated by abuse.ch — submit and search malware samples with rich metadata including hashes, tags, and threat families.
Joe Sandbox
Threat hunting and search engine featuring deep malware analysis powered by a multi-platform sandbox environment with extensive behavioral analysis.
tria.ge
Fully automated solution for high-volume malware analysis using advanced sandboxing technology — browse and search public sandbox reports.
Hybrid Analysis
Free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology combining static and dynamic methods.
AnyRun
Browse thousands of malware samples in an interactive online sandbox where you can observe malware behavior in real time and collaborate with the community.
VirusShare
System currently containing 48 million malware samples — a repository providing researchers with access to current, live malicious code for analysis.
MalShare
Community-driven public malware repository that works to provide free access to malware samples and related source code for security researchers.
Malwares.com
Search malwares online — a searchable database of malware samples, hashes, and behavioral reports for threat researchers.
Filescan.io
Search reports for file name, URL, IP, domain or hash — an OPSWAT-powered sandbox platform for rapid malware triage and IOC extraction.
vx-underground.org
The largest collection of malware source code, samples, and papers on the internet — a valuable research archive for malware analysts.
Scumware
Find latest reports about malware and other threats — a search engine for malware intelligence and threat reports.
urlquery.net
Service for detecting and analyzing web-based malware — submits URLs to a sandbox and reports on network activity, IDS alerts, and detected threats.
KleenScan
Analyze files to detect malware. Analyze URLs, domains, and IPs to detect malware and blacklist status using multi-engine scanning.
opensourcemalware.com
A community database, API and collaboration platform to help identify and protect against open-source malware packages in software supply chains.
ApkLab
Mobile threat intelligence platform designed to provide the most relevant information for Android security researchers analyzing malicious APKs.
BeVigil
Search engine for mobile application security testing — uncover security issues, leaked secrets, and vulnerabilities in mobile apps at scale.
Abuse & IOC Feeds
feodotracker.abuse.ch
List of botnet Command & Control servers tracked by abuse.ch — covers Emotet, Dridex, TrickBot, and other major banking trojan infrastructure.
sslbl.abuse.ch
SSL Blacklist by abuse.ch — tracks all malicious SSL certificates associated with botnet C&C servers and malware distribution infrastructure.
urlhaus.abuse.ch
Propose new malware URLs and browse the abuse.ch database of URLs actively distributing malware to enable rapid blocking and researcher awareness.
threatfox.abuse.ch
Indicator of Compromise (IOC) database by abuse.ch — a platform for sharing IOCs associated with malware with the infosec community.
yaraify.abuse.ch
Scan suspicious files such as malware samples or process dumps against a large repository of YARA rules contributed by the security community.
PhishTank
Collaborative clearing house for data and information about phishing on the Internet — verify, track, and share phishing URLs in real time.
OpenPhish
Actionable intelligence data on active phishing threats — provides real-time phishing URL feeds for integration into security controls.
AbuseIPDB
Check the report history of any IP address to see if anyone else has reported malicious activities — a community-driven IP reputation database.
Spamhaus
Protect and investigate using IP and domain reputation data — the internet’s most trusted blocklist authority for spam, malware, and botnets.
scamsearch.io
Find your scammer online and report them — aggregates scam reports across multiple platforms to help victims and researchers identify fraud actors.
scamdb.net
Report and search online scams — a community-driven database for identifying and exposing scam domains, phone numbers, and email addresses.
ransomlook.io
Open-source project providing real-time ransomware intelligence, tracking active ransomware groups, their victims, and dark web leak site activity.
seized.fyi
List of seized websites — tracks law enforcement takedowns of cybercriminal infrastructure, dark web markets, and ransomware operations.
Zone-H Archive
Online archive dedicated to collecting and publishing records of defaced websites — useful for tracking hacktivism campaigns and threat actor tagging.
