Trusted Automated eXchange of Indicator Information (TAXII™) is a free and open transport mechanism that standardizes the automated exchange of cyber threat information.
Sharing cyber-risk intelligence and defensive strategies has become imperative in today’s threat landscape. No organization can realistically sit in isolation and still be able to defend itself.
By understanding adversaries’ behavior against a range of targets over a period of time, defenders gain valuable insights into an attacker’s overall goals and strategies.
TAXII empowers organizations to share situational awareness about threats with the partners they choose, while leveraging existing relationships and systems.
TAXII is the preferred exchange mechanism for Structured Threat Information eXpression (STIX™).
By using TAXII, organizations can share STIX content in a secure and automated manner.
TAXII is designed to integrate with existing sharing agreements, including access control limitations.
Pull messages are supported - supporting both subscription feeds and on-demand queries.
TAXII leverages existing protocols when possible - with native support for
Hub and Spoke is a sharing model where one organization functions as the central clearinghouse for information, or hub, coordinating information exchange between partner organizations, or spokes. Spokes can produce and/or consume information from the Hub.
Source/Subscriber is a sharing model where one organization functions as the single source of information and sends that information to subscribers.
Peer to Peer is a sharing model where two or more organizations share information directly with one another. A Peer to Peer sharing model may be ad-hoc, where information exchange is not coordinated ahead of time and is done on an as-needed basis, may be well defined with legal agreements and established procedures, or somewhere in the middle.
OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) - TAXII is developed by the TAXII subcommittee of the CTI TC.
Mailing Lists - Stay up-to-date on development and usage.
Developer Resources - The central location for development of the specifications, tools, and documentation (including this site).
STIX/TAXII Supporters - A growing list of products, services, and sharing communities using TAXII and STIX.
TAXII is a community effort to standardize the trusted, automated exchange of cyber threat information. TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries for the detection, prevention, and mitigation of cyber threats.
TAXII is not a specific information sharing initiative, and it does not define trust agreements, governance, or non-technical aspects of cyber threat information sharing.
Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, and enables organizations to easily share the information they choose with the partners they choose, while leveraging existing relationships and systems.
See TAXII Releases.
Many organizations have announced support for TAXII and STIX, and are listed on our STIX/TAXII Supporters page on the STIX website. Please use our submission form to request that your organization’s products and services be added to the list.
Our STIX/TAXII Blog also lists press releases and other vendor announcements.
TAXII implementations enable secure, consistent, and automated exchange of cyber threat information. TAXII services can be used to support a wide range of sharing models and community requirements. With standardized services, messages, and message exchanges, TAXII implementations facilitate automation and eliminate the need for multiple, custom, point-to-point exchange implementations. TAXII simplifies and speeds cyber threat information exchange.
At present, TAXII defines an XML data format and HTTP/HTTPS message protocols. Details can be found in the TAXII XML Message Binding Specification and the TAXII HTTP Protocol Binding Specification. Future expansion to other protocols and message formats is possible, depending on community demand. The TAXII specifications are written in a modular fashion to accommodate multiple message formats and message protocols. Due to community interest and widespread use, XML and HTTP/HTTPS were selected as the initial TAXII message format and Specifications.
TAXII implementations can share any content as long as it can be represented in a TAXII Message. Use of STIX is recommended to capture indicator list (or other cyber threat) data for seamless sharing through TAXII.
Available TAXII services and their use can be communicated via the TAXII Discovery Service. The Discovery Service provides a requester with a list of TAXII Services and how these Services can be invoked. Specific details can be found in the TAXII Services Specification.
Yes, encrypted data can be exchanged using TAXII. Content can be encrypted directly within a TAXII Message, and the TAXII Protocol Bindings can also support encryption of the entire TAXII Message over the network. Specific details can be found in the TAXII Services Specification and the TAXII Content Binding Reference.
A content provider is not required to store content using different bindings, and is not required to translate between content bindings. The idea behind a consumer indicating a list of Content Bindings is to allow the consumer to avoid receiving content it is unable to parse, rather than an expectation that the hub will have copies of all of its content in each of the requested formats. A content provider MIGHT make the same piece of content available in multiple formats in order to support a wider range of recipients but doing so is not required.
In the XML binding specification an element might be required under some circumstances but optional in others, but in the schema it always appears as optional. For example, in a “Subscription Management Response Message” the “Subscription” field is optional if the requested action is STATUS and otherwise is required, yet the XML binding says “0-n” for the count. Due to the limits of XML schema definitions, it was necessary to use the more flexible definition, even though it would appear exactly once for the other action types. Remember that the XML schema is not considered to be normative — it is present as an aid only, but it is known that it is somewhat more permissive than the specification.
Structured Threat Information eXpression (STIX™) is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner. STIX is one payload that TAXII can convey. STIX represents cyber threat information in a standardized and structured manner. STIX characterizes what is being shared, while TAXII defines how the STIX payload is shared.
Cyber Observable eXpression (CybOX™) is a structured language for describing elements that are observable within the cyber operational environment. STIX is one payload that TAXII can convey, and STIX uses CybOX to represent cyber observables.
Malware Attribute Enumeration and Characterization (MAEC™) is a structured language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. STIX is one payload that TAXII can convey, and STIX can describe malware using MAEC.