Threat intelligence (TI) is the practice of collecting, analyzing, and operationalizing information about adversaries, their tools, and their techniques. In modern Security Operations Centers (SOCs), TI feeds and platforms are essential for contextualizing alerts, prioritizing incidents, and hunting for hidden threats before they escalate. During incident response, analysts pivot through IOC databases, sandbox reports, and actor profiles to understand the full scope of an intrusion. Threat hunters use TI proactively — querying malware repositories, YARA rule engines, and enrichment APIs to surface indicators of compromise that silent detections may have missed. The tools below span every layer of the intelligence cycle, from raw malware samples and live botnet trackers to curated actor profiles and MITRE ATT&CK-aligned detection rules, giving defenders a comprehensive edge.

Start with VirusTotal for quick IOC lookups, then pivot to specialized platforms like Cisco Talos or IBM X-Force for deeper threat actor context.

Many threat intelligence platforms operate on a freemium model. Core lookup capabilities are typically free, but higher-volume API access, historical data exports, and advanced correlation features are gated behind commercial subscriptions. Always verify current pricing and terms of service before integrating a platform into automated workflows.

Threat Intelligence Platforms

MITRE ATT&CK

Globally-accessible knowledge base of adversary tactics and techniques used as the foundation for threat-informed defense and detection engineering.

PulseDive

Threat intelligence made easy — search and enrich IOCs with risk scores, linked threats, and context aggregated from dozens of feeds.

ThreatMiner

Data mining for threat intelligence, pivoting across domains, IPs, SSL certificates, malware samples, and WHOIS records from a single interface.

VirusTotal

Analyze suspicious files, domains, IPs, and URLs to detect malware and other breaches using scores from 70+ antivirus engines and threat intelligence feeds.

Cisco Talos

The threat intelligence organization at the center of the Cisco Security portfolio, publishing research on active campaigns, vulnerabilities, and threat actors.

IBM X-Force Exchange

Threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers.

socradar.io

An extension to your SOC team — provides dark web monitoring, attack surface intelligence, and contextualized threat feeds for security operations.

ThreatBook

One step ahead of your adversary with high-fidelity, efficient and actionable cyber threat intelligence covering malware, actors, and infrastructure.

Team Cymru

Global leader in cyber threat intelligence and attack surface management, providing unique internet telemetry and adversary infrastructure insights.

Cybersixgill

Threat intelligence platform providing access to a wide range of cybersecurity information, including dark web monitoring and threat actor analysis.

OTX AlienVault

The World’s First Truly Open Threat Intelligence Community — share and receive IOCs, pulses, and threat research from a global contributor network.

ThreatCrowd

A search engine for threats that visually maps relationships between domains, IPs, email addresses, and malware samples.

PassiveTotal (RiskIQ)

Security intelligence that scales security operations and response through passive DNS, SSL, and WHOIS pivoting.

ShadowServer

Nonprofit security organization working altruistically behind the scenes to make the Internet more secure for everyone through scanning and reporting.

CIRCL

The Computer Incident Response Center Luxembourg — a government-driven initiative to gather, review, report and respond to computer security threats and incidents.

The DFIR Report

Real intrusions by real attackers — detailed technical write-ups of actual threat actor campaigns from initial access to ransomware deployment.

CyberCampaigns

Threat actor information and write-ups covering known APT groups, their tools, techniques, and attributed campaigns.

ORKL

The community-driven cyber threat intelligence library aggregating reports and research from the security community in a searchable format.

Hunt.io

Service that provides threat intelligence data about observed network scanning and cyberattacks, enabling defenders to track malicious infrastructure.

ThreatIntelligencePlatform.com

Data, tool, and API provider that specializes in automated threat detection, security analysis and threat intelligence solutions.

Rescure

Curated cyber threat intelligence for everyone — distilled, actionable intelligence feeds delivered in a consumable format.

Lupovis Prowl

Analyze and collect data on Internet-wide scans and attacks in real-time to identify and classify malicious actors targeting your infrastructure.

