MISP (originally the Malware Information Sharing Platform, now styled as the Open Source Threat Intelligence and Sharing Platform) is a free software project used by governments, CERTs, ISACs, and private firms to exchange structured cyber threat intelligence. It allows analysts to record indicators of compromise (IOCs) such as malicious IPs, file hashes, domains, and email addresses, along with contextual data on threat actors, campaigns, and tactics, techniques, and procedures (TTPs).
The project was initiated within the Belgian Defence and later developed and maintained by CIRCL (Computer Incident Response Center Luxembourg), with contributions from NATO NCIRC and a wide community of users. MISP is distributed under an open-source license and integrates with frameworks such as STIX/TAXII, MITRE ATT&CK, and various SIEM tools.
Key features include:
- Event-based data model, where each "event" bundles related attributes and objects.
- Synchronization and sharing groups, letting organizations define who sees what at the event or attribute level.
- Taxonomies and galaxies (tags) to classify threats consistently, including TLP (Traffic Light Protocol) markings.
- Correlation engine that automatically links overlapping indicators across events.
- API access for automated ingestion into firewalls, IDS/IPS, and endpoint tools.
For policy researchers, MISP is significant as concrete infrastructure underpinning operational threat-intelligence sharing obligations created by instruments such as the EU NIS2 Directive (Directive (EU) 2022/2555) and earlier NIS Directive, which require coordination among national CSIRTs. It is also used inside sectoral ISACs (financial, energy, health) and by the EU CSIRTs Network supported by ENISA.
Unlike commercial threat-intel feeds, MISP emphasizes community-driven sharing, granular access control, and machine-readable formats, making it a reference point in debates about public-private cybersecurity cooperation and digital sovereignty.
Example
In 2020, CIRCL and partner CSIRTs used MISP instances to circulate IOCs related to COVID-19-themed phishing campaigns targeting healthcare organizations across Europe.
Frequently asked questions
MISP is primarily maintained by CIRCL (Computer Incident Response Center Luxembourg), with contributions from a broad open-source community including national CSIRTs and private-sector analysts.
Keep learning