STIX & TAXII in Cyber Threat Intelligence

Photo by Kai Pilger on Unsplash

STIX (Structured Threat Information Expression)

STIX is a language used to communicate CTI between organizations in a consistent, machine-readable way. There are objects and relationships between those objects. Some of the objects are:

  • Campaign: a group of adversarial behaviors over a period of time, targeting a set of targets
  • Course of Action: recommended response to the intel
  • Indicator: pattern to detect suspicious or malicious activity
  • Location: geographic location
  • Malware: type of TTP that represents malware
  • Threat Actor: individual or group believed to be acting maliciously
  • Vulnerability: vulnerability which can be compromised

TAXII (Trusted Automated Exchange of Indicator Information)

TAXII is the framework for transporting STIX data. Just like a taxi is a vehicle to transport people, TAXII is a vehicle to transport STIX data. TAXII is an application protocol for exchanging STIX data over HTTPS. There are two primary services:

  • Channel: a way for producers to push data to consumers; a publish-subscribe model

How STIX and TAXII are Used

Organizations can send and/or receive CTI using STIX and TAXII. If an organization experiences an attack, it can analyze it and share the resulting CTI using STIX and TAXII, so other organizations can detect and defend against similar attacks.

Additional Resources



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store