6,500+
Active MISP community instances globally sharing threat intelligence
STIX 2.1
OASIS standard intelligence format, used by government sharing programs such as CISA AIS and by most commercial TIPs
60-70%
Of threat intelligence consumed from commercial feeds per Gartner research
18% CAGR
TIP market growth rate through 2027 per IDC forecast

Threat intelligence platforms occupy a specific and often misunderstood niche in the security stack. They are not SIEM replacements, not vulnerability scanners, and not SOARs. A TIP manages intelligence as a structured knowledge base: threat actor profiles, malware families, attack campaigns, and the indicators associated with each, with metadata about confidence, source, and temporal validity. What makes a TIP valuable is not its ability to store IOCs but its ability to make intelligence operationally useful by automating enrichment, distributing indicators to detection tools, and enabling analysts to answer the question "what do we know about this threat actor?"

The market splits cleanly between open-source platforms (MISP and OpenCTI) that require significant internal engineering investment and commercial platforms (ThreatConnect, Recorded Future, Anomali) that provide managed capabilities at higher cost. This comparison covers both categories honestly.

What a TIP Does vs What a SIEM Does

The most common misconception about TIPs is that they duplicate SIEM functionality. They do not. They address different aspects of the threat intelligence lifecycle.

The SIEM's job is to collect security events from your environment (Windows event logs, firewall logs, authentication logs, network flows, endpoint telemetry), correlate them against detection rules, and surface alerts when anomalous or malicious patterns are detected. A SIEM is retrospective: it tells you what happened in your environment based on the data it has collected. It is excellent at detecting known patterns in log data but requires that intelligence be expressed as detection rules (KQL, SPL, YARA-L) to be actionable.

The TIP's job is to manage threat intelligence as structured knowledge, curate indicator quality, maintain the relationships between threat actors, malware families, campaigns, and techniques, and distribute actionable intelligence to the tools that need it. A TIP is prospective: it tells you what threats exist and what indicators to watch for, so that your detection tools can identify them when they appear.

The relationship between them is directional: the TIP feeds the SIEM with curated IOCs, which the SIEM matches against log data to generate alerts. The SIEM feeds the TIP (or SOAR) with alert context that triggers threat intelligence lookup queries, enriching alerts with attribution and campaign data. Neither can perform the other's function well.

Why you cannot skip the TIP and just import IOC lists into your SIEM:

Raw IOC feeds imported directly into a SIEM without a TIP in between generate significant noise. Most threat intelligence feeds contain aged indicators, known-good infrastructure that appears in attacker reports, and CDN/legitimate service IPs that generate massive false positive volumes when matched against network logs. A TIP provides the curation layer: scoring indicator confidence, applying expiration dates, deduplicating across sources, and filtering out known-benign infrastructure before indicators reach the SIEM. Organizations that skip the TIP and import raw feeds directly into their SIEM often disable the threat intelligence matching function entirely due to noise, which defeats the purpose.

Open Source: MISP in Depth

MISP (Malware Information Sharing Platform) started as a platform for sharing threat intelligence within and between organizations. It is now the most widely deployed open-source TIP globally, with over 6,500 active community instances.

Architecture: MISP's core is a PHP (CakePHP) web application; Python is used for the PyMISP client library and the misp-modules enrichment and export framework. Ubuntu 22.04 and Debian are the supported platforms as of MISP 2.4.x. The backend uses MySQL or MariaDB for structured data and Redis for caching and background job queues. A MISP instance can run on a single server (4+ vCPUs, 16+ GB RAM recommended for production with feeds enabled) or in a distributed configuration with separate database, worker, and web tiers. The REST API is MISP's primary integration interface and supports the native MISP JSON format as well as STIX 1.x and STIX 2.1 export.

Core data model: MISP organizes intelligence around Events (the top-level container), Objects (structured groupings of related attributes, for example a Network Activity object containing an IP, domain, and URL), Attributes (individual data points like IP addresses, domain names, file hashes, email subjects), and Tags (MISP's taxonomy system for classification, including threat actor tags, TLP markings, and MITRE ATT&CK technique tags). The Galaxies feature provides pre-built knowledge bases for threat actors (MITRE ATT&CK groups), ATT&CK techniques, malware families (Malpedia), ransomware groups, and more.

Feeds and sharing: MISP supports three feed types: MISP feeds (other MISP instances published as JSON over HTTP), Freetext feeds (line-separated indicator lists), and CSV feeds. The MISP community maintains a curated list of default feeds including abuse.ch feeds, CIRCL OSINT feeds, and several government CERT feeds. MISP's sharing model allows data to be shared selectively: Events can be shared with specific organizations, MISP communities (trust circles), or published publicly. The MISP Project operates several community MISP instances that serve as intelligence sharing hubs for ISACs and national CERTs.
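The Freetext feed type above works because MISP's importer recognises indicator types from the raw text rather than relying on a schema. The following is an added example, not MISP project code: a small freetext importer that refangs defanged IOCs and classifies each line into a MISP attribute type (ip-dst, domain, url, md5/sha1/sha256, email-src), skipping comments, duplicates and lines that are not indicators. The feed content is constructed for the example.

```python
import re

# Added example (not MISP project code): classify lines of a freetext feed into
# MISP attribute types, the job MISP's freetext import does for "Freetext feeds".
# SAMPLE_FEED is constructed for this example; the hashes are the well-known
# EICAR test file hashes, the hosts are reserved documentation names.

SAMPLE_FEED = """# constructed sample feed; comment lines are skipped
hxxp://malicious[.]example[.]test/payload.exe
203.0.113.45
203.0.113.45
updates.example.test
44d88612fea8a8f36de82e1278abb02f
3395856ce81f2b7382dee72602f798b642f14140
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
spear@phish.example.test
not an indicator at all
"""

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL = re.compile(r"^https?://\S+$", re.IGNORECASE)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
HEX = re.compile(r"^[a-f0-9]+$", re.IGNORECASE)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value):
    """Undo the common defanging conventions feeds use so the value matches logs."""
    value = value.strip()
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    for defanged, clean in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        value = value.replace(defanged, clean)
    return value


def classify(value):
    """Map one refanged value to a MISP attribute type, or None if it is not an IOC.
    Order matters: hashes before domains (no dots), URLs and emails before domains."""
    if IPV4.match(value):
        if all(int(octet) <= 255 for octet in value.split(".")):
            return "ip-dst"
        return None
    if HEX.match(value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]
    if URL.match(value):
        return "url"
    if EMAIL.match(value):
        return "email-src"
    if DOMAIN.match(value):
        return "domain"
    return None


def parse_feed(text):
    """Turn feed text into a de-duplicated list of {"type", "value"} attributes."""
    seen = set()
    attributes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value = refang(line)
        attr_type = classify(value)
        if attr_type is None:
            continue
        key = (attr_type, value.lower())
        if key in seen:  # the same indicator listed twice becomes one attribute
            continue
        seen.add(key)
        attributes.append({"type": attr_type, "value": value})
    return attributes


if __name__ == "__main__":
    for attr in parse_feed(SAMPLE_FEED):
        print(f"{attr['type']:10} {attr['value']}")
```

The type map uses MISP's attribute type names so the output can be posted to an event as-is; a real import would additionally set the category, to_ids flag and distribution on each attribute.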

Integration points:

  • SIEM: MISP-to-Splunk via the Splunk MISP Add-on; MISP-to-Sentinel via the Threat Intelligence Platforms connector
  • SOAR: MISP has native integrations with TheHive (open-source SOAR/IR case management), Cortex (analyzer and responder platform), and commercial SoARs via REST API
  • EDR: MISP can export indicator lists in formats compatible with most EDR platforms via the misp-modules export framework
  • Firewall: MISP indicator exports can be consumed by pfSense, Palo Alto Networks, and Fortinet through the REST API, through CSV/freetext exports served as external block lists, or through a TAXII server fed from MISP where the consumer only speaks TAXII

Limitations: MISP's UI is functional but not optimized for analyst workflow. Instances holding thousands of events and millions of attributes require database tuning (MySQL query optimization and indexes on the columns that event and attribute searches filter on) to perform acceptably. The platform has no built-in analyst intelligence production workflow (reports, finished intelligence documents) beyond raw event management.


Open Source: OpenCTI in Depth

OpenCTI (Open Cyber Threat Intelligence) is a STIX 2.1-native threat intelligence platform. It began as a project of ANSSI in partnership with CERT-EU and is now developed by Filigran, the company founded by its original authors. Unlike MISP, which grew from an IOC sharing tool, OpenCTI was designed from the ground up around STIX 2.1 and the structured knowledge graph model of threat intelligence.

Architecture: OpenCTI uses a modern microservices architecture. The core components are: OpenCTI platform (Node.js/GraphQL API), OpenCTI frontend (React), OpenSearch (Elasticsearch-compatible search and storage backend), MinIO (object storage for documents and attachments), Redis (caching and job queues), and RabbitMQ (message broker for connector workers). The minimum recommended production deployment is Kubernetes (Helm chart provided) with 8+ vCPUs and 32+ GB RAM. A Docker Compose configuration is available for development and evaluation.

STIX 2.1 native model: Every object in OpenCTI is a STIX 2.1 object: Threat Actor, Campaign, Malware, Tool, Attack Pattern, Indicator, Observable, Relationship, Report. The platform enforces STIX semantics: relationships between objects are explicit STIX Relationship objects, not implicit database foreign keys. This makes OpenCTI's data model maximally interoperable with other STIX-compliant systems but requires analysts to think in STIX terminology when creating intelligence.

Connectors: OpenCTI's connector ecosystem is its primary differentiator. Connectors are Python workers that import intelligence from external sources or export to downstream tools. The official connector library (github.com/OpenCTI-Platform/connectors) includes 100+ connectors covering: MITRE ATT&CK (auto-imports the full ATT&CK knowledge base), MISP (bidirectional sync), VirusTotal, Shodan, CIRCL OSINT, AlienVault OTX, abuse.ch feeds, CVE/NVD, and many commercial intelligence providers. Export connectors push to Splunk, Elastic, Microsoft Sentinel (via TAXII), and firewall platforms. This connector architecture means OpenCTI functions as an intelligence orchestration hub, pulling from many sources and distributing to many consumers automatically.

Analyst workflow: OpenCTI provides a knowledge graph visualization interface where analysts can explore the relationships between threat actors, malware families, campaigns, and infrastructure. The Investigation workspace allows analysts to build relationship graphs interactively during analysis and export them as STIX bundles or PDF reports. The native report module supports finished intelligence production with entity linking, making OpenCTI more suitable than MISP for organizations that produce finished intelligence products (threat actor profiles, campaign reports) alongside raw indicator management.

Filigran's commercial offering: Filigran offers OpenCTI Cloud (fully managed SaaS deployment) and OpenCTI Enterprise Edition with additional features and SLA-backed support. The community edition is fully open source under Apache 2.0.

Commercial Platforms: ThreatConnect, Recorded Future, and Anomali

Commercial TIPs provide managed capabilities, vendor support, and pre-built intelligence content at price points that reflect the operational investment saved versus self-managing open-source platforms.

ThreatConnect: ThreatConnect is a traditional TIP with a strong emphasis on analyst workflow, playbook automation (similar to SOAR), and intelligence lifecycle management. Key capabilities: the ThreatConnect Intelligence platform ingests STIX/TAXII, CSV, JSON, and vendor-specific formats; the ThreatConnect SOAR module (TC Playbooks) automates enrichment, notification, and response workflows; ThreatConnect Risk Quantifier provides an exposure scoring model. ThreatConnect is deployed as SaaS (ThreatConnect Cloud) or on-premises and targets mid-enterprise to large enterprise customers. Pricing is not public; enterprise contracts commonly run $150,000 to $500,000 annually for the platform plus content subscriptions. ThreatConnect's differentiator is its playbook automation capability integrated natively with the TIP, which reduces the need for a separate SOAR platform.

Recorded Future: Recorded Future is better described as an intelligence provider than a platform. The core product is Recorded Future's Intelligence Cloud, which continuously collects and analyzes data from millions of sources including open web, dark web forums, paste sites, code repositories, social media, and technical indicators. Machine learning models produce risk scores (Domain Risk Score, IP Risk Score, Vulnerability Risk Score, Person Risk Score) and curated intelligence packs covering threat actors, vulnerabilities, and compromised credentials. Recorded Future integrates with SIEM, SOAR, and TIP platforms as an enrichment source rather than as a standalone workflow tool. It is the premier intelligence source subscription in the market; it is not a replacement for a TIP that manages your own intelligence and analyst workflow.

Anomali: Anomali's platform (Anomali ThreatStream) is a mature TIP targeting enterprise and government customers with high-volume IOC management requirements. ThreatStream provides: automated feed ingestion from commercial and open-source sources, confidence scoring and deduplication, workflow for analyst investigation and escalation, and output integrations to SIEM, firewalls, and EDR. Anomali LENS is a browser extension and document scanning feature that automatically detects threat intelligence in unstructured documents (PDFs, HTML pages) and links them to ThreatStream records, reducing manual intelligence extraction work. Anomali Match provides automated indicator matching against historical logs stored in cloud storage, enabling retrospective matching of new intelligence against old telemetry without re-running SIEM searches.

Intel 471: Deserves mention as a category leader for human intelligence and criminal underground monitoring. Intel 471 is primarily an intelligence source rather than a TIP platform, specializing in actor-centric intelligence from criminal forums, malware-as-a-service ecosystems, and compromised credential markets. It integrates with TIPs as a premium feed source. Organizations building a CTI function with actor attribution capability typically subscribe to Intel 471 as one of several commercial intelligence sources consumed by their TIP.

STIX 2.1 and TAXII 2.1 Integration Patterns

STIX 2.1 and TAXII 2.1 are the infrastructure standards that enable interoperability between TIPs, SIEMs, and intelligence sharing communities. Understanding the mechanics is necessary for planning integrations.

STIX 2.1 object types relevant to TIP integration:

  • indicator: A detection pattern with a pattern_type (stix, the STIX Patterning language, is the default; pcre, sigma, snort, suricata and yara are also defined). Carries a required valid_from, an optional valid_until, an optional confidence (0-100), indicator_types, and labels.
  • threat-actor: Profiles of adversaries with motivation, sophistication, aliases, and relationships to campaigns and malware.
  • malware: Descriptions of malware families including capabilities, kill chain phase, and relationships to indicators.
  • campaign: Named attack campaigns linking threat actors, malware, indicators, and targeted industries.
  • relationship: First-class STIX objects expressing connections between other objects (e.g., threat-actor uses malware, campaign targets industry).
  • bundle: A container for multiple STIX objects transferred together.
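To make the object list concrete, here is an added example (hand-built dicts, not the stix2 library and not any vendor's code) that assembles a small STIX 2.1 bundle and walks its relationship objects to answer the analyst question from the introduction, "which indicators are associated with this threat actor?". The actor, malware, campaign and patterns are constructed; IDs are derived with uuid5 so the output is reproducible.

```python
import json
import re
import uuid

# Added example, not from the OASIS spec text or any TIP: build a STIX 2.1 bundle
# by hand and resolve threat-actor -> (uses/attributed-to) -> indicates <- indicator.
# All entities below are constructed for the example.

TS = "2024-01-15T00:00:00.000Z"
STIX_ID = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def stix_id(obj_type, seed):
    """Deterministic 'type--uuid' identifier (real tools use random UUIDv4)."""
    return f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, f'{obj_type}/{seed}')}"


def sdo(obj_type, name, **extra):
    """A STIX Domain Object with the common required properties filled in."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, name),
           "created": TS, "modified": TS, "name": name}
    obj.update(extra)
    return obj


def indicator(name, pattern):
    return sdo("indicator", name, pattern=pattern, pattern_type="stix",
               valid_from=TS, indicator_types=["malicious-activity"])


def relationship(source, rel_type, target):
    """Relationships are first-class objects: source --relationship_type--> target."""
    rid = stix_id("relationship", f"{source['id']}|{rel_type}|{target['id']}")
    return {"type": "relationship", "spec_version": "2.1", "id": rid, "created": TS,
            "modified": TS, "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def build_bundle():
    actor = sdo("threat-actor", "Example Wolf", threat_actor_types=["crime-syndicate"])
    rat = sdo("malware", "ExampleRAT", is_family=True, malware_types=["remote-access-trojan"])
    loader = sdo("malware", "OtherLoader", is_family=True, malware_types=["dropper"])
    campaign = sdo("campaign", "Operation Example")
    c2 = indicator("ExampleRAT C2", "[ipv4-addr:value = '203.0.113.45']")
    staging = indicator("Campaign staging domain", "[domain-name:value = 'updates.example.test']")
    other = indicator("OtherLoader hash",
                      "[file:hashes.'SHA-256' = '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f']")
    objects = [actor, rat, loader, campaign, c2, staging, other,
               relationship(actor, "uses", rat),
               relationship(campaign, "attributed-to", actor),
               relationship(c2, "indicates", rat),
               relationship(staging, "indicates", campaign),
               relationship(other, "indicates", loader)]   # unrelated to the actor
    return {"type": "bundle", "id": stix_id("bundle", "example"), "objects": objects}


def validate_bundle(bundle):
    """Cheap structural checks before import: well-formed IDs and no relationship
    pointing at an object missing from the bundle."""
    problems = []
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not STIX_ID.match(o["id"]):
            problems.append(f"malformed id {o['id']}")
        if o["type"] == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o[ref] not in ids:
                    problems.append(f"{o['id']} has dangling {ref} {o[ref]}")
    return problems


def indicators_for_actor(bundle, actor_id):
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    # First hop: what the actor uses, plus campaigns attributed to the actor.
    related = {actor_id}
    for r in rels:
        if r["relationship_type"] == "uses" and r["source_ref"] == actor_id:
            related.add(r["target_ref"])
        elif r["relationship_type"] == "attributed-to" and r["target_ref"] == actor_id:
            related.add(r["source_ref"])
    # Second hop: indicators point at what they detect via "indicates".
    hits = [by_id[r["source_ref"]] for r in rels
            if r["relationship_type"] == "indicates" and r["target_ref"] in related]
    return sorted(hits, key=lambda o: o["name"])


if __name__ == "__main__":
    bundle = build_bundle()
    print("problems:", validate_bundle(bundle))
    for ind in indicators_for_actor(bundle, stix_id("threat-actor", "Example Wolf")):
        print(ind["name"], "->", ind["pattern"])
    print(json.dumps(bundle)[:160], "...")
```

The traversal stops after two hops on purpose: following every relationship type transitively quickly pulls in indicators for unrelated malware that merely shares a technique, which is exactly the over-broad IOC set that generates SIEM noise.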

TAXII 2.1 server structure:

A TAXII 2.1 server exposes collections (named groups of STIX objects) via REST endpoints. The key endpoints:

  • GET /taxii2/ returns the discovery document, including the list of API root URLs (the API root path is server-defined; /api1/ below is only an illustration)
  • GET /api1/collections/ lists the collections under that API root, each with an id, title, and can_read/can_write flags
  • GET /api1/collections/{id}/objects/ retrieves STIX objects from a collection as an envelope ({"more": ..., "next": ..., "objects": [...]}); filter parameters include added_after, match[type], match[id], and limit, and when "more" is true the "next" value is passed back as a query parameter to fetch the following page. The response also carries X-TAXII-Date-Added-First and X-TAXII-Date-Added-Last headers, which a consumer stores as its checkpoint for the next poll
  • POST /api1/collections/{id}/objects/ adds objects to a writable collection (for sharing)

All requests must send Accept: application/taxii+json;version=2.1; a server is entitled to answer 406 otherwise.
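The exchange above, as an added example rather than the code of the Sentinel connector, Splunk framework, or any vendor: a TAXII 2.1 polling client talking to an in-memory stand-in server, so both sides of the protocol are visible, including pagination via "next", the added_after checkpoint, the match[type] filter, and the Accept header check. The API root /api1/, the collection ID and the indicator objects are all constructed for the example.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Added example (constructed; not a real TAXII server or client implementation).
TAXII_MEDIA = "application/taxii+json;version=2.1"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"   # made-up collection id


class FakeTaxiiServer:
    """Stand-in for a TAXII 2.1 server: one API root, one read-only collection, objects
    served in pages using the 2.1 envelope and X-TAXII-Date-Added-* headers."""

    def __init__(self, rows, page_size=2):
        self.rows = sorted(rows, key=lambda r: r[0])  # (date_added, stix_object), oldest first
        self.page_size = page_size
        self.requests = 0

    def get(self, path, params=None, headers=None):
        self.requests += 1
        params, headers = params or {}, headers or {}
        if headers.get("Accept") != TAXII_MEDIA:
            return 406, {}, {"title": "Accept must be " + TAXII_MEDIA}
        if path == "/taxii2/":
            return 200, {}, {"title": "Example TAXII server", "api_roots": ["/api1/"]}
        if path == "/api1/collections/":
            return 200, {}, {"collections": [{"id": COLLECTION_ID, "title": "Curated indicators",
                                              "can_read": True, "can_write": False}]}
        if path == f"/api1/collections/{COLLECTION_ID}/objects/":
            return self._objects(params)
        return 404, {}, {"title": "not found"}

    def _objects(self, params):
        added_after = params.get("added_after")
        wanted = params.get("match[type]")
        rows = [(d, o) for d, o in self.rows
                if (added_after is None or d > added_after) and (wanted is None or o["type"] == wanted)]
        start = int(params.get("next", 0))   # 'next' is opaque to clients; this server uses an offset
        page = rows[start:start + self.page_size]
        more = start + self.page_size < len(rows)
        envelope = {"more": more, "objects": [o for _, o in page]}
        if more:
            envelope["next"] = str(start + self.page_size)
        headers = {}
        if page:
            headers["X-TAXII-Date-Added-First"] = page[0][0]
            headers["X-TAXII-Date-Added-Last"] = page[-1][0]
        return 200, headers, envelope


class TaxiiClient:
    def __init__(self, transport):
        self.transport = transport   # anything with get(path, params, headers) -> (status, headers, body)
        self.headers = {"Accept": TAXII_MEDIA}

    def _get(self, path, params=None):
        status, headers, body = self.transport.get(path, params, self.headers)
        if status != 200:
            raise RuntimeError(f"GET {path} -> {status}: {body.get('title')}")
        return headers, body

    def discover(self):
        return self._get("/taxii2/")[1]["api_roots"]

    def collections(self, api_root):
        return self._get(f"{api_root}collections/")[1]["collections"]

    def poll(self, api_root, collection_id, added_after=None, obj_type="indicator"):
        """Fetch everything added after the checkpoint, following 'next' until more is false.
        Returns (objects, new_checkpoint); persist the checkpoint for the next poll."""
        params = {"match[type]": obj_type}
        if added_after:
            params["added_after"] = added_after
        objects, checkpoint = [], added_after
        while True:
            headers, envelope = self._get(f"{api_root}collections/{collection_id}/objects/", params)
            objects.extend(envelope.get("objects", []))
            checkpoint = headers.get("X-TAXII-Date-Added-Last", checkpoint)
            if not envelope.get("more"):
                return objects, checkpoint
            params["next"] = envelope["next"]


def make_example():
    """Five constructed indicators one minute apart, plus a malware object that the
    match[type]=indicator filter must exclude."""
    base = datetime(2024, 1, 15, tzinfo=timezone.utc)
    rows = []
    for i in range(5):
        added = (base + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
        rows.append((added, {"type": "indicator", "spec_version": "2.1",
                             "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, f'example/{i}')}",
                             "created": added, "modified": added, "valid_from": added,
                             "pattern_type": "stix", "pattern": f"[ipv4-addr:value = '203.0.113.{10 + i}']"}))
    last = rows[-1][0]
    rows.append((last, {"type": "malware", "spec_version": "2.1",
                        "id": f"malware--{uuid.uuid5(uuid.NAMESPACE_URL, 'example/malware')}",
                        "created": last, "modified": last, "name": "ExampleRAT", "is_family": True}))
    server = FakeTaxiiServer(rows)
    return server, TaxiiClient(server)


if __name__ == "__main__":
    server, client = make_example()
    root = client.discover()[0]
    coll = client.collections(root)[0]["id"]
    objs, checkpoint = client.poll(root, coll)
    print(f"first poll: {len(objs)} indicators over {server.requests - 2} page requests, checkpoint {checkpoint}")
    objs, checkpoint = client.poll(root, coll, added_after=checkpoint)
    print(f"second poll with added_after: {len(objs)} new indicators")
```

The second poll returns nothing because the client passes the stored X-TAXII-Date-Added-Last back as added_after; a consumer that restarts from an empty checkpoint re-imports the whole collection every run, which is one of the ways stale indicators accumulate.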

Microsoft Sentinel's Threat Intelligence TAXII data connector polls a configured TAXII 2.x endpoint at a configurable interval (hourly is a common choice) and imports indicator objects into the ThreatIntelligenceIndicator table. The connector supports TAXII 2.0 and 2.1 and authenticates via HTTP Basic Auth or API key depending on the server configuration.

Splunk Enterprise Security's Threat Intelligence Framework accepts STIX/TAXII 2.0 input via the Splunk Add-on for Threat Intelligence or via custom scripted inputs using the TAXII REST API.

Filtering stale indicators:

One of the most critical TAXII integration configurations is filtering indicators by valid_until so that expired IOCs are never imported. STIX 2.1 indicators carry a required valid_from and an optional valid_until; an indicator with no valid_until is treated as indefinitely valid by many consuming platforms, so aged indicators accumulate over time. STIX 2.1 objects also carry an optional revoked flag, which consumers should honour by retiring the indicator. Best practice: configure TAXII consumers to request only objects added within the past 30 days (the added_after filter) and to drop anything revoked or past its valid_until, and configure the TIP to set valid_until on every indicator at creation time based on the indicator type (IP addresses: 30 days; domains: 60 days; file hashes: 180 days; URL patterns: 30 days).
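The following is an added example of the TIP-side curation step, covering both the curation layer described in the SIEM section (deduplication, confidence, known-benign filtering) and the expiry rule in this section. It is not code from any TIP or from the STIX specification. The retention periods are the ones stated above; the allowlist handling, the "keep the highest confidence duplicate" rule and all sample indicators are assumptions constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Added example, not from any TIP: stamp a type-based valid_until on STIX 2.1 indicators
# that lack one, drop revoked and expired ones, collapse duplicates across sources, and
# remove indicators that fall inside allowlisted (known-benign) infrastructure.

TTL_DAYS = {"ipv4-addr": 30, "ipv6-addr": 30, "domain-name": 60, "url": 30, "file": 180}
PATTERN = re.compile(r"^\[\s*([a-z0-9-]+):[^=]*=\s*'([^']*)'\s*\]$")
FMT = "%Y-%m-%dT%H:%M:%S.%fZ"   # STIX timestamps are UTC with a trailing Z


def parse_ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def fmt_ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def split_pattern(pattern):
    """(observable type, value) for the single-comparison patterns TIPs usually emit;
    anything more complex is reported as unknown."""
    m = PATTERN.match(pattern.strip())
    return (m.group(1), m.group(2)) if m else (None, None)


def with_valid_until(ind):
    """valid_until is optional in STIX 2.1; many consumers then keep the indicator forever."""
    if "valid_until" in ind:
        return ind
    kind, _ = split_pattern(ind["pattern"])
    ttl = TTL_DAYS.get(kind, 30)   # unknown observable types get the shortest retention
    out = dict(ind)
    out["valid_until"] = fmt_ts(parse_ts(ind["valid_from"]) + timedelta(days=ttl))
    return out


def is_live(ind, now):
    return not ind.get("revoked", False) and parse_ts(ind["valid_until"]) > now


def is_allowlisted(ind, networks, domain_suffixes):
    kind, value = split_pattern(ind["pattern"])
    if kind in ("ipv4-addr", "ipv6-addr"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(addr in net for net in networks)
    if kind == "domain-name":
        v = value.lower()
        return any(v == s or v.endswith("." + s) for s in domain_suffixes)
    return False


def curate(indicators, now, networks=(), domain_suffixes=()):
    """Return the indicators a SIEM should receive, one per distinct pattern."""
    best = {}
    for ind in indicators:
        ind = with_valid_until(ind)
        if not is_live(ind, now) or is_allowlisted(ind, networks, domain_suffixes):
            continue
        key = ind["pattern"].replace(" ", "").lower()   # dedup key: pattern, ignoring spacing/case
        if key not in best or ind.get("confidence", 0) > best[key].get("confidence", 0):
            best[key] = ind
    return sorted(best.values(), key=lambda i: i["id"])


def ind(num, pattern, valid_from, confidence, **extra):
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--11111111-1111-4111-8111-{num:012d}",
           "created": valid_from, "modified": valid_from, "valid_from": valid_from,
           "pattern_type": "stix", "pattern": pattern, "confidence": confidence}
    obj.update(extra)
    return obj


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
# Constructed sample: two feeds reporting the same C2 IP, an aged URL, a revoked hash,
# an IP inside an allowlisted CDN range, and a hash still inside its retention window.
SAMPLE = [
    ind(1, "[ipv4-addr:value = '203.0.113.45']", "2024-02-15T00:00:00.000Z", 60),
    ind(2, "[ipv4-addr:value = '203.0.113.45']", "2024-02-15T00:00:00.000Z", 80),
    ind(3, "[domain-name:value = 'updates.example.test']", "2024-01-20T00:00:00.000Z", 70),
    ind(4, "[url:value = 'http://malicious.example.test/payload.exe']", "2024-01-10T00:00:00.000Z", 90),
    ind(5, "[file:hashes.'SHA-256' = '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f']",
        "2023-06-01T00:00:00.000Z", 95, valid_until="2025-01-01T00:00:00.000Z", revoked=True),
    ind(6, "[ipv4-addr:value = '198.51.100.7']", "2024-02-20T00:00:00.000Z", 50),
    ind(7, "[file:hashes.'MD5' = '44d88612fea8a8f36de82e1278abb02f']", "2023-12-01T00:00:00.000Z", 85),
]
ALLOW_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed CDN range
ALLOW_DOMAINS = ["cdn.example.test"]

if __name__ == "__main__":
    for i in curate(SAMPLE, NOW, ALLOW_NETS, ALLOW_DOMAINS):
        print(i["id"][-4:], i["confidence"], i["valid_until"], i["pattern"])
```

Seven inputs become three outputs: the duplicated C2 address survives once with the higher confidence, the URL has aged out under the 30-day rule, the revoked hash and the allowlisted address are gone, and the MD5 is still within its 180-day window.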

Decision Framework by Organization Size and Maturity

Selecting a TIP requires matching platform capability to organizational maturity, staff capacity, and budget. The following framework covers four organization profiles.

Profile 1: Security team under 10 people, no dedicated CTI analyst

Recommendation: Skip a standalone TIP. Integrate 2-3 high-quality free indicator feeds directly into your SIEM using the platform's native threat intelligence integration (Sentinel's TI data connector, Splunk's Threat Intelligence Framework). Focus on quality over quantity: the abuse.ch feeds provide high-signal, low-noise indicator matching with minimal operational overhead. CISA KEV is a catalogue of exploited CVEs rather than an IOC feed; use it for vulnerability prioritisation alongside the feeds, not for log matching. Add a commercial TIP only when you have a dedicated analyst with time to manage it.

Profile 2: Security team of 10-50 people, part-time CTI function

Recommendation: Deploy OpenCTI with managed hosting (Filigran's OpenCTI Cloud starts at approximately $1,000-2,000/month for small deployments) or self-host MISP on a dedicated VM with 3-5 curated community feeds. Integrate with SIEM via TAXII. The investment is justified if analysts are currently managing IOC spreadsheets manually or wasting time on threat context lookups without enrichment. Do not invest in a commercial TIP until the CTI function is consuming the open-source platform's capabilities fully.

Profile 3: Enterprise security team of 50-500 people, dedicated CTI team

Recommendation: Evaluate ThreatConnect or Anomali ThreatStream as the TIP alongside a Recorded Future subscription as the primary commercial intelligence source. The TIP manages analyst workflow, intelligence production, and distribution; Recorded Future provides the data. Budget $200,000-500,000 annually for the combined platform plus intelligence subscription. Evaluate MISP in parallel as the community sharing hub if the organization participates in ISAC sharing communities.

Profile 4: Large enterprise or government, mature CTI program with multiple analysts

Recommendation: A dual-platform approach is common: MISP as the community sharing and open-source feed aggregation platform, with a commercial or vendor-supported TIP (ThreatConnect, Anomali, or a supported OpenCTI deployment) as the analyst-facing production and workflow layer. The two platforms sync via STIX/TAXII. This provides the breadth of the MISP community ecosystem with the analyst workflow quality of a commercial platform. At this scale, Intel 471 and a second commercial intelligence source (Flashpoint, ZeroFox) are standard components of the intelligence collection portfolio.

The bottom line

The right TIP is the one your team will actually use consistently and that integrates reliably with your SIEM and detection tools. For most organizations, the value of a TIP is unlocked not by the platform features but by the discipline of maintaining indicator quality, applying expiration dates, and automating the distribution of curated IOCs to detection tools. Open-source platforms (MISP, OpenCTI) provide enterprise capability at license cost savings that justify the engineering investment for teams with the capacity to manage them. Commercial platforms (ThreatConnect, Recorded Future, Anomali) reduce operational overhead at significant cost, with Recorded Future uniquely positioned as a premium intelligence source rather than a workflow platform.

Frequently asked questions

What is the difference between a TIP and a SIEM?

A TIP manages threat intelligence as structured data: threat actor profiles, malware family relationships, attack campaign timelines, and indicators of compromise with their associated context, confidence levels, and expiration dates. A SIEM collects and correlates security events from your environment's logs and alerts. The TIP answers questions like "Who is this threat actor, what techniques do they use, and what IOCs are associated with them?" The SIEM answers questions like "Did any of those IOCs appear in my environment's logs in the past 24 hours?" The two systems are complementary: the TIP enriches SIEM alerts with threat context and distributes curated IOCs to the SIEM for matching. Running a SIEM without a TIP means threat context enrichment is manual; running a TIP without a SIEM means you have intelligence but no way to detect when that intelligence manifests in your environment.

Is MISP good enough for an enterprise, or do I need a commercial TIP?

MISP is technically capable of handling enterprise-scale threat intelligence operations, and several major government agencies and large enterprises use it as their primary TIP. The honest answer is that MISP's limitation is operational, not technical: it requires significant internal engineering effort to install, maintain, tune, and integrate into your security stack. There is no vendor support contract; troubleshooting relies on community forums and the core team's GitHub responses. For organizations with strong Python/Linux engineering capacity and the staff to maintain it, MISP provides enterprise-grade capabilities at zero license cost. For organizations that need SLA-backed support, managed feeds, and a vendor who will integrate with their stack on request, a commercial TIP is the better operational choice. A hybrid approach is common: use MISP as the community intelligence sharing hub and a commercial platform as the analyst-facing enrichment and workflow layer.

What is STIX/TAXII and why does it matter for threat intelligence sharing?

STIX (Structured Threat Information Expression) is a standardized schema (JSON in STIX 2.x) for representing threat intelligence objects: indicators, threat actors, attack patterns, malware, campaigns, courses of action, and the relationships between them. TAXII (Trusted Automated Exchange of Intelligence Information) is the protocol for distributing STIX content between systems, operating as a REST API built around collection endpoints. Together, they define how threat intelligence is formatted and how it moves between systems without custom integration work. A STIX 2.1-native platform can receive a threat actor profile from a government CERT, automatically link it to related malware objects, and push the associated indicators to your SIEM without human intervention. Organizations that do not support STIX/TAXII are limited to proprietary feed formats and CSV IOC imports, which require custom parsing work for every new source.

How does Recorded Future differ from a traditional TIP?

Recorded Future is best classified as a Threat Intelligence Provider and analytics platform rather than a traditional TIP. The core product is Recorded Future's intelligence cloud, which continuously ingests data from the open web, dark web, technical sources (paste sites, code repositories, vulnerability databases, and attacker infrastructure), and applies machine learning to produce risk scores, alert profiles, and analyst-ready intelligence packages. A traditional TIP like ThreatConnect or Anomali is a platform you bring intelligence into from multiple sources; Recorded Future is primarily a source of intelligence that also provides a platform for consuming and operationalizing that intelligence. Many organizations use Recorded Future as a premium intelligence feed source integrated into their TIP, SIEM, or SOAR, rather than as a standalone TIP replacement. The distinction matters for procurement: Recorded Future pricing is based on access to the intelligence product, not on platform usage.

What is the minimum viable TIP for a 50-person security team?

For a 50-person security team (which typically implies a SOC of 5-15 analysts), the minimum viable TIP serves three functions: centralizing IOC management so analysts are not maintaining spreadsheets of indicators, integrating with the SIEM to automatically match IOCs against log data, and providing some intelligence enrichment for analyst investigation workflows. MISP with a curated set of free community feeds (abuse.ch URLhaus, MalwareBazaar, CIRCL OSINT feeds) and the MISP-SIEM connector meets these requirements at zero license cost for organizations with the engineering capacity. Commercially, ThreatConnect's TC Open (entry-level tier) or OpenCTI with a managed cloud deployment option (OpenCTI Cloud via Filigran) cover this use case with lower engineering overhead. The critical investment is not the platform license but the analyst time required to tune feeds, manage false positive IOCs, and maintain the integration with the SIEM.

How do I integrate a TIP with my SIEM and EDR?

TIP-to-SIEM integration typically uses one of three patterns: TAXII server integration (the SIEM polls the TIP's TAXII endpoint for new indicators and matches them against its logs), syslog/CEF forwarding (the TIP pushes alerts and enriched events to the SIEM in CEF format), or REST API integration (custom scripted synchronization using both platforms' APIs). Microsoft Sentinel supports TAXII 2.0/2.1 natively via the Threat Intelligence TAXII data connector, which polls a configured TAXII endpoint at a configurable interval. Splunk Enterprise Security integrates with TIPs via the Threat Intelligence Framework, which accepts STIX, CSV, and JSON feeds. For EDR integration, most TIPs support exporting indicator lists (domains, IPs, file hashes) in formats compatible with CrowdStrike Falcon's IOC Management, SentinelOne's blocklist, or Microsoft Defender Indicators. Automated bi-directional integration, where SIEM alerts trigger TIP enrichment queries and TIP updates automatically push to the SIEM, is normally orchestrated by a SOAR platform.

What threat intelligence feeds should I start with?

Start with free, high-quality, low-noise feeds before adding commercial subscriptions. For malware-related indicators: abuse.ch MalwareBazaar (malware hashes with family tags), URLhaus (malicious URLs and domains delivering malware), and ThreatFox (IOCs from known malware families). For phishing: OpenPhish and PhishTank. For scanning and exploitation activity: GreyNoise Community (IP addresses actively scanning the internet) and Shodan Malicious IPs. For government-grade intelligence: CISA AIS (Automated Indicator Sharing, available to US critical infrastructure operators), the EclecticIQ Community feed, and CIRCL OSINT feeds (available to MISP community members). For commercial feeds, Recorded Future's Community edition and Intel 471's entry-tier TITAN portal provide high-signal intelligence at entry-level price points. Evaluate feed quality by measuring the hit rate against your SIEM logs, the IOC false positive rate, and the IOC shelf life (how quickly indicators go stale).

Sources & references

  1. MISP Project: Official Documentation and Community Feeds
  2. OpenCTI: Documentation and Connector Library
  3. OASIS Cyber Threat Intelligence TC: STIX 2.1 and TAXII 2.1 Standards
  4. Gartner: Market Guide for Security Threat Intelligence Products and Services 2024
  5. IDC: Worldwide Threat Intelligence Services Forecast 2024-2027


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
