Collection of Cyber Threat Intelligence sources from the Deep and Dark Web
The aim of this project is to collect the sources, present in the Deep and Dark web, which can be useful in Cyber Threat Intelligence contexts.
The contributors of the project (or people active in the field of Cyber Threat Intelligence) have a Telegram groups available to propose new sources to be integrated within the project and to have a place to discuss the tactics and techniques of research and analysis that are used daily. It is possible to request access to the Telegram group by sending a request to
What is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) is defined as the collection and analysis of information about threats and adversaries and drawing patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention and response actions against various cyber attacks.
CTI involves collecting, researching and analyzing trends and technical developments in the area of cyber threats and if often presented in the form of Indicators of Compromise (IoCs) or threat feeds, provides evidence-base knowledge regarding an organization’s unique threat landscape.
In Cyber Threat Intelligence, analysis if performed based on the intent, capability and opportunity triad. With the study of this triad, experts can evaluate and make informed, forward-learning strategic, operational and tactical decisions on existing or emerging threats to the organization.
There are three types of Threat Intelligence:
Strategic – provides high-level information regarding cyber security posture, threats and its impact on business.
Tactical – provides information related to threat actor’s Tactics, Techniques and Procedures (TTPs) used to perform attacks.
Operational – provides information about specific threats against the organization.
Typical sources of intelligence are:
- Open Source Intelligence (OSINT)
- Human Intelligence
- Counter Intelligence
- Internal Intelligence
Through this project, which takes into consideration the OSINT sources related to the Deep and Dark Web domain, we aim to monitor the intelligence information present in the following sources:
- Telegram channels, groups and chats
- Discord channels
- ransomware gangs sites
- forums related to cyber criminal activities and data leaks
- exploits databases
- Twitter accounts
- RaaS (Ransomware As A Service) sites
In addition, within the methods file, various techniques for searching and analyzing sources are described.