STIX

STIX, or Structured Threat Information Expression, is an open standard for representing and sharing cyber threat intelligence (CTI) in a machine-readable form. It provides a standardized language and serialization format that enables organizations to describe adversaries, campaigns, techniques, and observable indicators in a consistent way, supporting automated analysis, correlation, and integration with security systems such as SIEMs and endpoint protection platforms. STIX content commonly covers objects like indicators, threat actors, intrusion sets, campaigns, malware, tools, and relationships among these elements, together with markings to express confidence and handling restrictions.

The STIX data model is designed to be consumed and produced by multiple vendors and allows CTI to be exchanged across organizational boundaries. It is often carried over TAXII, the Trusted Automated eXchange of Indicator Information, which provides a standardized protocol for publishing and querying CTI data. STIX 1.x, the original version, defined a rich object model and was implemented in XML/JSON; STIX 2.x, a major redesign, uses a JSON-based representation with a simplified, extensible structure and a dedicated STIX Patterning Language for describing indicators.

Historically developed by MITRE and maintained as an open standard, STIX is widely adopted by government, industry, and research communities to enable faster threat detection and coordinated responses. It is commonly used alongside the ATT&CK knowledge base, which documents adversary techniques, and is supported by a growing ecosystem of CTI feeds, tools, and services.
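The following is an added example, not code from the page or from the STIX/TAXII projects, showing what the STIX 2.x JSON representation and a STIX pattern look like in practice. It builds a minimal STIX 2.1 bundle (an Indicator, a Malware object, and the Relationship linking them) as plain JSON, runs the structural checks a consumer would want before trusting a feed (well-formed `type--UUID` identifiers, the common required properties, and relationship references that resolve inside the bundle), and evaluates the simplest form of STIX pattern, a single equality comparison, against an observed object. The hash, names and timestamp are constructed placeholders, and `parse_equality_pattern` handles only that one comparison form, not the full Patterning Language (the `stix2` and `stix2-patterns` libraries cover the complete grammar).

```python
"""Added example: minimal STIX 2.1 bundle, consumer-side validation, and
single-comparison pattern evaluation. Not from the page or the STIX project."""
import json
import re
import uuid

# Constructed sample values (not real IoCs): 64 hex zeros standing in for a SHA-256.
SAMPLE_SHA256 = "00" * 32
TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp


def new_id(stix_type: str) -> str:
    """STIX 2.x identifiers have the form '<type>--<UUID>'."""
    return f"{stix_type}--{uuid.uuid4()}"


def build_bundle() -> dict:
    """Return a bundle with an Indicator, a Malware object and the 'indicates'
    Relationship that ties them together (all values constructed)."""
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": new_id("indicator"),
        "created": TS, "modified": TS,
        "name": "Sample dropper hash (constructed)",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']",
        "valid_from": TS,
    }
    malware = {
        "type": "malware", "spec_version": "2.1", "id": new_id("malware"),
        "created": TS, "modified": TS,
        "name": "ExampleDropper (constructed)", "is_family": False,
        "malware_types": ["dropper"],
    }
    relationship = {
        "type": "relationship", "spec_version": "2.1", "id": new_id("relationship"),
        "created": TS, "modified": TS,
        "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": malware["id"],
    }
    return {"type": "bundle", "id": new_id("bundle"),
            "objects": [indicator, malware, relationship]}


ID_RE = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def validate_bundle(bundle: dict) -> list:
    """Structural checks before ingesting a feed: id prefix matches the object type,
    common required properties are present, relationship refs resolve in-bundle.
    Returns a list of problems; an empty list means the bundle passed."""
    problems, ids = [], set()
    for obj in bundle.get("objects", []):
        m = ID_RE.match(obj.get("id", ""))
        if not m or m.group(1) != obj.get("type"):
            problems.append(f"bad id/type pair: {obj.get('id')!r} / {obj.get('type')!r}")
            continue
        ids.add(obj["id"])
        for prop in ("spec_version", "created", "modified"):
            if prop not in obj:
                problems.append(f"{obj['id']} missing {prop}")
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{obj.get('id')} {ref} does not resolve: {obj.get(ref)!r}")
    return problems


# One equality comparison: [<object-type>:<property.path> = '<value>']
COMPARISON_RE = re.compile(
    r"^\[\s*([a-z0-9-]+):((?:[A-Za-z0-9_]+|'[^']*')(?:\.(?:[A-Za-z0-9_]+|'[^']*'))*)"
    r"\s*=\s*'([^']*)'\s*\]$")


def parse_equality_pattern(pattern: str):
    """Parse e.g. [file:hashes.'SHA-256' = '...'] into (type, path list, value)."""
    m = COMPARISON_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    path = [p.strip("'") for p in re.findall(r"'[^']*'|[A-Za-z0-9_]+", m.group(2))]
    return m.group(1), path, m.group(3)


def pattern_matches(pattern: str, observed: dict) -> bool:
    """Evaluate the pattern against one observed object (a dict carrying a 'type')."""
    obj_type, path, value = parse_equality_pattern(pattern)
    if observed.get("type") != obj_type:
        return False
    node = observed
    for key in path:  # walk the property path, e.g. hashes -> SHA-256
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return node == value


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("validation problems:", validate_bundle(bundle))
    seen = {"type": "file", "name": "setup.exe", "hashes": {"SHA-256": SAMPLE_SHA256}}
    print("matches:", pattern_matches(bundle["objects"][0]["pattern"], seen))
```

The validation step is the part worth keeping in a real pipeline: objects whose id prefix disagrees with their `type`, or relationships pointing at ids that are not in the bundle, are a common sign of a malformed or partially exported feed and should be rejected before they reach correlation rules.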