OTX
What is OTX?
OTX is an open, community-driven threat intelligence exchange — originally AlienVault, now LevelBlue OTX — where researchers publish indicators bundled into Pulses.
The Open Threat Exchange (OTX), originally launched by AlienVault and now operated by LevelBlue, is a free crowdsourced platform on which researchers, vendors, and SOC analysts publish Pulses — curated bundles of indicators, context, and references tied to a specific campaign, malware family, or actor. Subscribers consume Pulses through the web UI, REST API, STIX/TAXII, or via integrations with SIEM, EDR, and TIP products. OTX is widely used as a low-cost enrichment source and a starting point for hunting, though defenders typically combine it with paid feeds and vetted ISAC content for high-confidence detection. The community feedback loop on each Pulse helps surface false positives quickly.
● Examples
- 01: Subscribing to a Pulse covering a phishing kit and ingesting its URLs into a SIEM watchlist.
- 02: Publishing IoCs from an internal investigation as a Pulse to inform the wider community.
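The first example above, sketched as added code (not from the original page or from LevelBlue): it turns a constructed Pulse into a URL watchlist, dropping expired, malformed and allowlisted entries and keeping the Pulse ID and TLP on every row. The field names (`id`, `tlp`, `indicators`, `indicator`, `type`, `expiration`) are assumed to match the Pulse JSON you export from OTX, and `ALLOWLIST` and the `.example` hosts are hypothetical.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample shaped like an OTX Pulse; hosts and IDs are placeholders.
SAMPLE_PULSE = {"id": "constructed-pulse-0001", "tlp": "green", "indicators": [
    {"type": "URL", "indicator": "http://login.phish.example/kit/index.php", "expiration": None},
    {"type": "URL", "indicator": "HTTP://Login.Phish.Example/kit/index.php", "expiration": None},
    {"type": "URL", "indicator": "https://cdn.trusted.example/jquery.js", "expiration": None},
    {"type": "URL", "indicator": "http://old.phish.example/a", "expiration": "2020-01-01T00:00:00"},
    {"type": "domain", "indicator": "phish.example", "expiration": None},
    {"type": "URL", "indicator": "not a url", "expiration": None},
]}
ALLOWLIST = {"cdn.trusted.example"}  # hypothetical known-good hosts kept off the watchlist

def normalise(url):
    """Lower-case scheme and host so duplicates collapse; None if not an http(s) URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts._replace(netloc=parts.netloc.lower()).geturl()

def expired(ind, now):
    """True when the indicator's expiration (naive timestamps assumed UTC) has passed."""
    exp = ind.get("expiration")
    if not exp:
        return False
    when = datetime.fromisoformat(exp)
    return (when if when.tzinfo else when.replace(tzinfo=timezone.utc)) <= now

def build_watchlist(pulse, allowlist=ALLOWLIST, now=None):
    """Return (watchlist rows, skip counts); each row keeps its Pulse ID and TLP."""
    now = now or datetime.now(timezone.utc)
    rows, skipped = {}, {"type": 0, "expired": 0, "invalid": 0, "allowlisted": 0}
    for ind in pulse.get("indicators", []):
        url = normalise(str(ind.get("indicator", "")))
        if ind.get("type") != "URL":
            skipped["type"] += 1
        elif expired(ind, now):
            skipped["expired"] += 1
        elif url is None:
            skipped["invalid"] += 1
        elif urlsplit(url).hostname in allowlist:
            skipped["allowlisted"] += 1
        else:  # keyed by normalised URL, so case-variant duplicates collapse
            rows[url] = {"url": url, "pulse_id": pulse["id"], "tlp": pulse.get("tlp")}
    return list(rows.values()), skipped
```

The skip counts are worth logging per Pulse: a Pulse whose indicators are mostly expired or allowlisted is a signal to review the subscription rather than load it blindly.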
● Frequently asked questions
What is OTX?
OTX is an open, community-driven threat intelligence exchange — originally AlienVault, now LevelBlue OTX — where researchers publish indicators bundled into Pulses. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against OTX?
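OTX is a defensive intelligence source rather than a threat, so there is nothing to defend against. The practices that apply are the ones in the full definition above: treat OTX as an enrichment source and a starting point for hunting, combine it with paid feeds and vetted ISAC content for high-confidence detection, and use the community feedback on each Pulse to catch false positives.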
What are other names for OTX?
Common alternative names include: AlienVault OTX, LevelBlue OTX, Open Threat Exchange.
● Related terms
- STIX (defense-ops, № 1105): STIX is an OASIS standard that defines a structured, machine-readable language for representing and exchanging cyber threat intelligence between organizations and tools.
- TAXII Protocol (defense-ops, № 1133): TAXII is an OASIS application-layer protocol over HTTPS for publishing, discovering, and consuming cyber threat intelligence — typically STIX content — between organizations.
- MISP (defense-ops, № 684): MISP is an open-source threat intelligence platform for collecting, storing, correlating, and sharing structured indicators and analyst context across trusted communities.
- TLP (defense-ops, № 1158): TLP is a simple labeling scheme maintained by FIRST that signals how sensitive shared cyber information is and with whom it may be redistributed.
- Indicator of Compromise (IoC) (defense-ops, № 527): An observable artifact — such as a file hash, IP, domain, URL, or registry key — that suggests a system has been or is being compromised.
- Threat Intelligence (defense-ops, № 1148): Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.