
TAXII 2.1: Standards-Compliant Threat Intelligence Sharing

The threat intelligence industry has a fragmentation problem. Every vendor has their own API format, their own data model, their own way of doing things. This makes integration painful and locks organizations into vendor-specific tooling.

OASIS solved this with two complementary standards:

  • STIX 2.1 (Structured Threat Information Expression) — a standardized data format for threat intelligence
  • TAXII 2.1 (Trusted Automated Exchange of Indicator Information) — a standardized API for exchanging STIX data

SATIS now implements both.

Our TAXII 2.1 Server

The SATIS TAXII server is available at https://setecastronomyinc.com/taxii2/ and implements the full TAXII 2.1 specification:

Discovery

curl https://setecastronomyinc.com/taxii2/

Returns server information and available API roots.

Collections

curl https://setecastronomyinc.com/taxii2/satis/collections/

Two collections are available:

  • SATIS Active Threats — currently active, non-expired, non-revoked indicators
  • SATIS All Threats — complete history including expired and revoked entries

Objects

curl -H "Authorization: Bearer tck_your_key" \
     "https://setecastronomyinc.com/taxii2/satis/collections/{id}/objects/"

Returns STIX 2.1 indicators with support for:

  • added_after — temporal filtering (only objects added after a timestamp)
  • match[type] — filter by STIX object type
  • Pagination via limit parameter

STIX 2.1 Indicators

Each threat in the SATIS network is serialized as a proper STIX 2.1 Indicator with:

  • Deterministic UUIDs — the same threat always produces the same STIX ID (via UUID v5), enabling correct deduplication across multiple data pulls
  • TLP markings — Traffic Light Protocol markings auto-mapped from severity (critical → TLP:RED, high → TLP:AMBER, etc.)
  • Kill chain phases — mapped from threat categories to the Lockheed Martin Cyber Kill Chain
  • STIX patterns — standard pattern syntax like [ipv4-addr:value = '203.0.113.45']
  • External references — links back to the SATIS API for full threat details
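Why deterministic IDs matter to a consumer, shown as an added Python example (not SATIS code): two overlapping pulls collapse to one record per threat, and a re-published indicator replaces its older version instead of duplicating it. The namespace UUID, the choice of the pattern string as the UUID v5 name, and the function names are assumptions; only the two severity-to-TLP mappings stated above are included.

```python
import ipaddress
import uuid

# Assumption: constructed namespace; the page does not publish the one SATIS uses.
EXAMPLE_NS = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/stix-ns")

# TLP marking-definition ids fixed by the STIX 2.1 specification.
TLP_RED = "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
# Only the two severity mappings the page states.
SEVERITY_TO_TLP = {"critical": TLP_RED, "high": TLP_AMBER}


def build_indicator(ip, severity, created, modified=None):
    """Build a STIX 2.1 Indicator whose id depends only on the pattern."""
    ip = str(ipaddress.IPv4Address(ip))  # raises ValueError on malformed input
    pattern = f"[ipv4-addr:value = '{ip}']"
    return {
        "type": "indicator",
        "spec_version": "2.1",
        # Assumption: the pattern string is the UUIDv5 name input.
        "id": f"indicator--{uuid.uuid5(EXAMPLE_NS, pattern)}",
        "created": created,
        "modified": modified or created,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": created,
        "object_marking_refs": [SEVERITY_TO_TLP[severity]],
    }


def merge_pull(store, objects):
    """Upsert a pull into a store keyed by STIX id; newest 'modified' wins."""
    # Timestamps share one fixed-width UTC format, so string comparison orders them.
    for obj in objects:
        current = store.get(obj["id"])
        if current is None or obj["modified"] > current["modified"]:
            store[obj["id"]] = obj
    return store


if __name__ == "__main__":
    # Constructed sample data: two pulls that overlap on one threat.
    t1, t2 = "2024-01-01T00:00:00.000Z", "2024-01-02T00:00:00.000Z"
    pull_1 = [build_indicator("203.0.113.45", "high", t1)]
    pull_2 = [build_indicator("203.0.113.45", "critical", t1, t2),
              build_indicator("198.51.100.7", "high", t2)]
    store = merge_pull(merge_pull({}, pull_1), pull_2)
    print(len(store), "unique indicators")
```

Validating the address before it is interpolated keeps a malformed value from producing an invalid or misleading STIX pattern.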

Who Benefits

If you use any of these tools, you can now pull SATIS intelligence automatically:

  • Splunk Enterprise Security — STIX/TAXII input
  • MISP — TAXII feed integration
  • OpenCTI — native TAXII connector
  • ThreatConnect — TAXII 2.1 data source
  • IBM QRadar — Threat Intelligence app
  • CrowdStrike Falcon — custom indicator import

Why Blockchain + Standards

The combination is powerful: SATIS stores threat intelligence on a permissioned blockchain with cryptographic attestation and immutable audit trails, then serves it through industry-standard APIs. You get the provenance guarantees of blockchain with the interoperability of open standards.

Every indicator can be traced back to its publishing node, its original source, and the exact block where it was recorded — something no other TAXII server can offer.

Getting Started

  1. Get an API key at setecastronomyinc.com/signup
  2. Configure your TAXII client to discover at https://setecastronomyinc.com/taxii2/
  3. Pull indicators on a schedule (we recommend every 5 minutes for active threats)

The blockchain does the hard work of consensus and distribution. TAXII makes it accessible to every security tool in your stack.
