Curated IOC feeds your SIEM and SOAR can ingest directly.
Detection engineering teams need stable, low-noise feeds of indicators ready to plug into the systems they already operate. Deepinfo's IOC Feeds deliver curated streams of malicious domains, phishing infrastructure, command-and-control endpoints, and other indicators of compromise. The feeds are refreshed continuously, scoped by feed type, and delivered in formats your SIEM, SOAR, and threat-intel platform speak natively.
Stable IOC streams for direct integration.
Each feed is scoped to a specific indicator type: malicious domains, phishing domains, C2 endpoints, malware-distribution infrastructure, and IOC packages tied to specific threat actors. Curation is continuous: false positives get filtered, decayed indicators get removed, new indicators get added as they're observed.
Delivery formats include STIX/TAXII for threat-intel platforms, JSON/CSV for direct ingestion into SIEMs, and a polled API for SOAR integrations. Feed cadence is configurable per consumer; standard refresh intervals range from continuous (every few minutes for active threat feeds) to daily (for slower-moving indicator categories).
Three layers of feed engineering.
Curation against false positives. Scope by indicator type so each feed fits a specific integration target. Standard formats so each feed plugs into the systems your team already runs.
Curated, not aggregated.
Each feed is curated against false positives and noise. Indicators decay out of feeds as they stop being observed, so consumer SIEMs aren't drowning in stale rules.
Scoped by indicator type.
Separate feeds for separate use cases. A phishing-domain feed for email-security tooling. A C2-endpoint feed for network-detection rules. A malicious-IP feed for edge filtering. Subscribe to what fits the integration target.
Standard formats, multiple delivery patterns.
STIX/TAXII for threat-intel platforms. JSON/CSV for SIEM direct ingestion. Polled API for SOAR. Choose the format your downstream system already speaks.
Feed types currently available.
Malicious domains
Domains observed in attack chains, phishing kits, and malware distribution.
Phishing infrastructure
Active phishing domains and their hosting infrastructure.
C2 endpoints
Command-and-control infrastructure observed in active campaigns.
Malware-distribution IPs
IPs hosting active malware payloads.
Actor-attributed IOC packages
Indicators tied to specific threat actor groups, paired with Threat Actor Intelligence.
Newly registered suspicious domains
Domains registered with patterns matching attack precursors.
IOC Feeds are the direct-integration output.
While most CTI sub-features alert into your SOC inbox or dashboard, IOC Feeds output directly into the systems that block, detect, and route: your SIEM, your SOAR, your firewall, your email gateway. The same intelligence that powers Threat Actor Intelligence and the Data Breach Index also flows out as feed-format streams ready for automated consumption.
“Curated, low-noise feeds plug straight into our SIEM and SOAR without the cleanup step. Detection engineering spends time tuning rules instead of grooming feeds.”
Explore the full platform.
See your entire attack surface. Act on what matters.
Continuous discovery and monitoring of every internet-facing asset, including subsidiaries and acquired companies.
CTI · CYBER THREAT INTELLIGENCE
See what’s exposed. Act before it’s exploited.
Dark-web monitoring, breach corpora, infostealer logs, and threat-actor activity tied to your organization.
BRP · BRAND RISK PROTECTION
Keep an eye on the internet. Protect your brand.
Lookalike domains, fake apps, fraudulent listings, and brand abuse caught in hours, not weeks.
TPRM · THIRD-PARTY RISK MANAGEMENT
Every third party carries risk. See all of it.
Continuous external monitoring of every approved vendor with the same depth as your own surface.
DSI · DEEP SEARCH AND INSIGHTS
Explore the entire internet. See every layer.
400M domains, 2B subdomains, 200B DNS records, 30B SSL certificates. All queryable directly.
See sample feeds and walk through integration patterns.
Book a demo. We'll show sample feed contents, walk through STIX/TAXII vs JSON/CSV vs API delivery, and scope a fit to your detection stack.