STIX
What is STIX?
STIX is an OASIS standard that defines a structured, machine-readable language for representing and exchanging cyber threat intelligence between organizations and tools.
Structured Threat Information eXpression (STIX) is an open OASIS specification — currently STIX 2.1 — that models threat intelligence as JSON objects with defined types such as indicators, malware, threat actors, campaigns, intrusion sets, and relationships. By giving every concept a stable schema, STIX lets analysts share context (TTPs, kill-chain phases, sightings) rather than just isolated IoCs, and lets tools like SIEMs, TIPs, and SOAR platforms ingest the same data without custom parsers. STIX is typically transported with the companion TAXII protocol and is widely used by ISACs, government CERTs, and commercial intelligence providers.
● Examples
1. Sharing a malware family with linked indicators, attack-pattern, and threat-actor objects through an ISAC.
2. Exporting CTI from a TIP as STIX 2.1 bundles consumed by a SIEM.
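To make the object model concrete, here is an added Python example (not from the OASIS specification or any STIX library) that builds a minimal STIX 2.1 bundle of the kind a TIP would export, then runs the sanity checks a SIEM ingest path should apply before trusting it: required common and type-specific properties, id format, a bracketed pattern, and relationship references that resolve inside the bundle. The malware name and the C2 domain are constructed placeholders.

```python
import re
import uuid
from datetime import datetime, timezone

# STIX identifiers are "<type>--<UUID>"; the type is lower-case with hyphens.
ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
COMMON = ("type", "spec_version", "id", "created", "modified")
REQUIRED = {  # type-specific required properties in STIX 2.1 (subset used here)
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}

def _now():
    # STIX timestamps are UTC, RFC 3339 style, ending in "Z" (milliseconds zeroed here).
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def sdo(obj_type, **props):
    """Build a STIX 2.1 object with the common required properties filled in."""
    ts = _now()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def make_bundle():
    malware = sdo("malware", name="ExampleLoader", is_family=True)  # constructed family name
    indicator = sdo("indicator", name="C2 domain for ExampleLoader",
                    pattern="[domain-name:value = 'c2.malicious.example']",  # constructed IoC
                    pattern_type="stix", valid_from=_now())
    rel = sdo("relationship", relationship_type="indicates",
              source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [malware, indicator, rel]}

def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle passed all checks."""
    problems = []
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        return ["not a STIX bundle"]
    ids = {o.get("id") for o in bundle["objects"]}
    for o in bundle["objects"]:
        missing = [p for p in COMMON + REQUIRED.get(o.get("type"), ()) if p not in o]
        if missing:
            problems.append(f"{o.get('id')}: missing {missing}")
        if not ID_RE.match(str(o.get("id"))):
            problems.append(f"{o.get('id')}: malformed id")
        if o.get("type") == "indicator" and not str(o.get("pattern", "")).startswith("["):
            problems.append(f"{o['id']}: pattern is not a bracketed STIX pattern")
        if o.get("type") == "relationship":  # dangling refs cannot be correlated on ingest
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"{o['id']}: {ref} {o.get(ref)} not in bundle")
    return problems
```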
● Frequently asked questions
What is STIX?
STIX is an OASIS standard that defines a structured, machine-readable language for representing and exchanging cyber threat intelligence between organizations and tools. It belongs to the Defense & Operations category of cybersecurity.
What does STIX mean?
STIX is an OASIS standard that defines a structured, machine-readable language for representing and exchanging cyber threat intelligence between organizations and tools.
How does STIX work?
Structured Threat Information eXpression (STIX) is an open OASIS specification — currently STIX 2.1 — that models threat intelligence as JSON objects with defined types such as indicators, malware, threat actors, campaigns, intrusion sets, and relationships. By giving every concept a stable schema, STIX lets analysts share context (TTPs, kill-chain phases, sightings) rather than just isolated IoCs, and lets tools like SIEMs, TIPs, and SOAR platforms ingest the same data without custom parsers. STIX is typically transported with the companion TAXII protocol and is widely used by ISACs, government CERTs, and commercial intelligence providers.
What are other names for STIX?
Common alternative names include: Structured Threat Information eXpression, STIX 2.1.
● Related terms
- TAXII Protocol: TAXII is an OASIS application-layer protocol over HTTPS for publishing, discovering, and consuming cyber threat intelligence — typically STIX content — between organizations.
- MISP: MISP is an open-source threat intelligence platform for collecting, storing, correlating, and sharing structured indicators and analyst context across trusted communities.
- TLP: TLP is a simple labeling scheme maintained by FIRST that signals how sensitive shared cyber information is and with whom it may be redistributed.
- OTX: OTX is an open, community-driven threat intelligence exchange — originally AlienVault, now LevelBlue OTX — where researchers publish indicators bundled into Pulses.
- Indicator of Compromise (IoC): An observable artifact — such as a file hash, IP, domain, URL, or registry key — that suggests a system has been or is being compromised.
- Threat Intelligence: Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.