OpenCTI Revolution: 9 Positive Impacts on Your Security


Introduction

OpenCTI is rapidly transforming how organizations manage and visualize cyber threat intelligence.
From the moment you deploy OpenCTI, you gain a centralized, open-source hub for collecting, analyzing, and sharing threat data.
This guide provides a detailed exploration of this open-source CTI platform, offering actionable insights for Linux users, cybersecurity professionals, and tech enthusiasts.
You will discover how this cybersecurity tool empowers you to stay ahead of evolving threats, automate intelligence workflows, and integrate seamlessly with your security stack.
Let us dive deep into the world of OpenCTI and unlock its full potential.

What is OpenCTI?

OpenCTI stands for Open Cyber Threat Intelligence.
It is an open-source platform designed to centralize, structure, and visualize both technical and non-technical threat intelligence.
Developed by Filigran, it provides a robust knowledge graph, allowing users to interlink indicators, campaigns, threat actors, TTPs (Tactics, Techniques, and Procedures), and more.
The platform is built on modern standards, such as STIX2, ensuring interoperability and future-proofing your threat intelligence workflows.
This tool is trusted by SOCs, CERTs, and security teams worldwide for its flexibility, extensibility, and real-time analysis capabilities.

Core Architecture and Technology

At the heart of OpenCTI is a modular, scalable architecture.
The backend is powered by a GraphQL API, enabling precise and efficient data queries.
The frontend is a user-friendly web application that makes navigating complex intelligence data intuitive.
The knowledge schema is based on STIX2, which is the industry standard for sharing threat intelligence.
This ensures that data can be easily imported, exported, and integrated with other CTI platforms.
It supports Docker, manual installation, Terraform, and Helm charts for deployment, providing flexibility to scale as your needs evolve.

GraphQL API Example:

query {
    threatActors {
        edges {
            node {
                name
                description
                first_seen
                last_seen
                confidence
            }
        }
    }
}

This GraphQL query retrieves threat actor details through the same connection (edges/node) structure used for every OpenCTI entity list, and it shows how the API lets you request only the fields you need, which keeps automation scripts fast and their responses small.

Key Features of OpenCTI

  • Knowledge Graph: Visualize relationships between indicators, actors, campaigns, and more.
  • Temporal Tracking: Track first and last seen dates for every entity.
  • Confidence Levels: Assign and visualize confidence scores to intelligence items.
  • MITRE ATT&CK Integration: Map threats using the ATT&CK framework for standardized analysis.
  • Custom Datasets: Import sector-specific or proprietary data for tailored intelligence.
  • Import/Export: Work with CSV, STIX2 bundles, and other formats for maximum interoperability.
  • Connectors: Automate data exchange with tools like MISP, TheHive, and SIEMs.
  • Dashboards & Reporting: Create custom dashboards and generate actionable reports.
  • Subscriptions & Alerts: Receive real-time notifications about new threats, changes, or trends.
  • Role-Based Access: Control data visibility and actions with granular permissions.

Deployment Methods

OpenCTI offers several ways to get up and running:

  • Docker: The recommended method for most users. Deploy OpenCTI and its dependencies with a single command.
  • Manual Installation: For those who want complete control over every component.
  • Terraform & Helm Charts: Ideal for cloud-native and Kubernetes environments.

Here is a simple Docker deployment example, run from the directory that contains OpenCTI's docker-compose.yml:

docker-compose up -d

This command spins up OpenCTI and all required services, making it easy to scale and manage.

Manual Installation Guide

If you need a custom setup, manual installation is the best option. This method provides full control over every component and configuration, making it ideal for Linux users who want to understand each step and tailor the deployment to their specific environment.

System Requirements

  • 64-bit Linux OS (Ubuntu 22.04 LTS recommended)
  • Minimum RAM: 8 GB (16 GB or more for production)
  • At least 4 CPU cores
  • 150 GB free disk space
  • Stable network connection

Prerequisites

Update your system and install essential build tools:

sudo apt-get update
sudo apt-get install build-essential nodejs npm python3 python3-pip python3-dev wget tar

Download the Platform Files

Visit the official GitHub releases page and download the latest archive suitable for your OS.
For Debian-based systems, use:

mkdir ~/threat-intel-platform && cd ~/threat-intel-platform
wget https://github.com/OpenCTI-Platform/opencti/releases/download/{VERSION}/opencti-release-{VERSION}.tar.gz
tar xvfz opencti-release-{VERSION}.tar.gz

Replace {VERSION} with your chosen version number.

Install Dependencies

The platform requires several backend services:

  • PostgreSQL
  • Redis
  • Elasticsearch
  • RabbitMQ

Install each using the package manager:

sudo apt-get install postgresql redis-server rabbitmq-server
# For Elasticsearch, follow the official documentation for your OS.

Record the host, port, username, and password for each service for later configuration.

Configure the Application

Move to the extracted directory and set up configuration files:

cp config/production.json.sample config/production.json
nano config/production.json

Update the database, Redis, RabbitMQ, and Elasticsearch settings as needed, and set the admin email and password here.
Because this file holds the admin credentials and service passwords, choose a strong, unique admin password and restrict the file's permissions to the account that runs the platform.

Worker Setup

Workers handle background processing and data ingestion.
Enter the worker directory and install dependencies:

cd worker
pip3 install -r requirements.txt
cp config.yml.sample config.yml
nano config.yml

Update config.yml with the API token and connection details.
Start as many worker processes as your hardware can handle:

python3 worker.py &
python3 worker.py &

Start the Platform

From the top-level directory, launch the platform:

npm install
npm run build
npm run start

By default the web interface listens on http://localhost:4000; open that address to see the dashboard.

Login and Initial Steps

Open your browser and go to http://localhost:4000.
Log in using the credentials set in your configuration file.
The dashboard will guide you through connecting data sources and customizing your workspace.

Troubleshooting

  • Check that all services (PostgreSQL, Redis, Elasticsearch, RabbitMQ) are running and accessible.
  • Review logs in the application and worker directories for errors.
  • Ensure all configuration files are correct.
  • If you hit memory errors, allocate more RAM or adjust Elasticsearch JVM settings.
  • Verify your database credentials and network connectivity.
  • Confirm that the correct versions of Node.js and Python are installed.
  • Check that required ports (e.g., 4000, 5432, 6379, 9200, 5672) are open and not blocked by a firewall.
  • Restart all backend services after making configuration changes.
  • Ensure Elasticsearch has enough disk space and is not in read-only mode.
  • Update all system packages and dependencies to the latest versions.
  • Test connectivity between the app and each backend service using command-line tools (e.g., psql, redis-cli).
  • Clear the application cache if UI changes are not reflected.
  • Check for duplicate or conflicting worker processes.
  • Review API tokens and permissions for worker connections.
  • Look for syntax errors in JSON or YAML configuration files.
  • Monitor CPU and memory usage to identify resource bottlenecks and optimize system performance.
  • Ensure the correct Python virtual environment is activated before installing dependencies.
  • Reinstall npm packages if build or start commands fail.
  • Verify that the correct Elasticsearch version is installed (as required by the platform).
  • Check RabbitMQ user permissions and vhost configuration.
  • Inspect browser console logs for frontend errors.
  • Increase logging verbosity for more detailed troubleshooting information.
  • Read the official OpenCTI documentation for troubleshooting guidance.
  • Disable SELinux or AppArmor only as a diagnostic step if they are blocking service communication; once the blocked access is confirmed, add a policy exception and re-enable them rather than leaving enforcement off.
  • Seek help from the community forums or GitHub if the issue persists, and provide detailed logs.
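Before reading application logs, it helps to confirm that every backend port from the checklist above actually accepts connections. The following script is an added example, not part of the original article or the OpenCTI project; it assumes all services run on the local host and use the default ports listed above.

```python
"""Added example: check that each backend service port is reachable."""
import socket

# Default ports from the troubleshooting checklist above; hosts are assumed
# to be local (adjust the tuple if a service runs on another machine).
SERVICES = {
    "OpenCTI web": ("127.0.0.1", 4000),
    "PostgreSQL": ("127.0.0.1", 5432),
    "Redis": ("127.0.0.1", 6379),
    "Elasticsearch": ("127.0.0.1", 9200),
    "RabbitMQ": ("127.0.0.1", 5672),
}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all mean "not ready"
        return False


def check_services(services=SERVICES):
    """Map each service name to whether its port currently accepts connections."""
    return {name: port_open(host, port) for name, (host, port) in services.items()}


if __name__ == "__main__":
    for name, ok in check_services().items():
        print(f"{'OK  ' if ok else 'DOWN'} {name}")
```

A DOWN entry points you at the service to restart or the firewall rule to fix before touching the OpenCTI configuration.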

Integration Ecosystem

OpenCTI shines when integrated with other security tools.
It supports connectors for:

  • MISP: Automate threat feed ingestion and sharing.
  • TheHive: Link incident response cases directly to intelligence data.
  • MITRE ATT&CK: Enrich your knowledge base with ATT&CK tactics and techniques.
  • SIEMs, EDR, XDR: Feed actionable intelligence into detection and response systems.
  • Custom Connectors: Build your own integrations using the OpenCTI API.

This ecosystem ensures your threat intelligence flows across your entire security stack, boosting detection and response.

OpenCTI Use Cases

It is versatile and adapts to many scenarios:

  • Central Threat Intelligence Repository: Store, organize, and visualize all CTI in one place.
  • Detection-as-Code: Generate feeds for SIEMs, EDRs, firewalls, and proxies.
  • Incident Response: Link artifacts, observables, and cases to threat actors and campaigns.
  • Vulnerability Management: Track vulnerabilities, affected assets, and related threats.
  • Reporting and Dashboarding: Build custom widgets to monitor KPIs and trends.
  • Collaboration: Share intelligence securely within and between organizations.

Working with OpenCTI: Practical Examples

Let’s see OpenCTI in action with some practical workflows.
Suppose you want to import a threat feed and correlate it with ongoing incidents.
You can use the MISP connector to automatically ingest threat indicators.
With the GraphQL API, you can query for recent threat actor activity and visualize relationships in the knowledge graph.
If you need to export a report for your SOC, use the built-in export tools to generate a STIX2 bundle or CSV file.

Here is a Python snippet for interacting with the API:

import requests

# GraphQL query for indicators; OpenCTI returns lists as connections (edges/node).
query = '''
query {
    indicators {
        edges {
            node {
                name
                pattern
                valid_from
            }
        }
    }
}
'''

# Send the query to the GraphQL endpoint, authenticating with an OpenCTI API token.
response = requests.post(
    'https://your-opencti-instance/graphql',
    json={'query': query},
    headers={'Authorization': 'Bearer YOUR_API_TOKEN'},
    timeout=30,
)
response.raise_for_status()  # fail loudly on HTTP errors instead of printing an error page
print(response.json())

This code fetches indicators from OpenCTI and is a natural starting point for automation and integration scripts on Linux.
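The indicators returned by the query above are only useful to a SIEM once their STIX patterns are flattened into plain values and stale entries are dropped, which is the "Detection-as-Code" use case from earlier. The following is an added example, not code from the original article or from the OpenCTI project; it assumes the request has already been made (as in the snippet above), that the query also asks for the valid_until and revoked fields, and uses a constructed payload in the shape response.json() returns.

```python
"""Added example: flatten indicators from the OpenCTI indicators query into
a feed for a SIEM, dropping revoked and expired entries (Detection-as-Code)."""
import re
from datetime import datetime

# Constructed sample shaped like response.json() for the query above; the
# valid_until and revoked fields are assumed to be added to that query.
SAMPLE_PAYLOAD = {"data": {"indicators": {"edges": [
    {"node": {"name": "C2 server", "pattern": "[ipv4-addr:value = '198.51.100.7']",
              "valid_from": "2024-01-10T00:00:00.000Z", "valid_until": "2030-01-01T00:00:00.000Z", "revoked": False}},
    {"node": {"name": "Old phishing domain", "pattern": "[domain-name:value = 'phish.example']",
              "valid_from": "2019-05-01T00:00:00.000Z", "valid_until": "2020-05-01T00:00:00.000Z", "revoked": False}},
    {"node": {"name": "Dropper", "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
              "valid_from": "2024-03-01T00:00:00.000Z", "valid_until": "2030-01-01T00:00:00.000Z", "revoked": False}},
    {"node": {"name": "Withdrawn", "pattern": "[ipv4-addr:value = '192.0.2.1']",
              "valid_from": "2024-03-01T00:00:00.000Z", "valid_until": "2030-01-01T00:00:00.000Z", "revoked": True}},
    {"node": {"name": "Scanner pair", "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '203.0.113.10']",
              "valid_from": "2024-06-01T00:00:00.000Z", "valid_until": None, "revoked": False}},
]}}}

# One equality comparison inside a STIX 2 pattern: <type>:<path> = '<value>'
COMPARISON = re.compile(r"([\w-]+):([\w.'\-]+)\s*=\s*'([^']*)'")

def parse_ts(ts):
    """Parse OpenCTI's ISO-8601 timestamps (trailing Z) into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def extract_observables(pattern):
    """Return (stix_type, path, value) for each equality comparison in a pattern.
    Compound patterns (AND/OR) yield one tuple per comparison; operators other
    than equality are ignored rather than guessed at."""
    return [(t, p.replace("'", ""), v) for t, p, v in COMPARISON.findall(pattern)]

def build_feed(payload, now_iso):
    """Flatten the GraphQL payload into feed rows, skipping revoked indicators
    and those whose valid_until has passed so stale IOCs never reach the SIEM."""
    now = parse_ts(now_iso)
    rows = []
    for edge in payload["data"]["indicators"]["edges"]:
        node = edge["node"]
        if node.get("revoked"):
            continue
        if node.get("valid_until") and parse_ts(node["valid_until"]) < now:
            continue
        for stix_type, path, value in extract_observables(node["pattern"]):
            rows.append({"type": stix_type, "path": path, "value": value,
                         "name": node["name"], "valid_from": node["valid_from"]})
    return rows
```

Each row carries the observable type alongside the value, so a downstream job can route IP addresses, domains and file hashes to the right SIEM lookup list.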

Community and Support

OpenCTI has an active community and user-friendly support channels.
You can find help through the official documentation, the GitHub repository, and the community forums.

The OpenCTI community is responsive and collaborative, making it easy to get started and grow your expertise.

OpenCTI FAQs

  • What is OpenCTI?
    It is an open-source cyber threat intelligence platform for managing, structuring, and visualizing threat data.
  • How does OpenCTI help with threat intelligence?
    It centralizes and links all your threat data, making analysis, sharing, and response easier.
  • Is OpenCTI free to use?
    Yes, Community Edition is free and open source under the Apache 2.0 license.
  • What data formats does OpenCTI support?
    This tool supports CSV, STIX2 bundles, and more for import and export.
  • Can I deploy OpenCTI on Linux?
    Absolutely, Linux is a primary platform for its deployments.
  • What is the advantage of the knowledge graph in OpenCTI?
    The knowledge graph lets you visualize and analyze relationships between all threat intelligence entities.
  • Does OpenCTI integrate with MISP?
    Yes, it has a MISP connector for automated threat feed ingestion.
  • How can I automate workflows with OpenCTI?
    Use the GraphQL API and connectors to automate data ingestion, enrichment, and sharing.
  • What is the difference between Community and Enterprise editions?
    The Enterprise edition offers advanced features and support, while the Community edition provides robust core features for free.
  • How do I contribute to OpenCTI?
    Join the GitHub community, submit issues, and contribute code or documentation.
  • What is STIX2, and why does OpenCTI use it?
    STIX2 is a standard for sharing threat intelligence; this tool utilizes it for interoperability and data structuring.
  • Can I create custom dashboards in OpenCTI?
    Yes, users can create custom dashboards and widgets tailored to their specific needs.
  • Does OpenCTI support role-based access control?
    Yes, you can set granular permissions for different users and groups.
  • How does OpenCTI handle data privacy?
    This tool collects only anonymized telemetry and never gathers personal or threat intelligence data without consent.
  • What are connectors in OpenCTI?
    Connectors are modules that automate data exchange between OpenCTI and other platforms.
  • Can OpenCTI be used for vulnerability management?
    Yes, you can track vulnerabilities, affected assets, and related threats within OpenCTI.
  • How do I get started with OpenCTI?
    Follow the official documentation for installation, configuration, and best practices.
  • Is OpenCTI suitable for small teams?
    Yes, it scales from small teams to large enterprises.
  • What programming languages are compatible with the OpenCTI API?
    Any language that supports HTTP requests, including Python, Go, and JavaScript.
  • Where can I find more resources about OpenCTI?
    Visit the official documentation, GitHub repo, and community forums for the latest updates and guides.

Conclusion

OpenCTI is a game-changer for cyber threat intelligence management.
It empowers Linux users and tech enthusiasts to centralize, analyze, and act on threat data with unmatched flexibility.
With its open-source roots, robust integrations, and active community, this tool stands out as the platform of choice for modern security teams.
Whether you’re building a SOC, managing incident response, or just passionate about cybersecurity, it gives you the power to stay ahead of threats and drive smarter decisions.
Start your OpenCTI journey today and elevate your threat intelligence strategy to the next level.
View OpenCTI on GitHub
