
Threat Feeds


What are threat feeds

Threat feeds are regularly updated lists of indicators of compromise (IOCs: IPs, URLs, domains) known to be malicious, maintained by the security community. OSINT AI One can:

  1. Query whether a specific IOC appears in the feeds
  2. Analyze IOCs from a feed directly (batch mode)

Available feeds

Feodo Tracker

Maintained by abuse.ch; lists the command-and-control (C2) IP addresses of active botnets (Emotet, QakBot, Dridex, etc.).

# Analyze the 5 most recent C2 IPs
osint-agent --feed feodo --limit 5
# In the interactive CLI
osint> /feeds feodo --limit 10

Update: every hour.

URLhaus

Database of active URLs distributing malware.

osint-agent --feed urlhaus --limit 3

Update: every few hours.

IPsum

List of malicious IPs ranked by the number of public blocklists they appear in. The higher an IP ranks, the more independent sources corroborate it; a single-list hit is weak evidence on its own.

osint-agent --feed ipsum --limit 5
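An added illustration of how an IPsum-style ranking is built and what a lookup against it should return. This is example code written for this page, not IPsum's own code and not part of osint-agent: the blocklists are constructed sample data (documentation-range IPs), and the `min_lists` threshold is a hypothetical policy choice.

```python
import ipaddress
from collections import Counter

# Constructed sample blocklists (hypothetical data, not real feeds). Each set is
# the IPs one upstream list currently flags; IPsum merges a few dozen of these.
# "not-an-ip" is deliberately malformed to show that garbage is dropped, not counted.
BLOCKLISTS = {
    "list_a": {"203.0.113.10", "203.0.113.20", "198.51.100.5", "not-an-ip"},
    "list_b": {"203.0.113.10", "198.51.100.5", "192.0.2.77"},
    "list_c": {"203.0.113.10", "198.51.100.5"},
    "list_d": {"203.0.113.10"},
}


def _ip_sort_key(ip_str):
    # Sort IPv4 before IPv6, then numerically; avoids comparing mixed versions.
    addr = ipaddress.ip_address(ip_str)
    return (addr.version, addr.packed)


def rank_ips(blocklists):
    """Return (ip, hit_count) pairs ordered like IPsum: most-listed IPs first.

    Ties are broken by address so the order is deterministic. Entries that are
    not valid IPs are skipped, so a malformed line in one list cannot create a
    phantom indicator.
    """
    counts = Counter()
    for ips in blocklists.values():
        for raw in ips:
            try:
                ip = str(ipaddress.ip_address(raw.strip()))
            except ValueError:
                continue
            counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], _ip_sort_key(kv[0])))


def lookup(ip, ranked, min_lists=2):
    """Return how many lists flag `ip`, or None if absent or below `min_lists`.

    The threshold is the point of the ranking: one noisy upstream list should
    not by itself turn a block rule on.
    """
    hits = dict(ranked).get(ip)
    if hits is None or hits < min_lists:
        return None
    return hits


def top(ranked, limit=5):
    """Equivalent of --limit N: the N most corroborated IPs."""
    return [ip for ip, _ in ranked[:limit]]


if __name__ == "__main__":
    ranked = rank_ips(BLOCKLISTS)
    for ip, hits in ranked:
        print(f"{hits}\t{ip}")
    print("203.0.113.10 ->", lookup("203.0.113.10", ranked))
    print("192.0.2.77   ->", lookup("192.0.2.77", ranked))
```

The ranking is what makes `--limit 5` meaningful for this feed: the first N entries are the most corroborated IPs, not simply the most recent ones.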

C2IntelFeeds

Known C2 infrastructure of multiple malware families.

osint-agent --feed c2intel --limit 5

Cloudflare Radar

Summary of traffic trends and threats from the Cloudflare network.

osint-agent --feed cloudflare --limit 3

Batch mode usage

Batch mode combines a feed with the agent so that every IOC the feed returns is investigated automatically:

# Investigate the 5 most recent Feodo C2s, with JSON output
osint-agent --feed feodo --limit 5 --json
# Save results to file
osint-agent --feed urlhaus --limit 10 --json > results.json

Batch from your own file

If you have your own IOC list:

# iocs.txt — one IOC per line
# IPs, domains, URLs mixed
cat iocs.txt
185.220.101.34
evil-phishing.com
http://malware-host.net/payload.exe
# Investigate all
osint-agent --batch iocs.txt --limit 20
osint-agent --batch iocs.txt --limit 20 --json
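The file format above is simple, but real IOC lists are messier: comments, duplicates, and defanged indicators (`hxxp://`, `[.]`) that will not match anything unless normalised. The following is an added example of parsing such a file, written for this page rather than taken from osint-agent; the file content is constructed, and the `refang`/`classify`/`parse_ioc_file` names are the example's own.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed iocs.txt content (hypothetical indicators, not real ones). It mixes
# plain and defanged forms, a comment, duplicates and one unparseable line.
SAMPLE_IOCS_TXT = """\
# iocs.txt: one IOC per line
185.220.101.34
evil-phishing.com
http://malware-host.net/payload.exe
hxxp://malware-host[.]net/payload.exe
evil-phishing[.]com
2001:db8::1
not an indicator
"""

_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def refang(value):
    """Undo common defanging so 'hxxp://a[.]b' matches 'http://a.b' in feeds."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def classify(value):
    """Return 'ip', 'domain', 'url', or None for a single IOC string."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "://" in value:
        parsed = urlparse(value)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return "url"
        return None
    if _DOMAIN_RE.match(value):
        return "domain"
    return None


def parse_ioc_file(text, limit=None):
    """Parse iocs.txt content into ([(type, ioc), ...], [(lineno, raw), ...]).

    Blank lines and '#' comments are skipped. Unrecognised lines are returned
    separately instead of being silently dropped, so a typo does not consume an
    enrichment API call unnoticed. Duplicates (after refanging) are removed,
    order is preserved, and `limit` mirrors the CLI --limit flag.
    """
    seen = set()
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ioc = refang(line)
        kind = classify(ioc)
        if kind is None:
            rejected.append((lineno, raw))
            continue
        # URL paths are case-sensitive; hostnames and domains are not.
        key = ioc if kind == "url" else ioc.lower()
        if key in seen:
            continue
        seen.add(key)
        accepted.append((kind, ioc))
        if limit is not None and len(accepted) >= limit:
            break
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = parse_ioc_file(SAMPLE_IOCS_TXT)
    for kind, ioc in accepted:
        print(f"{kind:6} {ioc}")
    for lineno, raw in rejected:
        print(f"skipped line {lineno}: {raw!r}")
```

Classifying before investigating also lets a batch runner route each IOC to the right analysis tools (IP reputation for addresses, URL scanners for URLs) instead of throwing every string at every API.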

fetch_threat_feed as a tool

The underlying function is fetch_threat_feed, which the agent can call directly:

import asyncio
from src.tools.threat_feeds import fetch_threat_feed

async def main():
    # Get the first 10 IOCs from the feed (a list of dicts with ip, malware_family, country, etc.)
    iocs = await fetch_threat_feed("feodo", limit=10)
    print(iocs)

asyncio.run(main())

Rate limiting

Feeds are downloaded in full and filtered locally, so looking an IOC up in a feed costs no per-IOC request. Rate limiting matters for the analysis tools invoked on each IOC in a batch (VirusTotal, AbuseIPDB, etc.), which is why a pause between IOCs is configurable.

BATCH_DELAY_SECONDS=2 # Pause between IOCs to respect rate limits

Feed limit configuration

THREAT_FEED_LIMIT=10 # Maximum IOCs per feed fetch (default: 10)

You can override this limit with --limit N in the CLI.
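To make the two settings above concrete, here is an added example of a throttled batch runner that applies them: the feed limit is resolved with `--limit` taking precedence over THREAT_FEED_LIMIT over the default of 10, and BATCH_DELAY_SECONDS is honoured between consecutive per-IOC analyses only. It is illustrative code written for this page, not osint-agent's implementation; `fake_analyze` is a constructed stand-in for the real enrichment tools, and the `sleep` parameter exists so the delay can be tested without waiting.

```python
import os
import time


def resolve_limit(cli_limit=None, env=os.environ, default=10):
    """Feed limit: --limit wins over THREAT_FEED_LIMIT, which wins over the default."""
    value = cli_limit if cli_limit is not None else env.get("THREAT_FEED_LIMIT", default)
    value = int(value)
    if value < 1:
        raise ValueError("limit must be a positive integer")
    return value


def resolve_delay(env=os.environ, default=0.0):
    """Seconds to pause between per-IOC analyses (BATCH_DELAY_SECONDS)."""
    value = float(env.get("BATCH_DELAY_SECONDS", default))
    if value < 0:
        raise ValueError("BATCH_DELAY_SECONDS must be >= 0")
    return value


def run_batch(iocs, analyze, delay, sleep=time.sleep):
    """Analyze each IOC in turn, pausing `delay` seconds between calls.

    The pause sits between consecutive analyses (no sleep after the last one),
    and a failing analysis is recorded instead of aborting the run, so one
    flaky enrichment API does not lose the results for every other IOC.
    """
    results = []
    for i, ioc in enumerate(iocs):
        if i > 0 and delay > 0:
            sleep(delay)
        try:
            results.append({"ioc": ioc, "ok": True, "result": analyze(ioc)})
        except Exception as exc:
            results.append({"ioc": ioc, "ok": False, "error": str(exc)})
    return results


def fake_analyze(ioc):
    # Constructed stand-in for the per-IOC tools (VirusTotal, AbuseIPDB, ...);
    # the ".invalid" reserved TLD is used to simulate a lookup failure.
    if ioc.endswith(".invalid"):
        raise RuntimeError("lookup failed")
    return {"verdict": "malicious"}


if __name__ == "__main__":
    # Constructed environment and feed contents; in the CLI these come from the
    # shell environment and from the downloaded feed.
    env = {"THREAT_FEED_LIMIT": "5", "BATCH_DELAY_SECONDS": "2"}
    feed = ["203.0.113.1", "203.0.113.2", "c2.invalid", "203.0.113.4",
            "203.0.113.5", "203.0.113.6"]
    limit = resolve_limit(cli_limit=None, env=env)  # 5: env value, no --limit given
    delay = resolve_delay(env)                      # 2.0 seconds between IOCs
    for row in run_batch(feed[:limit], fake_analyze, delay):
        print(row)
```

Because the feed is already on disk, `feed[:limit]` is a local slice; the only paced operations are the `analyze` calls, which is exactly where external rate limits bite.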