OpSecFailure

Site that lists how individuals messed up their operational security — useful for understanding attacker tradecraft mistakes and red team awareness.

InfoTrail

Advanced OSINT search engine helping security professionals and researchers uncover critical intelligence across multiple data sources.

Malware Analysis & Sandboxes

bazaar.abuse.ch

Malware sample database operated by abuse.ch — submit and search malware samples with rich metadata including hashes, tags, and threat families.

Joe Sandbox

Threat hunting and search engine featuring deep malware analysis powered by a multi-platform sandbox environment with extensive behavioral analysis.

tria.ge

Fully automated solution for high-volume malware analysis using advanced sandboxing technology — browse and search public sandbox reports.

Hybrid Analysis

Free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology combining static and dynamic methods.

AnyRun

Browse thousands of malware samples in an interactive online sandbox where you can observe malware behavior in real time and collaborate with the community.

VirusShare

System currently containing 48 million malware samples — a repository providing researchers with access to current, live malicious code for analysis.

MalShare

Community-driven public malware repository that works to provide free access to malware samples and related source code for security researchers.

Malwares.com

Search malwares online — a searchable database of malware samples, hashes, and behavioral reports for threat researchers.

Filescan.io

Search reports for file name, URL, IP, domain or hash — an OPSWAT-powered sandbox platform for rapid malware triage and IOC extraction.

vx-underground.org

The largest collection of malware source code, samples, and papers on the internet — a valuable research archive for malware analysts.

Scumware

Find latest reports about malware and other threats — a search engine for malware intelligence and threat reports.

urlquery.net

Service for detecting and analyzing web-based malware — submits URLs to a sandbox and reports on network activity, IDS alerts, and detected threats.

KleenScan

Analyze files to detect malware. Analyze URLs, domains, and IPs to detect malware and blacklist status using multi-engine scanning.

opensourcemalware.com

A community database, API and collaboration platform to help identify and protect against open-source malware packages in software supply chains.

ApkLab

Mobile threat intelligence platform designed to provide the most relevant information for Android security researchers analyzing malicious APKs.

BeVigil

Search engine for mobile application security testing — uncover security issues, leaked secrets, and vulnerabilities in mobile apps at scale.

Abuse & IOC Feeds

feodotracker.abuse.ch

List of botnet Command & Control servers tracked by abuse.ch — covers Emotet, Dridex, TrickBot, and other major banking trojan infrastructure.

sslbl.abuse.ch

SSL Blacklist by abuse.ch — tracks all malicious SSL certificates associated with botnet C&C servers and malware distribution infrastructure.

urlhaus.abuse.ch

Propose new malware URLs and browse the abuse.ch database of URLs actively distributing malware to enable rapid blocking and researcher awareness.

threatfox.abuse.ch

Indicator of Compromise (IOC) database by abuse.ch — a platform for sharing IOCs associated with malware with the infosec community.

yaraify.abuse.ch

Scan suspicious files such as malware samples or process dumps against a large repository of YARA rules contributed by the security community.

PhishTank

Collaborative clearing house for data and information about phishing on the Internet — verify, track, and share phishing URLs in real time.

OpenPhish

Actionable intelligence data on active phishing threats — provides real-time phishing URL feeds for integration into security controls.

AbuseIPDB

Check the report history of any IP address to see if anyone else has reported malicious activities — a community-driven IP reputation database.

Spamhaus

Protect and investigate using IP and domain reputation data — the internet’s most trusted blocklist authority for spam, malware, and botnets.

scamsearch.io

Find your scammer online and report them — aggregates scam reports across multiple platforms to help victims and researchers identify fraud actors.

scamdb.net

Report and search online scams — a community-driven database for identifying and exposing scam domains, phone numbers, and email addresses.

ransomlook.io

Open-source project providing real-time ransomware intelligence, tracking active ransomware groups, their victims, and dark web leak site activity.

seized.fyi

List of seized websites — tracks law enforcement takedowns of cybercriminal infrastructure, dark web markets, and ransomware operations.

