STIX (Structured Threat Information Expression) is a standardized language and serialization format for representing cyber threat intelligence (CTI), including indicators of compromise, threat actors, malware, attack patterns, campaigns, and courses of action. TAXII (Trusted Automated Exchange of Intelligence Information) is the companion application-layer protocol — running over HTTPS — that defines how STIX-formatted data is requested, published, and subscribed to between producers and consumers.
Both standards were originally developed by MITRE under U.S. Department of Homeland Security sponsorship, and governance was transferred to the OASIS Cyber Threat Intelligence Technical Committee in 2015. The current widely deployed versions are STIX 2.1 and TAXII 2.1, approved as OASIS Standards in 2021. STIX 2.x uses JSON (replacing the XML of STIX 1.x), and defines objects such as Indicators, Threat Actors, Intrusion Sets, Malware, Attack Patterns (often mapped to MITRE ATT&CK), and Relationships linking them into a graph.
TAXII 2.1 organizes data into Collections hosted on API Roots, supporting both request/response polling and channel-based publish/subscribe models. This enables Information Sharing and Analysis Centers (ISACs), national CERTs, and commercial threat intelligence providers to distribute machine-readable CTI at scale without bespoke integrations.
For policy researchers, STIX/TAXII matters because it underpins much of the operational layer of international cyber cooperation. Sharing arrangements such as those coordinated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Automated Indicator Sharing (AIS) program, the EU's CSIRTs Network exchanges, and sector ISACs (FS-ISAC, H-ISAC, E-ISAC) rely on these standards. Debates over cross-border data flows, attribution, sanctions enforcement against ransomware actors, and norms discussions at the UN Open-Ended Working Group on ICT security increasingly reference machine-readable indicator sharing as a confidence-building measure. Understanding STIX/TAXII helps distinguish technical interoperability from the harder political questions of who shares what with whom.
Example
In 2016, CISA's predecessor at DHS launched the Automated Indicator Sharing (AIS) program, which uses STIX and TAXII to distribute cyber threat indicators between the U.S. government and participating private-sector partners in near real time.
Frequently asked questions
The OASIS Cyber Threat Intelligence Technical Committee has maintained both standards since 2015, after governance transferred from MITRE. STIX 2.1 and TAXII 2.1 were approved as OASIS Standards in 2021.
Keep learning