abuse.ch Real-Time Feeds

Accessing the abuse.ch Malware Data via real-time feeds provides security teams with a high-value, low-friction source of threat intelligence. Easy to use and quick to deploy, these feeds directly enhance threat detection, triage, hunting, and enrichment workflows. Gain immediate access to fresh IOCs to proactively identify threats before they cause damage.

Improve Threat Detection and Response

Up-to-the-minute IOCs (IPs, domains, hashes, etc.) so analysts can act faster on alerts and reduce time-to-detection.

Easy Integration and Automation

Feeds are lightweight and work seamlessly with SIEMs and TIPs, making them ideal for automating enrichment.

Proactive Threat Hunting and IOC Pivoting

Discover emerging threats and trace related infrastructure to support deeper investigations and IOC expansion.

abuse.ch Malware Data via Real-Time Feeds

Leveraging the collective capabilities of a large, experienced and thriving malware community, these threat intelligence feeds provide a rich source of actionable data focused on IOCs. The subscription also offers exclusive access to raw connection data captured through controlled malware detonation by abuse.ch, delivered as the Sandnet feed.

Why are there two different names for the data?

Our datasets have been supporting users for a very long time. As new users request our support, the dataset names are being updated for clearer understanding. For now, we document both names to best support all users.

Datasets Included

  • Malware Samples (MalwareBazaar): sample download, hash-based lookups (MD5, SHA1 or SHA256), associated metadata and file info, YARA rule matching, family attribution, delivery method, upload country, submitter, timestamp
  • Malware IoCs (ThreatFox)
  • Malware URLs (URLhaus)
  • YARA Scan Results (YARAify)
  • Malicious file telemetry (Sandnet)

Use cases for abuse.ch Malware Data via Real-Time Feeds

Utilizing enriched IOCs via real-time feeds offers numerous opportunities for cyber threat intelligence practitioners, including (but not limited to!) threat hunters, SOC analysts and threat intelligence analysts.

abuse.ch Malware Data via Real-Time Feeds for Threat Intelligence Enrichment

Enrich alerts to triage faster by correlating internal telemetry with fresh IOC data; cut down false positives and speed up incident prioritization. Feeds can be integrated into SIEM/EDR rules to auto-tag threats, triggering priority alerts based on the latest threat data. With minimal configuration or scripting required, data can also be ingested into reports, lowering operational overhead so analysts can focus on priorities.

Threat Prioritization

Use focused, real-time IOC context to better prioritize threats and concentrate resources on high-risk activity with clearer alerts.

Accelerated Alert Triage

Reduce manual investigation time and ease alert overload with directive IOC metadata that can be used in automations.

Increase Accuracy in Threat Classification

The abuse.ch data is a specialist source of active, high-impact threats, helping analysts focus on genuine threats.

Getting started

  • How do I start a free 30-day trial?

    Simply complete the form and submit. No credit card or payment details are required for the free trial.

    What happens next?

    You’ll receive an email asking you to verify your address, and a member of the team will contact you to enable your access.

    Once verified, log in to the Customer portal and follow the setup instructions provided in the manual.

    Need help?

    If you have any questions, please add them to the comments box provided in the form. Once you gain access to the data, technical support is available via our Customer Portal.

    How can I purchase the data?

    During your free trial, you can request a quote in the Customer Portal to get the subscription cost based on your requirements. You can also enable trials of additional datasets via the Customer Portal.

  • System requirements

    There are no unique requirements. Please consider that this service provides a high volume of structured data and is best ingested into ready-made (internal or external) threat intelligence platforms.

    Real-time threat intelligence feeds need secure, low-latency connections. Software should handle feed ingestion, parsing, and SIEM/TIP integration with proper time sync.

  • Technical Documentation

    Our documentation site provides full setup details for accessing this service.

  • Pricing

    Pricing is based on your use case and usage needs. Exact pricing will be provided during your free trial period. Alternatively, please contact our team for more information.


Frequently Asked Questions

  • Who should use abuse.ch Malware Data via Real-Time Feeds?

    There are many ways to use this data across the cyber threat intelligence discipline, including, but not limited to:

    • SOC Analysts - To enrich alerts, accelerate triage, and improve detection accuracy using up-to-date, verified IOCs.
    • Threat Hunters - To proactively identify emerging threats, uncover attacker infrastructure, and pivot across indicators for deeper investigations.
    • Threat Intelligence Teams - To feed reliable, real-time IOCs into threat intelligence platforms (TIPs) and correlate internal data with global threat trends.
    • Incident Responders - To rapidly validate and scope incidents, identify related indicators, and guide containment efforts with high-confidence data.
    • MDR/MSSP Providers - To enhance managed services by incorporating high-impact, trusted intel into monitoring, detection, and response pipelines for clients.
