STIX and TAXII Standards
STIX and TAXII are open standards for representing and exchanging cyber threat intelligence, enabling machine-to-machine sharing of indicators, threat actors, and attack patterns across organizations and platforms.
Continue your mission
STIX and TAXII are open standards for representing and exchanging cyber threat intelligence, enabling machine-to-machine sharing of indicators, threat actors, and attack patterns across organizations and platforms.
# STIX and TAXII Standards
STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) are the twin standards that form the backbone of modern, machine-readable cyber threat intelligence sharing. Developed under OASIS and maintained by a broad consortium of government agencies, vendors, and academic institutions, they exist to solve a specific and costly problem: organizations were drowning in threat data they could not act on because the data arrived in formats their tools could not parse automatically. STIX defines what threat intelligence looks like as a data structure. TAXII defines how that intelligence moves between systems. Together, they enable security teams to receive, process, and act on threat intelligence at speeds that manual workflows cannot match.
---
STIX is a structured language and serialization format for expressing cyber threat intelligence. The current production version, STIX 2.1, is published by OASIS and specifies a JSON-based schema for representing threat intelligence objects and the relationships between them. STIX Domain Objects (SDOs) represent discrete intelligence concepts: Attack Pattern, Campaign, Course of Action, Grouping, Identity, Indicator, Infrastructure, Intrusion Set, Location, Malware, Malware Analysis, Note, Observed Data, Opinion, Report, Threat Actor, Tool, and Vulnerability. STIX Relationship Objects (SROs) encode directional links between SDOs, allowing analysts to express statements such as "Threat Actor X uses Malware Y in Campaign Z."
TAXII is the companion transport specification. TAXII 2.1 defines a RESTful HTTP API with two primary mechanisms: Collections, which function as structured repositories of STIX objects that clients can query and contribute to, and Channels, which support publish-subscribe distribution patterns for streaming intelligence feeds.
These standards emerged from the recognition that threat intelligence sharing was failing at scale. Prior to STIX and TAXII, organizations shared threat data through email attachments, PDF reports, and proprietary XML formats. Each recipient had to manually parse indicators, translate formats, and manually input data into security tools. This process introduced errors, delays, and analyst fatigue while reducing the actionable lifespan of time-sensitive intelligence. STIX and TAXII automate the entire chain from intelligence publication to security control enforcement.
STIX and TAXII are not a threat intelligence platform (TIP). They are standards that TIPs implement. They are not a substitute for analysis: a STIX bundle containing poorly vetted indicators is just as harmful as an unstructured email full of false positives. They are also not synonymous with the MITRE ATT&CK framework, though ATT&CK content is frequently represented and distributed using STIX 2.1 serialization.
---
Every STIX object carries a set of required common properties that enable distributed operation. The identifier follows a strict format: the object type (such as "malware" or "indicator") followed by two dashes and a UUIDv4 string. This creates globally unique identifiers like malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b. Timestamps record when the object was created and when it was last modified, using RFC 3339 format with millisecond precision. The spec_version field ensures compatibility as STIX evolves.
Optional properties add analytical context. Confidence scores range from 0 to 100 and represent the producer's assessment of the accuracy of the information. Labels provide semantic tags (such as "malicious-activity" for indicators or "trojan" for malware). External references link to source reports, vulnerability databases, or related intelligence. Granular markings control data handling at the property level, allowing producers to specify that certain fields require different sharing restrictions than the overall object.
The STIX Patterning Language expresses detection logic as structured expressions. An indicator pattern might specify: [file:hashes.MD5 = 'a1b2c3d4e5f6' AND file:size = 1024]. This syntax tells detection systems to watch for files matching both the hash and size criteria. More complex patterns combine multiple observable conditions using Boolean operators. The FOLLOWEDBY operator enables temporal pattern matching: [network-traffic:dst_ref.value = '198.51.100.47'] FOLLOWEDBY [file:name = 'payload.exe'] WITHIN 300 SECONDS instructs systems to alert when file creation follows network communication within a five-minute window.
Relationship objects transform individual intelligence items into a connected graph. A relationship carries a relationship_type property (standardized values include "uses," "targets," "attributed-to," "indicates," "mitigates") and source_ref and target_ref properties pointing to the UUIDs of connected objects. This graph structure allows analysts to traverse from a specific indicator to the campaign it supports, to the threat actor running that campaign, to other malware families that actor uses, and finally to available countermeasures.
