TypeDB Blog


TypeDB CTI : STIX in TypeDB 3.0

Explore the updated CTI repository in TypeDB 3.0

Joshua Send


TypeDB’s updated CTI schema delivers structure and semantic integrity for STIX 2.1

We’re excited to announce a significant update to our Cyber Threat Intelligence (CTI) repository, now leveraging the new features of TypeDB 3.0.

This release brings enhanced capabilities and a more robust implementation of the STIX 2.1 standard, providing users with an even more efficient and intelligent way to manage and analyze threat data.

We also include a new data import-export converter to go directly from STIX JSON bundles to TypeQL queries, and to generate queries to extract STIX bundles out of the database. 

This means that the repository can be used as the backbone of your cybersecurity threat intelligence database, and also to implement a TAXII server.

What is STIX? A structured format for threat intelligence

STIX (Structured Threat Information Expression) is a standardized language developed by OASIS for representing cyber threat intelligence (CTI) in a machine-readable, structured format. It was designed to enable organizations to share, automate, and analyze threat data consistently, without needing to agree on proprietary schemas or manually map threat indicators.

The core of STIX is a data model made up of domain-specific objects that describe key entities in the threat landscape, including:

  • Threat actors – individuals or groups conducting malicious activity
  • Indicators – patterns of behavior or artifacts that suggest malicious activity
  • Malware and Attack patterns – technical characteristics of known threats
  • Infrastructure – command and control servers, delivery mechanisms
  • Vulnerabilities – exploited software or system flaws
  • Observed data – raw forensic or telemetry records
  • Courses of action – mitigations or response strategies
  • Relationships – links between all of the above

Visualization from the STIX project GitHub

Each object contains fields with structured metadata, and STIX defines how these objects link together to form a coherent picture of threats and incidents. The relationships themselves are typed; for example, threat-actor -> uses -> malware, or indicator -> indicates -> attack-pattern.

STIX is most commonly expressed in JSON bundles, which can be shared between systems or organizations. These bundles often travel over TAXII, a companion protocol that handles secure transport and subscription-based sharing.

Why it matters

STIX provides a common language for representing threats, but does not define how this data is validated, queried, or reasoned over once received. Most STIX-based platforms treat the data as flat JSON, leaving enforcement of structure, relationships, or business logic to external tooling.

By contrast, TypeDB gives STIX a semantic backbone, turning the specification into an enforceable, queryable, and extensible knowledge model.

What’s new in TypeDB CTI 3.0?

Our CTI repository has been meticulously updated to take full advantage of TypeDB 3.0. This upgrade introduces several key improvements, including:

  • Enhanced Querying Capabilities: TypeDB 3.0 offers more expressive and performant query language features, allowing for deeper insights into complex threat relationships.
  • Improved Data Modeling: The new version of TypeDB provides greater flexibility in defining and evolving our STIX data model, making it easier to adapt to new threat intelligence requirements.
  • Optimized Performance: Experience faster data ingestion and query execution, crucial for real-time threat analysis and large datasets.
  • Easy STIX bundle loading: Use the pre-built Python script to load any STIX bundle into TypeDB.
  • STIX bundle mappers: Re-use the underlying data mapping libraries to map JSON bundles into, and back out of, TypeDB.

For those interested in the previous version and the initial implementation, you can review our original blog post, which continues to live in our GitHub repository.

Why use TypeDB for STIX?

Most STIX data implementations treat relationships as simple links. TypeDB treats them as semantic structures. That means:

  • Roles are first-class: a single relationship object can carry precise meaning like “attacker” and “target”
  • Schema validation ensures that malformed or inconsistent bundles are caught early
  • Functions allow you to efficiently derive new insights from existing patterns (e.g. transitive relationships)
  • Polymorphism and constraints let you model multiple object types cleanly, without flattening everything into generic graphs

Put simply, TypeDB enables a knowledge graph approach to threat intelligence with logic, constraints, and structure built in.
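To make two of the points above concrete (STIX relationships are typed, and a schema-aware store can reject inconsistent bundles early and derive transitive links such as indicator -> malware -> threat actor), here is an added example in Python. It is not code from the TypeDB CTI repository: it checks a constructed STIX 2.1 bundle against a small subset of the specification's relationship table and then derives which threat actors sit behind an indicator via the malware they use. The bundle, its placeholder IDs and the ALLOWED_RELATIONSHIPS subset are constructed for this example; in TypeDB the equivalent constraints live in the schema and the derivation in a function, so the database does this work rather than a script.

```python
"""Check the typed relationships in a STIX 2.1 bundle and derive a transitive link.

Added example; this is not code from the TypeDB CTI repository. Object types,
relationship types and the source_ref/target_ref fields follow the STIX 2.1
specification; the bundle below is constructed and its IDs are placeholders.
"""
from collections import defaultdict

# Subset of the STIX 2.1 relationship table: (source type, relationship_type, target type).
# A real validator would carry the full table from the specification.
ALLOWED_RELATIONSHIPS = {
    ("threat-actor", "uses", "malware"),
    ("threat-actor", "targets", "identity"),
    ("malware", "uses", "attack-pattern"),
    ("indicator", "indicates", "malware"),
    ("indicator", "indicates", "attack-pattern"),
    ("course-of-action", "mitigates", "malware"),
}

# Placeholder STIX ids (constructed, not real intelligence).
ACTOR_ID = "threat-actor--00000000-0000-4000-8000-000000000001"
MALWARE_ID = "malware--00000000-0000-4000-8000-000000000002"
INDICATOR_ID = "indicator--00000000-0000-4000-8000-000000000003"


def sro(num, rel_type, source_ref, target_ref):
    """Build a STIX Relationship Object (SRO) with a placeholder id."""
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--00000000-0000-4000-8000-0000000000{num:02x}",
            "relationship_type": rel_type, "source_ref": source_ref, "target_ref": target_ref}


# Constructed bundle: three domain objects plus two well-formed relationships.
CLEAN_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        {"type": "threat-actor", "spec_version": "2.1", "id": ACTOR_ID, "name": "Constructed Actor"},
        {"type": "malware", "spec_version": "2.1", "id": MALWARE_ID,
         "name": "Constructed Loader", "is_family": False},
        {"type": "indicator", "spec_version": "2.1", "id": INDICATOR_ID,
         "name": "Constructed hash indicator", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'placeholder']", "valid_from": "2024-01-01T00:00:00Z"},
        sro(0x10, "uses", ACTOR_ID, MALWARE_ID),
        sro(0x11, "indicates", INDICATOR_ID, MALWARE_ID),
    ],
}

# The same bundle with two defects a flat-JSON consumer would happily store:
# an indicator that "uses" malware (no such relationship in STIX 2.1) and a
# relationship whose target_ref points at an object that is not in the bundle.
BAD_BUNDLE = {**CLEAN_BUNDLE, "objects": CLEAN_BUNDLE["objects"] + [
    sro(0x12, "uses", INDICATOR_ID, MALWARE_ID),
    sro(0x13, "uses", ACTOR_ID, "malware--00000000-0000-4000-8000-0000000000ee"),
]}


def domain_objects(bundle):
    """Map id -> object for every non-relationship object in the bundle."""
    return {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}


def typed_relationships(bundle):
    """Yield (sro, source_obj, target_obj); a missing endpoint is yielded as None."""
    objects = domain_objects(bundle)
    for obj in bundle["objects"]:
        if obj["type"] == "relationship":
            yield obj, objects.get(obj["source_ref"]), objects.get(obj["target_ref"])


def validate_bundle(bundle):
    """Return a list of error strings; an empty list means the bundle is consistent."""
    errors = []
    for obj in bundle["objects"]:
        # Every STIX id is "<type>--<uuid>", so the prefix must agree with the type field.
        if not obj["id"].startswith(obj["type"] + "--"):
            errors.append(f"{obj['id']}: id prefix does not match type '{obj['type']}'")
    for rel, src, tgt in typed_relationships(bundle):
        if src is None or tgt is None:
            missing = rel["source_ref"] if src is None else rel["target_ref"]
            errors.append(f"{rel['id']}: dangling reference {missing}")
            continue
        triple = (src["type"], rel["relationship_type"], tgt["type"])
        if triple not in ALLOWED_RELATIONSHIPS:
            errors.append(f"{rel['id']}: {triple} is not a STIX 2.1 relationship")
    return errors


def actors_behind_indicator(bundle, indicator_id):
    """Derive the threat actors reachable as indicator -indicates-> malware <-uses- threat-actor,
    ignoring SROs with a missing endpoint. This is the kind of transitive insight the page
    describes a database-side function computing; here it is done in memory."""
    objects = domain_objects(bundle)
    indicated, used_by = defaultdict(set), defaultdict(set)
    for rel, src, tgt in typed_relationships(bundle):
        if src is None or tgt is None:
            continue
        triple = (src["type"], rel["relationship_type"], tgt["type"])
        if triple == ("indicator", "indicates", "malware"):
            indicated[src["id"]].add(tgt["id"])
        elif triple == ("threat-actor", "uses", "malware"):
            used_by[tgt["id"]].add(src["id"])
    return sorted(objects[a]["name"] for m in indicated[indicator_id] for a in used_by[m])


if __name__ == "__main__":
    print("clean bundle errors:", validate_bundle(CLEAN_BUNDLE))
    for err in validate_bundle(BAD_BUNDLE):
        print("bad bundle:", err)
    print("actors behind indicator:", actors_behind_indicator(BAD_BUNDLE, INDICATOR_ID))
```

Running the script reports no errors for the clean bundle, two for the bad one (the disallowed indicator-uses-malware triple and the dangling target_ref), and still resolves the indicator to "Constructed Actor" because the derivation only walks relationships whose endpoints exist. The point the page makes is that a typed schema gives you both checks without writing this code: the insert fails at the schema, and the traversal is a query.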

TypeDB STIX schema visualised in TypeDB web studio

Get started with TypeDB CTI 3.0

The updated CTI repository remains an open-source project, and we want to encourage you all to explore its new features. You can find the latest version and detailed instructions on how to set it up and start using it at our official GitHub repository.

We also provide a pre-built sample dataset using the updated schema, and a small set of ingested STIX data.

You can also spin up a TypeDB Cloud database with the dataset preloaded in just a few clicks:

  1. Sign up to cloud.typed.com
  2. Click “Deploy”
  3. Click through your deployment configuration, and choose cti as the sample dataset

That’s it!

Join the discussion

We hope this update helps cybersecurity teams, researchers, and CTI practitioners build smarter threat intelligence systems.

If you’ve got feedback, ideas, or want to share how you’re using TypeDB for CTI, let us know:

TypeDB CTI: Structured, semantic threat intelligence by design.
