STIX 2 vs MISP: choosing a CTI format
If you exchange threat intelligence, you'll meet both formats. They overlap, but they were built for different audiences. Here's the operator's TL;DR — when to use each, and where ThreatGraph slots in.
The short version
| | STIX 2.1 | MISP |
|---|---|---|
| Designed for | Cross-organization sharing, machine-readable | SOC ingestion, IOC distribution |
| Transport | TAXII 2.1 collections | Server-to-server sync, feeds, REST API (PyMISP) |
| Strength | Rich object model, relationship semantics | Tagging, taxonomies, simple IOC sharing |
| Weakness | Verbose, easy to mis-model | Less structured for analysis pivots |
| Best when | You need to express why indicators relate | You need to push IOCs to detection tools fast |
When STIX 2 wins
You want to publish a campaign report: a threat actor uses a malware family, delivered through staging infrastructure, which beacons to two C2 domains. STIX's relationship objects capture that graph explicitly (threat-actor uses malware, infrastructure delivers malware, malware beacons-to infrastructure), and a consumer can re-render it without parsing prose. The flip side is the "easy to mis-model" weakness from the table: a relationship with the wrong direction or a type the spec does not define for that pair still parses as valid JSON and quietly tells a different story, so check the graph before you ship it.
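The campaign above as a STIX 2.1 bundle, with the check a publisher would want before distribution. This is an added example written for this page, not code from ThreatGraph or from the stix2 library; it uses only the standard library, the actor and malware names and domains are constructed, and the relationship table is a small subset of the relationship summary tables in the STIX 2.1 specification, enough for this campaign but not a substitute for the full tables.

```python
"""Author a small STIX 2.1 campaign bundle and check its relationship graph.

Added example for this page (not ThreatGraph or stix2 code). Standard
library only; names, domains and the timestamp are constructed.
"""
import json
import uuid

TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp for the sample

# Subset of the relationship summary tables in the STIX 2.1 spec: just the
# (source type, relationship_type, target type) triples this bundle needs.
# Real tooling must use the full tables; this is an illustration.
ALLOWED = {
    ("threat-actor", "uses", "malware"),
    ("infrastructure", "delivers", "malware"),
    ("malware", "beacons-to", "infrastructure"),
    ("infrastructure", "consists-of", "domain-name"),
    ("indicator", "indicates", "infrastructure"),
}


def sdo(obj_type, **props):
    """STIX Domain Object with the common required properties."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}",
            "created": TS, "modified": TS, **props}


def sco(obj_type, **props):
    """STIX Cyber-observable Object: no created/modified properties."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", **props}


def rel(src, rel_type, dst):
    """Relationship SRO from one object dict to another."""
    return sdo("relationship", relationship_type=rel_type,
               source_ref=src["id"], target_ref=dst["id"])


def build_campaign_bundle():
    """Actor uses malware; staging infra delivers it; it beacons to C2 made
    of two domains; one indicator covers both domains."""
    actor = sdo("threat-actor", name="Example Actor")          # constructed
    malware = sdo("malware", name="ExampleRAT", is_family=True)  # constructed
    delivery = sdo("infrastructure", name="ExampleRAT staging hosts",
                   infrastructure_types=["hosting-malware"])
    c2 = sdo("infrastructure", name="ExampleRAT C2",
             infrastructure_types=["command-and-control"])
    d1 = sco("domain-name", value="c2-one.example")             # constructed
    d2 = sco("domain-name", value="c2-two.example")             # constructed
    ind = sdo("indicator", name="ExampleRAT C2 domains",
              pattern_type="stix", valid_from=TS,
              pattern="[domain-name:value = 'c2-one.example' OR "
                      "domain-name:value = 'c2-two.example']")
    objects = [actor, malware, delivery, c2, d1, d2, ind,
               rel(actor, "uses", malware),
               rel(delivery, "delivers", malware),
               rel(malware, "beacons-to", c2),
               rel(c2, "consists-of", d1),
               rel(c2, "consists-of", d2),
               rel(ind, "indicates", c2)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": objects}


def check_bundle(bundle):
    """Problems a consumer would trip over: refs that point outside the
    bundle, and relationship types not defined for that source/target pair."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    problems = []
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        src, dst = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
        if src is None or dst is None:
            problems.append(f"{o['id']}: dangling reference")
            continue
        triple = (src["type"], o["relationship_type"], dst["type"])
        if triple not in ALLOWED:
            problems.append(f"{o['id']}: {triple} not in relationship table")
    return problems


def edges(bundle):
    """The story as (source, relationship_type, target) name triples."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    out = []
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            s, t = by_id[o["source_ref"]], by_id[o["target_ref"]]
            out.append((s.get("name", s.get("value")), o["relationship_type"],
                        t.get("name", t.get("value"))))
    return out


if __name__ == "__main__":
    bundle = build_campaign_bundle()
    print(json.dumps(bundle, indent=2))
    for edge in edges(bundle):
        print(*edge)
    print("problems:", check_bundle(bundle))
```

Swapping `source_ref` and `target_ref` on the first relationship turns "threat-actor uses malware" into "malware uses threat-actor", which no consumer can render sensibly; `check_bundle` is the kind of gate that catches it before the bundle leaves your TAXII server.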
When MISP wins
You want to push 4,000 hashes into your SIEM tonight. STIX is overkill here: MISP's flat Attribute list and tag taxonomies move faster. One event, one Attribute per hash, `to_ids` set on the ones detection should act on, a TLP tag on the event, and the export or sync does the rest.
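The same job in code, as an added example for this page rather than anything from PyMISP or the MISP project: build one MISP event from a hash list using the event JSON layout (`Event` with `Attribute[]` carrying `type`, `category`, `value`, `to_ids` and `Tag[]`), then flatten it into the rows a SIEM lookup table wants, keeping only `to_ids` attributes. The hashes are constructed from a counter, not real malware, and the event metadata values are assumptions for the sample.

```python
"""Build a MISP event from a flat hash list and flatten it for a SIEM.

Added example for this page (not PyMISP or MISP project code). Uses the
MISP event JSON layout only; the hashes are constructed, not real IOCs.
"""
import hashlib
import json


def sample_hashes(n):
    """Constructed SHA-256 values derived from a counter, not real hashes."""
    return [hashlib.sha256(f"sample-{i}".encode()).hexdigest()
            for i in range(n)]


def build_event(info, hashes, event_tags=("tlp:amber",)):
    """One MISP event: each hash is an Attribute flagged to_ids so export
    and sync will hand it to detection tools; a context comment is not."""
    attrs = [{"type": "sha256", "category": "Payload delivery",
              "value": h, "to_ids": True, "Tag": []} for h in hashes]
    # Analyst context travels with the event but must not become an alert.
    attrs.append({"type": "comment", "category": "Other",
                  "value": "constructed sample set for this example",
                  "to_ids": False, "Tag": []})
    # distribution 1 = this community, threat_level 2 = medium,
    # analysis 1 = ongoing; assumed values for the sample event.
    return {"Event": {"info": info, "distribution": 1, "threat_level_id": 2,
                      "analysis": 1,
                      "Tag": [{"name": t} for t in event_tags],
                      "Attribute": attrs}}


def siem_lookup(event, only_to_ids=True):
    """Flat (value, type, tags) rows for a SIEM lookup table. Event-level
    tags are merged into each row so TLP travels with the indicator."""
    ev = event["Event"]
    event_tags = {t["name"] for t in ev.get("Tag", [])}
    rows = []
    for a in ev["Attribute"]:
        if only_to_ids and not a.get("to_ids"):
            continue
        tags = event_tags | {t["name"] for t in a.get("Tag", [])}
        rows.append((a["value"], a["type"], sorted(tags)))
    return rows


def to_csv(rows):
    """value,type,tags with tags joined by ';' so the line stays one record."""
    lines = ["value,type,tags"]
    lines += [f"{v},{t},{';'.join(tags)}" for v, t, tags in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    event = build_event("ExampleRAT hashes, batch 1", sample_hashes(4000))
    print(json.dumps(event)[:200], "...")
    rows = siem_lookup(event)
    print(len(rows), "rows for the SIEM")
    print(to_csv(rows[:2]))
```

The `to_ids` filter is the part worth copying: it is the single bit that separates "push this to detection" from "keep this for analysts", and pulling it into your export path is what keeps the comment attribute out of your alert pipeline.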
Convert when you must, not by default
MISP can export and import STIX 2.1, but the conversion is lossy in both directions: tags become labels, sightings collapse, and custom taxonomies don't survive a round-trip. Convert once, at the boundary, and keep the native copy as the system of record. If you live in MISP, ship MISP. If you publish for the public good, ship STIX.
Where ThreatGraph fits
ThreatGraph is a workbench for STIX 2 data. If you're authoring a bundle for distribution — particularly when relationships matter — open the bundle in the workspace, edit it next to the graph, and export the canonical JSON. From there, hand it to TAXII or convert to MISP as a one-way fan-out.
Open the workspace →