What are STIX/TAXII standards?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

STIX and TAXII are a pair of standards that together solve a specific problem: how do you describe a security threat in a machine-readable way, and how do you transmit that description to other systems that can act on it automatically?

STIX stands for Structured Threat Information Expression. It's a data format, essentially a schema for describing security threat intelligence. A STIX object might describe an IP address associated with phishing, an attack pattern used in a campaign, a specific threat actor, or a relationship between indicators. STIX version 2.1 (the current standard) uses JSON, which makes it relatively straightforward to work with in modern security tooling.

TAXII stands for Trusted Automated Exchange of Indicator Information. It's the transport layer: a protocol specification for how STIX data gets distributed between systems. TAXII defines APIs for publishing and consuming threat intelligence, and concepts like "collections" (groupings of related indicators) and "channels" (subscription-based distribution). Think of STIX as the language and TAXII as the postal system that delivers it.

Why they matter for email security: many email security platforms consume STIX/TAXII feeds to receive up-to-date threat indicators from intelligence providers and ISACs. When M3AAWG members share indicators of a phishing campaign, STIX/TAXII is often how that data moves between organizations automatically. It reduces the need for manual threat data sharing and enables near-real-time defensive updates.

For organizations evaluating email security tools: asking whether a vendor supports STIX/TAXII ingest is a reasonable way to assess how well they integrate with broader threat intelligence ecosystems. Most enterprise-grade platforms do. If you're building internal tooling, the OASIS standards body maintains the specifications at no cost.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Evaluate STIX/TAXII for my organization

I'm evaluating whether to implement STIX/TAXII in our security infrastructure. Here's our context: - Our current threat intelligence setup: describe or 'none' - Our email security platform: name - Whether our platform already supports STIX/TAXII: yes / no / not sure - Our security team size: number - Our primary use case: consuming external intelligence / sharing internally / both Help me understand what implementing STIX/TAXII would require for our setup and whether the investment makes sense at our scale.

Edit the yellow boxes, then send to the AI of your choice.