OpenCTI: Open-Source Cyber Threat Intelligence Platform

Wiz Experts Team

TL;DR, What is OpenCTI?

OpenCTI (Community Edition) is an open-source cyber threat intelligence platform that transforms fragmented security data into actionable defense strategies.

Security teams today face the overwhelming challenge of managing disparate intelligence feeds, indicators of compromise, and threat data scattered across multiple systems and formats. OpenCTI addresses this critical pain point by providing a unified knowledge management platform that ingests threat intelligence from diverse sources and structures data according to STIX2 standards.

The platform enables security analysts to correlate indicators across incidents, track threat actor campaigns, and understand attacker tactics, techniques, and procedures through intuitive visualizations and automated workflows. By centralizing threat intelligence operations, OpenCTI eliminates data silos and transforms raw threat data into actionable insights for proactive defense.

Developed by Filigran, OpenCTI has emerged as a leading solution for organizations seeking to operationalize their cyber threat intelligence capabilities and enhance collaborative threat hunting efforts.


At‑a‑Glance

  • GitHub: https://github.com/OpenCTI-Platform/opencti

  • License: Apache‑2.0

  • Primary Language: TypeScript

  • Stars: 7.7k ⭐

  • Last Release: August 2025

  • Topics/Tags: threat‑intelligence, stix2, knowledge‑graph, graphql, cybersecurity

Common use cases

1. Centralized Threat Intelligence Management and Consolidation: Organizations can deploy OpenCTI as their primary cyber threat intelligence platform to consolidate threat data from multiple commercial feeds, open-source intelligence sources, government advisories, and internal security research into a unified knowledge base. This centralization enables you to understand the threat landscape, eliminates information silos between security teams, supports strategic security planning and investment decisions, and provides a single source of truth for threat intelligence across your organization. The platform's STIX2 compliance ensures standardized data representation and facilitates information sharing with industry partners and government entities.

2. Automated Detection Engineering and IOC Management: Security operations teams use OpenCTI as the system of record for indicators of compromise and push them into SIEMs, EDRs, network controls and custom detection systems through the platform's sharing channels (live streams, TAXII collections and CSV feeds) and through stream connectors for tools such as Splunk and Elastic Security. Indicators carry their validity window, revocation status, confidence and TLP marking, so downstream blocklists can expire and retract entries automatically instead of accumulating stale data. Detection rules themselves are still authored in the detection tooling, but their indicator lists and the context behind them come from the platform, which reduces manual indicator handling and keeps coverage current as threats change.

3. Enhanced Incident Response and Digital Forensics: During security incidents, response teams utilize OpenCTI to correlate observed indicators with the threat intelligence knowledge base, enabling rapid threat actor attribution, campaign identification, and recommended mitigation strategies based on historical attack patterns. The platform's case management capabilities centralize incident artifacts, analysis notes, and intelligence findings, while timeline visualization helps you reconstruct attack sequences and identify persistence mechanisms, ultimately accelerating incident containment and recovery efforts.

4. Proactive Threat Hunting and Campaign Tracking: Threat hunters employ OpenCTI as their primary threat-hunting platform to develop hunt hypotheses based on trending threat actor behaviors, track adversary infrastructure evolution over time, and identify potential threats before they impact organizational assets. The platform's knowledge graph capabilities reveal hidden connections between seemingly unrelated indicators, while advanced filtering and search functions enable hunters to craft precise queries for identifying targeted threats relevant to their specific industry vertical or geographic region.

5. Strategic Threat Assessment and Executive Reporting: Intelligence analysts and security leadership utilize OpenCTI to create threat assessments, executive briefings, and strategic security reports by analyzing long-term threat actor capabilities, targeting patterns, and campaign evolution trends. The platform's visualization tools support the creation of professional intelligence products for board presentations, regulatory compliance reporting, and information sharing with industry peers, and collaborative features enable distributed intelligence teams to contribute to collective threat understanding and organizational risk management decisions.

How does OpenCTI work?

OpenCTI operates as a comprehensive threat intelligence platform built on a microservices architecture centered around a knowledge graph. The system ingests threat data from multiple external sources through specialized connectors, converts the data to the standardized STIX2 format, and processes the data through an asynchronous workflow that enriches and stores the intelligence for analysis and sharing.

  • Data ingestion pipeline: External-import connectors (Python processes built on the pycti client library) pull threat intelligence from sources such as MITRE ATT&CK, MISP, CVE feeds and commercial feeds, emit STIX 2.1 bundles and publish them to a RabbitMQ queue.

  • Asynchronous processing: Python workers consume the queued bundles and submit them to the platform API, which validates each object, resolves or creates the relationships in the knowledge graph and writes the result to ElasticSearch/OpenSearch. Because ingestion is asynchronous, a burst from a large feed is absorbed by the queue rather than by the API.

  • GraphQL API layer: A Node.js API server is the single entry point for every read and write, used by the web front end, the workers and external automation alike; it supports complex queries, mutations and subscriptions, with access controlled per user and per API token.

  • Knowledge graph: The central data repository structures threat intelligence as interconnected entities and relationships, so a query can walk from an indicator to the malware it indicates, the intrusion set that uses that malware and the sectors that intrusion set targets.

  • Supporting services and scaling: Redis backs the event stream and caching, MinIO (or any S3-compatible object store) holds uploaded files and exports, and the platform scales horizontally with a clustered ElasticSearch/OpenSearch, several API instances and as many workers as the queue depth requires.
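To make the ingestion step concrete, the following is an added example (not OpenCTI's or pycti's own code) of what an external-import connector produces: a STIX 2.1 bundle with an author identity, a malware family, an indicator and the relationship between them, plus the sanity checks a connector author should run before publishing. It uses only the standard library; real connectors use the stix2 and pycti libraries, which provide the same deterministic-id helpers (pycti's generate_id) and fuller validation. The namespace UUID is assumed to match pycti's, and the feed content is constructed, not real threat data.

```python
"""Build and sanity-check a STIX 2.1 bundle the way an OpenCTI external-import
connector does before sending it to the worker queue.

Added example, not OpenCTI's or pycti's own code. Standard library only; real
connectors use the stix2 and pycti libraries. The namespace UUID is assumed to
match pycti's; the feed content below is constructed."""
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

OPENCTI_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")  # assumption: pycti's namespace
STIX_SPEC = "2.1"
ISO = "%Y-%m-%dT%H:%M:%S.000Z"
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Only the single-comparison patterns this feed emits; compound patterns are rejected.
PATTERN_RE = re.compile(r"^\[[a-z0-9-]+:[A-Za-z0-9_.]+ = '(?:[^'\\]|\\.)*'\]$")
SAMPLE_TIME = datetime(2025, 8, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp


def stix_id(stix_type, *key):
    """Deterministic id (uuid5 of the natural key): re-ingesting the same
    indicator updates the existing entity instead of creating a duplicate."""
    return f"{stix_type}--{uuid.uuid5(OPENCTI_NAMESPACE, '|'.join(key))}"


def iso(ts):
    return ts.astimezone(timezone.utc).strftime(ISO)


def _sdo(stix_type, ts, **fields):
    base = {"type": stix_type, "spec_version": STIX_SPEC, "created": iso(ts), "modified": iso(ts)}
    base.update(fields)
    return base


def make_identity(name, ts):
    return _sdo("identity", ts, id=stix_id("identity", "identity", name),
                name=name, identity_class="organization")


def make_malware(name, ts, author_id):
    # is_family is mandatory on malware objects in STIX 2.1
    return _sdo("malware", ts, id=stix_id("malware", "malware", name), name=name,
                is_family=True, created_by_ref=author_id)


def make_indicator(observable_type, value, ts, author_id, days_valid=30, labels=()):
    # Escape the value: a quote in feed data must not break out of the pattern string.
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    pattern = f"[{observable_type}:value = '{escaped}']"
    return _sdo("indicator", ts, id=stix_id("indicator", "indicator", pattern), name=value,
                pattern_type="stix", pattern=pattern, valid_from=iso(ts),
                valid_until=iso(ts + timedelta(days=days_valid)), labels=list(labels),
                created_by_ref=author_id)


def make_relationship(rel_type, source, target, ts, author_id):
    return _sdo("relationship", ts,
                id=stix_id("relationship", rel_type, source["id"], target["id"]),
                relationship_type=rel_type, source_ref=source["id"], target_ref=target["id"],
                created_by_ref=author_id)


def build_bundle(objects):
    # STIX 2.1 bundles carry no spec_version of their own; the objects do.
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle is safe to publish."""
    problems = []
    ids = {o.get("id") for o in bundle.get("objects", [])}
    for o in bundle.get("objects", []):
        oid = o.get("id", "<no id>")
        if not ID_RE.match(oid):
            problems.append(f"{oid}: malformed id")
        if o.get("spec_version") != STIX_SPEC:
            problems.append(f"{oid}: spec_version must be {STIX_SPEC}")
        for field in ("created", "modified"):
            if field not in o:
                problems.append(f"{oid}: missing {field}")
        if o.get("type") == "indicator":
            if o.get("pattern_type") != "stix" or not PATTERN_RE.match(o.get("pattern", "")):
                problems.append(f"{oid}: unsupported or malformed pattern")
            if "valid_until" in o and o["valid_until"] <= o.get("valid_from", ""):
                problems.append(f"{oid}: valid_until is not after valid_from")
        elif o.get("type") == "malware" and not isinstance(o.get("is_family"), bool):
            problems.append(f"{oid}: malware.is_family must be a boolean")
        elif o.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:  # dangling refs are rejected at ingestion
                    problems.append(f"{oid}: {ref} {o.get(ref)} not in bundle")
    return problems


def example_bundle():
    """Constructed sample feed entry: one C2 address tied to one malware family."""
    author = make_identity("Example Feed", SAMPLE_TIME)
    malware = make_malware("ExampleLoader", SAMPLE_TIME, author["id"])
    indicator = make_indicator("ipv4-addr", "198.51.100.7", SAMPLE_TIME, author["id"], labels=["c2"])
    rel = make_relationship("indicates", indicator, malware, SAMPLE_TIME, author["id"])
    return build_bundle([author, malware, indicator, rel])


if __name__ == "__main__":
    bundle = example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

Two points the checks enforce are the ones that bite in production: deterministic ids keep a feed that re-publishes the same indicator every hour from creating a new entity each time, and the referential check catches a relationship whose endpoints were never added to the bundle, which the platform would otherwise reject after the bundle had already been queued.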


Core capabilities

1. STIX2-compliant knowledge graph architecture: OpenCTI's foundation is a knowledge graph that organizes threat intelligence according to STIX 2.1, the industry-standard data format for cyber threat intelligence. Threat actors, intrusion sets, campaigns, attack patterns, malware, indicators, observables, vulnerabilities and victims are stored as STIX domain and observable objects, and the links between them as STIX relationships, each with its own markings, confidence and provenance.

The knowledge graph supports advanced correlation analysis, allowing analysts to discover previously unknown connections between seemingly unrelated threats, track threat actor evolution over time, and understand campaign relationships across different attack vectors. STIX2 data format compliance ensures interoperability with other threat intelligence platforms and standardized data exchange across organizations, making OpenCTI a central hub for structured threat intelligence management.

2. Comprehensive connector ecosystem: The platform ships well over a hundred connectors (maintained in the separate OpenCTI-Platform/connectors repository) that integrate external intelligence sources, enrichment services and security tools. They fall into five types: external import connectors that ingest from sources such as the MITRE datasets, MISP instances and CVE feeds; internal enrichment connectors that enrich existing entities through services such as Shodan or DomainTools; internal import-file connectors that parse uploaded files (STIX 2.1, CSV, PDF and similar); internal export-file connectors that produce reports and bundles; and stream connectors that consume the platform's live streams to push indicators into tools such as Splunk and Elastic Security. Because every connector is a small Python program that talks to the GraphQL API, writing one for a proprietary system follows the same pattern as the published ones.

This extensive ecosystem ensures comprehensive threat intelligence coverage and enables seamless integration with existing security infrastructure, supporting both pull-based data collection and push-based threat intelligence sharing across organizational boundaries.

3. Advanced visualization and analytics engine: OpenCTI transforms complex threat data into intuitive graphical representations that accelerate threat analysis workflows. The platform includes interactive knowledge graph visualizations that reveal hidden connections between entities, custom dashboards with configurable widgets for real-time threat tracking, timeline analysis tools for understanding campaign evolution, and geospatial mapping capabilities for threat attribution and targeting pattern analysis.

Advanced filtering and search let analysts slice data across multiple dimensions, and a rules-based inference engine derives inferred relationships from the explicit ones (surfacing links an analyst never entered by hand). OpenCTI's visualization tools support both tactical analysis of immediate threats and strategic assessment of the longer-term threat landscape.

4. Integrated case management and incident response: The platform provides comprehensive case management capabilities that centralize incident-related data and foster real-time collaboration among distributed security teams. Cases can aggregate threat intelligence, indicators of compromise, digital artifacts, and analysis notes within structured workflows that support standardized incident response procedures. Integration with the broader threat intelligence knowledge base enables context-aware incident response, where historical threat actor tactics, techniques, and procedures (TTPs) and related campaigns inform containment and remediation strategies.

Automated workflows and notification systems ensure proper team coordination, evidence preservation, and compliance with organizational incident response procedures, all while maintaining audit trails for post-incident analysis and process improvement.

5. Real-time data streaming and feed generation: OpenCTI shares intelligence outward through three channels: live streams (server-sent events, each stream defined by a filter so that a consumer receives only matching create, update and delete events), TAXII 2.1 collections for standards-based pull, and CSV feeds for tools that take flat lists. Stream connectors and external systems such as SIEMs, EDRs and firewalls consume these to keep their indicator sets current, and because the stream carries updates and deletions as well as creations, downstream blocklists can retract revoked or expired indicators rather than only growing. Each stream or feed can have its own filter and marking (TLP) restriction, so an organization can publish a narrow, low-sensitivity feed to a partner while feeding its full dataset to internal detection.
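The detection-engineering use case above (automated IOC management) and this streaming capability come together in a stream consumer. The following is an added example, not OpenCTI's own code or one of its stream connectors: it parses server-sent events as a live stream delivers them and maintains an observable blocklist, handling the cases that matter in production (revoked indicators, indicators past their validity window, deletions, and patterns it cannot translate). The assumptions, labelled in the code, are that the stream is read from GET /stream/<stream-id> with a bearer token, that each event's data is JSON with the STIX object under "data", and that event ids can be replayed through a Last-Event-ID header; confirm both against your own instance. Only single-comparison patterns are translated, and the events below are constructed.

```python
"""Consume OpenCTI live-stream events (server-sent events) and maintain an
observable blocklist from the indicators they carry.

Added example, not OpenCTI's own code. Assumptions: events come from
GET /stream/<stream-id> (Authorization: Bearer <token>), named create/update/
delete, with the STIX object under the "data" key of the JSON payload, and the
event id can be resent as Last-Event-ID on reconnect. Sample events are constructed."""
import json
import re
from datetime import datetime, timezone

# Only single-comparison patterns are translated; compound patterns are skipped.
SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):value = '((?:[^'\\]|\\.)*)'\]$")
TS = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_sse(text):
    """Yield (event_id, event_name, data) per SSE block; comments/heartbeats are skipped."""
    for block in text.strip().split("\n\n"):
        ev = {"id": None, "event": "message", "data": []}
        for line in block.split("\n"):
            if not line or line.startswith(":"):
                continue
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "data":
                ev["data"].append(value)
            elif field in ("id", "event"):
                ev[field] = value
        if ev["data"]:
            yield ev["id"], ev["event"], "\n".join(ev["data"])


def observable_from(indicator):
    """(observable type, value) for a simple STIX pattern, else None."""
    m = SIMPLE_PATTERN.match(indicator.get("pattern", ""))
    if indicator.get("pattern_type") != "stix" or not m:
        return None
    return m.group(1), m.group(2).replace("\\'", "'").replace("\\\\", "\\")


def is_active(indicator, now):
    """False if revoked, not yet valid, or past valid_until."""
    if indicator.get("revoked"):
        return False
    frm, until = indicator.get("valid_from"), indicator.get("valid_until")
    parse = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
    if frm and parse(frm) > now:
        return False
    if until and parse(until) <= now:
        return False
    return True


def new_state():
    return {"tracked": {}, "last_id": None}  # tracked: indicator id -> (type, value)


def apply_events(state, sse_text, now):
    for event_id, name, data in parse_sse(sse_text):
        state["last_id"] = event_id           # resend as Last-Event-ID on reconnect
        obj = json.loads(data).get("data", {})
        if obj.get("type") != "indicator":
            continue
        state["tracked"].pop(obj["id"], None)   # delete, or update replacing old value
        if name in ("create", "update"):
            obs = observable_from(obj)
            if obs and is_active(obj, now):
                state["tracked"][obj["id"]] = obs
    return state


def blocklist(state):
    """Current blocklist grouped by observable type."""
    out = {}
    for typ, val in state["tracked"].values():
        out.setdefault(typ, set()).add(val)
    return out


# --- constructed sample stream (ids and indicators are not real) ---
def _ind(n, pattern, until="2025-12-01T00:00:00.000Z", revoked=False):
    return {"type": "indicator", "id": f"indicator--{n}", "pattern_type": "stix",
            "pattern": pattern, "valid_from": "2025-08-01T00:00:00.000Z",
            "valid_until": until, "revoked": revoked}


def _ev(seq, name, obj):
    payload = {"data": obj, "message": f"{name} {obj['id']}"}
    return f"id: 1723000000000-{seq}\nevent: {name}\ndata: {json.dumps(payload)}\n\n"


SAMPLE_STREAM = "".join([
    _ev(0, "create", _ind("a", "[ipv4-addr:value = '198.51.100.7']")),
    _ev(1, "create", _ind("b", "[domain-name:value = 'c2.example']")),
    _ev(2, "create", _ind("c", "[file:hashes.'SHA-256' = 'ab'] AND [ipv4-addr:value = '1.2.3.4']")),
    _ev(3, "create", _ind("d", "[url:value = 'http://old.example/x']", until="2025-01-01T00:00:00.000Z")),
    ": heartbeat\n\n",
    _ev(4, "update", _ind("b", "[domain-name:value = 'c2.example']", revoked=True)),
    _ev(5, "create", _ind("e", "[ipv4-addr:value = '203.0.113.9']")),
    _ev(6, "create", _ind("g", "[url:value = 'http://drop.example/p']")),
    _ev(7, "delete", _ind("a", "[ipv4-addr:value = '198.51.100.7']")),
    _ev(8, "create", {"type": "malware", "id": "malware--f", "name": "ExampleLoader"}),
])
NOW = datetime(2025, 8, 15, tzinfo=timezone.utc)


def run_sample():
    return apply_events(new_state(), SAMPLE_STREAM, NOW)


if __name__ == "__main__":
    state = run_sample()
    print(blocklist(state), state["last_id"])
```

Walking the sample: the compound pattern (c) and the expired indicator (d) never enter the blocklist, the revocation update removes c2.example, the delete removes 198.51.100.7, and the malware event only advances the resume cursor. A real consumer would wrap apply_events around a long-lived HTTP response with Last-Event-ID set from state["last_id"], and would re-run is_active periodically, since an indicator that was valid when it arrived still expires later.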

Limitations

1. Complex installation and configuration requirements: OpenCTI installation requires significant technical expertise and infrastructure planning, involving multiple components including databases, message queues, and web services that must be properly configured and maintained. The platform requires substantial computational resources and careful capacity planning to handle large-scale threat intelligence datasets effectively.

2. Steep learning curve for non-technical users: The platform's sophisticated features and STIX2 data model complexity can be overwhelming for users without technical backgrounds or experience with graph-based threat intelligence platforms. Users need extensive training to effectively utilize advanced visualization tools and correlation capabilities.

3. Resource-intensive knowledge graph processing: Large-scale knowledge graphs with millions of entities and relationships can impact system performance, requiring significant memory and processing power for complex queries and visualizations. Organizations may need to implement performance optimization strategies and hardware scaling to maintain acceptable response times.

4. Dependency on external connector reliability: The platform's effectiveness heavily relies on the stability and accuracy of the connector ecosystem, which may experience outages, API changes, or data quality issues from third-party sources. Connector maintenance and troubleshooting require ongoing technical attention and may impact threat intelligence feeds’ continuity.

5. Limited built-in threat intelligence analytics: OpenCTI excels at data aggregation, correlation and visualization, but advanced analytics such as machine learning–based threat prediction, automated threat scoring or behavioral analysis require additional tools or custom development on top of its API, whereas some specialized threat-hunting platforms provide them natively.

Pro tip

Managing threat intelligence with OpenCTI? You can bridge the gap between threat data and cloud reality with Wiz. While OpenCTI organizes and visualizes cyber threats brilliantly, Wiz shows you which of those threats actually apply to your specific cloud environment—connecting IOCs to your running workloads, sensitive data, and potential attack paths.


Getting Started

Step 1: Clone the OpenCTI Docker repository

git clone https://github.com/OpenCTI-Platform/docker.git
cd docker

Step 2: Create your .env file

cp .env.sample .env

Edit .env and set at least OPENCTI_ADMIN_EMAIL, OPENCTI_ADMIN_PASSWORD and OPENCTI_ADMIN_TOKEN (the token must be a UUIDv4), and replace every other ChangeMe-style placeholder (MinIO, RabbitMQ and the connector ids) with real values; the stack will not start, or will start with default credentials, otherwise. On Linux, ElasticSearch also needs the kernel setting vm.max_map_count raised to at least 1048575 (sysctl -w vm.max_map_count=1048575).

Step 3: Run with Docker Compose

docker compose up -d

Older installs with the standalone binary use docker-compose -f docker-compose.yml up -d instead.

Step 4: Access the OpenCTI web interface

Open your browser and go to: http://localhost:8080 (the value of OPENCTI_BASE_URL). The first start takes a few minutes while ElasticSearch initialises and the platform creates its indices.

Step 5: Log in and add connectors

Log in with the OPENCTI_ADMIN_EMAIL and OPENCTI_ADMIN_PASSWORD you set in .env; there is no interactive account-creation prompt. Then add connectors to docker-compose.yml (or a separate compose file) to start populating the knowledge base.
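Because the compose stack reads its secrets from .env and silently runs with placeholders if they are left in place, a pre-flight check on that file before the first docker compose up is worth having. The following is an added example, not part of the OpenCTI docker repository: it parses a .env file, checks the admin variables named in the repository's .env.sample (OPENCTI_ADMIN_EMAIL, OPENCTI_ADMIN_PASSWORD, OPENCTI_ADMIN_TOKEN, OPENCTI_BASE_URL; consult .env.sample for the full list), enforces the UUIDv4 rule on the token, and optionally compares the host's vm.max_map_count with the ElasticSearch requirement. The placeholder list, the 12-character password floor and the https rule are this example's own choices, and the sample files are constructed.

```python
"""Pre-flight check for the .env used by the OpenCTI docker-compose stack.

Added example, not from the OpenCTI repository. Variable names follow the
repository's .env.sample; the UUIDv4 requirement for OPENCTI_ADMIN_TOKEN and the
vm.max_map_count threshold follow the compose README. Placeholder list, password
floor and https rule are this example's own policy choices."""
import uuid

REQUIRED = ("OPENCTI_ADMIN_EMAIL", "OPENCTI_ADMIN_PASSWORD", "OPENCTI_ADMIN_TOKEN", "OPENCTI_BASE_URL")
PLACEHOLDERS = {"ChangeMe", "ChangeMePlease", "changeme", "admin", "password"}  # assumed common placeholders
MIN_MAP_COUNT = 1048575  # ElasticSearch requirement from the OpenCTI docker README


def parse_env(text):
    """Minimal KEY=value parser: ignores comments/blank lines, strips one layer of quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def is_uuid4(s):
    """True only for a canonical, version-4 UUID (case-insensitive)."""
    try:
        u = uuid.UUID(s)
    except ValueError:
        return False
    return u.version == 4 and str(u) == s.lower()


def check_env(text, max_map_count=None):
    """Return a list of problems; empty means the file is ready for docker compose up."""
    env = parse_env(text)
    problems = []
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is missing or empty")
    pw = env.get("OPENCTI_ADMIN_PASSWORD", "")
    if pw and (pw in PLACEHOLDERS or len(pw) < 12):
        problems.append("OPENCTI_ADMIN_PASSWORD is a placeholder or shorter than 12 characters")
    tok = env.get("OPENCTI_ADMIN_TOKEN", "")
    if tok and not is_uuid4(tok):
        problems.append("OPENCTI_ADMIN_TOKEN must be a UUIDv4 (e.g. from python3 -c 'import uuid;print(uuid.uuid4())')")
    base = env.get("OPENCTI_BASE_URL", "")
    if base and not base.startswith(("http://localhost", "https://")):
        problems.append("OPENCTI_BASE_URL should be https:// unless this is a localhost test")
    if max_map_count is not None and max_map_count < MIN_MAP_COUNT:
        problems.append(f"vm.max_map_count={max_map_count} < {MIN_MAP_COUNT}; "
                        f"run: sysctl -w vm.max_map_count={MIN_MAP_COUNT}")
    return problems


def host_max_map_count():
    """Current kernel value on Linux, None elsewhere (assumes the /proc path)."""
    try:
        with open("/proc/sys/vm/max_map_count") as f:
            return int(f.read())
    except (OSError, ValueError):
        return None


# Constructed sample files (the token below is a made-up UUIDv4, not a real secret).
SAMPLE_GOOD = """# constructed .env
OPENCTI_ADMIN_EMAIL=admin@example.com
OPENCTI_ADMIN_PASSWORD="Long-Enough-Passphrase-42"
OPENCTI_ADMIN_TOKEN=b1f6c3f2-8d41-4d3f-9a0e-5a1c2e3d4f5b
OPENCTI_BASE_URL=http://localhost:8080
"""
SAMPLE_BAD = """OPENCTI_ADMIN_EMAIL=admin@example.com
OPENCTI_ADMIN_PASSWORD=ChangeMe
OPENCTI_ADMIN_TOKEN=ChangeMe
OPENCTI_BASE_URL=http://opencti.internal:8080
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else ".env"
    with open(path) as f:
        for p in check_env(f.read(), host_max_map_count()):
            print("PROBLEM:", p)
```

Run it as python3 check_env.py .env from the cloned docker directory; an empty output means the three admin values and the base URL are set sensibly and, on Linux, the kernel setting ElasticSearch needs is in place.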

OpenCTI vs. Alternatives

| Feature | OpenCTI | MISP | ThreatConnect | Cortex |
|---|---|---|---|---|
| License type | Apache 2.0 (open source) | GNU AGPL v3.0 (open source) | Commercial (SaaS/on-premises) | GNU AGPL v3.0 (open source) |
| Primary focus | Complete threat intelligence platform built on a knowledge graph | Threat intelligence sharing and community collaboration | Enterprise threat intelligence operations platform | Observable analysis and automated response (the analysis engine alongside TheHive) |
| Data model | STIX 2.1-compliant knowledge graph with typed relationships | MISP event/attribute model with STIX 2.1 import and export | Proprietary data model with STIX 2.1 support | Observable in, analyzer report out; cases live in TheHive |
| Connector ecosystem | 100+ connectors for ingestion, enrichment, file handling and streaming | 200+ modules for expansion and import/export | 200+ integrations via marketplace | 100+ analyzers and responders |
| Visualization | Graph views, custom dashboards, timeline analysis | Event correlation graph, galaxy clusters, basic dashboards | ATT&CK visualizer, threat modeling, analytics dashboards | Analyzer result views; timelines are TheHive's |
| Case management | Built-in cases with real-time collaboration | Limited; collaboration happens through event sharing | Comprehensive case management with automated workflows | None in Cortex itself; provided by TheHive |
| Best use case | Organizations that need end-to-end threat intelligence management with graph analysis | Communities focused on sharing and collaboration | Large enterprises that want a commercial TIP with extensive automation | Security teams that need scalable observable enrichment and response actions, usually paired with TheHive |

FAQs