OpenCTI
OpenCTI is a cyber threat intelligence platform for managing IOCs, threat actors, campaigns, and STIX/TAXII feeds. Use it to contextualize alerts with threat intelligence.
Aithroyz deploys OpenCTI v6 with Elasticsearch, RabbitMQ, and MinIO as backing services. The admin token is a valid UUID generated at provisioning time. Demo threat indicators are seeded on first boot.
Access
URL: https://opencti.<env-name>.ops.aithroyz.com
Admin email: admin@aithroyz.local (password shown in Environments detail)
⚠ OpenCTI v6 takes 5–10 minutes to fully initialize on first boot. The health check may show amber during this time. Do not restart the container; wait for initialization to complete.
Connecting a TAXII feed
Go to Data → Ingestion → TAXII Feeds. Add the URL of a TAXII 2.1 server (e.g. CIRCL, MITRE ATT&CK). OpenCTI will automatically pull and parse STIX 2.1 bundles, creating indicators, threat actors, and campaigns in the knowledge graph.
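To see what a feed would contribute before adding it, the following added example (not part of OpenCTI or the Aithroyz deployment) reviews a STIX 2.1 bundle offline: it counts objects by type and reports missing required properties and references that point outside the bundle. The sample bundle, its IDs, names and domain are constructed, and `make_id`, `REQUIRED` and `review_bundle` are hypothetical names.

```python
import json
from collections import Counter

def make_id(stix_type, n):  # constructed "type--UUID" identifier, not a real object
    return f"{stix_type}--00000000-0000-4000-8000-{n:012d}"

# Constructed sample bundle; names, ids and the domain are made up.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": make_id("bundle", 1), "objects": [
    {"type": "threat-actor", "spec_version": "2.1", "id": make_id("threat-actor", 2),
     "name": "Example Actor"},
    {"type": "indicator", "spec_version": "2.1", "id": make_id("indicator", 3),
     "pattern": "[domain-name:value = 'bad.example']", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": make_id("indicator", 4),
     "pattern_type": "stix"},  # pattern and valid_from deliberately missing
    {"type": "relationship", "spec_version": "2.1", "id": make_id("relationship", 5),
     "relationship_type": "indicates", "source_ref": make_id("indicator", 3),
     "target_ref": make_id("campaign", 9)},  # campaign is not in this bundle
]})

# Properties STIX 2.1 requires per type (only the types this page mentions).
REQUIRED = {"indicator": ("pattern", "pattern_type", "valid_from"),
            "threat-actor": ("name",), "campaign": ("name",),
            "relationship": ("relationship_type", "source_ref", "target_ref")}

def review_bundle(raw):
    """Return (object counts by type, list of (object id, finding))."""
    bundle = json.loads(raw)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objects = bundle.get("objects", [])
    known_ids = {o.get("id") for o in objects}
    counts = Counter(o.get("type", "<no type>") for o in objects)
    findings = []
    for o in objects:
        oid = o.get("id", "<no id>")
        if o.get("spec_version") != "2.1":
            findings.append((oid, "spec_version is not 2.1"))
        for prop in REQUIRED.get(o.get("type"), ()):
            if not o.get(prop):
                findings.append((oid, f"missing {prop}"))
        if o.get("type") == "relationship":  # out-of-bundle refs are legal, just reported
            for end in ("source_ref", "target_ref"):
                if o.get(end) and o[end] not in known_ids:
                    findings.append((oid, f"{end} not in bundle"))
    return dict(counts), findings

if __name__ == "__main__":
    print(review_bundle(SAMPLE_BUNDLE))
```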