MISP
What is MISP?
MISP is an open-source threat intelligence platform for collecting, storing, correlating, and sharing structured indicators and analyst context across trusted communities.
Malware Information Sharing Platform and Threat Sharing (MISP) is a widely deployed open-source TIP, originally developed by CIRCL, that stores intelligence as Events containing Attributes (IoCs), Objects, Galaxies, and Tags. Synchronization between MISP instances enables federated sharing across CERTs, ISACs, and private communities with fine-grained distribution levels and TLP labels. MISP supports STIX 2.1, OpenIOC, and custom feeds, exports IDS-ready signatures (Suricata, Snort, Sigma), and integrates with SIEMs and EDRs via API or ZeroMQ. Analysts use it to correlate sightings across cases, tag campaigns with MITRE ATT&CK, and operationalize indicators with low friction.
● Examples
- 01
A national CERT shares ransomware indicators with sector members via federated MISP synchronization.
- 02
Exporting Suricata rules from a MISP event to a perimeter IDS.
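As an added illustration of the Event/Attribute model described above and of the Suricata export in example 02 (this is not MISP's or PyMISP's own code): a constructed event carrying a TLP tag and a mix of attributes, and an exporter that approximates what MISP's IDS export emits for attributes flagged `to_ids`. `SID_BASE`, `MISP_URL` and the exact rule text are assumptions.

```python
import re

# Added illustration, not MISP/PyMISP code. Constants are assumptions.
SID_BASE = 4_000_000                      # MISP lets the operator choose the SID start
MISP_URL = "https://misp.example.invalid"  # placeholder instance URL
SAFE_VALUE = re.compile(r"^[A-Za-z0-9.:_/-]+$")  # shared indicator values are untrusted

# Constructed sample in the shape of MISP's JSON event export.
EVENT = {"Event": {
    "id": "1",
    "info": "Ransomware C2 infrastructure (constructed sample)",
    "distribution": "1",                 # 1 = this community only
    "Tag": [{"name": "tlp:amber"}],      # governs redistribution by synced peers
    "Attribute": [
        {"type": "ip-dst", "category": "Network activity",
         "value": "198.51.100.7", "to_ids": True},
        {"type": "domain", "category": "Network activity",
         "value": "c2.example.invalid", "to_ids": True},
        {"type": "md5", "category": "Payload delivery",
         "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
        {"type": "ip-dst", "category": "Network activity",
         "value": "203.0.113.9", "to_ids": False},  # context only, not detection-grade
        {"type": "ip-dst", "category": "Network activity",
         "value": '203.0.113.5"; content:"x', "to_ids": True},  # malformed feed value
    ]}}

def event_tlp(event):
    """Return the TLP tag that limits redistribution of the event, or None."""
    for tag in event["Event"].get("Tag", []):
        if tag["name"].startswith("tlp:"):
            return tag["name"]
    return None

def suricata_rules(event, sid_base=SID_BASE):
    """Render rules for to_ids attributes, approximating MISP's Suricata export."""
    ev, rules, sid = event["Event"], [], sid_base
    for attr in ev["Attribute"]:
        value = attr["value"]
        if not attr.get("to_ids") or not SAFE_VALUE.match(value):
            continue  # analyst did not flag it for IDS, or value could break rule syntax
        if attr["type"] == "ip-dst":
            head = f'alert ip any any -> {value} any (msg:"MISP e{ev["id"]} Outgoing To IP: {value}";'
        elif attr["type"] in ("domain", "hostname"):
            head = (f'alert dns any any -> any any (msg:"MISP e{ev["id"]} Domain: {value}"; '
                    f'dns_query; content:"{value}"; nocase;')
        else:
            continue  # file hashes and free text have no Suricata rule equivalent
        sid += 1
        rules.append(f'{head} classtype:trojan-activity; sid:{sid}; rev:1; '
                     f'reference:url,{MISP_URL}/events/view/{ev["id"]};)')
    return rules
```

Only the two attributes the analyst marked `to_ids` with a type Suricata can match become rules; the hash, the context-only address and the malformed value are left out, which is why `to_ids` hygiene matters before an event is synced to peers.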
● Frequently asked questions
What is MISP?
MISP is an open-source threat intelligence platform for collecting, storing, correlating, and sharing structured indicators and analyst context across trusted communities. It belongs to the Defense & Operations category of cybersecurity.
What does MISP mean?
MISP is an open-source threat intelligence platform for collecting, storing, correlating, and sharing structured indicators and analyst context across trusted communities.
How does MISP work?
Malware Information Sharing Platform and Threat Sharing (MISP) is a widely deployed open-source TIP, originally developed by CIRCL, that stores intelligence as Events containing Attributes (IoCs), Objects, Galaxies, and Tags. Synchronization between MISP instances enables federated sharing across CERTs, ISACs, and private communities with fine-grained distribution levels and TLP labels. MISP supports STIX 2.1, OpenIOC, and custom feeds, exports IDS-ready signatures (Suricata, Snort, Sigma), and integrates with SIEMs and EDRs via API or ZeroMQ. Analysts use it to correlate sightings across cases, tag campaigns with MITRE ATT&CK, and operationalize indicators with low friction.
How do you defend against MISP?
Defences for MISP typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for MISP?
Common alternative names include: Malware Information Sharing Platform, MISP Project.
● Related terms
- defense-ops№ 1105
STIX
STIX is an OASIS standard that defines a structured, machine-readable language for representing and exchanging cyber threat intelligence between organizations and tools.
- defense-ops№ 1133
TAXII Protocol
TAXII is an OASIS application-layer protocol over HTTPS for publishing, discovering, and consuming cyber threat intelligence — typically STIX content — between organizations.
- defense-ops№ 1158
TLP
TLP is a simple labeling scheme maintained by FIRST that signals how sensitive shared cyber information is and with whom it may be redistributed.
- defense-ops№ 771
OTX
OTX is an open, community-driven threat intelligence exchange — originally AlienVault, now LevelBlue OTX — where researchers publish indicators bundled into Pulses.
- defense-ops№ 527
Indicator of Compromise (IoC)
An observable artifact — such as a file hash, IP, domain, URL, or registry key — that suggests a system has been or is being compromised.
- defense-ops№ 1148
Threat Intelligence
Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.