You do not need a Threat Intelligence Platform to get started with intel. I will go further: the free OSINT stack is the correct starting point even if you eventually buy one, because it teaches you what you actually want the paid product to do. Here is the stack that will get you 80% of what $100k+ in vendor subscriptions deliver.
The Vulnerability Layer
CISA KEV (Known Exploited Vulnerabilities) is the single highest-signal free feed on the internet. If a CVE is on KEV, it is being exploited in the wild against U.S. infrastructure. Every CVE on this list deserves a patch ticket with a 14-day SLA; that is the federal mandate under BOD 22-01 and it is a defensible standard for the private sector too. Subscribe to the JSON feed; wire it into your ticketing.
NVD for base CVSS, CPE matching, and reference links. Supplement with EPSS (Exploit Prediction Scoring System) — a probability, updated daily, that a CVE will be exploited in the next 30 days. KEV + EPSS > CVSS alone for prioritization.
The Exposure Layer
Have I Been Pwned — Troy Hunt's breach database. The domain search (free for verified domain owners) tells you which of your employees' corporate addresses appear in breach dumps. Wire it into your IAM program. A new hit on a C-level address is an immediate password-rotation and MFA-verification event.
Certificate Transparency logs (crt.sh, Censys CT) expose every TLS cert issued for your domains. Set a weekly query for %.yourdomain.com and you will catch shadow IT, forgotten subdomains, and typosquat preparation within days of issuance.
Shodan and Censys for external attack surface. Facet by your ASN and organization name; look for RDP (3389), SMB (445), exposed databases (27017, 5432, 9200), and deprecated TLS. Censys' free tier is generous enough to run weekly attack-surface reviews.
The Adversary Layer
Ransomware leak site trackers. ransomware.live and ecrime.ch aggregate claims from every major extortion group's .onion leak site — LockBit offshoots, Akira, Play, BlackBasta, Cl0p, Medusa, Qilin. Filter by industry and geography. This is the closest thing we have to a real-time industry-specific threat indicator, and it is entirely free.
Mandiant, CrowdStrike, Microsoft Threat Intelligence, Unit 42, Talos blogs. Public-facing write-ups of active campaigns. When Mandiant publishes a deep dive on APT41's new edge-device TTP, that is operational intel you would pay six figures for from a smaller vendor.
CISA advisories. Joint CSAs with FBI/NSA on groups like Volt Typhoon, Salt Typhoon, and LockBit variants include IOCs, TTPs, and mitigation guidance. Drop them into your detection backlog.
The Indicator Layer
abuse.ch runs URLhaus (malicious URLs), MalwareBazaar (samples), ThreatFox (IOCs), and Feodo Tracker (botnet C2). Free, well-curated, STIX/MISP-ingestible. AlienVault OTX for community-contributed pulses. VirusTotal free tier for sample and URL lookups (upgrade if you need hunting and retrohunt).
How to Stack Them
The trick is correlation, not collection. A workable weekly rhythm for a lean team:
Monday (20 min): New CISA KEV entries → cross-reference with your CMDB → open patch tickets. New CISA advisories → skim TTPs → flag any that hit your tech stack.
Wednesday (15 min): HIBP domain scan, CT log diff, Shodan/Censys ASN review. Anything new gets a ticket.
Friday (20 min): ransomware.live filtered to your sector, plus one major vendor blog. Are any victims peer organizations? If yes, threat-model the delivery vector.
That is under an hour a week, costs zero, and produces a dated artifact you can show an auditor or a board. It is also, I would argue, better than most $100k TIP deployments I have seen, because the humans actually read it.
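The Monday step (new KEV entries, cross-referenced with the CMDB, turned into tickets) could look like the sketch below. This is an added example, not the author's tooling: the feed sample, EPSS scores, CVE IDs and CMDB export are constructed, the CMDB shape and the `kev_tickets` helper are hypothetical, and it assumes vendor and product names in the CMDB match the KEV fields exactly.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of the CISA KEV JSON feed (CVE IDs are placeholders).
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
  "dateAdded": "2024-05-06", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "OtherCorp", "product": "Mail Server",
  "dateAdded": "2024-05-07", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
  "dateAdded": "2024-04-01", "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Constructed EPSS scores keyed by CVE (EPSS publishes a 0-1 probability per CVE).
EPSS = {"CVE-0000-0001": 0.92, "CVE-0000-0002": 0.40}

# Hypothetical CMDB export: (vendor, product) -> asset names.
CMDB = {("examplevendor", "edge gateway"): ["vpn-gw-01", "vpn-gw-02"],
        ("othercorp", "mail server"): ["mx-01"]}

SLA_DAYS = 14  # the patch SLA the article recommends for KEV entries


def kev_tickets(feed, cmdb, epss, since):
    """Return patch tickets for KEV entries added on/after `since` that match the CMDB."""
    tickets = []
    for v in feed["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        if added < since:
            continue  # already handled in an earlier weekly run
        key = (v["vendorProject"].strip().lower(), v["product"].strip().lower())
        assets = cmdb.get(key)
        if not assets:
            continue  # on KEV, but nothing in the inventory runs it
        tickets.append({
            "cve": v["cveID"],
            "assets": sorted(assets),
            "due": (added + timedelta(days=SLA_DAYS)).isoformat(),
            "epss": epss.get(v["cveID"]),  # None when no score is available
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    # Ransomware-linked entries first, then highest EPSS; a missing score sorts last.
    tickets.sort(key=lambda t: (not t["ransomware"], -(t["epss"] or 0.0)))
    return tickets


if __name__ == "__main__":
    for t in kev_tickets(KEV_FEED, CMDB, EPSS, since=date(2024, 5, 6)):
        print(t)
```

In practice exact name matching will miss assets; mapping CMDB entries to CPE strings via NVD gives a more reliable join.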
When to Graduate
Buy a TIP when the volume of correlated indicators exceeds what a human can triage, when you need automated enrichment at ingest, or when you need non-public underground sources. Not before. The free stack is not a starter kit — it is a permanent layer. The paid tools sit on top of it.