An open-source cyber threat intelligence management platform (by Filigran) that structures and visualizes CTI data using STIX2 standards. It links threat actors, TTPs, IOCs, and reports into a knowledge graph integrated with MITRE ATT&CK.

OpenCTI is an open-source cyber threat intelligence management platform developed by Filigran, designed to help organizations structure, store, and operationalize their threat intelligence using the STIX2 standard. It provides a knowledge graph that links threat actors, their tactics, techniques and procedures, associated malware families, campaign timelines, and indicators of compromise into a navigable, interconnected dataset. OpenCTI integrates natively with MITRE ATT&CK, allowing organizations to map observed adversary behavior to the framework and see where gaps exist in their detection coverage. The platform ingests threat intelligence from multiple sources simultaneously, including MISP, AlienVault OTX, and commercial feeds, deduplicating and merging overlapping data into a unified knowledge base. It also supports collaborative workflows in which multiple analysts can contribute to and validate intelligence entries.

Qevlar integrates with OpenCTI to enrich investigation findings with structured threat intelligence. When an investigation surfaces an IOC or a behavioral pattern, Qevlar can query OpenCTI to determine whether it is associated with a known threat actor, a specific campaign, or a malware family, adding strategic context to what might otherwise be a purely technical finding.