STIX and TAXII Explained

STIX is the language for describing threat intelligence; TAXII is the protocol for sharing it. Learn how they work together to let tools and organizations exchange CTI.

STIX and TAXII are the two open standards that make automated cyber threat intelligence sharing possible. They're often mentioned together but do different jobs: STIX is the language for describing threat intelligence, and TAXII is the protocol for transporting it. A simple analogy: STIX is the document, and TAXII is the postal service that delivers it.

Both are maintained by the OASIS standards body and are free and open. Together they allow different tools, vendors and organizations to exchange threat intelligence in a consistent, machine-readable way — turning isolated knowledge into a shared defense.

What is STIX?

STIX — Structured Threat Information Expression — is a standardized language and serialization format (in JSON) for representing cyber threat intelligence. Instead of every team describing threats in free-form text, STIX provides a common structure so that information about an attack means the same thing to everyone and to every tool.

STIX is built around objects and the relationships between them. The two main categories are:

  • STIX Domain Objects (SDOs) — the "nouns" of threat intelligence, such as Threat Actor, Campaign, Malware, Attack Pattern (which maps to TTPs), Indicator, Vulnerability, Identity and Intrusion Set.
  • STIX Relationship Objects (SROs) — the connections between them, such as "this Threat Actor uses that Malware" or "this Indicator indicates that Campaign."

This graph-like model is powerful: it captures not just isolated indicators but the rich context around them — who, what, how and why — which is what separates true intelligence from raw data.

What is TAXII?

TAXII — Trusted Automated Exchange of Intelligence Information — is the application-layer protocol for exchanging STIX data over HTTPS. It defines a standard way for systems to share threat intelligence automatically, so a tool can pull (or be pushed) the latest intelligence without custom integration for every source.

TAXII organizes data into:

  • Collections — logical groupings of threat data that a client can request from a server, in a request-response model.
  • Channels — a publish-subscribe model where producers push data to subscribers.

Crucially, TAXII handles the transport only; it doesn't care what's inside, though in practice it carries STIX. It also supports the trust and access controls needed for sensitive sharing.

How they work together

In a typical workflow: a threat-intelligence producer describes a campaign as STIX objects (the threat actor, the malware they use, the indicators to watch for, and the relationships between them), then makes that STIX available through a TAXII server. Consumers' tools connect to the TAXII server, pull the STIX data into their platforms — like MISP or OpenCTI — and operationalize it, for example by pushing indicators to a SIEM. All of this happens automatically and at machine speed.
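The pull step of this workflow, as an added example (not code from the page or from any particular platform): a toy TAXII 2.1-style server and a client running in one Python process. The client does what a threat-intelligence platform does when it connects: it reads the discovery document, the API root, the collection list and finally the objects envelope, sending the `Accept: application/taxii+json;version=2.1` header the standard requires and checking the media type it gets back. The collection id, object ids, domain and timestamps are constructed placeholders, the `match[type]` query filter is the one TAXII 2.1 defines for objects endpoints, and loopback HTTP stands in for the HTTPS a real deployment uses.

```python
"""A TAXII 2.1-style collection pull with both sides in one process (constructed example)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"  # placeholder collection id

# Constructed STIX 2.1 objects held by the collection; ids and values are placeholders.
TS = "2024-01-01T00:00:00.000Z"
SAMPLE_OBJECTS = [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "created": TS, "modified": TS, "name": "Constructed C2 domain",
     "pattern": "[domain-name:value = 'c2.example.invalid']",
     "pattern_type": "stix", "valid_from": TS},
    {"type": "malware", "spec_version": "2.1",
     "id": "malware--00000000-0000-4000-8000-000000000002",
     "created": TS, "modified": TS, "name": "Constructed RAT",
     "malware_types": ["remote-access-trojan"], "is_family": True},
]


class ToyTaxiiHandler(BaseHTTPRequestHandler):
    """Serves the TAXII 2.1 endpoints a client needs for a simple read-only pull."""

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", TAXII_MEDIA)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        # TAXII requires the client to state the media type it accepts.
        if "application/taxii+json" not in self.headers.get("Accept", ""):
            return self._send(406, {"title": "Not Acceptable"})
        url = urlparse(self.path)
        if url.path == "/taxii2/":  # discovery resource
            return self._send(200, {"title": "Toy TAXII server", "api_roots": ["/api1/"]})
        if url.path == "/api1/":  # API root resource
            return self._send(200, {"title": "Root", "versions": [TAXII_MEDIA],
                                    "max_content_length": 10_000_000})
        if url.path == "/api1/collections/":  # collections resource
            return self._send(200, {"collections": [
                {"id": COLLECTION_ID, "title": "Constructed collection",
                 "can_read": True, "can_write": False, "media_types": [STIX_MEDIA]}]})
        if url.path == f"/api1/collections/{COLLECTION_ID}/objects/":  # envelope
            wanted = parse_qs(url.query).get("match[type]")  # optional type filter
            objs = [o for o in SAMPLE_OBJECTS if not wanted or o["type"] in wanted]
            return self._send(200, {"more": False, "objects": objs})
        self._send(404, {"title": "Not Found"})

    def log_message(self, *args):  # keep the demo quiet
        pass


def taxii_get(url, params=""):
    """GET a TAXII resource with the required Accept header and parse the JSON body."""
    req = Request(url + params, headers={"Accept": TAXII_MEDIA})
    with urlopen(req) as resp:
        if "application/taxii+json" not in resp.headers.get("Content-Type", ""):
            raise ValueError("server did not return a TAXII media type")
        return json.load(resp)


def pull_collection(base_url, object_type=None):
    """Walk discovery -> API root -> collections -> objects and return the STIX objects."""
    discovery = taxii_get(base_url + "/taxii2/")
    api_root = base_url + discovery["api_roots"][0]
    root_info = taxii_get(api_root)
    if TAXII_MEDIA not in root_info["versions"]:
        raise ValueError("API root does not offer TAXII 2.1")
    readable = [c for c in taxii_get(api_root + "collections/")["collections"] if c["can_read"]]
    params = f"?match[type]={object_type}" if object_type else ""
    return taxii_get(f"{api_root}collections/{readable[0]['id']}/objects/", params)["objects"]


def run_demo(object_type=None):
    """Start the toy server on a free loopback port, pull from it, and return the objects."""
    server = HTTPServer(("127.0.0.1", 0), ToyTaxiiHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return pull_collection(f"http://127.0.0.1:{server.server_address[1]}", object_type)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for obj in run_demo():
        print(obj["type"], obj["id"], obj.get("name"))
```

The envelope's `more` field is what a real client watches: when a collection holds more objects than one response carries, the server sets it to true and the client keeps requesting, typically with `added_after` set to the newest timestamp it has already seen, so a platform can poll incrementally rather than re-downloading everything.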

Why STIX and TAXII matter

  • Interoperability. Different vendors' tools can exchange intelligence because they speak a common language.
  • Automation. Sharing happens at machine speed, not via manually emailed spreadsheets.
  • Context, not just indicators. STIX's object model preserves the relationships that make intelligence actionable.
  • Community defense. Standards underpin information-sharing communities (like ISACs), so when one organization sees a threat, others can defend against it quickly.

Practical notes

You don't need to write STIX by hand — modern threat-intelligence platforms generate and consume it for you. If you're evaluating tools or feeds, STIX/TAXII support is a good sign of interoperability. And while STIX can express deep, structured intelligence, many real-world feeds use it primarily to share indicators; the richer object model is there when you're ready to model actors, campaigns and TTPs in full.

STIX in practice: a simple example

To make STIX concrete, imagine describing a small piece of intelligence: "A threat actor we track uses a particular piece of malware, and here's an indicator to detect it." In STIX, that becomes a set of connected objects:

  • A Threat Actor object representing the adversary, with properties like its name, sophistication and motivation.
  • A Malware object representing the tool, with its name and type.
  • An Indicator object containing a detection pattern — for example, a file hash or a malicious domain to watch for.
  • Relationship objects tying them together: the Threat Actor uses the Malware, and the Indicator indicates the Malware.

Each object has a unique identifier and timestamps, and the whole bundle is expressed in JSON. A receiving tool can ingest this and automatically understand not just "here's a bad hash" but the full context: which actor it belongs to, what malware it detects, and how everything relates. That context is what elevates the data from a raw indicator to genuine intelligence.
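The bundle just described, built and queried in Python as an added example (not code from the page; it uses only the standard library rather than the stix2 package). All names, the actor's motivation and the all-zero SHA-256 are constructed placeholders. `actors_behind_indicator` follows the relationships from the indicator to the malware to the actor that uses it, which is exactly the context a plain hash list cannot carry, and `check_bundle` performs the basic consistency checks a consumer should run on a received bundle before trusting it: required common properties present, id prefix matching the type, and every relationship reference resolving to an object in the bundle.

```python
"""Build the small STIX 2.1 bundle the text describes and query its relationship graph."""
import json
import uuid
from datetime import datetime, timezone


def stix_id(obj_type):
    """STIX 2.1 identifiers are '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def now_ts():
    """STIX timestamps are UTC, RFC 3339, millisecond precision, with a trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_object(obj_type, **props):
    """Common properties every STIX object carries, plus the type-specific ones."""
    ts = now_ts()
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": ts, "modified": ts, **props}


def relationship(source, target, rel_type):
    """A STIX Relationship Object linking two objects by id."""
    return stix_object("relationship", relationship_type=rel_type,
                       source_ref=source["id"], target_ref=target["id"])


def build_bundle():
    """Threat actor uses malware; indicator indicates malware (constructed placeholders)."""
    actor = stix_object("threat-actor", name="Constructed Actor",
                        threat_actor_types=["crime-syndicate"],
                        sophistication="intermediate", primary_motivation="personal-gain")
    malware = stix_object("malware", name="Constructed RAT", is_family=True,
                          malware_types=["remote-access-trojan"])
    # Placeholder SHA-256 (all zeros), not a real sample hash.
    indicator = stix_object("indicator", name="Constructed RAT dropper hash",
                            pattern_type="stix", indicator_types=["malicious-activity"],
                            pattern="[file:hashes.'SHA-256' = '" + "0" * 64 + "']",
                            valid_from=now_ts())
    objects = [actor, malware, indicator,
               relationship(actor, malware, "uses"),
               relationship(indicator, malware, "indicates")]
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def index_bundle(bundle):
    """Map every object by id so relationships can be followed in either direction."""
    return {o["id"]: o for o in bundle["objects"]}


def related(bundle, obj_id, rel_type, direction="out"):
    """Objects reached from obj_id by one relationship of rel_type.

    direction='out' follows source_ref -> target_ref; 'in' follows the reverse.
    """
    by_id = index_bundle(bundle)
    me, other = ("source_ref", "target_ref") if direction == "out" else ("target_ref", "source_ref")
    return [by_id[r[other]] for r in bundle["objects"]
            if r["type"] == "relationship" and r["relationship_type"] == rel_type
            and r[me] == obj_id]


def actors_behind_indicator(bundle, indicator_id):
    """The context a plain hash list loses: indicator -> malware -> actors that use it."""
    names = set()
    for malware in related(bundle, indicator_id, "indicates"):
        for actor in related(bundle, malware["id"], "uses", direction="in"):
            names.add(actor["name"])
    return sorted(names)


def check_bundle(bundle):
    """Consumer-side sanity checks: required fields present, id prefix matches type, refs resolve."""
    by_id = index_bundle(bundle)
    problems = []
    for o in bundle["objects"]:
        label = o.get("id", "?")
        for key in ("type", "spec_version", "id", "created", "modified"):
            if key not in o:
                problems.append(f"{label}: missing {key}")
        if "id" in o and "type" in o and not o["id"].startswith(o["type"] + "--"):
            problems.append(f"{label}: id prefix does not match type")
        if o.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in by_id:
                    problems.append(f"{label}: dangling {ref} {o.get(ref)}")
    return problems


if __name__ == "__main__":
    b = build_bundle()
    print(json.dumps(b, indent=2))
    ind = next(o for o in b["objects"] if o["type"] == "indicator")
    print("actors behind indicator:", actors_behind_indicator(b, ind["id"]))
    print("problems:", check_bundle(b))
```

The traversal works in both directions because relationships are separate objects rather than fields on the actor or the malware; that is why a receiving tool can start from whichever object it has (a hash it just saw in a SIEM alert) and still reach the actor and campaign context the producer attached.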

A note on versions

It's worth knowing that STIX has evolved. The original STIX 1.x used XML and was powerful but cumbersome. STIX 2.x — the current standard — switched to a cleaner JSON format and a simpler, more consistent object model, which is a major reason for its widespread adoption. Likewise, TAXII has matured into a straightforward HTTPS-based API. If you're evaluating tools or feeds today, STIX 2.x and TAXII 2.x support is what you're looking for.

In day-to-day work you rarely hand-craft STIX; your threat intelligence platform generates and parses it for you. But understanding the underlying model helps you appreciate why STIX-based sharing preserves so much more value than passing around plain lists of indicators — and why standards support is a key thing to look for when choosing tools and feeds. The richer the shared structure, the more your community's collective knowledge compounds.

Quick recap:

  • STIX is the standardized language for describing threat intelligence; TAXII is the protocol for transporting it.
  • STIX models intelligence as objects (threat actors, malware, indicators, vulnerabilities) and the relationships between them, preserving context.
  • TAXII exchanges that STIX data over HTTPS using collections (request-response) and channels (publish-subscribe).
  • Together they enable interoperability, automation and community defense — and STIX 2.x with TAXII 2.x is the current standard to look for.

The bottom line

STIX is the standardized language for describing threat intelligence, and TAXII is the protocol for sharing it — together they let tools and organizations exchange CTI automatically and with context. They're the connective tissue of the threat-intelligence ecosystem. To feed your STIX/TAXII pipeline with what's happening right now, our live threat intelligence feed aggregates and priority-ranks reporting from dozens of authoritative sources in real time.

Frequently asked questions

What are STIX and TAXII?

STIX (Structured Threat Information Expression) is a standardized language for describing cyber threat intelligence, and TAXII (Trusted Automated Exchange of Intelligence Information) is the protocol for transporting it. STIX is the data; TAXII is how it's delivered.

What is the difference between STIX and TAXII?

STIX defines how threat intelligence is structured and described — the objects and relationships. TAXII defines how that data is exchanged between systems over HTTPS. One is the language; the other is the delivery mechanism.

What is a STIX object?

STIX represents intelligence as objects and relationships. Domain objects (SDOs) are the "nouns" like Threat Actor, Malware, Campaign, Indicator and Vulnerability, while relationship objects (SROs) connect them, for example showing that a threat actor uses a particular piece of malware.

Why are STIX and TAXII important?

They enable interoperability and automated sharing, so different tools and organizations can exchange threat intelligence at machine speed while preserving the context that makes it actionable. They underpin information-sharing communities and community defense.