A threat intelligence feed (TI feed) is an ongoing stream of data related to potential or current threats to an organization’s security.
Intelligence, in the military and other contexts including business and security, is information that provides an organization with decision support and possibly a strategic advantage. Threat intelligence data feeds provide users with constantly updated information about potential sources of attack.
Sources of threat intelligence data include free indicator feeds, paid feeds, bulletins, internal intelligence gathering and strategic partnerships. Organizations within in the network security community, including SANS and CERT, make open source TI feeds freely available. Such feeds are sometimes said to consist of threat data rather than threat intelligence because the data has not been analyzed and processed, as the term intelligence implies. Other options include commercial products that provide vetted and aggregated data and closed information-sharing communities specific to particular industries or focus areas.
According to security engineer Matthew Cwieka, free feeds bring the most challenges in terms of accuracy, but even information from paid feeds and bulletins should be subjected to regression testing and have IP addresses and domains investigated to avoid accidentally blocking too many addresses.
See a DefCon presentation, "Measuring the IQ of your threat intelligence feeds."