OpenCTI
🧠 Threat Intelligence · TypeScript/Python
OpenCTI is an open-source platform for managing cyber threat intelligence knowledge and observables. Built on a STIX2-native data model, it provides a unified view of threat data including threat actors, intrusion sets, campaigns, malware, vulnerabilities, and their relationships. OpenCTI uses a graph database (Neo4j or Amazon Neptune) to store and visualize complex relationships between entities, making it easy to understand how threat actors, TTPs, and infrastructure are connected. It supports connectors for automatic ingestion from MISP, AlienVault, VirusTotal, Shodan, and dozens of other sources. The platform includes role-based access control, workflow management for analyst collaboration, and export capabilities for integration with SIEMs and SOAR platforms.
Installation
Docker
$ git clone https://github.com/OpenCTI-Platform/docker.git && cd docker && docker compose up -d
Use Cases
- Building a structured knowledge base of threat actors, campaigns, and TTPs
- Visualizing relationships between threat entities using graph-based exploration
- Ingesting and correlating threat feeds from MISP, VirusTotal, and Shodan automatically
- Collaborating across analyst teams with workflow management and RBAC
- Producing finished intelligence reports with STIX2 structured data
Details
- Category: 🧠 Threat Intelligence
- Language: TypeScript/Python
- Repository: OpenCTI-Platform/opencti
- Platforms: 🐧 linux
Alternatives & Comparisons
- MISP (PHP/Python): Open-source threat intelligence and sharing platform. Structured IOC management, feeds, correlation, and STIX/TAXII export.
- TheHive (Scala/JavaScript): Incident response case management platform. Collaborative investigation with observable analysis, playbooks, and MISP integration.
- GRR Rapid Response (Python): Remote live forensics framework by Google. Deploy agents across thousands of endpoints for artifact collection and analysis.
- KAPE (C#): Kroll Artifact Parser and Extractor. Fast triage collection and parsing of forensic artifacts from Windows, macOS, and Linux.
- Cortex (Scala/Python): Observable analysis and active response engine. Analyze IOCs at scale with 100+ analyzers for IPs, hashes, URLs, and domains.
- osquery (C++): SQL-powered endpoint visibility. Query operating system state as a relational database for security monitoring and compliance.