
Threat Intelligence
OpenCTI
Open-source CTI platform to unify, operationalize, and prioritize threat intel in SecOps.
OpenCTI Overview
What it does
OpenCTI is an open-source threat intelligence platform that structures, stores, and operationalizes cyber threat knowledge at tactical, operational, and strategic levels using a Structured Threat Information Expression (STIX) 2.1 schema. The platform links technical observables and non-technical context such as attribution and victimology to primary sources with confidence scoring, relationship mapping, and timeline visualization across a STIX-structured knowledge hypergraph with MITRE ATT&CK mappings.
How it works
The platform ingests intelligence through 300+ one-click connector integrations, TAXII 2.1, and RSS feeds, then applies automation and agentic workflows for enrichment, correlation, case management, and finished report generation. A new Filigran Browser Extension converts web pages into structured threat reports with one click and connects investigations to OpenCTI and OpenAEV. Enterprise Edition adds Priority Intelligence Requirements (PIRs), advanced automation playbooks, and data segregation for multi-organization deployments across SaaS, on-premise, or air-gapped environments.
Credentials and traction
Filigran holds SOC 2 Type II and ISO 27001:2022 certifications. OpenCTI was named an Outperformer and Challenger in the 2026 GigaOm Radar for Threat Intelligence Platforms, and Filigran's XTM platform won The Hacker News Cybersecurity Stars Award for Best Intelligence-Powered Cybersecurity Platform in 2026. The platform is used by 6,000+ public and private organizations worldwide, including the FBI and the European Commission.
Key Capabilities
mapped to solution categoriesProvides an interactive portal with contextualized dashboards, configurable alerting, search and built-in analysis.
Provides comprehensive indicators of compromise such as IPs, URLs, domains and file hashes with maliciousness ratings and enrichments like geolocation and TTPs.
Delivers tailored vulnerability and exposure intelligence highlighting actively exploited vulnerabilities with associated IoCs, TTPs and threat actors.
Supports machine-to-machine integration via JSON, APIs and STIX or TAXII, with sharing across private and public communities such as ISACs.
Auto-generates detection rules and syntax for SIEM, firewalls, IPS or IDS and EDR.
Offers analyst support such as requests for information, recurring analyst augmentation and takedown services.
Produces finished intelligence reports at technical, operational and strategic levels.
Ingests and shares intelligence via STIX/TAXII and other machine-to-machine formats and APIs.
Aggregates indicators from multiple sources into comprehensive, deduplicated coverage.
Profiles threat actors with associated TTPs and attribution context.
Compliance
certificationsIntegrations
compatible toolsImplementation & support
Info last updated on May 28, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.