Open Cyber Threat Intelligence Platform
Store, organize, visualize and share knowledge about cyber threats.
Open source application, community-centered approach.
OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables.

Knowledge graph

The whole platform relies on a knowledge hypergraph allowing the usage of hyper-entities and hyper-relationships including nested relationships.

Unified data model

From operational to strategic level, all information are linked through a unifed and consistent data model based on the STIX2 standards.

Sourcing of data origin

Every relationships between entities have time-based and space-based attributes and must by sourced by a report with a specific confidence level.

Exploration and correlation

The whole dataset could be explored with analytics and correlation engines including many visualization plugins, MapReduce and Pregel computations.

Automated reasoning

The database engine performs logical inference through deductive reasoning, in order to derive implicit facts and associations in real-time.

Data access management

Full control of data access management using groups with permissions based on granular markings on both entities and relationships.









Knowledge management
The first purpose of the OpenCTI platform is to provide a powerful knowledge management database with an enforced schema especially tailored for cyber threat intelligence and cyber operations.
With multiple tools and viewing capabilities, analysts are able to explore the whole dataset by pivoting on the platform between entities and relations. Relations having the possibility to own multiple context attributes, it is easy to have several levels of context for a given entity.
Data visualization
OpenCTI allows analysts to easily visualize any entity and its relationships. Multiple views are available as well as an analytics system based on dynamic widgets. For instance, users are able to compare the victimology of two different intrusion sets.
In the future, the OpenCTI roadmap includes the development of a full investigation capability, allowing analysts to explore the whole knowledge graph by pivoting on entities in a unified space.
Observables and indicators context
The goal is to create a comprehensive tool allowing users to capitalize technical (such as TTPs and observables) and non-technical information (such as suggested attribution, victimology etc.) while linking each piece of information to its primary source (a report, a MISP event, etc.).
All indicators are linked to threats with all the information needed to the analysts to fully understand the situation, the role played by the observables regarding the threat, the source of the information and the malicious behavior scoring.