Liberty91 | Education | 7 min read

What Is STIX? Structured Threat Intelligence Explained.

STIX (Structured Threat Information eXpression) is an open standard for describing cyber threat intelligence in a structured, machine-readable form. Instead of a threat report written as free text that only a human can read, STIX expresses the same information as defined objects (an indicator, a piece of malware, a threat actor, and the relationships between them) in a format that software can ingest, share and act on without anyone re-keying it.

STIX is maintained by OASIS, a non-profit standards body, through its Cyber Threat Intelligence Technical Committee. It almost always travels alongside TAXII, the companion protocol for moving STIX data between systems. Together they are the lingua franca of automated threat-intelligence sharing: the reason a feed from one vendor, an ISAC and your own platform can understand each other at all. This piece defines STIX, separates it from TAXII, walks through what STIX 2.1 actually contains, and explains where it helps and where it does not.

What is STIX?

STIX stands for Structured Threat Information eXpression. It is a common language for threat intelligence: a defined vocabulary and data model that lets different organisations and tools describe the same threats in the same way. Where a written report says “this domain is used by a ransomware group targeting healthcare”, STIX captures that as discrete, linked objects: a domain, an indicator, a threat actor, a malware family, and the relationships joining them, each with its own properties and a unique identifier.

Modern STIX (the 2.x line) is expressed in JSON, which makes it straightforward for software to parse. The current version, STIX 2.1, became an OASIS standard in 2021 and replaced the older, XML-based STIX 1.x. If you are starting today, STIX 2.1 is the version that matters; you will only meet 1.x in legacy systems.

STIX vs TAXII: what is the difference?

STIX and TAXII are designed to work together, and they are constantly confused, so it is worth being precise. STIX is the what: the language you write the intelligence in. TAXII is the how: the protocol that moves it from one place to another.

TAXII (Trusted Automated eXchange of Intelligence Information) is an application-layer protocol that runs over HTTPS. It defines how a client requests threat data from a server, typically by pulling from named collections of STIX objects, so that sharing can be automated rather than emailed around as attachments. You can use STIX without TAXII, for example by exporting a STIX file and handing it over directly, but TAXII exists specifically to carry STIX at scale.

The shortest way to keep them straight: STIX is the language, TAXII is the postal service. One is what you say; the other is how it gets delivered.

The building blocks of STIX 2.1

STIX 2.1 models threat intelligence as a small set of object types that you connect together. There are three groups worth knowing.

STIX Domain Objects (SDOs) are the concepts an analyst works with. STIX 2.1 defines eighteen, including Indicator, Malware, Threat Actor, Intrusion Set, Campaign, Attack Pattern, Tool, Vulnerability, Identity, Infrastructure, Course of Action and Report. Each is a defined object with its own properties: a Threat Actor has aliases, sophistication and motivation; an Indicator carries a detection pattern and a validity window.

STIX Cyber-observable Objects (SCOs) are the raw technical artefacts: a file, an IPv4 address, a domain name, a URL, a registry key. In STIX 2.1 these are first-class objects, which means an observable can be referenced and reused rather than buried inside another object.

STIX Relationship Objects (SROs) are what make STIX a graph rather than a list. The Relationship object links two objects with a verb, for example an Indicator indicates a piece of Malware, or a Threat Actor uses a Tool. The Sighting object records that something was actually observed. These relationships are where much of the analytical value sits, because they capture how the pieces connect.

A group of STIX objects is usually packaged in a bundle, a simple container for transmitting them together. A bundle is not analysis in itself; it is just the envelope.

Why STIX matters

The value of STIX is interoperability. Threat intelligence is only useful if it can move, and before a common standard, every vendor and sharing group used its own format, so connecting two sources meant writing a custom translator each time. STIX gives the whole ecosystem one model, which has a few practical consequences:

  • Automation. Because STIX is machine-readable, indicators can flow straight into a SIEM, SOAR or firewall and be acted on without manual transcription.
  • Sharing. ISACs, government programmes such as CISA's Automated Indicator Sharing, and communities running MISP can distribute intelligence that members can ingest directly.
  • Context travels with the data. Because STIX carries relationships, a shared indicator can arrive already linked to the malware and actor behind it, rather than as a bare value.

This is also why STIX shows up so often in our explainer on what a threat intelligence feed is: STIX over TAXII is one of the standard ways feeds are delivered.
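The object model above and the "context travels with the data" point are easier to see on a concrete bundle. The following is an added example, not Liberty91's code: it builds a small STIX 2.1 bundle (a Malware SDO, an Indicator SDO, an "indicates" Relationship SRO and a domain-name SCO, all with constructed placeholder UUIDs and a reserved .invalid domain), indexes it by id, and turns the simplest kind of indicator pattern into a detection value that arrives with the malware name attached. Only single-equality patterns are parsed; anything richer needs a real STIX pattern parser.

```python
import json
import re
TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp for the sample objects

def stix_obj(obj_type, uid, **props):
    """Build a STIX 2.1 object carrying the common required properties."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uid}",
            "created": TS, "modified": TS, **props}

# Constructed sample bundle: placeholder UUIDs and a reserved .invalid domain, not real intelligence.
MAL, IND = "22222222-2222-4222-8222-222222222222", "33333333-3333-4333-8333-333333333333"
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        stix_obj("malware", MAL, name="ExampleLocker", is_family=True),
        stix_obj("indicator", IND, name="ExampleLocker C2 domain", pattern_type="stix",
                 pattern="[domain-name:value = 'c2.example.invalid']", valid_from=TS),
        stix_obj("relationship", "44444444-4444-4444-8444-444444444444", relationship_type="indicates",
                 source_ref=f"indicator--{IND}", target_ref=f"malware--{MAL}"),
        # An SCO, which carries no created/modified, for the observable the pattern names
        {"type": "domain-name", "spec_version": "2.1", "value": "c2.example.invalid",
         "id": "domain-name--55555555-5555-4555-8555-555555555555"}]})
# Only the simplest STIX pattern form is handled: one equality comparison on one property.
SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'\]$")

def index_bundle(bundle_json):
    """Parse a bundle into an id -> object map, rejecting ids whose prefix disagrees with the type."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objects = {}
    for obj in bundle.get("objects", []):
        if not obj.get("id", "").startswith(obj.get("type", "?") + "--"):
            raise ValueError(f"id/type mismatch in {obj.get('id')}")
        objects[obj["id"]] = obj
    return objects

def detections_with_context(objects):
    """For each simple indicator, return (observable type, value, names of malware it indicates)."""
    out = []
    for obj in objects.values():
        if obj["type"] != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        match = SIMPLE_PATTERN.match(obj["pattern"])
        if not match:
            continue  # compound or non-equality patterns need a real STIX pattern parser
        malware = [objects[r["target_ref"]]["name"] for r in objects.values()
                   if r["type"] == "relationship" and r.get("relationship_type") == "indicates"
                   and r["source_ref"] == obj["id"]
                   and objects.get(r["target_ref"], {}).get("type") == "malware"]  # skips dangling refs
        out.append((match.group(1), match.group(3), malware))
    return out
```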

What STIX does not solve

It is worth being clear about the limits, because STIX is sometimes treated as a synonym for good intelligence, which it is not. STIX is a format. A well-formed STIX bundle full of stale, irrelevant or unassessed indicators is still stale, irrelevant, unassessed intelligence, just tidily structured. The standard guarantees that machines can read your intelligence; it guarantees nothing about whether the intelligence is any good, relevant to your organisation, or worth acting on. That judgement is the work of the intelligence lifecycle, and it sits on top of the format rather than inside it.

STIX also has a learning curve. The object model is expansive, tools vary in how completely they implement 2.1, and producing rich, well-linked STIX by hand is slow. For most teams the realistic goal is to consume and produce STIX through tooling rather than to author it manually.

Where Liberty91 fits

Liberty91 treats STIX as one of its dissemination formats, not as the product. The platform runs the analysis, assessing each event against your own Intelligence Requirements and deciding what is actually relevant, then emits the result in whatever form the reader needs: a written brief for a stakeholder, scored indicator lists, Sigma rules for detection, and STIX 2.1 bundles for the tooling downstream.

The point is that the structure and the judgement arrive together. You get machine-readable STIX that a SIEM or TIP can ingest directly, but the indicators inside it have already been enriched, scored and assessed for relevance rather than passed through raw. If structured, ready-to-ingest intelligence tailored to your organisation is what you are after, our platform overview is the place to start.

Frequently asked questions.

What is STIX?

STIX (Structured Threat Information eXpression) is an open standard for describing cyber threat intelligence in a structured, machine-readable form. Instead of a free-text report, STIX expresses threats as defined objects (such as an indicator, a piece of malware, or a threat actor) and the relationships between them, in a format software can ingest and act on automatically. It is maintained by OASIS through its Cyber Threat Intelligence Technical Committee.

What does STIX stand for?

STIX stands for Structured Threat Information eXpression. The companion protocol TAXII stands for Trusted Automated eXchange of Intelligence Information.

What is the difference between STIX and TAXII?

STIX is the language: the data model you write threat intelligence in. TAXII is the transport: an HTTPS-based protocol that moves STIX data between systems, usually by pulling from named collections on a TAXII server. STIX is what you say; TAXII is how it gets delivered. You can use STIX without TAXII, but TAXII exists specifically to carry STIX at scale.

What is STIX 2.1?

STIX 2.1 is the current version of the standard, which became an OASIS standard in 2021. It is expressed in JSON and replaced the older XML-based STIX 1.x. It models intelligence as STIX Domain Objects (concepts such as Indicator, Malware and Threat Actor), Cyber-observable Objects (artefacts such as files and IP addresses), and Relationship Objects that link them into a graph.

Is STIX still used, and who maintains it?

Yes. STIX is the de facto standard for automated threat-intelligence sharing, used by ISACs, government programmes such as CISA's Automated Indicator Sharing, and platforms like MISP. It is maintained as an open standard by OASIS, a non-profit standards body, through its Cyber Threat Intelligence Technical Committee.

Put this to work on your own threats.

A free tier of Liberty91 is on the way, so any analyst can put AI-powered threat intelligence to work with no budget and no team. Register your interest now to be first in line when it opens, or grab our free, open-source CTI Skills for your AI coding agent today.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.