A comparative analysis of cyber-threat intelligence sources, formats and languages

Andrew Ramsdale, Stavros Shiaeles*, Nicholas Kolokotronis

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

152 Downloads (Pure)


The sharing of cyber-threat intelligence is an essential part of multi-layered tools used to protect systems and organisations from various threats. Structured standards, such as STIX, TAXII and CybOX, were introduced to provide a common means of sharing cyber-threat intelligence and have been subsequently much-heralded as the de facto industry standards. In this paper, we investigate the landscape of the available formats and languages, along with the publicly available sources of threat feeds, how these are implemented and their suitability for providing rich cyber-threat intelligence. We also analyse at a sample of cyber-threat intelligence feeds, the type of data they provide and the issues found in aggregating and sharing the data. Moreover, the type of data supported by various formats and languages is correlated with the data needs for several use cases related to typical security operations. The main conclusions drawn by our analysis suggest that many of the standards have a poor level of adoption and implementation, with providers opting for custom or traditional simple formats.
Original languageEnglish
Article number824
Number of pages22
Issue number5
Publication statusPublished - 16 May 2020


  • cyber-threat intelligence
  • threat exchange
  • vulnerability alerts
  • incident reporting
  • indicators of compromise
  • cyber-observables


Dive into the research topics of 'A comparative analysis of cyber-threat intelligence sources, formats and languages'. Together they form a unique fingerprint.

Cite this