Skip to content
FortaRisks
Back to the glossaryThreat intelligence

STIX / TAXII

STIX and TAXII are the open standards of threat-intelligence sharing. STIX is a structured language to describe threats (indicators, actors, campaigns and their relationships); TAXII is the protocol that transports that data between systems. Together they enable machine-to-machine exchange of cyber intelligence.

Updated on July 2, 2026

What are STIX and TAXII?

STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) are two open standards, maintained by OASIS, that address the same need: sharing threat intelligence effectively.

STIX defines a common data model to represent a threat. It is not limited to a list of indicators: it also describes actors, campaigns, modes of operation and, above all, the relationships between these elements. TAXII specifies how those objects flow between a producer and a consumer of intelligence, via a secure application-layer protocol.

Why it matters for your organization

Threat intelligence is only valuable if it circulates fast and keeps its context. Without a common standard, every source imposes its own format, and integration becomes costly, slow, manual work.

STIX/TAXII makes exchange automatable and interoperable. Your threat-intelligence platforms, detection tools and sharing partners can consume and produce intelligence in a common language, which shortens the time between discovering a threat and putting a defense in place.

How to make the most of STIX/TAXII

  • Automate ingestion from your sources and sharing communities.
  • Preserve context: relationships, sources and confidence level of indicators.
  • Feed detection directly, without manual re-entry.
  • Contribute back to strengthen the collective value of sharing.

Where organizations most often fall short

A common pitfall is plugging in a STIX/TAXII feed without qualifying it: you then ingest a massive volume of uneven-quality indicators that saturate tools. Value comes not from the volume of intelligence consumed, but from its relevance, freshness and real integration into detection processes.

Frequently asked questions

What is the difference between STIX and TAXII?

STIX is the format, that is the way to describe a threat in a structured, machine-readable manner. TAXII is the transport, the protocol that lets two systems exchange STIX objects in an automated, secure way. In short: STIX is the language, TAXII is the channel.

Why use STIX/TAXII rather than sharing files?

Because manual sharing does not scale and introduces delay. STIX/TAXII automates the exchange, preserves the context of indicators (relationships, sources, confidence) and lets detection tools consume intelligence continuously, without human intervention.

See your real risk in a 30-minute demo.

A member of our team walks you through FortaRisks on threats relevant to your sector. No chatbot.