STIX (Structured Threat Information eXpression) is a standardized XML programming language for conveying data about cybersecurity threats in a common language that can be easily understood by humans and security technologies.
Designed for broad use, there are several core use cases for STIX. First, it is used by threat analysts to review cyberthreats and threat-related activity. Threat analysts also use STIX to identify patterns that could indicate cyberthreats. Any sort of decision maker or operations personnel may use STIX data to help facilitate cyberthreat response activities, including prevention, detection and response. The final core use for STIX is the sharing of cyber threat information within an organization and with outside partners or communities that benefit from the information.
STIX, which was originally sponsored by the office of Cybersecurity and Communications within the United States Department of Homeland Security (DHS), has been transitioned to OASIS, a non-profit consortium that seeks to advance the development, convergence and adoption of open standards for the Internet. STIX can be used manually or programmatically. Manual use requires an XML editor, but no additional tools. Programmatic use requires Python and Java bindings, Python APIs and utilities. Bindings and related tools to help security analysts process and work with STIX are open source on Github.