What can go into the bundle?

STIX Domain Objects such as indicators, malware, threat actors and the relationships between them, along with marking definitions for TLP. You supply the raw intelligence and the skill maps each item to the correct STIX object type and pattern syntax.

Will the bundle validate against the STIX 2.1 schema?

That is the goal of the skill. It assigns valid identifiers and timestamps, uses correct object types and patterning, and structures the bundle so STIX 2.1 validators and TAXII clients accept it without manual fixes.

Is the STIX bundle skill free?

Yes. It ships in the open-source, MIT-licensed CTI Skills pack, so you can run it, inspect how it builds bundles, and adapt it to your own sharing arrangements at no cost.

CTI Skill · Intelligence production

STIX 2.1 Bundle Builder.

/stix-bundle

When you need to create a STIX 2.1 bundle to share intelligence with a partner or push to a TAXII feed, this skill assembles it correctly. Give it your indicators and related objects and it builds a valid STIX 2.1 bundle in JSON, with properly typed SDOs, identifiers, timestamps and relationships, so the receiving platform ingests it cleanly the first time.

Get the free pack on GitHub →Or join the free tier waitlist

What it does.

The skill constructs a STIX 2.1 bundle from indicators and other objects you supply. It creates correctly typed STIX Domain Objects such as indicators, malware, threat-actor and relationship objects, assigns valid identifiers and timestamps, writes indicator patterns in STIX patterning syntax, and applies marking definitions for TLP. The result is schema-valid JSON ready to share.

When to use it.

Use it when intelligence has to leave your environment in a structured, machine-readable form: sharing a campaign's indicators with an ISAC, publishing to a TAXII server, or handing a partner a packaged set of objects and the relationships between them. It suits analysts who produce intelligence others consume and need the wire format to be right.

What you get back.

A single STIX 2.1 bundle in JSON containing the objects you provided, each correctly typed and identified, with indicator patterns, timestamps, relationships and TLP markings in place. The bundle is built to validate against the STIX 2.1 schema, so downstream platforms and TAXII clients can ingest it without manual repair.

How it fits your workflow.

It is one of the open-source CTI Skills that run inside an AI coding agent such as Claude Code. You assemble your objects in the terminal and get a shareable bundle out. It pairs with the IOC export and MISP skills in the pack, so the same indicators can be packaged as STIX for a TAXII feed or pushed to a MISP community as the situation requires.

Keep going.

Frequently Asked Questions.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.