OpenCTI Review
Store, correlate, and visualize structured threat intelligence using STIX2 as the native data model — with a 150+ connector ecosystem and graph-based investigation workflows designed for serious TI programs.
Quick Verdict
National CERTs, enterprise threat intelligence teams, and MSSP operations that need a structured platform for long-term threat actor tracking, campaign attribution, and STIX2-interoperable intelligence sharing.
Pros
- STIX2 native data model with typed relationships enforces analytical rigor: 'attributed-to', 'uses', 'targets' carry analytical meaning that flat IOC tables cannot express
- MITRE ATT&CK integration populates navigator heatmaps directly from stored threat actor and campaign intelligence
- 150+ connectors cover ingestion from MISP, TAXII, OTX, VirusTotal, CVE databases, and CERT feeds; adding a source is deploying a container, not writing integration code
- Graph-based investigation workspace enables hypothesis-driven relationship mapping across the full intelligence database
- Backed by ANSSI; institutional support provides long-term development continuity unusual for open source security tooling
Cons
- Multi-container infrastructure requirement (Elasticsearch, MinIO, Redis, RabbitMQ) creates substantially higher deployment and maintenance overhead than single-server alternatives like MISP
- Architectural complexity requires dedicated infrastructure investment; not appropriate for teams that need lightweight IOC enrichment without platform administration overhead
OpenCTI: Open Source Cyber Threat Intelligence Platform
MISP handles IOCs fine. Events, attribute lists, tags, and galaxy mappings get the job done. But scale makes it messy. Relationships between actors, tools, campaigns, and targets are implied, not explicit.
OpenCTI is built for structured analysis. The data model is designed to capture detailed, linked information, so you can ask questions like: Show me every campaign this actor ran. What malware did they use? Which sectors did they hit? What TTPs show up across campaigns? The data model supports these queries directly.
What OpenCTI Is
OpenCTI is an open-source cyber threat intelligence platform built by Luatix and backed by ANSSI, France's national cybersecurity agency. This support ensures development stays funded, and ANSSI's needs shape the platform.
The platform runs on STIX2: threat actors, campaigns, TTPs, malware families, vulnerabilities, attack patterns, indicators, and courses of action are each stored as STIX domain objects, and the relationships between them carry typed semantics. The platform uses a graph database.
The API is the primary interface, and every UI action is available via GraphQL. Users can create entities, manage relationships, export indicators, and generate reports programmatically. The platform is designed for integration with other security tools, not isolation. Teams use it in conjunction with other tools.
STIX2 Data Model and Why It Matters
STIX2: More Than Just a Format
The case for STIX2 as a native data model is analytical. The key concept here is typed relationships.
In OpenCTI, saying APT-X is attributed to C-2023-04 carries meaning: attribution confidence, the analyst who made the call, external references, and the date.
C-2023-04 uses M-17. This relationship records who made the link and what evidence they had.
M-17 targets the finance sector. The source is tied to the claim.
Comparison to Other Models
This approach differs from MISP. In MISP, you tag an event with a threat actor and sector.
In STIX2, relationship semantics are in the data model, not inferred from tags.
MITRE ATT&CK Integration
MITRE ATT&CK fits naturally into this model. Attack patterns in OpenCTI are STIX2 objects that map to ATT&CK techniques. Campaigns with TTP relationships to attack patterns feed ATT&CK navigator heatmaps, and threat actor profiles build up technique coverage over time. The navigator output reflects the underlying analysis, so operators get accurate data.
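The following is an added example, not OpenCTI's own code: it builds the APT-X / C-2023-04 / M-17 chain from the section above as STIX 2.1 objects with typed, attributed relationships, then walks them to answer the questions posed earlier (campaigns, malware, sectors, ATT&CK techniques for one actor). The analyst identity, confidence values and the T1566 reference are constructed sample data.

```python
import uuid

def sid(kind):
    """STIX 2.1 identifier: <type>--<uuid4>."""
    return f"{kind}--{uuid.uuid4()}"

def sdo(kind, name, **extra):
    """A STIX domain object (threat-actor, campaign, malware, identity, attack-pattern)."""
    return {"type": kind, "spec_version": "2.1", "id": sid(kind), "name": name, **extra}

def sro(src, rtype, dst, confidence, creator, **extra):
    """A typed relationship recording who asserted it and how confident they were."""
    return {"type": "relationship", "spec_version": "2.1", "id": sid("relationship"),
            "relationship_type": rtype, "source_ref": src["id"], "target_ref": dst["id"],
            "confidence": confidence, "created_by_ref": creator["id"], **extra}

def build_bundle():
    """Constructed sample: the APT-X / C-2023-04 / M-17 chain described in the review."""
    team = sdo("identity", "Constructed TI Team", identity_class="organization")
    actor = sdo("threat-actor", "APT-X")
    camp = sdo("campaign", "C-2023-04")
    mal = sdo("malware", "M-17", is_family=True)
    fin = sdo("identity", "finance", identity_class="class", sectors=["financial-services"])
    ttp = sdo("attack-pattern", "Phishing",
              external_references=[{"source_name": "mitre-attack", "external_id": "T1566"}])
    rels = [sro(camp, "attributed-to", actor, 70, team, description="infra overlap (constructed)"),
            sro(camp, "uses", mal, 85, team),
            sro(mal, "targets", fin, 60, team),
            sro(camp, "uses", ttp, 80, team)]
    return {"type": "bundle", "id": sid("bundle"), "objects": [team, actor, camp, mal, fin, ttp, *rels]}

def neighbours(bundle, node_id, rtype, inbound=False):
    """Follow relationships of one type out of (or into) a node; return the objects on the other end."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    me, other = ("target_ref", "source_ref") if inbound else ("source_ref", "target_ref")
    return [by_id[r[other]] for r in bundle["objects"]
            if r["type"] == "relationship" and r["relationship_type"] == rtype and r[me] == node_id]

def actor_profile(bundle, actor_name):
    """Campaigns, malware, targeted sectors and ATT&CK technique ids reachable from one threat actor."""
    actor = next(o for o in bundle["objects"] if o["type"] == "threat-actor" and o["name"] == actor_name)
    profile = {"campaigns": [], "malware": [], "sectors": [], "techniques": []}
    for camp in neighbours(bundle, actor["id"], "attributed-to", inbound=True):  # campaign -> actor
        profile["campaigns"].append(camp["name"])
        for used in neighbours(bundle, camp["id"], "uses"):
            if used["type"] == "malware":
                profile["malware"].append(used["name"])
                profile["sectors"] += [t["name"] for t in neighbours(bundle, used["id"], "targets")]
            elif used["type"] == "attack-pattern":
                profile["techniques"] += [ref["external_id"] for ref in used.get("external_references", [])
                                          if ref["source_name"] == "mitre-attack"]
    return profile
```

Because every relationship carries `created_by_ref` and `confidence`, a reviewer can audit each hop of the answer rather than trusting a tag.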
Connector Ecosystem: 150+ External Data Sources
OpenCTI's connector ecosystem keeps the intelligence database current. Connectors are Docker containers that run with the platform, handling specific data source integrations.
The catalog covers 150+ sources: MISP instances, TAXII feeds, AlienVault OTX, VirusTotal, Shodan, MITRE ATT&CK framework data, CVE databases, CERT feeds, threat intel vendor feeds, community-maintained integrations.
Connectors work both ways. Import connectors pull intel from external sources into OpenCTI's STIX2 graph. A MISP import connector ingests MISP events, transforms them into OpenCTI objects. Export connectors push OpenCTI intel outward — to MISP, STIX2 bundles, CSV, SOAR platforms.
To add a data source, you simply deploy a connector. Pull the connector container, configure environment variables with API credentials and OpenCTI connection details, then start it. The connector handles data transformation and ingestion; no integration code or API mapping is required. Community-contributed connectors are deployed the same way as official ones. You manage the library separately from the core platform.
Graph Visualization and Investigation Workflows
The knowledge graph interface is where OpenCTI's data model becomes an investigation surface. Starting from a threat actor node, the analyst expands the graph, and the attributed campaigns, malware families used, vulnerabilities exploited, sectors targeted, and TTPs observed surface through interactive graph traversal.
This capability sets OpenCTI apart from MISP. A MISP event provides a point-in-time snapshot. OpenCTI's graph provides an accumulated analytical picture. Each attribution, campaign association, or TTP linkage adds to the record.
Investigation workspaces take this further. An analyst constructs an ad-hoc relationship map, combining entities across the intelligence database, subsets the full graph, and explores a hypothesis. The analyst annotates with notes, attaches references, shares with colleagues, and exports as a report, all within the same tool, querying the STIX2 graph.
Every entity and relationship carries provenance metadata, including creator, external references, confidence score, last review date. The audit trail supports peer review, intelligence sharing, and source attribution.
Deployment, Scale, and Operational Considerations
Infrastructure and Scale
Evaluating OpenCTI starts with infrastructure. The Docker Compose stack requires several components: Elasticsearch, MinIO, Redis, RabbitMQ, and the core app and connector containers. This is not a simple single-server setup.
Sizing Elasticsearch for a large intel corpus requires planning; the straightforward setup that suffices for a MISP deployment won't suffice here.
For teams that can invest in the setup, OpenCTI scales organizationally. Role-based access control governs what analyst groups can view and modify. Group-based data sharing policies control intel visibility. Multi-tenancy support allows one platform deployment to serve multiple units with data separation.
The GraphQL API covers the full platform for integration, enabling SIEM platforms to pull indicators via API, SOAR platforms to create and update intel objects, and reporting workflows to query the graph. The API-first design is the intended integration path.
Teams embedding OpenCTI in a security stack use the API to get the most out of OpenCTI. The API is not an afterthought; it is how teams integrate OpenCTI.
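As an added example (not OpenCTI's own client code) of the SIEM-side pull described above: a paginated GraphQL query for indicators, the authenticated request a collector would send, and the validity filtering a practitioner wants before loading patterns into a SIEM. The field and header names are assumed to match OpenCTI's GraphQL schema (verify against your instance's schema), and the response page is a constructed sample rather than a live call.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Assumed OpenCTI GraphQL shape: indicators connection with edges/node and pageInfo for cursor paging.
INDICATOR_QUERY = """
query Indicators($first: Int, $after: ID) {
  indicators(first: $first, after: $after) {
    edges { node { id name pattern pattern_type valid_from valid_until revoked confidence } }
    pageInfo { endCursor hasNextPage }
  }
}"""

def graphql_request(url, token, variables):
    """Build the POST request for the platform's GraphQL endpoint (bearer-token auth, assumed form)."""
    body = json.dumps({"query": INDICATOR_QUERY, "variables": variables}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json", "Authorization": f"Bearer {token}"})

def usable_indicators(page, now):
    """Keep only indicators a SIEM should still match on: not revoked and inside their validity window."""
    out = []
    for edge in page["data"]["indicators"]["edges"]:
        n = edge["node"]
        until = n.get("valid_until")
        expired = until is not None and datetime.fromisoformat(until.replace("Z", "+00:00")) < now
        if n["revoked"] or expired:
            continue  # stale or withdrawn intel must not become a detection rule
        out.append({"pattern": n["pattern"], "type": n["pattern_type"], "confidence": n["confidence"]})
    return out

SAMPLE_PAGE = {  # constructed response shaped like one page of the query above (documentation addresses)
    "data": {"indicators": {
        "edges": [
            {"node": {"id": "i1", "name": "stale", "pattern": "[ipv4-addr:value = '192.0.2.10']",
                      "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z",
                      "valid_until": "2023-06-01T00:00:00Z", "revoked": False, "confidence": 50}},
            {"node": {"id": "i2", "name": "live", "pattern": "[domain-name:value = 'example.test']",
                      "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
                      "valid_until": None, "revoked": False, "confidence": 80}},
            {"node": {"id": "i3", "name": "revoked", "pattern": "[url:value = 'http://example.test/x']",
                      "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
                      "valid_until": None, "revoked": True, "confidence": 90}}],
        "pageInfo": {"endCursor": "c3", "hasNextPage": False}}}}
```

A real collector loops on `pageInfo.hasNextPage`, passing `endCursor` as `$after`, and re-runs the filter on every page so expirations and revocations propagate to the SIEM.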
OpenCTI vs MISP: Positioning and Use Case Differences
MISP and OpenCTI serve different needs and are built to interoperate.
MISP is designed to share threat information, with fast IOC distribution as its primary goal, and it operates within a trusted community. Events and attributes synchronize between instances, and it features contextual tagging with galaxy mappings. The platform supports a one-server deployment, event-driven data, and mature sharing, making it well-suited for sharing indicators quickly.
OpenCTI, on the other hand, focuses on managing threat intelligence through structured analysis, aiming to build a rich threat picture over time. It utilizes the STIX2 graph model, includes an investigation workspace, and integrates with ATT&CK to attribute campaigns. These features make OpenCTI ideal for strategic analysis.
Many teams require both needs to be met, and as a result, they use both MISP and OpenCTI. MISP is often used for sharing indicators, while OpenCTI is used for analysis. Connectors exist that enable MISP and OpenCTI to work together.
The infrastructure requirements of each platform differ. MISP is simple, requiring only one server, and is easy to maintain. OpenCTI, however, is more complex, involving multiple containers and requiring management. Teams that choose OpenCTI over MISP trade simplicity for advanced analysis capabilities, and they should be aware of the implications of this choice.
Verdict
OpenCTI handles structured threat intel with precision. The platform utilizes the STIX2 data model and typed relationships. It offers over 150 connectors and a graph-based workflow. The integration with MITRE ATT&CK enhances its capabilities. This combination provides unmatched analysis depth; no free equivalent comes close.
Commercial platforms like Recorded Future, ThreatConnect, and Anomali offer managed infrastructure. Their support teams handle the heavy lifting. OpenCTI does not. However, its analytical capabilities are on par with commercial platforms.
National CERTs tracking threats over months, enterprise teams building attribution records, and MSSPs managing intel across clients justify the investment. STIX2 sharing with partners is a requirement.
OpenCTI is not suitable for teams needing quick IOC enrichment. Small security teams without admin capacity also may not benefit. Tactical indicator distribution is better handled by MISP.
The barrier to entry is infrastructure investment. It also serves as a filter. Teams that invest get the analytical value. Lightweight indicator stores hit a complexity ceiling.
Best for: National CERTs, enterprise TI teams, MSSP operations
Website: opencti.io · GitHub: OpenCTI-Platform/opencti
This review reflects testing as of 2026-04-06. OSINT tools change frequently; check the vendor's current documentation for pricing and feature updates.