TAXII Protocol
What is TAXII Protocol?
TAXII is an OASIS application-layer protocol over HTTPS for publishing, discovering, and consuming cyber threat intelligence, typically STIX content, between organizations.
Trusted Automated eXchange of Indicator Information (TAXII), currently version 2.1, is an OASIS standard that defines a REST-style API over HTTPS for sharing threat intelligence. A TAXII server exposes API roots and channel-like collections from which clients pull or push STIX 2.1 objects, with authentication, paging, and filtering built in. TAXII is the transport layer that complements the STIX data model: it does not prescribe content, only how to discover and move it. ISACs, ISAOs, national CERTs, and commercial intel providers run TAXII servers so SIEM, TIP, and SOAR platforms can subscribe to feeds automatically instead of relying on email or PDFs.
● Examples
- Pulling daily STIX bundles from a sector ISAC's TAXII collection into a Threat Intelligence Platform.
- Publishing internally produced indicators to a TAXII server consumed by partner SOCs.
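A sketch of the first example, showing the paging and filtering the definition mentions: a client pulls one collection page by page using the TAXII 2.1 envelope fields `more` and `next`, with the `added_after` and `match[type]` filters. This is an added example, not code from the original page; `pull_collection`, `fake_fetch`, `SAMPLE` and the host `taxii.example` are hypothetical names, and the HTTP call is injected as `fetch` so the block runs offline against constructed data.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs
TAXII_JSON = "application/taxii+json;version=2.1"  # TAXII 2.1 media type

def pull_collection(fetch, api_root, collection_id, added_after=None,
                    stix_type=None, limit=2, max_pages=100):
    """Return every object in a collection, following envelope paging.
    fetch(url, headers) -> (status, body) is supplied by the caller."""
    if not api_root.startswith("https://"):
        raise ValueError("refusing non-HTTPS API root")
    base = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    wanted = {"limit": limit, "added_after": added_after, "match[type]": stix_type}
    params = {k: v for k, v in wanted.items() if v is not None}
    objects = []
    for _ in range(max_pages):  # cap pages so a misbehaving server cannot loop us
        status, body = fetch(f"{base}?{urlencode(params)}", {"Accept": TAXII_JSON})
        if status != 200:
            raise RuntimeError(f"TAXII request failed with HTTP {status}")
        envelope = json.loads(body)
        objects.extend(envelope.get("objects", []))
        if not envelope.get("more"):
            return objects
        if not envelope.get("next"):
            raise RuntimeError("envelope has more=true but no next token")
        params["next"] = envelope["next"]
    raise RuntimeError("max_pages exceeded")

def _obj(kind, n):  # constructed STIX-like stub with a made-up id
    return {"type": kind, "id": f"{kind}--00000000-0000-4000-8000-{n:012d}"}

# Constructed (date_added, object) rows standing in for a server's collection.
SAMPLE = [("2024-05-01T00:00:00Z", _obj("indicator", 1)),
          ("2024-05-01T00:00:00Z", _obj("malware", 2)),
          ("2024-05-02T00:00:00Z", _obj("indicator", 3)),
          ("2024-05-02T00:00:00Z", _obj("indicator", 4)),
          ("2024-05-02T00:00:00Z", _obj("indicator", 5))]

def fake_fetch(url, headers):
    """In-memory stand-in for a TAXII server; 'next' is a plain offset here."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if headers.get("Accept") != TAXII_JSON:
        return 406, ""
    rows = [o for added, o in SAMPLE if added > q.get("added_after", "")
            and q.get("match[type]") in (None, o["type"])]
    start, size = int(q.get("next", 0)), int(q["limit"])
    env = {"more": start + size < len(rows), "objects": rows[start:start + size]}
    if env["more"]:
        env["next"] = str(start + size)
    return 200, json.dumps(env)
```

Against a real server, `fetch` would be an authenticated HTTPS client with certificate verification left on, and the `next` value must be treated as an opaque token rather than an offset.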
● Frequently asked questions
What is TAXII Protocol?
TAXII is an OASIS application-layer protocol over HTTPS for publishing, discovering, and consuming cyber threat intelligence — typically STIX content — between organizations. It belongs to the Defense & Operations category of cybersecurity.
What are other names for TAXII Protocol?
Common alternative names include: TAXII 2.1, Trusted Automated eXchange of Indicator Information.
● Related terms
- STIX: STIX is an OASIS standard that defines a structured, machine-readable language for representing and exchanging cyber threat intelligence between organizations and tools.
- MISP: MISP is an open-source threat intelligence platform for collecting, storing, correlating, and sharing structured indicators and analyst context across trusted communities.
- TLP: TLP is a simple labeling scheme maintained by FIRST that signals how sensitive shared cyber information is and with whom it may be redistributed.
- OTX: OTX is an open, community-driven threat intelligence exchange (originally AlienVault, now LevelBlue OTX) where researchers publish indicators bundled into Pulses.
- Threat Intelligence: Evidence-based knowledge about threats and threat actors, including indicators, TTPs and context, used to guide security decisions and detection.
- Indicator of Compromise (IoC): An observable artifact, such as a file hash, IP, domain, URL, or registry key, that suggests a system has been or is being compromised.