OpenCTI (Open Cyber Threat Intelligence) is an open-source platform for structuring, storing, and visualising cyber threat intelligence (CTI). It is not a threat modelling framework in itself, but it plays a strong supporting role by supplying real-world intelligence to methodologies such as PASTA, to MITRE ATT&CK-based analysis, and to custom models.
🔧 What Does OpenCTI Do?
- Aggregates threat data through connectors to sources such as MISP, MITRE ATT&CK, VirusTotal, and many others
- Structures everything as STIX 2.1 (Structured Threat Information Expression) objects and relationships, so data imported from different feeds shares one schema
- Lets analysts model attack campaigns, TTPs, IOCs, threat actors, and vulnerabilities as first-class entities
- Links CTI entities with typed relationships (for example, an intrusion set "uses" an attack pattern, an indicator "indicates" a threat actor) to build narratives that drive threat modelling, IR planning, and SOC enrichment
📌 Use Cases in Threat Modelling
- Populate ATT&CK matrices with actual actor techniques
- Support scenario-based modelling in PASTA using historical CTI
- Enrich assets in your threat model with real-world IOCs and attack patterns
- Provide strategic context (who’s attacking whom, and why)
🔗 Integration & Automation
- Works with platforms such as TheHive, MISP, Elastic, Splunk, and other SIEMs through its connector framework
- Supports custom ingestion pipelines via its GraphQL API and Python client, and can power dashboards for SOC and CTI teams
- Carries confidence and score values on objects and indicators, so downstream tooling can prioritise automatically and attach actor and technique context to alerts
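The two workflows above (turning linked CTI entities into ATT&CK coverage per actor, and using indicators to contextualise alerts) are easier to see with data in hand. The following is an added example, not code from the OpenCTI project: it builds a small STIX 2.1 bundle of the shape OpenCTI ingests and exports, using only the Python standard library rather than the `stix2` or `pycti` packages, then derives actor-to-technique coverage from the "uses" relationships and enriches constructed log lines against the bundle's indicators. The actor name, technique IDs, the `c2.example.invalid` domain, and the `key=value` log format are all constructed for the example; only the single-equality STIX pattern shape used here is parsed.

```python
"""Constructed STIX 2.1 sample of the kind OpenCTI ingests, plus two consumers:
ATT&CK coverage per actor, and indicator-based enrichment of sample log lines."""
import json
import re
import uuid
from datetime import datetime, timezone


def _now() -> str:
    # STIX 2.1 timestamp: UTC, RFC 3339, millisecond precision, trailing 'Z'
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_sdo(obj_type: str, **props) -> dict:
    """STIX Domain Object with the common required properties; id is type--UUIDv4."""
    ts = _now()
    sdo = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": ts, "modified": ts}
    sdo.update(props)
    return sdo


def make_attack_pattern(name: str, technique_id: str) -> dict:
    """ATT&CK technique as an attack-pattern; the 'mitre-attack' external
    reference is how the technique ID travels with the object."""
    url = f"https://attack.mitre.org/techniques/{technique_id.replace('.', '/')}/"
    return make_sdo("attack-pattern", name=name, external_references=[
        {"source_name": "mitre-attack", "external_id": technique_id, "url": url}])


def make_relationship(rel_type: str, source: dict, target: dict, confidence: int) -> dict:
    return make_sdo("relationship", relationship_type=rel_type, source_ref=source["id"],
                    target_ref=target["id"], confidence=confidence)


def build_sample_bundle() -> dict:
    """Constructed sample (not real intelligence): a fictitious intrusion set,
    two techniques it uses, and one indicator that points back at it."""
    actor = make_sdo("intrusion-set", name="EXAMPLE-ACTOR-1")
    t1566 = make_attack_pattern("Phishing", "T1566")
    t1059 = make_attack_pattern("Command and Scripting Interpreter: PowerShell", "T1059.001")
    ioc = make_sdo("indicator", name="Sample C2 domain", pattern_type="stix",
                   pattern="[domain-name:value = 'c2.example.invalid']", valid_from=_now())
    objects = [actor, t1566, t1059, ioc,
               make_relationship("uses", actor, t1566, 80),
               make_relationship("uses", actor, t1059, 60),
               make_relationship("indicates", ioc, actor, 70)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def attack_coverage(bundle: dict, min_confidence: int = 0) -> dict:
    """Actor name -> sorted ATT&CK technique IDs reached via 'uses' relationships.
    Links below min_confidence are dropped so weak reporting does not inflate the matrix."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    coverage = {}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        if rel.get("confidence", 0) < min_confidence:
            continue
        src, dst = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if not src or not dst or dst["type"] != "attack-pattern":
            continue  # dangling ref, or a 'uses' of malware/tool rather than a technique
        tids = [r["external_id"] for r in dst.get("external_references", [])
                if r.get("source_name") == "mitre-attack"]
        coverage.setdefault(src["name"], set()).update(tids)
    return {name: sorted(tids) for name, tids in coverage.items()}


# Only the single-equality pattern shape used above is parsed (no full STIX pattern grammar).
_DOMAIN_PATTERN = re.compile(r"^\[domain-name:value = '([^']+)'\]$")

# Constructed key=value log lines, not from any real system.
SAMPLE_LOGS = [
    "ts=2024-01-01T00:00:00Z src=10.0.0.5 dst_domain=c2.example.invalid action=allow",
    "ts=2024-01-01T00:00:01Z src=10.0.0.6 dst_domain=updates.example.invalid action=allow",
]


def enrich_alerts(bundle: dict, log_lines: list) -> list:
    """Attach actor and technique context to log lines whose dst_domain matches an indicator."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    ioc_index = {}
    for o in bundle["objects"]:
        m = _DOMAIN_PATTERN.match(o.get("pattern", "")) if o["type"] == "indicator" else None
        if m:
            ioc_index[m.group(1)] = o
    coverage = attack_coverage(bundle)
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        ind = ioc_index.get(fields.get("dst_domain"))
        if ind is None:
            continue
        actors = sorted(by_id[r["target_ref"]]["name"] for r in bundle["objects"]
                        if r["type"] == "relationship" and r["relationship_type"] == "indicates"
                        and r["source_ref"] == ind["id"] and r["target_ref"] in by_id)
        techniques = sorted({t for a in actors for t in coverage.get(a, [])})
        hits.append({"line": line, "indicator": ind["name"], "actors": actors,
                     "techniques": techniques})
    return hits


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(json.dumps(bundle["objects"][0], indent=2))
    print(attack_coverage(bundle))
    print(attack_coverage(bundle, min_confidence=70))
    print(json.dumps(enrich_alerts(bundle, SAMPLE_LOGS), indent=2))
```

The `min_confidence` threshold is the part worth keeping when you wire this to a real export: a matrix built from every "uses" edge in a large instance will light up far more cells than the evidence supports, and the confidence value on each relationship is the handle OpenCTI gives you to filter it. Against a live instance, the bundle would come from the platform's STIX export rather than `build_sample_bundle()`, and the pattern matching would be replaced by the platform's own indicator decay and matching features.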
🔗 Learn More
- GitHub: https://github.com/OpenCTI-Platform
- Docs: https://www.opencti.io/docs
- Demo: https://demo.opencti.io
- Community: https://opencti.io
✅ Summary
While OpenCTI is not a traditional threat modelling framework, it serves as a critical intelligence backbone. By integrating OpenCTI with your modelling efforts, you ensure that your threat models are grounded in current, relevant, and adversary-specific intelligence — not just theoretical threats.