STIX is the format. MISP is the platform. The two together are how most CTI teams share intelligence between organisations, vendors, and ISACs.
STIX — the data format
STIX (Structured Threat Information eXpression) is an OASIS standard for describing threats in a machine-readable way. STIX 2.1 is the current version. It models the world as objects and relationships:
- Indicators — IOCs with a STIX pattern that says "this is a malicious thing to look for".
- Threat actors — named adversaries.
- Malware, tools, attack patterns — what they use.
- Identities, locations, vulnerabilities — who, where, what they target.
- Relationships — "actor X uses malware Y", "campaign Z targets sector W".
A STIX bundle is a JSON object containing those building blocks. Any STIX-capable platform can ingest it. Most CTI platforms produce STIX bundles per cluster, per incident, or per campaign.
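Added example (not code from the original page or from ThreatCluster): building a small STIX 2.1 bundle by hand with only the Python standard library, then reading it back the way a consuming platform would, resolving the relationship and marking references and pulling the raw IOC values out of the indicator's pattern. The identity, malware name, IP address and hash are constructed sample data (the hash is the SHA-256 of the empty string, used as a placeholder), and the TLP marking is generated locally rather than using the fixed ids the spec publishes for TLP.

```python
"""Build and parse a minimal STIX 2.1 bundle using only the standard library.
All names, hashes and ids below are constructed sample data."""
import json
import re
import uuid
from datetime import datetime, timezone


def _now():
    # STIX 2.1 timestamps are UTC, millisecond precision, trailing Z.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sdo(obj_type, **props):
    """Common properties every STIX Domain Object carries."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}",
           "created": _now(), "modified": _now()}
    obj.update(props)
    return obj


def build_bundle():
    """Identity, TLP marking, malware, indicator and the relationship tying them together."""
    producer = _sdo("identity", name="Example CTI Team", identity_class="organization")
    # The spec publishes fixed ids for the TLP markings; this one is generated locally so the
    # example needs no lookup table (assumption: the consumer accepts an in-bundle definition).
    tlp_amber = {"type": "marking-definition", "spec_version": "2.1",
                 "id": f"marking-definition--{uuid.uuid4()}", "created": _now(),
                 "created_by_ref": producer["id"], "definition_type": "tlp",
                 "name": "TLP:AMBER", "definition": {"tlp": "amber"}}
    malware = _sdo("malware", name="Example.Loader", is_family=True,
                   malware_types=["downloader"], created_by_ref=producer["id"],
                   object_marking_refs=[tlp_amber["id"]])
    # Placeholder hash: SHA-256 of the empty string, not a real sample.
    sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    indicator = _sdo("indicator", name="Example.Loader dropper",
                     indicator_types=["malicious-activity"], pattern_type="stix",
                     pattern=f"[file:hashes.'SHA-256' = '{sha256}'] OR [ipv4-addr:value = '198.51.100.7']",
                     valid_from=_now(), created_by_ref=producer["id"],
                     object_marking_refs=[tlp_amber["id"]])
    rel = _sdo("relationship", relationship_type="indicates",
               source_ref=indicator["id"], target_ref=malware["id"],
               created_by_ref=producer["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [producer, tlp_amber, malware, indicator, rel]}


# One comparison expression inside a STIX pattern: object path, operator, single-quoted value.
_COMPARISON = re.compile(r"([\w\-]+:[^\s=!<>]+)\s*(=|!=|LIKE|MATCHES)\s*'((?:[^'\\]|\\.)*)'")


def extract_iocs(bundle):
    """Return (indicator id, object path, value) for every comparison in every STIX pattern."""
    iocs = []
    for obj in bundle["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            for path, _op, value in _COMPARISON.findall(obj["pattern"]):
                iocs.append((obj["id"], path, value))
    return iocs


def summarize(bundle):
    """Resolve relationship and marking references to names, as a platform would display them."""
    by_id = {o["id"]: o for o in bundle["objects"]}

    def label(obj_id):
        return by_id[obj_id].get("name", obj_id)

    relations = [f"{label(o['source_ref'])} {o['relationship_type']} {label(o['target_ref'])}"
                 for o in bundle["objects"] if o["type"] == "relationship"]
    markings = {o["id"]: sorted({by_id[m]["name"] for m in o["object_marking_refs"]})
                for o in bundle["objects"] if o.get("object_marking_refs")}
    return {"relations": relations, "markings": markings}


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print(extract_iocs(bundle))
    print(summarize(bundle))
```

The regex only handles the simple comparison form of the pattern language; real feeds also carry observation operators and qualifiers (FOLLOWEDBY, WITHIN, REPEATS), so a production consumer should use a proper STIX pattern parser rather than extend this.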
TAXII — the way STIX moves
TAXII is the transport layer that ships STIX between systems. If STIX is the email, TAXII is the SMTP. Most teams interact with it as a REST API: a TAXII server exposes collections of STIX objects, and a client polls them.
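Added example (not code from the original page or from any TAXII server or client project): a minimal TAXII 2.1 poller that requests a collection's objects endpoint with the versioned Accept header, passes an added_after filter, and follows the envelope's more/next pagination until the server says there is nothing further. The API root, collection id and the two-page server response are constructed, and the fetch function is injectable so the example runs offline against that fake server.

```python
"""Poll a TAXII 2.1 collection, following envelope pagination (more/next).
The server responses below are constructed sample data so the code runs offline."""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# TAXII 2.1 servers expect the versioned media type in Accept.
TAXII_ACCEPT = "application/taxii+json;version=2.1"


def http_get(url, headers):
    """Real transport: GET the URL and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def poll_collection(api_root, collection_id, added_after=None, auth=None,
                    fetch=http_get, max_pages=1000):
    """Return every object in the collection, walking pages until the server reports more=false."""
    headers = {"Accept": TAXII_ACCEPT}
    if auth:
        headers["Authorization"] = auth
    base = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    params = {"added_after": added_after} if added_after else {}
    objects, next_token = [], None
    for _ in range(max_pages):
        query = dict(params, **({"next": next_token} if next_token else {}))
        url = base + ("?" + urlencode(query) if query else "")
        envelope = fetch(url, headers)
        objects.extend(envelope.get("objects", []))
        # A server that says more=true but omits next would loop forever; stop instead.
        if not envelope.get("more") or not envelope.get("next"):
            break
        next_token = envelope["next"]
    return objects


# Constructed two-page response set standing in for a TAXII server.
_FAKE_PAGES = {
    None: {"more": True, "next": "cursor-2", "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2024-01-02T00:00:00.000Z", "modified": "2024-01-02T00:00:00.000Z",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.invalid']",
         "valid_from": "2024-01-02T00:00:00.000Z"}]},
    "cursor-2": {"more": False, "objects": [
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000002",
         "created": "2024-01-02T00:00:00.000Z", "modified": "2024-01-02T00:00:00.000Z",
         "name": "Example.Loader", "is_family": True}]},
}
REQUEST_LOG = []


def fake_fetch(url, headers):
    """Offline stand-in for http_get: serves _FAKE_PAGES keyed by the next cursor."""
    REQUEST_LOG.append(url)
    if headers.get("Accept") != TAXII_ACCEPT:
        raise ValueError("request is missing the TAXII 2.1 Accept header")
    cursor = parse_qs(urlparse(url).query).get("next", [None])[0]
    return _FAKE_PAGES[cursor]


if __name__ == "__main__":
    got = poll_collection("https://taxii.example.invalid/api1", "collection-1",
                          added_after="2024-01-01T00:00:00.000Z", fetch=fake_fetch)
    print(len(got), "objects over", len(REQUEST_LOG), "requests")
```

Persist the newest added timestamp (or the last cursor) between runs and pass it back as added_after so each poll only pulls what changed; the max_pages bound and the missing-next check keep a misbehaving server from pinning the client in a loop.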
MISP — the platform
MISP (Malware Information Sharing Platform) is open-source software that lets organisations store, enrich, and share threat intelligence. It pre-dates STIX 2 and uses its own JSON event format, but it speaks STIX too, so the two ecosystems interoperate.
What MISP gives you out of the box:
- A web UI for analysts to record events and indicators.
- A community model: communities of organisations share events with each other, with TLP markings to control redistribution.
- A feeds system — subscribe to external sources like ThreatCluster, and the indicators land in MISP automatically.
- Enrichment modules for VirusTotal, Shodan, Passive DNS, etc.
How ThreatCluster fits
ThreatCluster ships a public MISP feed at /misp/manifest.json — drop it into any MISP instance under Sync Actions → Feeds. Every cluster is also exportable as a STIX 2.1 bundle (TLP-marked) from the cluster page or via the API.
When you'd use one over the other
- If your downstream tool speaks STIX/TAXII natively (OpenCTI, Anomali, ThreatConnect): use STIX bundles.
- If your team has a MISP instance and shares with ISACs or sector partners: use the MISP feed.
- If you're feeding a SIEM: a simple JSON or CSV IOC export is usually easier than full STIX.