In an era of cyber threats looming large, the effectiveness of threat intelligence hinges on timely sharing with the right stakeholders. To facilitate this crucial process, the industry has developed standardized mechanisms for sharing intelligence that allow for fast, efficient, and automated data exchange: enter STIX and TAXII.
STIX and TAXII are pivotal in converting data from threat reports into actionable insights, empowering organizations to fortify their defenses. This guide delves into the transformation of unstructured threat intelligence into structured formats using STIX, while highlighting how TAXII enables seamless sharing of this valuable intelligence across various sectors.
You will learn how to start using STIX and TAXII with free, open-source tools and platforms such as txt2stix and OpenCTI, while exploring common use cases and the challenges you may encounter along the way. So, let’s dive in and bring some structure to your intelligence assessments!
Unstructured vs Structured Threat Intelligence
Cyber threat intelligence (CTI) comes in two forms.
- Unstructured intelligence: text, images, video, or presentations.
- Structured intelligence: text with metadata that gives it structure.
You will see unstructured intelligence in threat reports, email briefings, and presentations. Today, let us look at structured intelligence and how you can use it to streamline your CTI operations.
So, what is structured intelligence, and what does it look like?
Structured intelligence is regular intelligence with metadata that gives it some form of structure. This structure allows the data to be searchable and relate to other intelligence. For instance, you might have the following piece of intelligence:
“Threat actor Funky Panda is targeting the finance industry using phishing emails as an initial access vector.”
In this form, intelligence is unstructured data, something you might read in a threat report. But you can start identifying and labeling key data pieces in this intelligence to give it some structure.
“Threat actor Funky Panda is targeting the finance industry using phishing emails as an initial access vector.”
- Threat actor: Funky Panda
- Target: finance industry
- Technique: phishing emails
- Tactic: initial access
Now, you have metadata associated with your intelligence. But why is this useful?
Metadata is data that provides information about other data. It helps to describe, explain, or contextualize data, making it easier to manage, find, and use. For example, metadata could be the size of a file or a threat actor’s name.
With a single piece of intelligence like this, turning it into structured intelligence may seem pointless. However, imagine if you have hundreds, thousands, or even millions of pieces of intelligence like this. It would be impossible for a human analyst to derive any insights.
You need a way to effectively search through them, build correlations and relationships, and share this data with others. You also need to take the strain off human analysts and put it on computers, which are built for crunching masses of data.
This is why you need structured intelligence!
It allows you to analyze data en masse and ask questions like:
- What industry is a threat actor targeting?
- What is the most targeted industry?
- What tactics and techniques are common during an attack?
- And so on!

So, how does this all work in the real world?
There are various types of structured threat intelligence standards and formats that exist. Here are some of them:
- YARA: A tool for identifying and classifying malware samples based on their characteristics. It includes a standard format for creating “YARA rules” that allow you to do this.
- Sigma: A generic and open standard for writing detection rules for security monitoring systems.
- Snort: An open-source network intrusion detection and prevention system (IDPS) developed by Cisco and used for real-time traffic analysis and packet logging. You can write “Snort rules” to detect a variety of network attacks and misuse.
These all focus on technical indicators and detecting threats, and you will come across them as a CTI analyst. This data can be useful (depending on your target audience), but the structured data format you will most use in CTI is STIX.
Let’s explore it in detail!
What Is STIX?
Structured Threat Information Expression (STIX) is a standardized language designed to describe cyber threats in a structured and consistent format. It does this by mapping key components of a threat report to objects with standard definitions.
You tag attack patterns, campaigns, indicators, intrusion sets, etc., in your CTI report with STIX objects. Once you do this for all your reports, you can build a knowledge base that you can search using these STIX objects, allowing you to build correlations and find patterns in your data.
You can even share and receive STIX bundles (several related STIX objects) because everything is in a common format. In fact, this is the main purpose of STIX: to facilitate threat intelligence sharing and collaboration within the CTI community by using a standardized language for describing cyber threats.
So, what does STIX look like?
There are two main versions of STIX.
- STIX 1.x: The original version, which uses XML to tag data but has a limited number of objects.
- STIX 2.x: The current version, which uses JSON to tag data and includes an expanded range of objects for more granular reporting.
This article will examine STIX 2.1 (the latest stable version). This version includes 18 STIX Domain Objects (SDOs) to which you can map the components of your threat report.

It also includes two STIX Relationship Objects (SROs) that you can use to describe how different SDOs relate to each other.

When you map a component of your threat report to one of these objects, it will look like this:
{
  "type": "bundle",
  "id": "bundle--1736e032-a96a-41e9-8302-126677d4d781",
  "objects": [
    {
      "type": "indicator",
      "id": "indicator--71312c48-925d-44b7-b10e-c11086995358",
      "spec_version": "2.1",
      "created": "2017-02-06T09:13:07.243000Z",
      "modified": "2017-02-06T09:13:07.243000Z",
      "name": "CryptoLocker Hash",
      "description": "This file is a part of CryptoLocker",
      "pattern": "[file:hashes.'SHA-256' = '46afeb295883a5efd6639d4197eb18bcba3bff49125b810ca4b9509b9ce4dfbf']",
      "pattern_type": "stix",
      "indicator_types": ["malicious-activity"],
      "valid_from": "2017-01-01T09:00:00.000000Z"
    },
    {
      "type": "malware",
      "id": "malware--81be4588-96a8-4de2-9938-9e16130ce7e6",
      "spec_version": "2.1",
      "created": "2017-02-06T09:26:21.647000Z",
      "modified": "2017-02-06T09:26:21.647000Z",
      "name": "CryptoLocker",
      "description": "CryptoLocker is known to be malicious ransomware.",
      "malware_types": ["ransomware"]
    },
    {
      "type": "relationship",
      "id": "relationship--a19fac85-f6f5-47f3-aacd-4bfb54557852",
      "spec_version": "2.1",
      "created": "2017-02-06T09:30:51.987000Z",
      "modified": "2017-02-06T09:30:51.987000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--71312c48-925d-44b7-b10e-c11086995358",
      "target_ref": "malware--81be4588-96a8-4de2-9938-9e16130ce7e6"
    }
  ]
}
This is a STIX bundle in JSON format that contains related STIX objects. It has two SDOs: an indicator object with a SHA-256 file hash and a malware object describing CryptoLocker ransomware. It also has an SRO that describes the relationship between the indicator object and the malware object.
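To tie the bundle above back to the "Funky Panda" sentence from earlier, here is an added example (not code from the article) that encodes that sentence as a STIX 2.1 bundle of SDOs and SROs, performs the basic validation an ingest pipeline needs before trusting objects from another source, and then answers "what industry does this actor target?" by walking the relationships. All object IDs and timestamps are constructed.

```python
import json

COMMON_REQUIRED = ("type", "id", "spec_version", "created", "modified")
ACTOR = "threat-actor--11111111-1111-4111-8111-111111111111"
SECTOR = "identity--22222222-2222-4222-8222-222222222222"
PHISHING = "attack-pattern--33333333-3333-4333-8333-333333333333"


def _obj(stix_id, **props):
    """Build a minimal STIX 2.1 object with the common required properties."""
    return {"type": stix_id.split("--")[0], "spec_version": "2.1", "id": stix_id,
            "created": "2024-01-01T00:00:00.000Z",
            "modified": "2024-01-01T00:00:00.000Z", **props}


# Constructed bundle (made-up IDs) for the article's sentence: "Funky Panda is
# targeting the finance industry using phishing emails as an initial access vector."
FUNKY_PANDA_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0f1e2d3c-4b5a-4697-8877-665544332211",
    "objects": [
        _obj(ACTOR, name="Funky Panda"),
        _obj(SECTOR, name="Finance industry", identity_class="class",
             sectors=["financial-services"]),
        _obj(PHISHING, name="Phishing", kill_chain_phases=[
            {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]),
        _obj("relationship--44444444-4444-4444-8444-444444444444",
             relationship_type="targets", source_ref=ACTOR, target_ref=SECTOR),
        _obj("relationship--55555555-5555-4555-8555-555555555555",
             relationship_type="uses", source_ref=ACTOR, target_ref=PHISHING),
    ],
})


def load_bundle(text):
    """Parse a bundle into {id: object}, rejecting objects that are not STIX 2.1
    or that lack the common required properties (a basic ingest check)."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objects = {}
    for obj in bundle.get("objects", []):
        missing = [p for p in COMMON_REQUIRED if p not in obj]
        if missing:
            raise ValueError(f"{obj.get('id', '?')} is missing {missing}")
        if obj["spec_version"] != "2.1":
            raise ValueError(f"{obj['id']} is STIX {obj['spec_version']}, expected 2.1")
        objects[obj["id"]] = obj
    return objects


def related(objects, source_id, relationship_type):
    """Follow SROs of one type out of source_id and return the target objects' names."""
    return sorted(objects[r["target_ref"]]["name"] for r in objects.values()
                  if r["type"] == "relationship" and r["source_ref"] == source_id
                  and r["relationship_type"] == relationship_type
                  and r["target_ref"] in objects)
```

`related(load_bundle(FUNKY_PANDA_BUNDLE), ACTOR, "targets")` returns `['Finance industry']`; swapping in `"uses"` returns `['Phishing']`, the same questions a knowledge base of thousands of such bundles can answer at scale.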
That’s great. You can map your threat report to STIX objects and then share it with others to enhance your analysis, using machines to crunch your data and spot patterns. But how do you share your STIX-based CTI?
This is where TAXII comes in.
What Is TAXII?
Trusted Automated eXchange of Indicator Information (TAXII) is the protocol used to share CTI between organizations. It works alongside STIX to facilitate the exchange of threat data by providing a set of services and message exchanges that allow organizations to send, receive, and manage CTI.
TAXII organizes the sharing process into several components:
- Services: TAXII defines various services to facilitate the exchange of information.
- Messages: The protocol defines specific message formats for different types of data exchanges.
- TAXII Server: Stores and distributes STIX threat intelligence.
- TAXII Client: Requests STIX data from, or submits it to, a TAXII server.
What does this look like in reality?
There are two primary services you can use with TAXII that support a variety of common sharing models (like polling, pushing, or subscribing):
- Collections: Repositories of STIX objects that can be requested by a consumer (e.g., a TAXII client makes a request to a TAXII server for a collection).
- Channels: A TAXII server pushes data to many consumers through a channel that TAXII clients subscribe to.

You can organize the data in collections and channels to meet user requirements. For instance, you might group STIX objects in a collection based on a particular trust group or restrict access to a particular channel that requires authentication. All data transfer is then performed over HTTPS through API requests.
These design principles aim to minimize the operational changes required for adoption and allow organizations to integrate existing CTI sharing agreements with the protocol easily. They also support a wide range of threat-sharing models, including hub-and-spoke, peer-to-peer, and source-subscriber.
Getting Started with STIX/TAXII
STIX and TAXII provide a comprehensive framework for threat intelligence sharing, enabling organizations to respond more effectively to cyber threats by leveraging shared knowledge and improving their situational awareness.
STIX defines the “what” by providing a data structure to organize threat data in a standardized format. TAXII defines the “how” with a protocol that empowers organizations to send, receive, and manage CTI.
You can get started using STIX and TAXII using open-source tools:
- You can set up your own TAXII server using the excellent cti-taxii-server project from OASIS Open. This lets you easily spin up a minimal implementation of a TAXII 2.1 Server in Python.
- Next, you can add data to this server by extracting it from threat reports with the txt2stix tool or downloading STIX 2.1 bundles directly from an open-source threat exchange like AlienVault OTX.
- Finally, using its API, you can pull or push STIX threat data from your TAXII server. You could even automatically pull this data into your Threat Intelligence Platform (TIP) or Security Information and Event Management (SIEM) solution using built-in tools or an automation platform like Zapier.
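The "pull" step of the procedure above, as an added example that is not part of the article or of the cti-taxii-server project: a minimal TAXII 2.1 client that requests a collection's objects with the TAXII media type, follows the envelope's `more`/`next` paging, and keeps the `X-TAXII-Date-Added-Last` bookmark so the next poll only asks for what is new. The server responses are constructed stand-ins so it runs offline; `http_get` is the fetcher you would use against a real API root.

```python
import json
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlparse

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


def http_get(url, headers):
    """Default fetcher: GET url and return (parsed JSON body, response headers)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read()), dict(resp.headers)


def pull_collection(api_root, collection_id, added_after=None, fetch=http_get, limit=100):
    """Pull all STIX objects added to a TAXII 2.1 collection since `added_after`,
    following the envelope's `more`/`next` paging. Returns (objects, bookmark), where
    bookmark is the X-TAXII-Date-Added-Last header to store and pass back as
    added_after on the next run, so each poll only fetches what is new."""
    headers = {"Accept": TAXII_MEDIA_TYPE}
    base = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    objects, bookmark, next_token = [], added_after, None
    while True:
        params = {"limit": limit}
        if added_after:
            params["added_after"] = added_after
        if next_token:
            params["next"] = next_token
        envelope, resp_headers = fetch(f"{base}?{urlencode(params)}", headers)
        objects.extend(envelope.get("objects", []))
        bookmark = resp_headers.get("X-TAXII-Date-Added-Last", bookmark)
        if not envelope.get("more"):
            return objects, bookmark
        next_token = envelope["next"]


# Constructed stand-in for a server's two-page response; object IDs are made up.
FAKE_PAGES = {
    None: ({"more": True, "next": "p2", "objects": [
                {"type": "indicator", "spec_version": "2.1",
                 "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001"}]},
           {"X-TAXII-Date-Added-Last": "2024-05-01T10:00:00.000Z"}),
    "p2": ({"more": False, "objects": [
                {"type": "malware", "spec_version": "2.1",
                 "id": "malware--bbbbbbbb-0000-4000-8000-000000000002"}]},
           {"X-TAXII-Date-Added-Last": "2024-05-01T10:05:00.000Z"}),
}


def fake_fetch(url, headers):
    """Offline fetcher: insists on the TAXII 2.1 media type, serves pages by `next`."""
    if headers.get("Accept") != TAXII_MEDIA_TYPE:
        raise ValueError("server requires Accept: " + TAXII_MEDIA_TYPE)
    params = dict(parse_qsl(urlparse(url).query))
    return FAKE_PAGES.get(params.get("next"))
```

Against a real server, credentials go into the `headers` dict (for example an `Authorization` header) and the returned bookmark is persisted between runs.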
If this sounds daunting, don’t worry. You could leverage the power of open-source TIPs like MISP or OpenCTI to take advantage of their built-in STIX/TAXII capabilities (saving you from setting up your own infrastructure).
For example, OpenCTI allows you to import STIX 2.1 bundles into the platform manually, automatically ingest this data through a connector (e.g., the AlienVault OTX connector), or subscribe to a TAXII feed. The platform even lets you share your threat data by creating your own TAXII collection.
With this in mind, here are some common use cases you can use STIX/TAXII for.
Threat Intelligence Sharing
Governments, Industry Sharing and Analysis Centers (ISACs), and businesses exchange cyber threat data daily using TAXII feeds. They share indicators of compromise (IOCs) and MITRE ATT&CK tactics and techniques used by threat actors for threat hunting, incident response, and threat detection.
Cyber threat intelligence providers also use TAXII feeds to distribute the latest STIX-based CTI to their customers in real-time. These include providers like CrowdStrike Falcon Intelligence, FBI InfraGard, and Anomali ThreatStream.
Threat Enrichment
STIX/TAXII is used by SIEM and Security Orchestration, Automation and Response (SOAR) platforms to correlate threat data and use it to enrich cyber incidents. This allows Security Operations Center (SOC) analysts to quickly triage and investigate potential threats without having to perform manual research on every piece of data.
Platforms like Splunk, IBM QRadar, and Elastic Security fetch IOCs and threat data from TAXII feeds, cross-check it against existing log data and use it as context for security incidents.
Automated Threat Detection
Often, manual threat detection is too slow. Having an analyst manually add detections to a security product is time-consuming and inefficient. Instead, STIX/TAXII allows cyber security providers to share detections with their customers and have them automatically add them to their products via a TAXII feed.
These detections could be IOCs, Sigma, YARA, or Snort rules and could be for Intrusion Detection/Prevention Systems (IDS/IPS), Endpoint Detection & Response (EDR), or SIEM solutions. Suricata IDS automatically pulls TAXII feeds to detect threats in network traffic using IOCs and Snort rules.
Should You Use STIX/TAXII?
Now that you understand what STIX and TAXII are (and how they relate), you might think you should stop what you are doing and start using them today. But hold on! Before you dive in, it’s essential to consider whether your organization (and its use cases) align with the sharing mechanics that these two standards offer.
STIX/TAXII provides the following benefits:
- Enhanced situational awareness.
- Streamlined incident response and mitigation.
- Strengthened collaboration within the cyber security community.
- Automation capabilities to lessen manual workloads.
These benefits sound impressive. However, applying STIX/TAXII in reality can be challenging. Let’s explore some of the obstacles you might encounter and potential solutions to address them.
Adoption Barriers
There is a level of technical complexity associated with STIX/TAXII.
- You must learn how to integrate it with existing security tools (if it can be integrated).
- You need to find somewhere to store the large volumes of STIX objects you will generate on your TAXII server.
- You even need to build processes to validate and verify the STIX data you are ingesting and sharing, as different organizations might use custom STIX objects or older versions.
Overcoming these adoption barriers requires thorough planning of how and why STIX/TAXII will be used at your organization and thoughtful designing of your CTI processes.
Consider if your current security tools support STIX/TAXII, the required resources for running a TAXII server, and technology that can ease your adoption, like STIX validators, connectors, and other tools.
Employee Training
STIX is not just a technical challenge to implement. You also need to ensure your people and processes can use it. You must train analysts on how to use STIX and team leads (or engineers) on how to manage a TAXII server.
Training options exist on how to use STIX and build a TAXII server. However, adopting a platform or tool that does the hard work for you is often easier. Try using open-source platforms like OpenCTI to see how STIX/TAXII can be used with your existing security products and tools like txt2stix to convert threat reports to STIX objects easily.
Privacy and Data Protection
Before adopting STIX/TAXII at your organization, you must consider legal and compliance issues. STIX/TAXII allows your team to automate information sharing, which is great from an operational perspective, but sharing across borders or industries may have legal ramifications.
You must carefully consider the threat intelligence you are sharing by asking questions like:
- Do you have a sharing agreement in place with the organization with which you share your intelligence?
- Are there legal contracts in place? (e.g. NDAs)
- Do you share potentially sensitive information? (e.g. secret or proprietary)
- Are you sharing personal information? (e.g. GDPR)
- Is it possible to anonymize sensitive information?
- Is the data you share protected in transit and at rest?
Overcoming these challenges is not easy. But if you want to improve the efficiency of your CTI team and processes, adopting STIX/TAXII is a must!
Conclusion
STIX and TAXII are fundamental to structuring and sharing cyber threat intelligence with the wider community. They allow you to turn threat reports into machine-readable data structures that can be analyzed for correlations, automatically shared across businesses, and ingested by security tools for threat detection.
This guide explored how you can get started using these standards today with free, open-source tools, like cti-taxii-server and txt2stix, and platforms like OpenCTI and AlienVault OTX. You also saw some of the challenges of adopting STIX/TAXII, along with possible solutions to overcome them.
I highly recommend diving into the STIX 2.1 standard and exploring how you can map your threat intelligence reports to it, share these STIX bundles with other analysts, and ingest this data into your security tools!
Frequently Asked Questions
What is STIX and TAXII?
STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated Exchange of Intelligence Information) are two key standards for sharing cyber threat intelligence. STIX defines the “what” by providing a data structure to organize threat data in a standardized format. TAXII defines the “how” with a protocol that empowers organizations to send, receive, and manage CTI.
Who Created STIX/TAXII?
STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated Exchange of Intelligence Information) were initially developed by the MITRE Corporation in 2012 in collaboration with the U.S. Department of Homeland Security (DHS). They aimed to improve cyber threat intelligence (CTI) sharing between the government and private sector.
In 2017, the OASIS Cyber Threat Intelligence (CTI) Technical Committee took over the management of STIX/TAXII. They released the latest version of the standards (2.1) in 2020.
What Does STIX Stand For?
STIX stands for Structured Threat Information eXpression. It is a standardized language designed to describe cyber threats in a structured and consistent format. It does this by mapping key components of a threat report to objects with standard definitions. The standard is used across cyber security to share cyber threat intelligence efficiently.
What is a TAXII Server?
A TAXII Server (Trusted Automated Exchange of Intelligence Information Server) is a system that stores, manages, and distributes cyber threat intelligence (CTI) in STIX format over a network using the TAXII protocol.
It supports two primary services for sharing threat intelligence. (1) Collections where a TAXII client (consumer) makes a request, and the TAXII server responds with STIX objects. (2) Channels where the TAXII server pushes data to many consumers through a channel that TAXII clients subscribe to.