STIX 2.1 in, STIX 2.1 out
Validate against the OASIS schema, edit safely, and re-emit a canonical bundle that round-trips through MISP, OpenCTI, and TAXII servers.
Free · no sign-up · in your browser
A calm workbench for STIX 2 data.
Paste a bundle. Edit indicators inline. The relationship graph rebuilds in real time. ThreatGraph is a free, no-signup STIX 2.1 compatible tool — a CTI workbench you can think in.
Three panes. One source of truth.
Edit JSON, sort indicators, rearrange the graph — every pane stays in sync.
Report-grade graph exports
One click renders a 4× resolution PNG or vector SVG with a clean white background, calm colors, and crisp labels — drop straight into your CTI report.
Three panes, one truth
JSON editor, indicators table, and Cytoscape graph share the same store. Edit anywhere — every other pane updates instantly. No sync button.
Editable workspace
Drag nodes, right-click to wire relationships, delete observed objects you don't trust. The bundle stays valid the whole time.
Indicator table & CSV export
Sort and filter indicators, then export to CSV for SOAR ingestion or analyst review without bouncing through a converter.
No sign-up. No tracker bloat.
Open it. Use it. Close the tab. ThreatGraph runs in your browser without an account, an email gate, or third-party analytics.
Guides for STIX 2 practitioners
Practical writeups on visualizing, mapping, and exchanging STIX 2.1 data.
Visualization
How to visualize STIX 2 data
From raw bundle to a presentable graph: layout choices, icon conventions, and what to leave out.
Mapping
STIX 2.1 mapping best practices
Pattern syntax, kill-chain phases, and the SDOs you actually need for shareable threat intelligence.
Formats
STIX 2 vs MISP: choosing a format
Where each format shines, when to convert, and how ThreatGraph fits between the two.
Try it on your next bundle.
No account. No upload limit on the workspace. Your bundle stays in your browser unless you choose to validate against the API.