modeling-threats-with-opencti

Installation
SKILL.md

Modeling Threats with OpenCTI

Overview

OpenCTI (Open Cyber Threat Intelligence) is an open-source threat-intelligence platform developed by Filigran that lets analysts store, organize, visualize, and share structured cyber threat intelligence as a knowledge graph. Every object — Threat Actors, Intrusion Sets, Campaigns, Attack Patterns, Malware, Indicators, Observables, Vulnerabilities — is modeled on the STIX 2.1 standard, and the relationships between them (uses, attributed-to, targets, indicates) form a graph that reveals how adversaries operate end to end.

Architecturally, OpenCTI is built from a GraphQL API backed by Elasticsearch/OpenSearch and a graph database, a Redis stream, RabbitMQ message broker, import/export workers, and connectors. Connectors retrieve information from external sources (MITRE ATT&CK, MISP, AlienVault OTX, CISA, abuse.ch, etc.), convert it into STIX 2.1 bundles, and submit those bundles to the platform; workers then ingest the bundles into the graph. The official Python client, pycti (OpenCTIApiClient), is the programmatic interface analysts use to create entities, build relationships, and push STIX bundles.

This skill follows the official OpenCTI documentation (docs.opencti.io) and the OpenCTI-Platform/client-python (pycti) repository. It maps to MITRE ATT&CK T1589 (Gather Victim Identity Information) as part of the broader CTI analysis lifecycle — OpenCTI is where reconnaissance and adversary tradecraft observed across reporting is consolidated, deduplicated, and modeled so detection and response teams can act on it. The threat context is the volume and fragmentation of modern CTI: hundreds of vendor reports, IOC feeds, and ATT&CK updates that are useless until correlated into a single, queryable adversary picture.

When to Use

  • Building a centralized, STIX-native knowledge base of threat actors, campaigns, and TTPs
  • Correlating IOCs and reports from multiple feeds into a single adversary graph
  • Mapping observed activity to MITRE ATT&CK techniques for coverage and gap analysis
  • Producing structured intelligence (STIX bundles) for downstream detection engineering
  • Tracking attribution: which intrusion sets are attributed to which threat actors and campaigns
  • Automating CTI ingestion via connectors and the pycti API

Prerequisites

Installs
5
GitHub Stars
24.7K
First Seen
10 days ago
modeling-threats-with-opencti — mukul975/anthropic-cybersecurity-skills