OpenCTI (Open Cyber Threat Intelligence) is a free, open-source platform developed by the French company Filigran (formerly Luatix), originally built in partnership with the French national cybersecurity agency ANSSI and the EU agency CERT-EU. It is designed to help analysts and organizations manage their cyber threat intelligence (CTI) knowledge and observables in a structured way.
The platform organizes information using the STIX 2.1 (Structured Threat Information Expression) data model maintained by OASIS, which represents threat actors, campaigns, malware, intrusion sets, tactics, techniques, indicators of compromise (IOCs), and victims as linked entities. This graph-based approach lets analysts trace relationships — for example, connecting a malware family to an APT group, a campaign, and the CVEs it exploits.
Typical features include:
- Connectors that ingest data from sources such as MITRE ATT&CK, MISP, AlienVault OTX, VirusTotal, and commercial feeds.
- Knowledge graph visualizations of actors, infrastructure, and incidents.
- Investigation and reporting tools for producing intelligence products.
- Role-based access control and segmentation for sharing with trusted communities.
- A GraphQL API and Python client (
pycti) for automation.
For policy researchers, MUN delegates working on cybersecurity committees, or think-tank analysts tracking state-aligned threat groups, OpenCTI is relevant as both a tool and a case study: it illustrates how the CTI community has converged on open standards (STIX/TAXII) and how public-private partnerships in Europe have produced shared digital infrastructure for cyber defense. It is widely used by national CERTs, ISACs, and private security teams, and is frequently cited in discussions of cyber threat information-sharing norms under frameworks such as the EU NIS2 Directive.
OpenCTI is released under the Apache 2.0 license, with a community edition and a commercial enterprise offering from Filigran.
Example
In 2023, several European CERTs used OpenCTI instances to correlate STIX-formatted indicators on the Cl0p ransomware group's exploitation of the MOVEit Transfer vulnerability (CVE-2023-34362).
Frequently asked questions
It is developed by Filigran (formerly Luatix), a French company, with early collaboration from ANSSI and CERT-EU. The code is open-source under the Apache 2.0 license.
Keep learning