Filigran

OpenCTI

About the product

OpenCTI is a threat intelligence platform (TIP) that enables organizations to manage knowledge and observations about cyber threats. It is designed to structure, store, organize, and visualize both technical and non-technical information about those threats.

Technical architecture
OpenCTI consists of several main components:
Platform (Core) – the main element of the system, providing the user interface and the GraphQL API that connectors and workers use to insert and retrieve data.
Workers – independent processes that consume tasks from the RabbitMQ broker and perform the database write operations. The number of workers can be increased to improve write throughput; 3 to 4 workers per OpenCTI instance are recommended.
Connectors – modules that integrate OpenCTI with external data sources or tools (e.g., importing data from MISP, enriching observables with Shodan, exporting data to CSV or STIX 2 files).

Each connector is a separate process that performs one of five defined roles:
EXTERNAL_IMPORT – importing data from external sources,
INTERNAL_ENRICHMENT – enriching existing data from external sources,
INTERNAL_IMPORT_FILE – importing files uploaded via the UI/API,
INTERNAL_EXPORT_FILE – exporting data to files,
STREAM – consuming the platform's live data streams.

The platform relies on several external services: Elasticsearch (or OpenSearch) as its data store and search index, Redis, RabbitMQ as the message broker, and S3-compatible object storage (e.g., MinIO) for files.

Key features of the OpenCTI architecture
Modularity and scalability – each component can be scaled independently as needed.
High availability – clustering is used for key services.
Integration – a wide range of connectors is available, enabling data exchange with other platforms and tools.
Flexibility of implementation – can be run both on-premises and in the cloud (e.g., AWS, Azure, GCP).

Advantages of the product

Openness and flexibility
OpenCTI is a cyber threat management platform whose key features are high flexibility and the ability to adapt to the individual requirements of an organization. The platform can be integrated with multiple data sources and uses the STIX2 standard to structure information. It also offers an extensive API, allowing for easy expansion of functionality and integration with other security tools.

Visualization and analysis of threats
OpenCTI offers advanced visualization tools, such as graph representation of relationships between threats, indicators, vulnerabilities, and campaigns. This allows analysts to quickly identify connections, trends, and the evolution of attacks, supporting effective threat analysis and profiling. The platform also enables the creation of custom dashboards and reports.

Automation and integration
Automation is one of the key elements of OpenCTI. The platform enables automatic data import from various sources (e.g., TAXII, RSS, CSV, other OpenCTI platforms) through the use of connectors, which shortens the process of enriching the threat knowledge base.

Scalability and modern architecture
OpenCTI is characterized by scalability and high availability. It supports clustered deployments, enabling horizontal scaling of both the platform itself and its key components (Elasticsearch, Redis, RabbitMQ, S3/MinIO). As a result, the platform can handle large volumes of data and many concurrent users with high performance and reliability.

Security and access control
The platform offers advanced access control mechanisms that enable precise management of permissions for specific data and containers (e.g., reports, incidents, tickets). Administrators can define which users, groups, or organizations have access to specific resources and manage permission levels (view, edit, manage).

Benefits of Implementation

Centralization and a complete picture of threat intelligence
OpenCTI collects, stores, and analyzes threat intelligence in one place, providing complete context—from technical details to connections to adversaries, sectors, or specific incidents. This enables analysts to identify and respond to threats faster and more effectively.

Advanced modeling and visualization of relationships
The platform allows you to model connections between different objects (organizations, sectors, events, systems, people) and visualize these relationships in the form of knowledge graphs. This facilitates the analysis of complex campaigns and the identification of dependencies and trends in the activities of cybercriminals.

Strict access management and data sharing policy
OpenCTI offers advanced mechanisms for controlling access to information, based on STIX marking definitions (e.g., TLP:RED, TLP:AMBER) and organizational segregation. This allows granular control over which teams, departments, or partners can access specific data: a user sees an object only if they are allowed to see every marking attached to it.

Supporting internal and external cooperation
The platform enables information sharing both within the organization (e.g., between SOC, CERT, and analytical teams) and with external partners, customers, and industry entities. This facilitates effective knowledge exchange and faster response to new threats.

Automation and integration
OpenCTI enables integration with other security tools (SIEM, SOAR, firewalls, detection systems), which allows for the automation of incident detection and response processes. The platform supports the STIX 2.1 standard, which facilitates data exchange with other CTI systems.
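As an added example (not OpenCTI's or Filigran's own code), the Python below builds the kind of STIX 2.1 bundle an EXTERNAL_IMPORT connector would push into the platform, attaches TLP markings to every object, checks that no object references a marking the bundle does not define, and then applies a simplified marking-based visibility rule to show which objects a reader cleared to a given TLP level would see. It ties together the marking-based access control described above and the STIX 2.1 exchange format. The visibility rule, the deterministic ids derived from object content, and the sample observations are assumptions made for this example; it uses only the standard library and runs offline.

```python
"""Build a STIX 2.1 bundle carrying TLP markings and filter it by reader clearance.

Standard library only (no pycti / stix2), so it runs offline on constructed data.
"""
import json
import uuid
from datetime import datetime, timezone

# TLP marking-definition ids predefined by the STIX 2.1 specification.
TLP_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dbdf-44fb-b519-4e1aa3df3e40",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_ORDER = ["white", "green", "amber", "red"]  # least to most restrictive

# Namespace the STIX 2.1 specification reserves for UUIDv5 identifiers.
STIX_NS = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def stix_id(stix_type, *key):
    """Deterministic id derived from content: re-importing the same object yields the
    same id, so the receiving platform can deduplicate instead of storing a copy."""
    return f"{stix_type}--{uuid.uuid5(STIX_NS, json.dumps(key))}"


def _ts():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def tlp_marking(level):
    """STIX 2.1 marking-definition object for a TLP level."""
    return {
        "type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS[level],
        "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
        "name": f"TLP:{level.upper()}", "definition": {"tlp": level},
    }


def make_bundle(author_name, observations):
    """Build what an EXTERNAL_IMPORT connector would push: an author identity, the TLP
    markings used, and for each (pattern, malware_name, tlp_level) observation an
    indicator, the malware it detects and the 'indicates' relationship between them."""
    ts = _ts()
    author_id = stix_id("identity", author_name, "organization")
    objects = {author_id: {
        "type": "identity", "spec_version": "2.1", "id": author_id,
        "created": ts, "modified": ts,
        "name": author_name, "identity_class": "organization",
    }}
    for pattern, malware_name, level in observations:
        objects.setdefault(TLP_IDS[level], tlp_marking(level))
        ind_id = stix_id("indicator", pattern)
        mal_id = stix_id("malware", malware_name)
        rel_id = stix_id("relationship", "indicates", ind_id, mal_id)
        common = {"spec_version": "2.1", "created": ts, "modified": ts,
                  "created_by_ref": author_id, "object_marking_refs": [TLP_IDS[level]]}
        # setdefault keeps the first definition, so a malware seen in several
        # observations is emitted once (with the marking of its first sighting).
        objects.setdefault(ind_id, {
            "type": "indicator", "id": ind_id, "name": f"Indicator for {malware_name}",
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts, **common})
        objects.setdefault(mal_id, {
            "type": "malware", "id": mal_id, "name": malware_name,
            "is_family": True, **common})
        objects.setdefault(rel_id, {
            "type": "relationship", "id": rel_id, "relationship_type": "indicates",
            "source_ref": ind_id, "target_ref": mal_id, **common})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": list(objects.values())}


def dangling_marking_refs(bundle):
    """Pre-import sanity check: every marking an object references must be defined in
    the bundle, otherwise the receiving platform cannot enforce it."""
    defined = {o["id"] for o in bundle["objects"] if o["type"] == "marking-definition"}
    return sorted({ref for o in bundle["objects"]
                   for ref in o.get("object_marking_refs", []) if ref not in defined})


def readable_by(bundle, max_tlp):
    """Objects a reader cleared up to max_tlp may see. Simplified model (an assumption
    for this example, not OpenCTI's exact rule): an object is visible only if every
    TLP marking it carries is at or below the reader's level; unmarked objects (the
    author identity and the marking definitions themselves) are visible to everyone."""
    allowed = {TLP_IDS[lvl] for lvl in TLP_ORDER[: TLP_ORDER.index(max_tlp) + 1]}
    return [o for o in bundle["objects"]
            if all(ref in allowed for ref in o.get("object_marking_refs", []))]


# Constructed sample feed: documentation-only IP and domain, fictional malware name.
SAMPLE_OBSERVATIONS = [
    ("[domain-name:value = 'c2.bad.example']", "ExampleRAT", "amber"),
    ("[ipv4-addr:value = '203.0.113.7']", "ExampleRAT", "red"),
]

if __name__ == "__main__":
    bundle = make_bundle("Example CERT", SAMPLE_OBSERVATIONS)
    print(json.dumps(bundle, indent=2))
    for level in TLP_ORDER:
        print(level, [o["type"] for o in readable_by(bundle, level)])
```

Running the block prints the bundle and then, per clearance level, the object types a reader would see: a TLP:GREEN reader gets only the identity and the marking definitions, a TLP:AMBER reader additionally gets the amber indicator, the malware and their relationship, and only a TLP:RED reader sees the red indicator. The deterministic ids matter in practice because connectors run repeatedly; without them every run would create duplicate indicators on the platform.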

Extensive analytics and reporting
Users can create reports, analyses, use cases, and visualizations that can support strategic decision-making processes for the organization.

See other products

Filigran

OpenBAS

OpenBAS (Open Breach and Attack Simulation) is a modern, flexible, and open tool that not only allows for technical security testing, but also helps build a culture of security and prepare organizations for real cyber threats.