🧠 Threat intelligence
OpenCTI
STIX 2.1-native threat intelligence platform with a polished modern UI.
Why use it
OpenCTI is the modern alternative to MISP: STIX 2.1 end to end, built around a knowledge graph, with a far more polished UI. Pick it when you want to model the relationships between threat actors, campaigns, malware and infrastructure clusters rather than maintain lists of IoCs.
What you get
- STIX 2.1 native objects: actors, campaigns, malware, infrastructure
- Relationship graph between every entity
- Connector ecosystem (MISP, AlienVault OTX, MITRE ATT&CK, AbuseIPDB and many more)
- Organisations, groups and roles for access control
- Reports and dashboards per investigator
System requirements
| CPU | 4 cores |
|---|---|
| RAM | 16 GB recommended (Elasticsearch is the main consumer) |
| Disk | 50 GB+ |
| OS | Linux |
| Docker | Yes (docker compose v2) |
Installation
Use the official Docker Compose repository: clone https://github.com/OpenCTI-Platform/docker, copy .env.sample to .env, and replace every ChangeMe placeholder: admin email, admin password, an admin token (a valid UUIDv4), and one UUID per connector. Elasticsearch will not start unless the host has vm.max_map_count raised (sysctl, at least 262144), so set that before docker compose up -d. Add connectors (one service per data source) by adding each connector's compose service to the same file with its own CONNECTOR_*_ID; give each connector a dedicated OpenCTI user and token with the Connector role rather than reusing the admin token.
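The same procedure as a script, added here as a worked example; it is not the OpenCTI project's own tooling. It assumes the compose repository's .env.sample consists of KEY=value lines whose secrets are ChangeMe placeholders, that keys ending in _ID or _TOKEN must hold a UUIDv4, and that the host has docker compose v2 and od. It generates the secrets so a default password never reaches a running instance, and refuses to deploy if a placeholder survives.

```shell
#!/usr/bin/env bash
# Added example (not the OpenCTI project's own script): bootstrap the official
# compose deployment from https://github.com/OpenCTI-Platform/docker with generated
# secrets instead of the ChangeMe placeholders shipped in .env.sample.
# Assumptions: .env.sample is KEY=value lines with ChangeMe* placeholders, keys
# ending in _ID or _TOKEN need a UUIDv4, docker compose v2 and od are installed.
set -euo pipefail

# Random UUIDv4 (the kernel interface sets version/variant bits; python fallback).
gen_uuid() {
  if [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    python3 -c 'import uuid; print(uuid.uuid4())'
  fi
}

# 48 hex characters of entropy for passwords and access keys.
gen_secret() {
  od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# fill_env SAMPLE OUT [ADMIN_EMAIL]: copy SAMPLE to OUT, replacing every ChangeMe*
# value with a fresh secret (UUID for *_ID / *_TOKEN keys) and optionally setting
# OPENCTI_ADMIN_EMAIL. Comments, blank lines and non-placeholder values are kept.
fill_env() {
  local sample="$1" out="$2" email="${3:-}" line key value
  : > "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      \#*) printf '%s\n' "$line" >> "$out"; continue ;;   # comment, kept verbatim
      *=*) ;;                                              # KEY=value, handled below
      *)   printf '%s\n' "$line" >> "$out"; continue ;;   # blank or odd line, kept
    esac
    key="${line%%=*}"; value="${line#*=}"
    case "$value" in
      ChangeMe*)
        case "$key" in
          *_ID|*_TOKEN) value="$(gen_uuid)" ;;
          *)            value="$(gen_secret)" ;;
        esac ;;
    esac
    if [ "$key" = OPENCTI_ADMIN_EMAIL ] && [ -n "$email" ]; then
      value="$email"
    fi
    printf '%s=%s\n' "$key" "$value" >> "$out"
  done < "$sample"
}

# check_env FILE: pre-flight before `docker compose up`; fails if a placeholder
# survived or the admin token is not the UUIDv4 the sample file asks for.
check_env() {
  local f="$1" token
  if grep -q '^[A-Z0-9_]*=ChangeMe' "$f"; then
    echo "placeholder secret left in $f" >&2
    return 1
  fi
  token="$(sed -n 's/^OPENCTI_ADMIN_TOKEN=//p' "$f")"
  if ! echo "$token" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'; then
    echo "OPENCTI_ADMIN_TOKEN must be a UUIDv4" >&2
    return 1
  fi
}

# Elasticsearch, the OpenCTI search backend, exits at start unless the Docker
# host has vm.max_map_count >= 262144.
check_max_map_count() {
  local v
  v="$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)"
  [ "$v" -ge 262144 ]
}

# deploy DIR [ADMIN_EMAIL]: clone, generate .env, verify, start the stack.
deploy() {
  local dir="$1" email="${2:-}"
  check_max_map_count || { echo "run: sudo sysctl -w vm.max_map_count=262144" >&2; return 1; }
  git clone https://github.com/OpenCTI-Platform/docker.git "$dir"
  fill_env "$dir/.env.sample" "$dir/.env" "$email"
  check_env "$dir/.env"
  chmod 600 "$dir/.env"          # the file now holds every credential of the stack
  (cd "$dir" && docker compose up -d)
  echo "admin password: $(sed -n 's/^OPENCTI_ADMIN_PASSWORD=//p' "$dir/.env")"
}

if [ "${1:-}" = "deploy" ]; then
  deploy "${2:-opencti-docker}" "${3:-}"
fi
```

Run it as `./bootstrap.sh deploy opencti-docker soc@example.com`. The generated .env is the only copy of the admin password and of every connector token, which is why the script restricts its permissions; store it in your secrets manager and rotate the admin token from the UI once the connectors have their own users.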
Suggested configuration
Enable the MITRE ATT&CK and OpenCTI datasets connectors first: they seed the platform with techniques, intrusion sets, tools, sectors and locations that every later feed links against (the first import takes a while; it is not instant). Then add the MISP, AbuseIPDB and AlienVault OTX connectors, each running as its own user with the Connector role so a leaked connector token cannot act as admin. Set up a shared workspace per use case (ransomware, APT, commodity malware).
Integration ideas
- Bidirectional sync with MISP
- Push observables to TheHive cases
- Use Cortex analysers for enrichment
Alternatives
- MISP — Older, lighter, larger community.
Cyentrix verdict
The right pick if you want to model threat-actor relationships graphically and you have the RAM to spare for Elasticsearch. Heavier than MISP, but the UX is a generation ahead.