TAXII 2.1 operates as a REST API with JSON payloads, making it compatible with standard HTTP clients and modern DevOps toolchains. Authentication typically uses HTTP Basic authentication with API keys or Bearer tokens, though implementations may add OAuth 2.0 or mutual TLS for high-security environments.
Client interaction begins with the discovery endpoint, which returns available API roots and supported TAXII versions. Each API root exposes a collections endpoint that lists available STIX object repositories. Collections have descriptive metadata including title, description, supported media types, and read/write permissions. Many implementations organize collections by source (such as "government-indicators"), threat type (such as "financial-malware"), or sharing classification (such as "tlp-white").
To retrieve intelligence, clients send GET requests to a collection's objects endpoint. The server returns a STIX bundle containing all accessible objects, subject to query filters. The added_after parameter limits results to objects modified since a specific timestamp, enabling efficient polling. The type filter restricts results to specific STIX object types. The match parameter supports server-side filtering based on object properties. Large result sets are paginated using HTTP Link headers with "next" and "prev" relations.
Intelligence contribution uses POST requests to the same objects endpoint. Clients submit STIX bundles as JSON payloads. The server validates each object against the STIX 2.1 schema and may apply additional policy checks such as marking validation or content filtering. The response includes a status object reporting success and failure counts plus detailed error messages for rejected objects.
Consider a healthcare organization participating in the Health Information Sharing and Analysis Center (H-ISAC). The ISAC operates a TAXII 2.1 server hosting multiple collections organized by threat type and sharing classification. The "Medical Device Threats" collection contains indicators and TTPs targeting healthcare infrastructure.
At 14:30, a regional hospital detects unusual network activity from medical devices in their cardiac unit. Their security team analyzes the traffic and identifies a previously unknown botnet targeting specific device firmware. They create a STIX bundle containing:
The hospital submits this bundle to the H-ISAC TAXII server at 15:45. The bundle includes TLP:AMBER markings restricting distribution to healthcare sector participants.
Participating organizations poll the collection on varying schedules based on their risk tolerance. A major health system with dedicated threat hunting resources polls every five minutes. A smaller clinic polls hourly. When organizations retrieve the bundle, their TIPs automatically extract the indicator patterns and distribute them to network monitoring tools, endpoint detection systems, and medical device management platforms.
By 16:00, twelve healthcare organizations have deployed the indicators. By 16:30, three have detected the same botnet in their environments and contributed additional indicators expanding the campaign profile. The collective defense response completed within one hour, compared to days or weeks for traditional report-based sharing.
STIX objects are versioned through the modified timestamp rather than explicit version numbers. When an object is updated, producers publish a new version with the same UUID and an updated modified timestamp. Consumers must implement version reconciliation logic to ensure they operate on current intelligence while maintaining audit trails of changes.
Confidence scoring requires careful interpretation. A confidence score of 85 on an indicator does not mean 85% mathematical probability of maliciousness. It represents the producer's assessment of the accuracy of the indicator information based on their analytical methodology. Organizations should establish confidence thresholds for automated deployment based on their risk tolerance and the quality of their intelligence sources.
Marking and handling instructions encoded in STIX objects must be enforced programmatically. Traffic Light Protocol (TLP) markings are commonly represented as STIX data markings, and automated systems must honor these restrictions or organizations risk violating sharing agreements and potentially legal obligations.
---
Before STIX and TAXII standardization, threat intelligence sharing operated through manual processes that created systematic delays and introduced errors at every step. Security analysts received intelligence via email attachments, vendor portals, or PDF reports. Each piece of intelligence required manual extraction, format translation, and manual entry into security tools. This workflow created several critical problems.
First, the manual bottleneck meant that actionable intelligence often expired before it could be deployed. Threat actors rotate infrastructure rapidly, often abandoning IP addresses and domains within hours of their first detection. An indicator that takes 24 hours to travel from initial observation to blocking policy has likely missed its window of effectiveness. Second, manual transcription introduced errors. An analyst copying an IP address from a PDF to a firewall rule might transpose digits, creating false negatives (missed threats) or false positives (blocked legitimate traffic). Third, the manual process did not scale with the volume of modern threat intelligence. A large organization might receive hundreds of indicators daily from multiple sources, overwhelming analyst capacity.
