Open-source threat intelligence platform for structured knowledge management, correlation, and collaborative TI sharing.

Vendor Information

Filigran

Paris, France

OpenCTI Overview

OpenCTI is an open-source threat intelligence platform that enables organizations to manage cyber threat intelligence knowledge and observables at tactical, operational, and strategic levels through a Structured Threat Information Expression (STIX) 2.1-based knowledge schema. The platform structures, stores, organizes, and visualizes both technical information like Tactics, Techniques, and Procedures (TTPs) and non-technical information like attribution and victimology, linking each piece of intelligence to its primary source with confidence levels, first and last seen dates, and relationship mapping between data points for comprehensive threat context.

OpenCTI provides 300+ modular connectors that automatically import and enrich threat intelligence from multiple sources, including CrowdStrike, SentinelOne, Sekoia, MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), and Malware Information Sharing Platform (MISP), in a unified interface, enabling Security Operations Center (SOC) teams to conduct intelligence-driven security operations with automated workflows and collaborative sharing. The platform integrates artificial intelligence (AI) for threat feed imports, search functionality, generating insights and summaries, and creating finished intelligence reports through templates. It also serves as the foundation for Filigran's eXtended Threat Management (XTM) suite, alongside the OpenBAS breach and attack simulation platform for proactive threat validation and testing across the entire threat management lifecycle.

Founded in 2022 by Samuel Hassine (CEO, former France Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) and Tanium executive) and Julien Richard (CTO, former Axway engineering leader), Filigran has raised $60M across three funding rounds led by Insight Partners, Accel, and Moonfire Ventures, growing to 160 employees serving 6,000+ organizations including Airbus, Thales, Marriott, Hermès, Rivian, the Federal Bureau of Investigation (FBI), European Commission, and New York City (NYC) Cyber Command. With 10 million+ downloads, 4,300+ GitHub contributors, and International Organization for Standardization (ISO) 27001 and System and Organization Controls (SOC) 2 certifications, OpenCTI has become the leading community-driven threat intelligence platform, with both a free Apache 2.0-licensed Community Edition and a managed Enterprise Edition offering advanced automation, AI features, and comprehensive support.

Key Capabilities

Standardized capabilities mapped to this product's security niche

Threat Intelligence Platform (TIP)

Augments raw IoCs (IPs, domains, file hashes, URLs) with threat actor attribution, campaign context, confidence scores, and expiry dates to reduce false-positive operational noise.

Submits suspicious files or URLs to detonation sandboxes and ingests behavioral analysis results as structured threat intelligence, linking indicators to observed malware behavior.

Pushes enriched IoCs directly into SIEM detection rules and SOAR playbook inputs, automating indicator lifecycle management rather than requiring manual export and import.

Ingests structured threat intelligence in STIX 2.x format over TAXII 2.1 from commercial, government, and ISAC feeds, normalizing indicators and TTPs into a common data model.

Maintains structured profiles of named threat actor groups with associated TTPs, infrastructure patterns, targeting history, and motivations, updated from multiple intelligence sources.

Implements controlled intelligence sharing with trusted peers, ISAC communities, and government entities through STIX/TAXII or proprietary sharing protocols with configurable TLP-based access controls.

Supports structured analytical methodologies for threat intelligence production, attribution, campaign tracking, and relationship mapping between adversary, infrastructure, capability, and victim.

Open-Source Threat Intelligence

Ingests and normalizes public threat intelligence from a broad range of sources: VirusTotal, Shodan, abuse.ch, AlienVault OTX, CIRCL, Emerging Threats, government ISACs. Source breadth, normalization quality, and update latency vary significantly across open-source TIP platforms.

Enables security community members to submit, validate, and rate intelligence indicators, improving accuracy through crowdsourced attribution and false positive feedback.

Provides REST APIs for pulling IoC data, threat actor profiles, and STIX bundles into SIEM detection pipelines and SOAR playbooks programmatically.

Supplements raw IoCs with threat actor attribution, campaign groupings, and contextual notes sourced from analyst contributions and automated correlation.

Integrations

Compatible tools and platforms

AlienVault OTX, Anomali, Arctic Wolf, Atos, CrowdStrike, CVE, Cyber Threat Coalition, Deepwatch, Deloitte, EclecticIQ, Elastic, Exabeam, Fortinet, IBM QRadar, IBM X-Force, Intrinsec, Kaspersky, LogRhythm, Maltiverse, MalwareBazaar, MISP, MITRE ATT&CK, Orange Cyberdefense, Palo Alto Networks, Proofpoint, Recorded Future, RiskIQ, Sekoia, SentinelOne, Shodan, Slack, Splunk, Tanium, TheHive, Threat Fox, ThreatConnect, ThreatQ, VirusTotal, Wavestone, Wazuh

Solution Details

Compliance & Certifications

Regulatory frameworks and security certifications

ISO 27001, SOC 2 Type II

Deployment Options

Where and how this solution can be deployed

Cloud, On-Premises, SaaS

Support Channels

Available support and communication options

24/7 Support, Community Forum, Customer Success Team, Documentation, Email Support, Slack (Customer Channel), Technical Account Manager (TAM), Training / Academy

Pricing Model

How this solution is priced

Community Edition, Subscription