Essential Tools and Platforms for Cyber Threat Intelligence (CTI)
Introduction
This guide provides a curated list of the most relevant tools, platforms, and services for Cyber Threat Intelligence (CTI) analysts. The tools are categorized by functionality and provide references and descriptions to help you integrate them into your threat intelligence workflows.
Breach and Credential Leak Intelligence
Have I Been Pwned (HIBP)
- Checks if email addresses or domains have appeared in known data breaches.
- API available for automated checks and alerting.
LeakLooker (when available)
- Search engine for exposed data across paste sites and misconfigured services.
- Useful for identifying leaked credentials and documents.
Hudson Rock – Cavalier
- Tracks infected devices and stolen credentials via infostealers.
- Offers organizational visibility into compromised employees, assets, and third-party risks.
Dehashed
- Breach database search engine.
- Supports IPs, emails, usernames, hashes, domains, and more.
LeakPeak
- Provides visibility into infostealer logs, credentials, and files.
- Enables domain monitoring and IOC enrichment.
Dark Web Monitoring & Marketplace Intelligence
DarkOwl Vision
- Real-time and historical darknet data access for threat hunting.
- API and dashboard access to indexed darknet marketplaces and forums.
IntSights (now Rapid7 Threat Command)
- Dark web intelligence platform with alerting, brand protection, and fraud detection.
- Integrated with external monitoring and remediation workflows.
CyberSixgill
- Deep and dark web monitoring with automated alerting and contextual analysis.
- Threat actor profiling, CVE exploitation tracking, and TTP mapping.
General CTI Platforms & Enrichment Services
MISP – Malware Information Sharing Platform
- Open-source threat intelligence sharing platform.
- Supports structured data (IOCs, TTPs) and collaborative sharing between orgs.
AlienVault OTX
- Free threat intelligence community platform.
- Allows users to submit and consume pulse-based indicators (IPs, domains, hashes).
VirusTotal
- Aggregates antivirus scan results, network behavior, and metadata for files and URLs.
- Widely used for quick triage and IOC analysis.
Recorded Future
- Commercial threat intelligence platform with real-time alerting, graph analysis, and risk scoring.
- Covers technical, operational, and strategic CTI.
Shodan
- Search engine for Internet-connected devices.
- Used for infrastructure fingerprinting and exposure assessment.
Malware, Infrastructure & IOC Analysis
Any.run
- Interactive malware sandbox for dynamic analysis.
- Supports PE, Office files, scripts, and more.
MalwareBazaar
- IOC repository focused on malware samples and YARA rules.
- Maintained by abuse.ch.
ThreatFox
- Aggregated repository of threat intelligence IOCs.
- Strong focus on real-time feeds and community submissions.
Threat Actor & Campaign Intelligence
MITRE ATT&CK
- Knowledge base of adversary tactics and techniques.
- Used for mapping threat actor behaviors and detection engineering.
APT & Threat Group Index – Malpedia
- Profiles of APT groups and malware families.
- Focus on linking tools, actors, and campaigns.
Conclusion
This collection represents a solid foundation for building or enriching a CTI workflow across strategic, operational, and tactical levels. Integration and automation with platforms such as MISP, TheHive, or custom dashboards can elevate these tools into a powerful intelligence ecosystem.
This post is licensed under CC BY 4.0 by the author.