The automation enabled by STIX and TAXII transforms this dynamic. Machine-readable intelligence can travel from initial detection to enforcement deployment in seconds or minutes rather than hours or days. During active incidents, this speed differential is often decisive. Organizations that participated in STIX-based sharing during the 2020 SolarWinds supply chain compromise received and deployed infrastructure indicators before many threat actors completed their initial environment reconnaissance.
However, automation amplifies both good and bad intelligence equally. A high-quality STIX indicator deployed automatically provides immediate protection. A poor-quality indicator deployed automatically creates false positives at scale. Organizations must apply analytical rigor to incoming STIX objects, establishing confidence thresholds, validation procedures, and expiration policies. The standards solve the format and transport problems but do not solve the analysis problem.
A common misconception is that STIX and TAXII adoption requires expensive commercial platforms or large security teams. Many open-source threat intelligence platforms support STIX 2.1 natively, and public TAXII servers operated by CISA, MITRE, and sector ISACs are freely accessible. A mid-sized organization can implement STIX ingestion using open-source tools and begin receiving government-curated threat intelligence immediately.
Another misconception is that STIX and TAXII are primarily valuable for indicator sharing. While indicators represent a common use case, the standards support sharing complete attack patterns, threat actor profiles, courses of action, and analytical assessments. Organizations can share defensive techniques, lessons learned from incidents, and strategic threat assessments using the same infrastructure used for tactical indicators.
The business impact extends beyond technical efficiency. Standardized threat intelligence sharing reduces the total cost of security operations by eliminating redundant analysis across participating organizations. When one organization analyzes a new threat and shares structured intelligence, hundreds of other organizations benefit from that analysis without duplicating the effort. This collective defense model is particularly valuable for sectors with many smaller organizations that lack dedicated threat intelligence capabilities.
---
CDA treats STIX and TAXII as foundational infrastructure within the Threat Intelligence and Defense (TID) domain of the Planetary Defense Model. The PDM framework recognizes that defensive advantage comes from compressing the time between threat emergence and defensive posture adjustment. STIX and TAXII provide the mechanical layer that makes this compression possible, but only when implemented within a broader Predictive Defense Intelligence (PDI) methodology.
Traditional threat intelligence programs are reactive: they respond to threats that have already been observed and reported. PDI operates on the principle of "see the threat before it sees you," which requires intelligence to be not only collected but structured, analyzed, and delivered to decision-making systems faster than adversaries can adapt their tactics. A STIX bundle that arrives in a client's environment 30 seconds after initial detection elsewhere and automatically generates detection rules represents PDI in practice. A PDF report read by an analyst 48 hours later does not.
CDA operationalizes STIX and TAXII through three differentiating approaches. First, CDA maintains versioned STIX object libraries organized by adversary cluster and targeting pattern rather than by source or chronology. These libraries are confidence-scored at the individual object level, enabling consuming systems to make granular decisions about which intelligence to deploy to which enforcement points based on organizational risk tolerance and environmental context.
Second, CDA applies STIX Extension Objects to encode proprietary analytical fields while maintaining standards compliance. Extensions include PDM threat scoring, adversary behavioral cluster identifiers, predicted next-action probabilities derived from pattern analysis, and environmental context scores indicating which types of organizations are likely targets. This approach provides CDA-specific analytical value while ensuring that core intelligence remains consumable by standard STIX implementations.
Third, CDA operates TAXII infrastructure that supports both traditional polling-based collection access and real-time streaming through push-based channels. High-priority intelligence flows through dedicated channels with sub-second delivery guarantees, while routine intelligence uses standard collections with configurable polling intervals. All transactions are logged and monitored as security telemetry, with unusual access patterns triggering automated investigation workflows.
Within the TID domain, STIX and TAXII enable the automated hypothesis testing that drives PDI methodology. Every STIX object entering CDA systems is evaluated against active hunting hypotheses and threat models. High-confidence matches trigger escalation to predictive analysis workflows that assess likelihood of imminent threat manifestation in client environments. This approach treats threat intelligence not as reference material but as sensor data feeding continuous threat anticipation processes.
---
---
---
CDA Theater missions that address topics covered in this article.
Cryptographic technique that encrypts data while preserving its original format and length, enabling protection without breaking legacy system compatibility.
Guide to HTTP/2 security covering binary framing, HPACK compression attacks, rapid reset vulnerability, stream multiplexing risks, and mitigation strategies.
Explanation of Certificate Transparency framework, covering log servers, Signed Certificate Timestamps, monitoring capabilities, and detection of fraudulent certificates.
Written by CDA Editorial
Found an issue? Help improve this article.