Beyond STIX: Next-Level Cyber-Threat Intelligence - Dark Reading
THREAT INTELLIGENCE
VULNERABILITIES & THREATS
COMMENTARY
Beyond STIX: Next-Level Cyber-Threat Intelligence
While industry experts continue to analyze, interpret, and act on threat data, the complexity of cyber threats necessitates solutions that can quickly convert expert knowledge into machine-readable formats.
Ryan Hohimer, Jans Aasman
March 26, 2025
5 Min Read
Cybersecurity has become central to every enterprise's digital strategy, but to stay ahead of evolving cyber threats, organizations need a common language that turns complex threat data into something universally understandable and actionable. This is where Structured Threat Information Expression (STIX) comes in — a standardized language for sharing, storing, and analyzing cyber threat intelligence.
However, simply organizing the data isn't enough to fully understand or counter the sophisticated tactics used by today's threat actors. As cyber threats evolve, traditional methods of identifying, cataloging, and responding to these threats struggle to keep pace.
The Evolution of Cyber-Threat Intelligence Sharing
STIX provides a common language for cyber-threat intelligence (CTI) sharing, enabling organizations to categorize and share critical data points like campaigns; threat actors; tactics, techniques, and procedures (TTPs); observables; and incidents. This categorization allows organizations to gain a deeper understanding of a threat actor's capabilities, patterns, and historical actions. Threat information can then be shared and collaboratively acted upon across a wide array of organizations, making it a foundational tool in cybersecurity.
The STIX language was developed as a serialization and exchange format. As such, it is an excellent means for sharing facts and observations with other organizations.
Since the release of the original STIX 2.1 specification, semantic technologies have advanced. It is now possible to share much richer information with knowledge graphs that provide additional context, detailing motivations (financial, political, or otherwise), skills, resources, TTPs, and behavior and targeting patterns. The added intelligence encapsulated in a knowledge graph gives a more comprehensive profile of a potential threat actor and makes the enhanced threat intelligence more actionable.
To give the STIX 2.1 exchange language this richer representation, the Cyber Threat Intelligence Ontology (CTIO) is under development as an extension of the gistCyber ontology.
A Living, Contextualized View of Cyber Threats
As cyber threats become increasingly complex, relying solely on the original STIX 2.1 exchange language is no longer enough to combat them effectively. To stay ahead of evolving risks, organizations need a richer, more dynamic framework that goes beyond static data representation. This is where translating STIX data from its JSON format into the Web Ontology Language (OWL) and knowledge graphs becomes essential. Knowledge graphs offer a new level of semantic interoperability, enabling organizations to visualize, explore, and query the relationships and hierarchies between various threat entities.
Knowledge graphs create a living, contextualized view of cyber threats, transforming what was once just a collection of isolated data points into a comprehensive landscape of interconnected threats.
With a knowledge graph, security teams can effectively map an exploit target — such as the infamous Log4Shell vulnerability (CVE-2021-44228) — to specific threat actors who have leveraged it in past campaigns. This capability allows them to prioritize their responses by understanding the vulnerability itself and analyzing its exploitation history, identifying the most likely perpetrators, and assessing the associated risks. This holistic view empowers organizations to adopt a proactive stance against cyber threats, enhancing their overall security posture.
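As an added illustration (not code from the article, nor from the CTIO or gistCyber projects), the Python below flattens a small constructed STIX 2.1 bundle into subject/predicate/object triples, standing in for the JSON-to-OWL translation described above, and then walks the resulting graph from CVE-2021-44228 to every threat actor connected to it, both directly and through a malware, campaign and attribution chain. The bundle contents, object ids and actor names are constructed; only the relationship types (exploits, uses, attributed-to, targets) are STIX 2.1's own.

```python
import json
from collections import defaultdict
# Constructed STIX 2.1 bundle (sample data, not from the article); ids are shortened
# placeholders (real STIX ids carry a UUID). Only CVE-2021-44228 comes from the text.
def rel(n, rtype, src, dst):  # build a STIX relationship object (SRO)
    return {"type": "relationship", "id": f"relationship--r{n}",
            "relationship_type": rtype, "source_ref": src, "target_ref": dst}
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--b1", "objects": [
    {"type": "vulnerability", "id": "vulnerability--v1", "name": "Log4Shell",
     "external_references": [{"source_name": "cve", "external_id": "CVE-2021-44228"}]},
    {"type": "malware", "id": "malware--m1", "name": "sample-loader"},
    {"type": "campaign", "id": "campaign--c1", "name": "sample-campaign"},
    {"type": "threat-actor", "id": "threat-actor--a1", "name": "ACTOR-A"},
    {"type": "threat-actor", "id": "threat-actor--a2", "name": "ACTOR-B"},
    rel(1, "exploits", "malware--m1", "vulnerability--v1"),
    rel(2, "uses", "campaign--c1", "malware--m1"),
    rel(3, "attributed-to", "campaign--c1", "threat-actor--a1"),
    rel(4, "targets", "threat-actor--a2", "vulnerability--v1"),
]})

def stix_to_triples(bundle_json):
    """Flatten a STIX 2.1 bundle into (subject, predicate, object) triples."""
    triples = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj["type"] == "relationship":  # an SRO becomes one labelled edge
            triples.append((obj["source_ref"], obj["relationship_type"], obj["target_ref"]))
            continue
        triples.append((obj["id"], "rdf:type", obj["type"]))
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "cve":
                triples.append((obj["id"], "cve", ref["external_id"]))
    return triples

def actors_for_cve(triples, cve_id):
    """Return ids of threat actors reachable from a CVE: walk inbound
    targets/exploits/uses edges and outbound attributed-to edges."""
    fwd, back = defaultdict(list), defaultdict(list)
    for s, p, o in triples:
        fwd[s].append((p, o))
        back[o].append((p, s))
    frontier = [s for s, p, o in triples if p == "cve" and o == cve_id]
    seen, actors = set(frontier), set()
    while frontier:
        node = frontier.pop()
        if (node, "rdf:type", "threat-actor") in triples:
            actors.add(node)
        nxt = [s for p, s in back[node] if p in ("targets", "exploits", "uses")]
        nxt += [o for p, o in fwd[node] if p == "attributed-to"]
        frontier += [n for n in nxt if n not in seen]
        seen.update(nxt)
    return sorted(actors)
```

In the constructed data, ACTOR-B is linked to the CVE by a direct targets edge, while ACTOR-A is only reachable through the malware that exploits it, the campaign that uses that malware, and the campaign's attribution; a flat search of the JSON objects would surface only the first.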
Merging Human-Readable Descriptions With Machine-based Logic
Using large language models (LLMs) to complement knowledge graphs marks an innovative leap in the application of AI within cybersecurity. By ingesting unstructured text data — such as incident reports, advisories, or analyst notes — LLMs can populate knowledge graphs with contextualized threat information. For instance, an LLM can transform descriptions of a spear-phishing campaign or details from an incident report into structured STIX instances, allowing for automated threat profiling and enhancing real-time decision-making.
The integration of LLMs and knowledge graphs not only streamlines threat profiling but also sets the stage for utilizing established cybersecurity frameworks to build a more robust understanding of potential threats.
Building a Comprehensive Blueprint to Anticipate Threats
There is an extensive amount of data available from reliable sources such as MITRE, the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Vulnerability Database. These sources provide indispensable reference data about vulnerabilities, attack patterns, TTPs, mitigations, controls, computational platforms, and more.
Ontologies and knowledge graphs such as MITRE's D3FEND, MITRE's ATT&CK, and NIST's CVE graph databases provide representations of threat analysis data and logic that is both machine-readable and human-readable, as well as highly actionable. It is cybersecurity expertise represented in graph form.
Standardized ontologies, such as BFO, CCO, gistCyber, and D3FEND, can map out everything from vulnerabilities to TTPs and courses of action. When combined with an OWL-based knowledge graph, these frameworks provide a comprehensive blueprint for organizations to understand and anticipate threats. Adding STIX 2.1 via the CTIO into this mix bridges the gap between global standards and enterprise-specific threat intelligence, creating a consolidated knowledge base that draws on years of cybersecurity expertise.
A New Paradigm in Cyber Threat Intelligence
The convergence of STIX, gistCyber, CTIO, OWL, knowledge graphs, and LLMs represents the next evolution in cybersecurity. Knowledge graphs enriched by AI create an environment where CTI is shared, contextualized, and made actionable. This is more than just a technical advancement; it's a paradigm shift. Cybersecurity is moving toward a system where threat intelligence is rich with context, immediately actionable, and more accessible.
The ultimate goal in developing these advanced, AI-powered knowledge graphs is to democratize cybersecurity intelligence. While industry experts continue to analyze, interpret, and act on threat data, the complexity of cyber threats necessitates solutions that can quickly convert expert knowledge into machine-readable formats. By leveraging LLMs and knowledge graphs, organizations can enable non-experts to use cybersecurity data effectively.
About the Authors
Ryan Hohimer
Journeyperson Ontologist and Knowledge Engineer, Semantic Arts
Ryan Hohimer is a journeyperson ontologist and knowledge engineer at Semantic Arts. He is a semantic technology and object-oriented design zealot who enjoys creating object models for artificial intelligence applications. Although many domains are fascinating, the cybersecurity domain is his passion. Ryan has a bachelor of science in electrical engineering (BSEE) from Washington State University (WSU). Upon receiving his degree, the US Department of Energy’s Pacific Northwest National Laboratory (PNNL) put him to work in data analysis in energy and national security. This led Ryan to an exciting career in object modeling for private sector companies.
Jans Aasman
CEO, Franz Inc.
Jans Aasman is a Ph.D. psychologist and expert in cognitive science, as well as CEO of Franz Inc., an early innovator in artificial intelligence, and leading supplier of Graph Database technology for Neuro-Symbolic AI Solutions. As both a scientist and CEO, Dr. Aasman continues to break ground in the areas of AI and knowledge graphs as he works hand-in-hand with organizations such as Montefiore Medical Center, Blue Cross/Blue Shield, Siemens, Merck, Pfizer, Wells Fargo, BAE Systems and US and foreign governments. He is a frequent speaker within the Database and Semantic Technology industries and has authored multiple research papers and bylines on the subject.