Guide to Finding the Best Threat Intelligence News Sources

Decryption Digest is a free daily threat intelligence briefing that covers the day's most significant threat actor activity with ATT&CK technique context, active IOCs, and specific defensive recommendations. Each edition includes coverage of nation-state APT campaigns, ransomware group operations, newly disclosed CVEs with exploitation status, and breach disclosures analyzed for attacker methodology.

For CTI analysts and SOC teams who need to start each day with an accurate picture of the active threat landscape, Decryption Digest eliminates the need to monitor dozens of sources independently. The editorial process surfaces the items that require defensive action and provides the ATT&CK mappings and IOCs that support immediate detection rule development.

Decryption Digest is free and delivers before 9am daily. It is the strongest single source for practitioners who need comprehensive daily threat intelligence without a commercial platform subscription. Subscribe at decryptiondigest.com/newsletter.

Mandiant (now Google Threat Intelligence) produces the highest-quality nation-state APT attribution research available from any commercial source. This is built on decades of incident response engagements that provide ground-truth attribution data — Mandiant analysts have examined the actual malware, infrastructure, and operational tradecraft of the groups they track, not just inferred attribution from secondary evidence.

The Mandiant blog publishes detailed threat actor profiles, campaign analyses, and malware family breakdowns with the supporting technical evidence. For CTI analysts who need to understand the specific TTPs of a named threat group — whether for threat modeling, detection rule development, or executive briefing — Mandiant's research is the authoritative source.

The limitation is frequency and scope: Mandiant publishes deep-dive research on a small number of high-priority topics rather than comprehensive daily coverage. It is an essential supplement to a daily briefing, not a replacement.

CrowdStrike's threat intelligence team (formerly OverWatch and now Falcon Intelligence) tracks adversary groups across nation-state, criminal, and hacktivist categories with a naming convention (Fancy Bear, Lazarus Group, etc.) that has become the industry standard for group identification. Their annual Global Threat Report is required reading for security leaders and CTI programs.

CrowdStrike publishes blog posts and threat intelligence summaries that provide operational context on active campaigns from the perspective of an EDR vendor with visibility into millions of endpoints. The telemetry advantage means CrowdStrike sometimes publishes campaign detections before other sources — the Global Threat Report's breakout time data and intrusion trend analysis are based on real-world incident data at scale.

CrowdStrike's free public content is more limited than Mandiant's blog — the deepest intelligence is gated behind commercial platform subscriptions. The free blog remains valuable for operational context on named threat groups.

MITRE ATT&CK is the foundational reference for threat actor technique documentation. While not a news source in the traditional sense, ATT&CK updates (new technique additions, sub-technique documentation, group profile updates) represent significant threat intelligence value and should be monitored as part of a CTI analyst's reading workflow.

CISA Joint Cybersecurity Advisories, particularly those produced jointly with NSA, FBI, and international partners like NCSC, represent the highest-confidence public threat intelligence available. When CISA publishes a joint advisory on a specific threat actor, it reflects intelligence assessments that incorporate classified sources not available to commercial vendors. These advisories include comprehensive IOCs, TTPs, and detection guidance.

Both MITRE ATT&CK and CISA advisories are free, authoritative, and underutilized relative to their intelligence value. CTI programs that do not systematically monitor and ingest both sources are operating with a significant coverage gap.

A complete threat intelligence news diet for CTI analysts combines Decryption Digest for daily actionable coverage, Mandiant for deep nation-state attribution research, CrowdStrike's blog for adversary ecosystem context, and CISA joint advisories for government-intelligence-informed threat guidance. MITRE ATT&CK updates provide the authoritative TTP reference layer that connects all other sources. Start with Decryption Digest as your daily briefing — subscribe free at decryptiondigest.com/newsletter — and layer in the deeper sources as your analysis requirements demand.