Feed Catalog
All 39 threat-intel feeds aggregated by WhisperGraph, with category and refresh cadence.
Feed Catalog Documentation
WhisperGraph aggregates 39 threat intelligence feeds across 18 categories. Indicators (IPs, domains, hostnames) appear in the graph as LISTED_IN virtual edges to FEED_SOURCE nodes, and each FEED_SOURCE is classified under a category via the BELONGS_TO edge.
For category groupings see Feed Categories. For the scoring algorithm see explain().
Live feeds
| Feed | Category |
|---|---|
| AlienVault Reputation | Reputation |
| Binary Defense Banlist | General Blacklists |
| Blocklist.de All | General Blacklists |
| Blocklist.de Mail | Spam |
| Blocklist.de SSH | Brute Force |
| Botvrij Domains | Malicious Domains |
| Botvrij Dst IPs | C2 Servers |
| Brute Force Blocker | Brute Force |
| C2 Intel 30d | C2 Servers |
| CERT.pl Domains | Malicious Domains |
| CINS Score | General Blacklists |
| Cloudflare Radar Top 1M | Popularity/Trust |
| DNS RD Abuse | General Blacklists |
| Dan Tor Exit | TOR Network |
| ET Compromised IPs | General Blacklists |
| Feodo Tracker | C2 Servers |
| FireHOL Abusers 1d | General Blacklists |
| FireHOL Anonymous | Proxies |
| FireHOL Level 1 | General Blacklists |
| FireHOL Level 2 | General Blacklists |
| FireHOL Level 3 | General Blacklists |
| FireHOL WebClient | General Blacklists |
| GreenSnow Blacklist | General Blacklists |
| Hagezi Light | Ad/Tracking Blocklists |
| Hagezi Pro | Ad/Tracking Blocklists |
| IPsum | General Blacklists |
| InterServer RBL | General Blacklists |
| MalwareBazaar Recent | Malware Distribution |
| OpenPhish Feed | Phishing |
| SSH Client Attacks | Brute Force |
| SSH Password Auth | Brute Force |
| SSL IP Blacklist | General Blacklists |
| Spamhaus DROP | General Blacklists |
| Spamhaus EDROP | General Blacklists |
| StevenBlack Hosts | Ad/Tracking Blocklists |
| ThreatFox IOCs | C2 Servers |
| Tor Exit Nodes | TOR Network |
| Tranco Top 1M | Popularity/Trust |
| URLhaus Recent | Malware Distribution |
The feed set evolves as sources are added or rebalanced — MATCH (f:FEED_SOURCE) RETURN f.name ORDER BY f.name returns the current list, and GET /api/query/stats reports the live feedSourceCount.
Refresh cadence
Feeds are aggregated by whisper-feeds, a companion service that pulls from public and commercial sources. Refresh policy:
- Hourly: incremental refresh — newly listed indicators flow into the graph within ~60 minutes of source publication.
- Daily: full refresh — every feed is re-fetched and entries no longer present are removed from the graph.
This means a hot indicator (e.g. a C2 IP added to ThreatFox) is queryable through MATCH (ip:IPV4 {name: "..."})-[:LISTED_IN]->(f:FEED_SOURCE) within an hour.
Querying
// All feeds an indicator is listed in
MATCH (ip:IPV4 {name: "185.220.101.1"})-[:LISTED_IN]->(f:FEED_SOURCE)
RETURN f.name
// All feeds in a category — FEED_SOURCE belongs to CATEGORY via BELONGS_TO
MATCH (cat:CATEGORY {name: "C2 Servers"})<-[:BELONGS_TO]-(f:FEED_SOURCE)
RETURN f.name
// The categories a given feed is classified under
MATCH (f:FEED_SOURCE {name: "Feodo Tracker"})-[:BELONGS_TO]->(cat:CATEGORY)
RETURN cat.name
For scored threat assessment, use explain() — it factors feed count, weights, recency, and network density into a single score.