What is STIX/TAXII?

STIX/TAXII is a joint global initiative to drive threat intelligence sharing and collaboration among organizations.

Learning Objectives

After reading this article you will be able to:

  • Define STIX/TAXII
  • Explain common use cases for STIX/TAXII
  • Learn how STIX/TAXII improves the mitigation and prevention of cyber threats

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is STIX/TAXII?

STIX/TAXII is a global initiative designed to mitigate and prevent cyber threats. Launched in December 2016 by the United States Department of Homeland Security (DHS), the organization is now managed under OASIS, a nonprofit organization that advances the development, adoption, and convergence of open standards for the Internet.

Structured Threat Information eXpression (STIX) is a standardized language that uses a JSON-based lexicon to express and share threat intelligence information in a readable and consistent format. It is similar to how a common language can help people from different parts of the world communicate. Only instead of conversation between people, STIX enables the exchange of cyber threat information between systems. STIX provides a common syntax so users can describe threats consistently by their motivations, abilities, capabilities, and responses.

Trusted Automated eXchange of Intelligence Information (TAXII) is the format through which threat intelligence data is transmitted. TAXII is a transport protocol that supports transferring STIX insights over Hyper Text Transfer Protocol Secure (HTTPS).

One key note is that STIX and TAXII are independent standards. STIX does not rely on a specific transport method, and TAXII can be used to transport non-STIX information and data.

When used together, STIX/TAXII forms a framework for sharing and using threat intelligence, creating an open-source platform that allows users to search through records containing attack vectors details such as malicious IP addresses, malware signatures, and threat actors.

How does STIX work?

STIX works by providing a common language for describing threat indicators, incidents, and data breaches. It can be used manually or programmed using XML editor, Python and Java bindings, and Python APIs and utilities. The data is organized into STIX packages, then shared through various methods, including file exchange, APIs, or publishing to a threat intelligence platform.

STIX also provides a set of recommended vocabularies and data models, making it easier for organizations to describe common threat types and structures.

How does TAXII work?

TAXII works by defining the protocols for exchanging data, including message formats, communication protocols, and security requirements.

Two key concepts in TAXII are the collection and the channel. A collection is a set of STIX packages organized and managed by a single entity, such as a security vendor or a government agency. A channel allows organizations to access a specific collection, such as through an API, file exchange, or threat intelligence platform. A channel allows users to push data to multiple consumers.

Why is STIX/TAXII important?

STIX/TAXII is important because it enhances an organization's overall security posture by improving its ability to detect, respond to, and prevent cyber threats.

STIX/TAXII enables the following:

  1. Improve threat intelligence sharing: STIX/TAXII provides a common language for organizations to share and exchange threat intelligence.
  2. Boost threat detection and response: With a standard way to represent threat data, organizations are able to automate threat detection, analysis, and response.
  3. Increase intelligence accuracy: STIX/TAXII framework helps ensure that intelligence data is consistent, complete and accurate. It improves the quality and usefulness of threat intelligence data.
  4. Encourage collaboration: Organizations are able to share data in a secure and scalable manner, which promotes collaboration and information sharing among organizations.
  5. Automate support: The use of common language and standards in STIX/TAXII makes it easier for organizations to automate threat detection, analysis, and response processes, which results in improving efficiency and reducing the risk of human error.

What are the different ways to use STIX/TAXII?

Since its launch, STIX/TAXII has been used by agencies worldwide to improve their understanding of online threats. There are several ways to use the STIX/TAXII framework for exchanging threat intelligence data:

  1. Threat intelligence platforms: Organizations can publish and access STIX data through a threat intelligence platform that acts as a central repository for sharing and exchanging threat intelligence data.
  2. API Integrations: Threat analysts can use APIs to exchange data with other security tools and systems.
  3. File exchanges: Organizations can exchange STIX packages as files, allowing for simple data exchange between systems.
  4. Real-time data feeds: Analyst teams can leverage TAXII to subscribe to real-time data feeds from providers.
  5. Threat hunting: Security analysts can use STIX/TAXII to organize and search threat intelligence data, making identifying threats and supporting investigations easier.
  6. Automated threat detection: Security teams can use STIX/TAXII to automate the threat detection process, enabling them to quickly identify and respond to new threats.

Cloudforce One

Cloudforce One is a threat operations and research team created to track and disrupt threat actors. The team’s advanced threat intelligence capabilities allow for comprehensive coverage of all entities in the threat landscape and help organizations stay ahead of the curve and take action before any threats can cause damage.