What Are STIX/TAXII?

STIX is a framework.

Think of it as a model of threat intelligence data.

And TAXII is the process in which somebody acquires or sends that information.

Think of the TAXII server as the one that is serving out the information or receiving it, and what it's serving and receiving is a STIX package.

STIX is basically just a common language for intelligence.

So everyone in the world, whether or not English or whatever is their first language, it just creates a foundation for everyone to know what is happening and what this means.

Years ago, the intelligence industry determined that we need some tool, some container, essentially some vehicle for taking this information that is being tossed around, and to be able to take that and push it out to anyone who wants to receive it.

And so from there, that's where STIX and TAXII were born.

So they're free, because from an industry perspective, we want everyone to be able to share this information freely.

And so it's important that that standard remains free.

Imagine that the FBI wants to put out an all-points bulletin to everyone in the United States.

They can push that out as a STIX package, and immediately if a company is using a TAXII server, they can pull that in and they can immediately operationalize it.

So it normally uses STIX for both platforms that we have, so whether it's ThreatStream, which is the subscription-based TIP, or STAXX, which is more of the free kind of general TIP.

STIX is used so it structures it in a way that you understand what the itypes are, what malware, whether it's a malicious IP, false positive, malicious domain; it structures it in a way that everyone can understand it.

Anomali uses it in a couple ways.

First of all, we have a free-to-use STIX/TAXII virtual machine client, called STAXX.

Basically what it does, it's able to pull down data from STIX/TAXII services and consolidate and normalize that data.

That's pretty much it.

Then it has an API, through which you can access that data.

How our Anomali threat platform uses it is that you're able to export both indicators and threat model intelligence into STIX format in multiple versions.

So STAXX is a free version of ThreatStream.

And what it does is it allows users to basically dip their toes in to kind of get a better understanding of threat intelligence information sharing.

So they can utilize STAXX to use it on a very general basis, and then as their needs evolve, as they get larger, as the threats change, they can then switch to ThreatStream, which is much more comprehensive.

So ultimately, if you're trying to serve this information out to maybe some local endpoints or maybe some other individuals who want to share and collaborate on that information, Anomali's TIP allows you to freely do that, with the ease of just clicking a button and sending that information out.
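
The following is an added example, not part of the video and not Anomali's code: a minimal consumer that takes a STIX 2.1 bundle (the kind of payload a TAXII server hands out) and consolidates its indicators into a de-duplicated list, skipping revoked, expired, and unsupported entries. The bundle, its ids, and the helper names are constructed for illustration, and the sample objects omit some required STIX fields (such as `created` and `modified`) for brevity.

```python
import json
import re
from datetime import datetime, timezone

def _ind(n, pattern, **extra):
    # Build one constructed indicator; the ids are made up for this example.
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2024-01-01T00:00:00Z", **extra}

# Constructed bundle, shaped like the objects a TAXII collection would serve.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _ind(1, "[ipv4-addr:value = '198.51.100.7']"),
        _ind(2, "[domain-name:value = 'Bad.example']"),
        _ind(3, "[domain-name:value = 'bad.example']"),  # same domain, second feed
        _ind(4, "[ipv4-addr:value = '203.0.113.9']", revoked=True),
        _ind(5, "[domain-name:value = 'old.example']",
             valid_until="2024-02-01T00:00:00Z"),
        _ind(6, "[file:name = 'a.exe' AND file:size = 10]"),
        {"type": "malware", "spec_version": "2.1", "is_family": False,
         "id": "malware--00000000-0000-4000-8000-000000000007", "name": "sample"},
    ]})

# Only a single equality comparison is handled, e.g. [ipv4-addr:value = '...'].
SIMPLE = re.compile(r"^\[\s*([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

def _ts(value):
    # STIX timestamps are RFC 3339 in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(bundle_json, now):
    """Return (sorted unique (object_type, value) pairs, skipped (id, reason) list)."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    active, skipped = set(), []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # other object types (malware, threat-actor, ...) are context
        if obj.get("revoked") or ("valid_until" in obj and _ts(obj["valid_until"]) <= now):
            skipped.append((obj["id"], "revoked or expired"))
            continue
        m = SIMPLE.match(obj.get("pattern", "")) if obj.get("pattern_type") == "stix" else None
        if m is None:
            skipped.append((obj["id"], "unsupported pattern"))
            continue
        value = m.group(3).lower() if m.group(1) == "domain-name" else m.group(3)
        active.add((m.group(1), value))
    return sorted(active), skipped
```

Skipped entries are returned rather than dropped silently, so an analyst can see which indicators a downstream control never received and why.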