RuleHound
An index of publicly available and open-source threat detection rulesets — find Sigma, YARA, and Suricata rules across multiple community repositories.
ClickFix Wiki
ClickFix lures can lead to malware and computer viruses — a reference documenting social engineering lures that trick users into running malicious commands.
Living Off the Land & Detection
malapi.io
Windows APIs used for malicious purposes — a reference mapping API calls to known malicious techniques for detection engineering and malware analysis.
filesec.io
Latest file extensions being used by attackers — tracks file type abuse for malware delivery to keep detection rules current.
bootloaders.io
Curated list of known malicious bootloaders for various operating systems — assists in detection and forensic triage of pre-OS persistence mechanisms.
WTFBins
Catalogue of benign applications that exhibit suspicious behavior — helps reduce false positives in threat hunting and automated detections.
HijackLibs
Project for tracking publicly disclosed DLL Hijacking opportunities — documents vulnerable application paths for red team operations and defensive coverage.
Detection.FYI
Search Sigma rules across a broad repository of community-contributed detection logic for SIEM and EDR platforms.
Living off the False Positive
Autogenerated collection of false positives sourced from popular rule sets — helps analysts tune detections by cataloging known benign trigger conditions.
LOFLCAB
Document every cmdlet, binary, script, and WMI class that can be used for Living Off the Foreign Land techniques targeting remote systems.
LOLC2
Collection of C2 frameworks that leverage legitimate services to evade detection — documents abuse of platforms like cloud storage and SaaS for command and control.
Living Off Trusted Sites (LOTS)
Cataloging how cyber attackers abuse legitimate platforms like GitHub or Google Docs to host malware, C2 infrastructure, or exfiltrate data.
lolrmm.io
Curated list of Remote Monitoring and Management (RMM) tools that could potentially be abused by threat actors for persistence and lateral movement.
Living Off The WebHooks
Community-driven project documenting webhooks that may be exploited for data exfiltration and C2 communications using legitimate services.
LOLEXFIL
Reference for data exfiltration methods using trusted tools — documents how legitimate binaries and services can be weaponized for data theft.
TrailDiscover
An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incidents, references, and security implications.
PromptIntel
A collaborative threat intel platform to identify patterns and artifacts indicating potential exploitation or misuse of Large Language Models.
IntelOwl
Open Source Intelligence solution to get threat intelligence data about a specific file, IP or domain from a single API at scale using many analyzers.
Reconnaissance & Enrichment
leakix.net
Search engine indexing public information and an open reporting platform linked to the results — surfaces exposed services and data leaks across the internet.
Polyswarm
Launchpad for new technologies and innovative threat detection methods — a decentralized threat intelligence marketplace with diverse engine coverage.
Maltiverse
Data from more than 100 different threat intelligence sources consolidated into a single platform for IOC lookup and correlation.
Inquest Labs
Threat intelligence from hundreds of public, private, and internal sources used to develop new file detection and response (FDR) signatures and rules.
MetaDefender Cloud
Advanced threat detection and prevention platform by OPSWAT — scan files, URLs, and IPs against multiple engines with deep file analysis capabilities.
Kaspersky TIP
Scan files, domains, IP addresses, and URLs for threats, malware, and viruses using Kaspersky’s global threat intelligence database.
Sucuri SiteCheck
Check websites for known malware, viruses, blacklisting status, website errors, out-of-date software, and malicious code from an external perspective.
WhoisXMLAPI
Domain and IP data intelligence for greater enterprise security — provides WHOIS, DNS, threat intelligence, and infrastructure mapping APIs.
APIVoid
Threat analysis centered on IP and domain reputation, along with additional services including email verification and URL scanning.
IPGeolocation.io
Accurate IP geolocation API and databases with threat intelligence — enrich IP addresses with location, ASN, and threat reputation data.
ClawSearch
Security-first AI agent skill search engine — find safe skills with Trust Score, 10-language search, and pre-install security checks for AI agent ecosystems.