Where this intelligence comes from
A curated reading list — vendor research, government advisories, academic groups, and threat feeds that drive the rest of this site. Operator infrastructure (leak sites, hacktivist Telegram channels) is included as metadata only: you can see that it exists and which actor it belongs to, but the page deliberately does not render those rows as clickable links.
Vendor blog · 13
Check Point Research
Israeli vendor research with consistent Iran and Hezbollah-adjacent coverage; also strong on mobile-malware ecosystems.
Cisco Talos Intelligence Group
Telemetry-rich technical writeups; particularly strong on ransomware affiliate tracking and exploited-CVE post-mortems drawn from Cisco Secure Endpoint and Umbrella telemetry.
CrowdStrike Blog
Introduced the animal-suffix taxonomy (Cozy Bear, Fancy Bear, Wicked Panda). Annual Global Threat Report is a CTI staple. Heavy presence on eCrime tradecraft and access broker tracking.
Dragos
ICS/OT-focused threat intelligence — the authoritative source on adversary tradecraft against industrial control systems. Their ELECTRUM/CHERNOVITE/VOLTZITE naming covers ICS-targeting groups.
ESET WeLiveSecurity
Slovak vendor with deep reverse-engineering coverage of Industroyer, the GreyEnergy/BlackEnergy lineage, and Ukrainian-targeted destructive malware.
Kaspersky Securelist
Long-running APT research; historically uncovered the Equation Group and Duqu 2.0 (found inside Kaspersky's own network in 2015), along with many post-Soviet-region intrusion sets. Reporting is now viewed through a geopolitical lens, but the technical depth on implant analysis remains valuable.
Mandiant (Google Cloud) Blog
Long-form intrusion writeups and APT attribution from the firm behind the original APT1 report (2013). Authoritative on China-nexus and Iran-nexus tracking; popularized the numbered 'APTn' scheme that much of the industry adopted, and uses its own 'UNCn' designation for uncategorized clusters that have not yet been graduated to a named group.
Microsoft Threat Intelligence
Output from MSTIC (Microsoft Threat Intelligence Center) and the Digital Crimes Unit. Maintains the weather-themed naming taxonomy adopted in 2023 (Volt Typhoon, Midnight Blizzard, Forest Blizzard). Strong on identity-provider abuse, BEC, and cloud-native intrusion.
Palo Alto Networks · Unit 42
Telemetry-driven research from Palo Alto Networks. Routinely publishes detailed actor profiles and IR narratives; strong Middle-East-nexus coverage.
Recorded Future · Insikt Group
Strategic CTI with strong influence-operations and infrastructure-tracking coverage. Notable for sustained tracking of Chinese MSS contractors and Russian disinformation ecosystem.
SentinelLabs
SentinelOne's research arm. Strong reverse-engineering depth on macOS-targeting threats, North Korean tooling, and Russian destructive-malware families.
Trend Micro Research
Broad telemetry from Asia-Pacific deployments. Often first with Chinese and Southeast-Asian threat-actor reporting (Earth-prefix naming taxonomy).
Volexity
Boutique IR firm with disproportionate influence on in-the-wild zero-day discovery (Microsoft Exchange ProxyLogon in 2021, Ivanti Connect Secure in late 2023/early 2024). Reports tend to land first on novel state-sponsored exploitation.
Government advisory · 7
ANSSI (France) CERT-FR
French national agency. Strong on EU diplomatic targeting and Russian-linked intrusion-set tracking; bilingual reports.
BSI (Germany) Cyber-Sicherheitswarnungen
Germany's federal cyber agency. Strong on industrial-base targeting and EU-coordinated advisory work.
CERT-UA
Ukraine's government CERT, operated by the State Service of Special Communications and Information Protection (SSSCIP). Operational front line: routinely first to publish on Sandworm/APT28 destructive and disruptive operations.
CISA Cybersecurity Advisories
U.S. CISA's joint Cybersecurity Advisory series (IDs of the form AAyy-dddX: two-digit year, day of year, sequence letter), typically co-signed with FBI/NSA and partner Five Eyes / EU agencies. The single most important defender-facing source on named-actor tradecraft and IOCs.
JPCERT/CC
Japanese national CERT. Frequently first to publish on China- and DPRK-nexus campaigns targeting Asia-Pacific organizations; translates significant reports to English.
KrCERT/CC (KISA)
South Korea's national CERT under KISA. Authoritative on DPRK tradecraft against Korean targets.
UK NCSC Threat Reports
UK National Cyber Security Centre. Formal attribution carries intelligence-community weight; co-signs many CISA joint advisories.
Researcher · 3
The DFIR Report
Detailed end-to-end intrusion narratives reconstructed from real engagements. Ideal for detection engineers — every report ends with an IOC pack and Sigma rule references.
ThreatDown by Malwarebytes
Malwarebytes' business-facing brand rather than its consumer line; technically rigorous, with strong ransomware and stealer-malware coverage including monthly ransomware-activity roundups.
vx-underground
Independent malware-archive project; mirrors leak-site dumps and ransomware brand portals as research artifacts. Frequent first-publisher of leaked operator chats and source code.
Academic / policy · 3
Atlantic Council DFRLab
Influence-operations-focused research; strong on the intersection of cyber and information operations from Russia, China, and Iran.
Citizen Lab
University of Toronto research lab — definitive coverage of mercenary spyware (NSO Group/Pegasus, Candiru, QuaDream) and state-sponsored targeting of journalists and dissidents.
CSIS · Strategic Technologies Program
Maintains the Significant Cyber Incidents list — high-signal running chronology of state-attributed events going back to 2006.
Podcast / news · 3
BleepingComputer
Beat-reporter cybersecurity news. Often the public confirmation channel for ransomware victim disclosures and brand-new strain discovery.
KrebsOnSecurity
Brian Krebs — long-form investigative work on cybercrime ecosystems and operator unmasking.
Risky Business · podcast & newsletter
Patrick Gray's weekly briefing, the dominant CTI/defender industry podcast. Willing to engage with attribution questions rather than sidestep them.
Threat feed · 3
abuse.ch
Operates URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker, and YARAify. Free, high-quality IOC feeds widely consumed in MISP and OpenCTI deployments.
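Consuming one of these feeds is mostly format handling. As an added example (not abuse.ch's code, nor this site's), here is a parser for a URLhaus-style CSV export that skips the '#'-prefixed comment header the feed carries, filters rows by URL status, and reduces the result to a deduplicated host list suitable for a blocklist or a MISP/OpenCTI import. The column layout is assumed from abuse.ch's published CSV format; the rows are constructed and use reserved .invalid/.example names and a TEST-NET address rather than real IOCs.

```python
"""Parse a URLhaus-style CSV feed into a deduplicated host blocklist.

Added example, not abuse.ch's own code. The column order below is an
assumption taken from the URLhaus CSV export format (id, dateadded, url,
url_status, last_online, threat, tags, urlhaus_link, reporter). The
SAMPLE_FEED rows are constructed for this example and are not real IOCs.
"""
import csv
from urllib.parse import urlsplit

# Constructed sample feed. abuse.ch CSV exports start with '#' comment lines
# (banner, license, column header) that a naive csv.reader would ingest as
# data rows, so the parser has to drop them before parsing.
SAMPLE_FEED = """\
################################################################
# abuse.ch URLhaus Database Dump (CSV - recent URLs only)      #
################################################################
#
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"3000001","2024-05-01 10:00:03","http://malware-host.invalid/loader.exe","online","2024-05-01 10:00:03","malware_download","exe,loader","https://urlhaus.abuse.ch/url/3000001/","reporter_a"
"3000002","2024-05-01 10:02:17","http://malware-host.invalid/other/payload.bin","online","2024-05-01 10:02:17","malware_download","bin","https://urlhaus.abuse.ch/url/3000002/","reporter_a"
"3000003","2024-05-01 10:05:44","https://old-host.example:8443/x.php?id=1","offline","2024-04-30 23:59:00","malware_download","php","https://urlhaus.abuse.ch/url/3000003/","reporter_b"
"3000004","2024-05-01 10:07:09","http://198.51.100.23/bins/mirai.arm7","online","2024-05-01 10:07:09","malware_download","mirai,elf","https://urlhaus.abuse.ch/url/3000004/","reporter_c"
"""

# Assumed column layout (see module docstring).
COLUMNS = ["id", "dateadded", "url", "url_status", "last_online",
           "threat", "tags", "urlhaus_link", "reporter"]


def parse_feed(text):
    """Return one dict per data row, skipping comment and blank lines.

    The 'tags' field is a comma-separated string inside one quoted CSV
    field; it is split into a list. Rows with the wrong column count are
    dropped rather than allowed to misalign fields downstream.
    """
    data_lines = (ln for ln in text.splitlines()
                  if ln.strip() and not ln.lstrip().startswith("#"))
    rows = []
    for fields in csv.reader(data_lines):
        if len(fields) != len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, fields))
        rec["tags"] = [t for t in rec["tags"].split(",") if t]
        rows.append(rec)
    return rows


def host_of(url):
    """Hostname or bare IP with any port stripped; None if unparseable."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def build_blocklist(rows, status="online"):
    """Distinct hosts for rows in the given status, sorted for stable diffs."""
    hosts = {host_of(r["url"]) for r in rows if r["url_status"] == status}
    hosts.discard(None)
    return sorted(hosts)


def count_by_tag(rows):
    """How many rows carry each tag; useful for a quick 'what is moving' view."""
    counts = {}
    for r in rows:
        for tag in r["tags"]:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    print(f"{len(parsed)} rows parsed")
    print("online hosts:", build_blocklist(parsed))
    print("tags:", count_by_tag(parsed))
```

Filtering on url_status matters in practice: the recent-URLs export keeps rows that have gone offline, and pushing those into a blocklist inflates it with dead infrastructure. Keying on the hostname rather than the full URL also collapses the many per-payload URLs a single host typically serves.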
eCrimeGroup statistics
Per-brand ransomware victim counts and timelines, useful for benchmarking which RaaS operations are growing or in decline.
Ransomware.live
Aggregated ransomware leak-site monitor — surfaces victim claims across active brands without the visitor having to touch the underlying Tor sites. Best public source for tracking ransomware activity in aggregate.
Leak site · 4
Akira leak site
Akira's data-leak site, distinguished by the deliberately retro 1980s-terminal-styled web UI.
CL0P^_- LEAKS
Cl0p's data-leak site — operationally relevant when triaging MOVEit-era and GoAnywhere-era exposure of customer data.
LockBit DLS (post-Cronos shell)
LockBit's operator brand attempted to relaunch a leak site after the February 2024 NCA seizure. Activity since the Khoroshev indictment is largely posturing / re-uploads.
Play leak site
Play ransomware's data-leak site; the brand is a closed group (no public RaaS affiliate program) so victim posts are the primary public signal of operations.
Telegram channel · 3
CyberAv3ngers public Telegram
IRGC-linked persona's claim channel for Unitronics PLC defacements and similar operations against water and wastewater utilities.
KillNet-aligned Telegram channels
KillNet's brand has fragmented; the original channels were removed and successor channels emerge under near-identical names. Operationally relevant for tracking pro-Russia DDoS campaign timing.
NoName057(16) public Telegram channels
DDoSia targeting list, victim claims, and recruitment posts. Channels rotate frequently after Telegram takedowns. The English-language channel mirrors the Russian-language original.