Zone-H Archive

Online archive dedicated to collecting and publishing records of defaced websites — useful for tracking hacktivism campaigns and threat actor tagging.

RuleHound

An index of publicly available and open-source threat detection rulesets — find Sigma, YARA, and Suricata rules across multiple community repositories.

ClickFix Wiki

ClickFix lures can lead to malware and computer viruses — a reference documenting social engineering lures that trick users into running malicious commands.

Living Off the Land & Detection

malapi.io

Windows APIs used for malicious purposes — a reference mapping API calls to known malicious techniques for detection engineering and malware analysis.

filesec.io

Latest file extensions being used by attackers — tracks file type abuse for malware delivery to keep detection rules current.

bootloaders.io

Curated list of known malicious bootloaders for various operating systems — assists in detection and forensic triage of pre-OS persistence mechanisms.

WTFBins

Catalogue of benign applications that exhibit suspicious behavior — helps reduce false positives in threat hunting and automated detections.

HijackLibs

Project for tracking publicly disclosed DLL Hijacking opportunities — documents vulnerable application paths for red team operations and defensive coverage.

Detection.FYI

Search Sigma rules across a broad repository of community-contributed detection logic for SIEM and EDR platforms.

Living off the False Positive

Autogenerated collection of false positives sourced from popular rule sets — helps analysts tune detections by cataloging known benign trigger conditions.

LOFLCAB

Document every cmdlet, binary, script, and WMI class that can be used for Living Off the Foreign Land techniques targeting remote systems.

LOLC2

Collection of C2 frameworks that leverage legitimate services to evade detection — documents abuse of platforms like cloud storage and SaaS for command and control.

Living Off Trusted Sites (LOTS)

Cataloging how cyber attackers abuse legitimate platforms like GitHub or Google Docs to host malware, C2 infrastructure, or exfiltrate data.

lolrmm.io

Curated list of Remote Monitoring and Management (RMM) tools that could potentially be abused by threat actors for persistence and lateral movement.

Living Off The WebHooks

Community-driven project documenting webhooks that may be exploited for data exfiltration and C2 communications using legitimate services.

LOLEXFIL

Reference for data exfiltration methods using trusted tools — documents how legitimate binaries and services can be weaponized for data theft.

TrailDiscover

An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incidents, references, and security implications.

PromptIntel

A collaborative threat intel platform to identify patterns and artifacts indicating potential exploitation or misuse of Large Language Models.

IntelOwl

Open Source Intelligence solution to get threat intelligence data about a specific file, IP or domain from a single API at scale using many analyzers.

Reconnaissance & Enrichment

leakix.net

Search engine indexing public information and an open reporting platform linked to the results — surfaces exposed services and data leaks across the internet.

Polyswarm

Launchpad for new technologies and innovative threat detection methods — a decentralized threat intelligence marketplace with diverse engine coverage.

Maltiverse

Data from more than 100 different threat intelligence sources consolidated into a single platform for IOC lookup and correlation.

Inquest Labs

Threat intelligence from hundreds of public, private, and internal sources used to develop new file detection and response (FDR) signatures and rules.

MetaDefender Cloud

Advanced threat detection and prevention platform by OPSWAT — scan files, URLs, and IPs against multiple engines with deep file analysis capabilities.

Kaspersky TIP

Scan files, domains, IP addresses, and URLs for threats, malware, and viruses using Kaspersky’s global threat intelligence database.

Sucuri SiteCheck

Check websites for known malware, viruses, blacklisting status, website errors, out-of-date software, and malicious code from an external perspective.

WhoisXMLAPI

Domain and IP data intelligence for greater enterprise security — provides WHOIS, DNS, threat intelligence, and infrastructure mapping APIs.

APIVoid

Threat analysis centered on IP and domain reputation, along with additional services including email verification and URL scanning.

IPGeolocation.io

Accurate IP geolocation API and databases with threat intelligence — enrich IP addresses with location, ASN, and threat reputation data.

ClawSearch

Security-first AI agent skill search engine — find safe skills with Trust Score, 10-language search, and pre-install security checks for AI agent ecosystems.
