Feed Catalog
All 40+ threat-intel feeds aggregated by WhisperGraph, with category and refresh cadence.
Feed Catalog Documentation
WhisperGraph aggregates 40+ threat intelligence feeds across 18 categories. Indicators (IPs, domains, hostnames, ASNs) appear in the graph as LISTED_IN virtual edges to FEED_SOURCE nodes.
For category groupings see Feed Categories. For the scoring algorithm see explain().
Live feeds
| Feed | Category |
|---|---|
| AbuseCH ThreatFox | C2 Servers |
| AbuseCH URLhaus | Malware Distribution |
| Alienvault Reputation | General Blacklists |
| Bitcoin Nodes | Reference Data |
| Blocklist.de All Attacks | Attack Sources |
| Blocklist.de Bots | Attack Sources |
| Blocklist.de Mail | Spam |
| BotScout Last Caught | Reputation |
| CERT.pl Domains | Malicious Domains |
| CINS Score | General Blacklists |
| Cloudflare Radar Top 1M | Popularity/Trust |
| DNS RD Abuse | General Blacklists |
| Dan Tor Exit | TOR Network |
| ET Compromised IPs | General Blacklists |
| Feodo Tracker | C2 Servers |
| FireHOL Abusers 1d | General Blacklists |
| FireHOL Anonymous | Proxies |
| FireHOL Level 1 | General Blacklists |
| FireHOL Level 2 | General Blacklists |
| FireHOL Level 3 | General Blacklists |
| FireHOL WebClient | General Blacklists |
| GreenSnow Blacklist | General Blacklists |
| Hagezi Light | Ad/Tracking Blocklists |
| Hagezi Pro | Ad/Tracking Blocklists |
| IPsum | General Blacklists |
| InterServer RBL | General Blacklists |
| MalwareBazaar Recent | Malware Distribution |
| OpenPhish Feed | Phishing |
| SSH Client Attacks | Brute Force |
| SSH Password Auth | Brute Force |
| SSL IP Blacklist | General Blacklists |
| Spamhaus DROP | General Blacklists |
| Spamhaus EDROP | General Blacklists |
| StevenBlack Hosts | Ad/Tracking Blocklists |
| ThreatFox IOCs | C2 Servers |
| Tor Exit Nodes | TOR Network |
| Tranco Top 1M | Popularity/Trust |
| URLhaus Recent | Malware Distribution |
Refresh cadence
Feeds are aggregated by whisper-feeds, a companion service that pulls from public and commercial sources. Refresh policy:
- Hourly: incremental refresh — newly listed indicators flow into the graph within ~60 minutes of source publication.
- Daily: full refresh — every feed is re-fetched and entries no longer present are removed from the graph.
This means a hot indicator (e.g. a C2 IP added to ThreatFox) is queryable through MATCH (ip:IPV4 {name: "..."})-[:LISTED_IN]->(f:FEED_SOURCE) within an hour.
Querying
-- All feeds an indicator is listed in
MATCH (ip:IPV4 {name: "185.220.101.1"})-[:LISTED_IN]->(f:FEED_SOURCE)
RETURN f.name
-- All feeds in a category
MATCH (cat:CATEGORY {name: "C2 Servers"})<-[:IN_CATEGORY]-(f:FEED_SOURCE)
RETURN f.name
-- Feed source counts (how many indicators per feed)
MATCH (f:FEED_SOURCE)<-[r:LISTED_IN]-()
RETURN f.name, count(r) AS indicators ORDER BY indicators DESC LIMIT 20
For scored threat assessment, use explain() — it factors feed count, weights, recency, and network density into a single score.