Features

Knowledge graph

The whole platform relies on a knowledge hypergraph that supports hyper-entities and hyper-relationships, including nested relationships.

Unified and consistent data model

From the operational to the strategic level, all information is linked through a unified and consistent data model based on the STIX2 standards.

By-design sourcing of data origin

Every relationship between entities has time-based and space-based attributes and must be sourced by a report with a specific confidence level.

Exploration and correlation

The whole dataset can be explored with analytics and correlation engines, including many visualization plugins as well as MapReduce and Pregel computations.

Automated reasoning

The database engine performs logical inference through deductive reasoning in order to derive implicit facts and associations in real time.

Data access management

Data access is fully controlled through groups whose permissions are based on granular markings on both entities and relationships.

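The sourcing and marking rules above (every relationship is time-bounded, carries a confidence, is covered by a marking and is referenced by a report) can be expressed directly in STIX 2.1. The following is an added example, not OpenCTI code: it builds a small constructed bundle with plain dictionaries and checks the sourcing invariant; all names, dates and ids are constructed, and spatial attributes are left out.

```python
import uuid
from datetime import datetime, timezone

# Single timestamp for every object created in this constructed bundle.
TS = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def obj(stix_type, **props):
    """Constructed STIX 2.1 object with a fresh id (OpenCTI assigns its own ids)."""
    return {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--{uuid.uuid4()}", "created": TS, **props}

def build_bundle():
    # The marking drives data access: every entity and relationship carries it.
    amber = obj("marking-definition", definition_type="tlp", definition={"tlp": "amber"})
    marks = {"object_marking_refs": [amber["id"]]}
    intrusion_set = obj("intrusion-set", modified=TS, name="Constructed Intrusion Set", **marks)
    malware = obj("malware", modified=TS, name="Constructed Malware", is_family=True, **marks)
    # Time-bounded relationship with a confidence score (0-100 in STIX 2.1).
    uses = obj("relationship", modified=TS, relationship_type="uses",
               source_ref=intrusion_set["id"], target_ref=malware["id"],
               start_time="2024-01-10T00:00:00.000Z", stop_time="2024-03-02T00:00:00.000Z",
               confidence=70, **marks)
    # The report is the primary source: it references every object it sources.
    report = obj("report", modified=TS, name="Constructed vendor report",
                 report_types=["threat-report"], published="2024-03-05T00:00:00.000Z",
                 object_refs=[intrusion_set["id"], malware["id"], uses["id"]], **marks)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [amber, intrusion_set, malware, uses, report]}

def unsourced_relationships(bundle):
    """Ids of relationships that no report references, that lack a confidence
    value, or that carry no marking: each would break the by-design sourcing rule."""
    sourced = set()
    for o in bundle["objects"]:
        if o["type"] == "report":
            sourced.update(o.get("object_refs", []))
    return [o["id"] for o in bundle["objects"]
            if o["type"] == "relationship"
            and (o["id"] not in sourced
                 or "confidence" not in o
                 or not o.get("object_marking_refs"))]

if __name__ == "__main__":
    print(unsourced_relationships(build_bundle()))  # [] for the constructed bundle
```

Running the check over a real export before ingestion is a cheap way to catch relationships whose report reference or confidence was dropped by a connector.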
Technologies

Unified platform

Manage all levels of cyber threat intelligence

Main goals

Knowledge management

The first purpose of the OpenCTI platform is to provide a powerful knowledge management database with an enforced schema tailored specifically for cyber threat intelligence and cyber operations.

With multiple tools and viewing capabilities, analysts can explore the whole dataset by pivoting on the platform between entities and relations. Since relations can carry multiple context attributes, it is easy to have several levels of context for a given entity.

Data visualization

OpenCTI allows analysts to easily visualize any entity and its relationships. Multiple views are available, as well as an analytics system based on dynamic widgets. For instance, users can compare the victimology of two different intrusion sets.

In the future, the OpenCTI roadmap includes the development of a full investigation capability, allowing analysts to explore the whole knowledge graph by pivoting on entities in a unified space.

Observables context

The goal is to create a comprehensive tool that lets users capture technical information (such as TTPs and observables) and non-technical information (such as suggested attribution, victimology, etc.) while linking each piece of information to its primary source (a report, a MISP event, etc.).

All observables are linked to threats with all the information analysts need to fully understand the situation: the role played by the observable in the threat, the source of the information and the malicious behavior score.