Data model

OpenCTI uses a variety of knowledge schemas in structuring data, the main one being the Structured Threat Information Expression (STIX2) standards. STIX is a serialised and standardised language format used in threat intelligence exchange. It allows for the data to be implemented as entities and relationships, effectively tracing the origin of the provided information.

OpenCTI architecture
The data model is supported by the platform's architecture. Source: OpenCTI Public Knowledge Base


  • GraphQL API: The API connects clients to the database and the messaging system.

  • Write workers: Python processes utilised to write queries asynchronously from the RabbitMQ messaging system.

  • Connectors: Another set of python processes used to ingest, enrich or export data on the platform. These connectors provide the application with a network of integrated systems and frameworks to create threat intelligence relations and allow users to improve their defence tactics.


Class Description Examples
External Input Connector Ingests information from external sources CVE, MISP, TheHive, MITRE
Stream Connector Consumes platform data stream History, Tanium
Internal Enrichment Connector Takes in new OpenCTI entities from user requests Observables enrichment
Internal Import File Connector Extracts information from uploaded reports PDFs, STIX2 Import
Internal Export File Connector Exports information from OpenCTI into different file formats CSV, STIX2 export, PDF