STIX/TAXII 2.1: Industry-Standard Threat Sharing, Built In

We've added native STIX 2.1 (Structured Threat Information Expression) support to SATIS. Every threat in our blockchain can now be exported as a standards-compliant STIX Bundle, making it trivially easy to integrate with your existing security stack.

Why STIX Matters

STIX is the lingua franca of threat intelligence. If you're running a SIEM (Splunk, QRadar, Sentinel), a Threat Intelligence Platform (MISP, OpenCTI, ThreatConnect), or any modern security tool, chances are it speaks STIX. By publishing our data in STIX 2.1 format, we've eliminated the "glue code" that typically stands between a threat feed and your security infrastructure.

How It Works

A single API call returns all active SATIS threats as STIX 2.1 Indicators wrapped in a Bundle:

curl -H "Authorization: Bearer tck_your_key" \
     "https://setecastronomyinc.com/api/v1/stix/indicators?count=500"

The response comes back with Content-Type: application/stix+json;version=2.1 and includes:

  • STIX Indicators for every active threat, with proper STIX patterns ([ipv4-addr:value = '203.0.113.45'])
  • TLP markings automatically mapped from SATIS severity levels (critical = TLP:RED, high = TLP:AMBER, etc.)
  • Kill chain phases derived from threat categories (brute-force, port-scan, malware, etc.)
  • Deterministic UUIDs — the same threat always produces the same STIX ID, so your tools can correlate across pulls

No Extra Dependencies

Our STIX implementation is pure Python with zero external dependencies. We don't use the stix2 library — we serialize directly to the STIX 2.1 JSON schema. This keeps our deployment footprint small (important for our offline, air-gapped nodes) while maintaining full spec compliance.

Integration Examples

Splunk — Use the STIX/TAXII input to poll our endpoint on a schedule.

MISP — Add SATIS as a STIX feed source under Sync Actions.

OpenCTI — Configure a STIX 2.1 connector pointing at our API.

Custom scripts — Parse the JSON directly. Every indicator includes valid_from, valid_until, and confidence fields for straightforward filtering.
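As an added example (not SATIS code; the bundle below is constructed, with made-up IDs and values), here is the kind of custom script described above: it resolves TLP markings from the bundle's own marking-definition objects, drops Indicators that are expired, below a confidence floor or outside the allowed TLP levels, and extracts the address from simple ipv4-addr patterns.

```python
"""Filter a STIX 2.1 Indicator bundle into an IPv4 blocklist (constructed example)."""
import json
import re
from datetime import datetime, timezone

IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value = '(\d{1,3}(?:\.\d{1,3}){3})'\]$")
RED = "marking-definition--00000000-0000-4000-8000-0000000000aa"    # constructed ID
AMBER = "marking-definition--00000000-0000-4000-8000-0000000000bb"  # constructed ID

def _ts(s):  # STIX timestamps are RFC 3339 with millisecond precision and a Z suffix
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def _ind(n, pattern, valid_until, confidence, tlp_ref):  # one constructed Indicator
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--00000000-0000-4000-8000-0000000000{n:02d}",
            "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
            "pattern": pattern, "valid_from": "2024-05-01T00:00:00.000Z",
            "valid_until": valid_until, "confidence": confidence, "object_marking_refs": [tlp_ref]}

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": RED, "created": "2017-01-20T00:00:00.000Z",
         "definition_type": "tlp", "definition": {"tlp": "red"}},
        {"type": "marking-definition", "spec_version": "2.1", "id": AMBER, "created": "2017-01-20T00:00:00.000Z",
         "definition_type": "tlp", "definition": {"tlp": "amber"}},
        _ind(1, "[ipv4-addr:value = '203.0.113.45']", "2999-01-01T00:00:00.000Z", 90, RED),
        _ind(2, "[ipv4-addr:value = '203.0.113.46']", "2024-06-01T00:00:00.000Z", 90, RED),    # expired
        _ind(3, "[ipv4-addr:value = '203.0.113.47']", "2999-01-01T00:00:00.000Z", 20, AMBER),  # low confidence
        _ind(4, "[domain-name:value = 'c2.example']", "2999-01-01T00:00:00.000Z", 95, RED),    # not an IPv4 pattern
    ]})

def blocklist(bundle_json, now, min_confidence=50, tlp_allowed=("RED", "AMBER")):
    """IPv4 values from Indicators active at `now` that pass the confidence and TLP filters."""
    objs = json.loads(bundle_json)["objects"]
    tlp = {o["id"]: o["definition"]["tlp"].upper() for o in objs        # resolve markings
           if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    hits = set()
    for o in objs:
        if o["type"] != "indicator" or o.get("revoked") or _ts(o["valid_from"]) > now:
            continue
        if "valid_until" in o and _ts(o["valid_until"]) <= now:
            continue  # expired; a missing valid_until means the indicator does not expire
        if o.get("confidence", 0) < min_confidence or not (
                {tlp.get(r) for r in o.get("object_marking_refs", [])} & set(tlp_allowed)):
            continue  # below the confidence floor, unmarked, or disallowed TLP
        m = IPV4_PATTERN.match(o["pattern"])
        if m:  # domain, hash and compound patterns need a real pattern parser; skipped here
            hits.add(m.group(1))
    return sorted(hits)
```

Only single-comparison ipv4-addr patterns are handled; anything else in the feed is left for a proper STIX pattern parser rather than silently mis-parsed.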

Filtering

You can filter by severity to only pull critical or high-severity threats:

# Only critical threats
curl -H "Authorization: Bearer tck_your_key" \
     "https://setecastronomyinc.com/api/v1/stix/indicators?severity=critical"

What's Next

We're working on a full TAXII 2.1 server endpoint to support push-based subscriptions, so your tools can receive new threats in real time rather than polling. For now, the pull-based STIX endpoint covers the vast majority of integration use cases.

STIX export is available on all plans. Get started with the API.
