Threat intelligence platform for structuring, linking, and visualizing cyber threat knowledge
Other
- TypeScript
- JavaScript
- Python

About OpenCTI
OpenCTI is a cyber threat intelligence platform for managing knowledge and observables. It structures, stores, organizes, and visualizes technical and non-technical threat information, including TTPs, observables, attribution, victimology, and source-linked context.
Everything sits on a STIX2-based knowledge schema, served through a web app with a GraphQL API. Analysts link findings to primary sources, record first and last seen dates, set confidence levels, map MITRE ATT&CK, import data, export CSV and STIX2 bundles, and infer new relationships from existing ones.
Connectors integrate it with MISP, TheHive, MITRE ATT&CK, and many other tools to ingest and push intelligence automatically. It is self-hosted and deploys via Docker, manual install, Terraform, or Helm, with the Community Edition under an Apache 2.0 license.
Key features
- STIX2-based knowledge schema for threat intelligence data
- GraphQL API and web frontend
- Links to primary sources, confidence levels, and first and last seen dates
- Imports and exports including CSV and STIX2 bundles
- Connectors for MISP, TheHive, and MITRE ATT&CK
Details
- First released: 2018
- Self-hosting: Docker · manual · Terraform · Helm
- Standards: STIX2 knowledge schema
- API: GraphQL
- Integrations: MISP · TheHive · MITRE ATT&CK
- Maintainer: Filigran
