Intel-as-graph paradigm
The paradigm treats CTI as a graph problem: entities and relations are first-class, and each relation can carry evidence and time windows for defensible attribution.
OpenCTI turns threat intel from a pile of indicators into an operational knowledge-graph system. The point is not to store more IOCs, but to connect actors, infrastructure, malware, techniques, and response actions through entities, relations, and evidence so analysts can query, explain, and replay decisions. It aligns exchange on open standards like STIX and TAXII, then uses connectors to bring feeds, enrichers, sandboxes, and internal ticketing/alerting into one data plane, enabling ingest→correlate→enrich→distribute→act loops. For SOC and IR, the win is control and auditability: every claim is anchored to evidence and timelines with governance-friendly collaboration.
| ✕ Traditional Pain Points | ✓ Innovative Solutions |
|---|---|
| Intel is scattered across tools and spreadsheets; relationships live in people’s heads, making retros and audits painful. | Graph-first data modeling turns entities, relations, and evidence into queryable assets with timelines and provenance. |
| IOCs, incidents, and response actions are disconnected: enrichment is slow, work is duplicated, and handoffs rely on tribal knowledge. | Standards plus connectors wire ingest, correlation, enrichment, and distribution into an operational pipeline. |
```shell
docker --version && docker compose version
git clone https://github.com/OpenCTI-Platform/opencti.git && cd opencti && cp .env.sample .env
docker compose up -d
docker compose logs -f --tail=200
# Import a pinned STIX bundle and snapshot expected entities/relations for diffs
```

| Core Scene | Target Audience | Solution | Outcome |
|---|---|---|---|
| SOC alert correlation and faster attribution | SOC analysts | auto-correlate alert IOCs with historical entities, techniques, and context | faster triage and defensible attribution with less manual lookup |
| Threat hunting with ATT&CK mapping | hunting teams | map observations to MITRE ATT&CK techniques and attach evidence | reusable hunt assets and better detection hypotheses |
| IR collaboration with an audit loop | IR leads | centralize timelines, actions, tickets, and evidence | traceable handoffs, auditable retros, and process-backed knowledge |
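The graph model described in the paradigm paragraph above, together with the "snapshot expected entities/relations for diffs" step of the quick start, as an added example that is not OpenCTI's or the page's own code: a constructed STIX 2.1 bundle is loaded into a small in-memory graph, attribution is answered by a time-bounded traversal that returns its evidence chain, and a snapshot/diff pair shows how to detect drift after re-importing a bundle. Every identifier, name and reference in the bundle is a constructed placeholder; the only real value is the ATT&CK technique ID T1566 (Phishing). Standard library only, so it runs offline.

```python
"""Added example (not OpenCTI's code): intel-as-graph over a constructed STIX 2.1 bundle."""
import json
from datetime import datetime, timezone

# Constructed sample identifiers; illustrative placeholders, not real intel.
ACTOR = "threat-actor--11111111-1111-4111-8111-111111111111"
MALWARE = "malware--22222222-2222-4222-8222-222222222222"
TECHNIQUE = "attack-pattern--33333333-3333-4333-8333-333333333333"
INDICATOR = "indicator--44444444-4444-4444-8444-444444444444"

SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--55555555-5555-4555-8555-555555555555",
    "objects": [
        {"type": "threat-actor", "id": ACTOR, "name": "EXAMPLE-ACTOR"},
        {"type": "malware", "id": MALWARE, "name": "example-loader", "is_family": True},
        {"type": "attack-pattern", "id": TECHNIQUE, "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "indicator", "id": INDICATOR, "name": "example C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.invalid']", "valid_from": "2024-01-01T00:00:00Z"},
        # Each relation carries a time window, a confidence, and evidence references.
        {"type": "relationship", "id": "relationship--66666666-6666-4666-8666-666666666601",
         "relationship_type": "indicates", "source_ref": INDICATOR, "target_ref": MALWARE,
         "confidence": 80, "start_time": "2024-01-01T00:00:00Z", "stop_time": "2024-06-30T00:00:00Z",
         "external_references": [{"source_name": "internal-sandbox",
                                  "description": "constructed: run 42 beaconed to the domain"}]},
        {"type": "relationship", "id": "relationship--66666666-6666-4666-8666-666666666602",
         "relationship_type": "uses", "source_ref": ACTOR, "target_ref": MALWARE,
         "confidence": 60, "start_time": "2023-11-01T00:00:00Z",
         "external_references": [{"source_name": "vendor-report",
                                  "description": "constructed: placeholder report"}]},
        {"type": "relationship", "id": "relationship--66666666-6666-4666-8666-666666666603",
         "relationship_type": "uses", "source_ref": MALWARE, "target_ref": TECHNIQUE, "confidence": 70},
    ],
}


def parse_time(ts):
    """Parse the STIX timestamp form used in this sample into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(rel, at):
    """A relation applies at time `at` unless its start_time/stop_time exclude it."""
    if "start_time" in rel and at < parse_time(rel["start_time"]):
        return False
    if "stop_time" in rel and at > parse_time(rel["stop_time"]):
        return False
    return True


class IntelGraph:
    def __init__(self, bundle):
        objs = bundle["objects"]
        self.nodes = {o["id"]: o for o in objs if o["type"] != "relationship"}
        self.edges = [o for o in objs if o["type"] == "relationship"]

    def neighbors(self, node_id, rel_type, at, incoming=False):
        """Yield (other_id, relation) for rel_type relations touching node_id and valid at `at`."""
        for rel in self.edges:
            if rel["relationship_type"] != rel_type or not in_window(rel, at):
                continue
            if not incoming and rel["source_ref"] == node_id:
                yield rel["target_ref"], rel
            elif incoming and rel["target_ref"] == node_id:
                yield rel["source_ref"], rel

    def attribute(self, indicator_id, observed_at):
        """Walk indicator -indicates-> malware <-uses- threat-actor, keeping only relations
        whose windows cover the observation, and return each hit with its evidence chain."""
        hits = []
        for mal_id, r1 in self.neighbors(indicator_id, "indicates", observed_at):
            for actor_id, r2 in self.neighbors(mal_id, "uses", observed_at, incoming=True):
                if self.nodes[actor_id]["type"] != "threat-actor":
                    continue
                hits.append({
                    "actor": self.nodes[actor_id]["name"],
                    "via_malware": self.nodes[mal_id]["name"],
                    # A chain is as strong as its weakest link; missing confidence counts as 0.
                    "confidence": min(r1.get("confidence", 0), r2.get("confidence", 0)),
                    "evidence": [ref for rel in (r1, r2) for ref in rel.get("external_references", [])],
                })
        return hits

    def snapshot(self):
        """Order- and ID-independent view of entities and relations, for diffing after an import."""
        def name(oid):
            return self.nodes[oid]["name"]
        return {
            "entities": sorted((o["type"], o["name"]) for o in self.nodes.values()),
            "relations": sorted((name(r["source_ref"]), r["relationship_type"], name(r["target_ref"]))
                                for r in self.edges),
        }


def diff_snapshots(expected, actual):
    """Entities and relations added or removed between two snapshots."""
    return {key: {"added": sorted(set(actual[key]) - set(expected[key])),
                  "removed": sorted(set(expected[key]) - set(actual[key]))}
            for key in ("entities", "relations")}


if __name__ == "__main__":
    g = IntelGraph(SAMPLE_BUNDLE)
    print(json.dumps(g.attribute(INDICATOR, parse_time("2024-03-01T00:00:00Z")), indent=2))
    # The same indicator seen after the 'indicates' window closed yields no attribution, by design.
    print(g.attribute(INDICATOR, parse_time("2024-09-01T00:00:00Z")))
```

The snapshot deliberately keys on names and relation types rather than STIX IDs, so a re-import that regenerates IDs still compares equal, while a dropped or new relation shows up in the diff. The attribution walk returns an empty list when the observation falls outside a relation's time window, which is the behaviour a defensible timeline needs: an old link should not silently attribute a new sighting.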