General Documents

CTI-TC Cover Page The list of current STIX and TAXII documents in Google Docs
TC Roadmap Current roadmap items, their status, and their proposed release target

Individual Specification Documents

STIX 2.1 Specification

HTML PDF Word Description
STIX 2.1 Specification STIX 2.1 Specification STIX 2.1 Specification Defines concepts and structure of the STIX language, domain objects, relationship objects, cyber observable objects, and meta objects. Defines the patterning language to enable the detection of possibly malicious activity on networks and endpoints

Note: This version of the specification is no longer a multipart document. Older STIX 2.1 documents can be found here

TAXII 2.1 Specification

HTML PDF Word Description
TAXII 2.1 Specification TAXII 2.1 Specification TAXII 2.1 Specification Defines the TAXII RESTful API and its resources along with the requirements for TAXII Client and Server implementations

STIX/TAXII 2.1 Interoperability Documents

HTML PDF Word Description
TAXII 2.1 Interoperability Test Document Version 1.0 TAXII 2.1 Interoperability Test Document Version 1.0 TAXII 2.1 Interoperability Test Document Version 1.0 This document provides detailed requirements on how product implementers within the threat intelligence ecosystem may demonstrate TAXII 2.1 interoperability compliance.
STIX 2.1 Interoperability Test Document Version 1.0 STIX 2.1 Interoperability Test Document Version 1.0 STIX 2.1 Interoperability Test Document Version 1.0 This document provides detailed requirements on how producers of products within the threat intelligence ecosystem may demonstrate STIX 2.1 interoperability compliance.

STIX 2.0 Specification

HTML PDF Word Description
Part 1: STIX Core Concepts Part 1: STIX Core Concepts Part 1: STIX Core Concepts Defines concepts that apply across all of STIX and defines the overall structure of the STIX language
Part 2: STIX Objects Part 2: STIX Objects Part 2: STIX Objects Defines the set of domain objects and relationship objects that STIX uses to represent cyber threat information
Part 3: Cyber Observables Core Concepts Part 3: Cyber Observables Core Concepts Part 3: Cyber Observables Core Concepts Defines concepts that apply across all of STIX Cyber Observables
Part 4: Cyber Observable Objects Part 4: Cyber Observable Objects Part 4: Cyber Observable Objects Defines a set of cyber observable objects that can be used in STIX and elsewhere
Part 5: STIX Patterning Part 5: STIX Patterning Part 5: STIX Patterning Defines a patterning language to enable the detection of possibly malicious activity on networks and endpoints

TAXII 2.0 Specification

HTML PDF Word Description
TAXII 2.0 Specification TAXII 2.0 Specification TAXII 2.0 Specification Defines the TAXII RESTful API and its resources along with the requirements for TAXII Client and Server implementations

STIX/TAXII 2.0 Interoperability Documents

HTML PDF Word Description
Part 1: STIX/TAXII 2.0 Interoperability Test Document Part 1: STIX/TAXII 2.0 Interoperability Test Document Part 1: STIX/TAXII 2.0 Interoperability Test Document Document that provides detailed requirements on how producers of products within the threat intelligence ecosystem may demonstrate conformity with STIX/TAXII 2.0 if they wish to self-certify that their software is verified as interoperable
Part 2: STIX/TAXII 2.0 Interoperability Test Document Part 2: STIX/TAXII 2.0 Interoperability Test Document Part 2: STIX/TAXII 2.0 Interoperability Test Document Document that provides detailed requirements on how producers of products within the threat intelligence ecosystem may demonstrate conformity with STIX/TAXII 2.0 if they wish to self-certify that their software is verified as interoperable

STIX Extensions

Extension Name & Link Extension Status Extension Description
Incident Specification Track Objects to allow tracking an incident across its lifecycle
TLP 2.0 External Apply TLP 2.0 markings to STIX objects
Malware Artifact Open Capture malware artifacts
Malware Behavior Open Objects to capture malware behavior information, including objectives, behaviors, and methods
ACS Data Markings External Mark STIX objects using the Information Sharing Architecture (ISA) Access Control Specification (ACS) tagging specification

Please submit a pull request or an issue to the cti-documentation project, if you would like to have your open extension listed here.

More information about how extensions are developed and managed is available in the STIX Extensions Definition Policy.

OASIS CTI TC Open Repositories

cti-documentation GitHub Pages site for STIX and TAXII
cti-pattern-matcher Match STIX content against STIX patterns
cti-pattern-validator Validate patterns used to express Cyber Observable content in STIX Indicators
cti-python-stix2 Python APIs for STIX 2
cti-common-objects Collection of commonly used STIX 2.1 objects and extensions
cti-stix-elevator Convert STIX 1 XML to STIX 2 JSON
cti-stix-generator Tool for generating random STIX content for prototyping and testing
cti-stix-slider Convert STIX 2 JSON to STIX 1 XML
cti-stix-validator Validator for STIX 2 JSON normative requirements and best practices
cti-stix-visualization Lightweight visualization for STIX 2 objects and relationships
cti-stix2-json-schemas Non-normative STIX schemas and examples
cti-taxii-client TAXII 2 Client Library Written in Python
cti-taxii-server TAXII 2 Server Library Written in Python
cti-training Collection of CTI-related training materials

ARCHIVED OASIS CTI TC Repositories

cti-marking-prototype Prototype for processing granular data markings in STIX
cti-sep-repository Collection of STIX Enhancement Proposals

Other Resources

FreeTAXII YouTube Channel Informational videos about STIX/TAXII - Not affiliated with OASIS
STIX 2 Preferred Program Self-Certification Program for STIX/TAXII
Introduction to STIX Brief intro to STIX and what it is used for
Introduction to TAXII Brief intro to TAXII and what it is used for