OpenCTI Cyber Threat Intelligence Platform Intro

OpenCTI Dashboard

OpenCTI Setup

OpenCTI Tour


  • Dashboard: an overview of top labels, active entities, targeted countries, latest ingested analysis, observables distribution, and more
  • Analysis: reports from various sources, notes, opinions, and external references
  • Events: incidents, sightings, and observed data
  • Observations: observables, artifacts, indicators, and infrastructure
  • Threats: threat actors, intrusion sets (TTPs, tools, malware, infrastructure), campaigns
  • Arsenal: malware, attack patterns (TTPs), ATT&CK courses of action, tools, and vulnerabilities (CVEs)
  • Entities: sectors, countries, cities, geographic positions, organizations, systems, individuals
  • Data: data and data administration within OpenCTI (entities, background tasks, connectors, synchronization, data sharing, TAXII collections)
  • Settings: OpenCTI settings (parameters, workflows, retention policies, rules engine, labels and attributes)


  • Overview: general info about the entity
  • Knowledge: shows relations between entities, linked observables and indicators
  • Entities: other entities that have been linked to the entity
  • Observables: technical elements which may have been observed (IP addresses, domain names, hashes, etc.)
  • Data: files related to the entity
  • Sightings: where the observable or indicator has been seen
  • History: change history
  • Analysis: reports that include the entity
  • Indicators: detection rules for malicious behavior (STIX2, SNORT, Suricata, YARA)

APT29 intrusion set in OpenCTI

Additional Resources



Chad Warner

Cyber threat intelligence (CTI), cybersecurity, & privacy enthusiast. Seeking a CTI job. Bookworm. Fan of Tolkien & LEGO.