opencti
Open Cyber Threat Intelligence Platform
An open source platform for collecting, organizing, and visualizing cyber threat intelligence, linking threat actors, malware, attack patterns, and vulnerabilities in one searchable hub using the STIX2 standard.
OpenCTI is an open source platform for managing information about cyber threats. Security teams use it to collect, organize, and visualize what they know about the threat actors, malware, attack patterns, and vulnerabilities that are relevant to their organization. The idea is to bring all of that scattered knowledge into one place where analysts can see how things connect.
The platform structures its data using STIX 2, the OASIS standard format for exchanging threat intelligence. Information imported from other tools or feeds therefore arrives in a consistent shape (objects such as threat actors, malware and attack patterns, joined by typed relationships), and information exported from OpenCTI can be read by any other STIX-compatible system. It connects with tools like MISP (a threat sharing platform) and supports the MITRE ATT&CK framework, a widely used catalog of adversary tactics and techniques. Analysts can tag their findings with ATT&CK techniques so that reports are easier to compare and search.
The web interface lets you link pieces of information together, for example connecting a particular piece of malware to a threat actor and to a set of observed attack techniques. Each link can carry a confidence level and first- and last-seen dates, and every claim can be traced back to the source document or report it came from. The platform can also infer new relationships from the ones already recorded, which surfaces connections that no single source stated explicitly; because such links are derived rather than observed, analysts should check the underlying relationships before acting on them.
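The following Python script is an added illustration of the data model the previous paragraphs describe; it is not OpenCTI or pycti code. It builds a STIX 2.1 bundle of the shape OpenCTI imports (a threat actor, a malware family, an ATT&CK-tagged attack pattern, "uses" relationships carrying confidence and first/last-seen times, and a report that anchors provenance), checks that every reference inside the bundle resolves before it is sent to an import, and derives one extra relationship with a simplified transitive rule standing in for the kind of inference the page mentions. All names, dates and confidence values are constructed for the example; the rule is not OpenCTI's own rules-engine logic.

```python
"""Build a STIX 2.1 bundle of the kind OpenCTI imports, check that every
reference in it resolves, and derive one relationship by a simple rule.

Added illustration, not OpenCTI or pycti code. Object names, dates and the
inference rule are constructed for this example."""
import json
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "2.1"
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_id(obj_type: str) -> str:
    """STIX 2.1 domain and relationship objects are identified as '<type>--<uuid4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def sdo(obj_type: str, **props) -> dict:
    """Minimal STIX object carrying the required common properties."""
    obj = {"type": obj_type, "spec_version": SPEC_VERSION, "id": stix_id(obj_type),
           "created": NOW, "modified": NOW}
    obj.update(props)
    return obj


def relationship(rel_type, source, target, confidence, start_time, stop_time):
    """STIX Relationship Object; start_time/stop_time are what a platform shows as first/last seen."""
    return sdo("relationship", relationship_type=rel_type, source_ref=source["id"],
               target_ref=target["id"], confidence=confidence,
               start_time=start_time, stop_time=stop_time)


def build_bundle() -> dict:
    actor = sdo("threat-actor", name="Example Actor (constructed)",
                threat_actor_types=["crime-syndicate"])
    malware = sdo("malware", name="ExampleLoader (constructed)", is_family=True,
                  malware_types=["downloader"])
    # ATT&CK technique IDs travel in external_references, as in MITRE's own
    # STIX data; T1566 (Phishing) is a real technique, the rest is constructed.
    phishing = sdo("attack-pattern", name="Phishing",
                   external_references=[{"source_name": "mitre-attack",
                                         "external_id": "T1566"}],
                   kill_chain_phases=[{"kill_chain_name": "mitre-attack",
                                       "phase_name": "initial-access"}])
    uses_malware = relationship("uses", actor, malware, 80,
                                "2023-11-01T00:00:00.000Z", "2024-02-15T00:00:00.000Z")
    uses_technique = relationship("uses", malware, phishing, 60,
                                  "2023-11-01T00:00:00.000Z", "2024-02-15T00:00:00.000Z")
    objects = [actor, malware, phishing, uses_malware, uses_technique]
    # The report is the provenance anchor: every object above traces back to it.
    report = sdo("report", name="Constructed campaign report", published=NOW,
                 report_types=["threat-report"], object_refs=[o["id"] for o in objects])
    objects.append(report)
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def dangling_refs(bundle: dict) -> list:
    """Return (object id, referenced id) pairs whose target is absent from the bundle.

    Importing such a bundle would create relationships that point at nothing."""
    known = {o["id"] for o in bundle["objects"]}
    bad = []
    for o in bundle["objects"]:
        refs = [o.get("source_ref"), o.get("target_ref")] + o.get("object_refs", [])
        bad += [(o["id"], r) for r in refs if r is not None and r not in known]
    return bad


def infer_uses(bundle: dict) -> list:
    """Transitive rule: A uses B and B uses C  =>  A uses C.

    A simplified stand-in for rule-based inference (not OpenCTI's engine). The
    derived link takes the lower confidence and the overlap of the two time ranges,
    and is labelled as inferred so it is never mistaken for an observed one."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    uses = [o for o in bundle["objects"] if o.get("relationship_type") == "uses"]
    existing = {(u["source_ref"], u["target_ref"]) for u in uses}
    derived = []
    for ab in uses:
        for bc in uses:
            if ab["target_ref"] == bc["source_ref"] and \
                    (ab["source_ref"], bc["target_ref"]) not in existing:
                rel = relationship("uses", by_id[ab["source_ref"]], by_id[bc["target_ref"]],
                                   min(ab["confidence"], bc["confidence"]),
                                   max(ab["start_time"], bc["start_time"]),
                                   min(ab["stop_time"], bc["stop_time"]))
                rel["description"] = f"inferred from {ab['id']} and {bc['id']}"
                derived.append(rel)
    return derived


if __name__ == "__main__":
    b = build_bundle()
    print(json.dumps(b, indent=2)[:400], "...")
    print("dangling references:", dangling_refs(b))
    for r in infer_uses(b):
        print("inferred:", r["source_ref"], "uses", r["target_ref"], "confidence", r["confidence"])
```

The reference check is the part worth keeping in any import pipeline: a bundle produced by hand or by a buggy connector can carry `source_ref`, `target_ref` or `object_refs` values that name objects the bundle does not contain, and catching that before import is cheaper than cleaning up orphaned relationships afterwards. The inference function shows why derived links deserve scrutiny: it assigns the weaker of the two confidences and records which relationships it was built from, so an analyst can trace the inferred claim back to its inputs.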
OpenCTI comes in two editions. The Community Edition is open source under the Apache 2 license. The Enterprise Edition adds extra features and is available through a paid subscription from Filigran, the company that develops OpenCTI. The Enterprise Edition can be activated directly inside the platform settings.
Installation is done via Docker, manual setup, or community-maintained Terraform and Helm configurations. A live demonstration instance is publicly available and resets nightly. The project is actively developed and accepts community contributions.
Where it fits
- Set up a central hub where your security team can store and link threat actor profiles, malware samples, and attack techniques.
- Import threat intelligence from MISP or ATT&CK-tagged reports and visualize how everything connects.
- Export structured threat data in STIX2 format to share with partner organizations or feed into other security tools.
- Use the inference engine to surface connections that are implied by recorded relationships but were never entered explicitly.