STIX & TAXII in Cyber Threat Intelligence

Photo by Kai Pilger on Unsplash

STIX (Structured Threat Information Expression)

  • Attack Pattern: how adversary attempts to compromise targets; a type of TTP
  • Campaign: a group of adversarial behaviors over a period of time, targeting a set of targets
  • Course of Action: recommended response to the intel
  • Indicator: pattern to detect suspicious or malicious activity
  • Location: geographic location
  • Malware: type of TTP that represents malware
  • Threat Actor: individual or group believed to be acting maliciously
  • Vulnerability: vulnerability which can be compromised

TAXII (Trusted Automated Exchange of Indicator Information)

  • Collection: an interface to a local repository of CTI objects that can be requested by consumers; a request-response model
  • Channel: a way for producers to push data to consumers; a publish-subscribe model

How STIX and TAXII are Used

Additional Resources



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chad Warner

Cyber threat intelligence (CTI), OSINT, & cybersecurity enthusiast. Seeking a CTI job. Bookworm. Fan of Tolkien & LEGO.