MalCloud vs OpenCTI vs MISP: An Honest Comparison
A technical comparison of three self-hostable threat intelligence platforms — MalCloud, OpenCTI, and MISP — covering architecture, deployment, STIX support, unique capabilities, and where each one is strongest.
We built MalCloud because we thought the TIP market had a gap. But we’re not going to pretend the alternatives don’t exist or aren’t good. MISP and OpenCTI are serious platforms with large communities and real production deployments. If you’re evaluating self-hosted threat intelligence platforms, you should understand all three.
This comparison is based on MISP 2.5.x, OpenCTI 6.x (Filigran), and MalCloud 0.x (current). We’ll update it as things change.
Architecture
Architecture dictates everything downstream: deployment complexity, operational overhead, scaling characteristics, and failure modes.
MISP
MISP is a PHP application backed by MySQL (or MariaDB), with Redis for caching and session management. It’s a monolithic architecture — one application process handles the web UI, REST API, background workers, and feed synchronization. The codebase has been in active development since 2011.
MISP stack:
- PHP 8.x (CakePHP framework)
- MySQL 8.0 / MariaDB 10.x
- Redis
- Python (PyMISP workers, MISP modules)
- Apache/Nginx
Deployment footprint: 1 server. A well-configured MISP instance runs on a single 4-core, 16GB VM. This is both its strength (simple) and limitation (vertical scaling only).
OpenCTI
OpenCTI is a Node.js/React application with a GraphQL API, backed by a complex service mesh. The architecture uses an event-driven model with RabbitMQ as the message broker.
OpenCTI stack:
- Node.js (API + GraphQL)
- React (Frontend)
- Elasticsearch / OpenSearch (primary data store + search)
- Redis (caching + locking)
- RabbitMQ (message broker)
- MinIO / S3 (file storage)
- Connectors (Python workers, 100+ available)
Minimum deployment footprint: 5-7 containers. Elasticsearch alone wants 8GB+ of heap for meaningful datasets. A production OpenCTI deployment typically requires 32-64GB RAM and multiple cores. The docker-compose file in the OpenCTI repo defines 6-8 services before adding a single connector.
MalCloud
MalCloud uses Go microservices communicating over NATS, with PostgreSQL as the primary data store and object storage for samples and artifacts.
MalCloud stack:
- Go (API + core services)
- NATS (message bus)
- PostgreSQL (primary data store)
- Python (AI inference, extractors)
- Next.js (frontend)
Deployment footprint: 3-4 containers for a minimal deployment. PostgreSQL handles both structured data and full-text search (using tsvector), avoiding the operational overhead of a separate search cluster. NATS is a single binary with minimal resource requirements.
Architecture comparison
| | MISP | OpenCTI | MalCloud |
|---|---|---|---|
| Core language | PHP | Node.js | Go |
| Data store | MySQL | Elasticsearch | PostgreSQL |
| Message bus | Redis (pub/sub) | RabbitMQ | NATS |
| Min. RAM | 8 GB | 32 GB | 8 GB |
| Min. containers | 1 (monolith) | 5-7 | 3-4 |
| Scaling model | Vertical | Horizontal (Elastic cluster) | Horizontal (NATS + service replicas) |
| API style | REST | GraphQL | REST + gRPC |
Deployment complexity
MISP: The installation process has a reputation. The INSTALL scripts are long and distribution-specific. MISP-docker has improved this significantly, but configuring feeds, taxonomies, galaxies, and warninglists still requires substantial post-install work. Expect 2-4 hours for a first deployment with feeds configured.
OpenCTI: Docker Compose gets you running, but tuning is non-trivial. Elasticsearch heap sizing, RabbitMQ queue management, and connector orchestration require familiarity with each component. Filigran offers a managed cloud version (OpenCTI Cloud, pricing on request) that eliminates this overhead. Expect 4-8 hours for a production-ready self-hosted deployment.
MalCloud: a single docker compose up with pre-configured defaults. MITRE ATT&CK data (20,285 objects), IOC feeds, and enrichment integrations are bootstrapped on first run. Target: under 30 minutes to a working deployment with data flowing.
STIX 2.1 support
STIX 2.1 (OASIS standard, published June 2021) is the lingua franca of threat intelligence. Support depth matters.
| STIX capability | MISP | OpenCTI | MalCloud |
|---|---|---|---|
| STIX 2.1 import | Via misp-stix converter | Native | Native |
| STIX 2.1 export | Via misp-stix converter | Native | Native |
| STIX 2.1 as internal model | No (MISP format internally) | Yes | Yes |
| Custom STIX objects | Partial (via galaxies) | Yes | Yes |
| STIX Relationship Objects | Partial (via converter) | Full | Full |
| STIX Groupings | Partial (via converter) | Yes | Yes |
| STIX Opinions | Yes (via converter, mapped to Analyst Data) | Yes | Planned |
MISP predates STIX 2.1 and uses its own internal data model. Conversion is handled by the misp-stix library, which works but introduces edge cases — particularly with complex relationships and custom properties. MISP’s native model (Events, Attributes, Objects) is well-understood but not 1:1 mappable to STIX.
OpenCTI adopted STIX 2.1 as its internal data model from early versions. This makes it the most STIX-native platform of the three, with full support for all 18 STIX Domain Objects and 2 STIX Relationship Objects.
MalCloud also uses STIX 2.1 internally and stores indicators, threat actors, malware objects, and relationships as native STIX. Opinions and some observational objects are on the roadmap.
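To make the table concrete, here is an added Python example (not code from MISP, OpenCTI or MalCloud) that builds a minimal STIX 2.1 bundle with an Indicator, a Malware object, an "indicates" Relationship and a Grouping, then checks that every reference resolves inside the bundle; that is the check that surfaces the dangling-reference edge cases a converter can introduce. The object names, timestamp and TEST-NET address are constructed.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed timestamp and sample values; nothing here comes from a real feed.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_obj(obj_type, **props):
    """Build a STIX 2.1 object carrying the common required properties."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}


def build_bundle():
    """Indicator --indicates--> Malware, both collected in a Grouping."""
    indicator = stix_obj("indicator", name="C2 beacon address",
                         pattern="[ipv4-addr:value = '203.0.113.7']",  # TEST-NET-3, constructed
                         pattern_type="stix", valid_from=NOW)
    malware = stix_obj("malware", name="ExampleLoader", is_family=True)
    rel = stix_obj("relationship", relationship_type="indicates",
                   source_ref=indicator["id"], target_ref=malware["id"])
    grouping = stix_obj("grouping", context="suspicious-activity",
                        object_refs=[indicator["id"], malware["id"], rel["id"]])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [indicator, malware, rel, grouping]}


def dangling_refs(bundle):
    """Every *_ref / *_refs value that does not resolve inside the bundle.
    A self-contained export should return an empty list; lossy conversion
    (dropped SROs, renamed ids) shows up here as (object id, property, missing id)."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for obj in bundle["objects"]:
        for key, val in obj.items():
            if key.endswith("_ref") and val not in ids:
                missing.append((obj["id"], key, val))
            elif key.endswith("_refs"):
                missing.extend((obj["id"], key, v) for v in val if v not in ids)
    return missing


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("dangling references:", dangling_refs(bundle))
```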
ATT&CK integration
All three platforms integrate with MITRE ATT&CK. The depth varies.
MISP: ATT&CK is available as a MISP Galaxy — a structured taxonomy that can be attached to events and attributes. The Galaxy approach provides tagging and basic relationship mapping. Recent versions have improved inter-galaxy relations, but the relationship depth is less than graph-native approaches like OpenCTI.
OpenCTI: Deep ATT&CK integration with full matrix visualization, technique-to-threat-actor mapping, and coverage heatmaps. OpenCTI imports the entire ATT&CK dataset as STIX objects and maintains the relationship graph. The ATT&CK matrix view is one of OpenCTI’s strongest UI features.
MalCloud: Ships with 20,285 pre-loaded ATT&CK objects including techniques, sub-techniques, mitigations, software, and groups. Indicators are automatically mapped to techniques during ingestion. The detection-as-code pipeline uses ATT&CK mappings to generate technique-specific Sigma rules.
Unique capabilities
MISP
- Galaxies — community-maintained knowledge bases (threat actors, tools, sectors, countries) with 9,000+ clusters. Nothing else has this breadth of structured taxonomy data.
- Warninglists — curated lists of known-good indicators (RFC1918 ranges, top Alexa domains, Google IPs) that prevent false positive enrichment. Simple idea, massively useful.
- Sharing groups — fine-grained distribution controls for multi-org MISP instances (sync servers). MISP’s sharing model is the most mature of the three platforms.
- 15 years of community data — MISP’s default feeds include CIRCL’s OSINT feed, Botvrij, and dozens of community feeds with historical depth no other platform matches.
- PyMISP — a well-maintained Python library for API interaction that many security teams have already integrated into their tooling.
OpenCTI
- Connector ecosystem — 100+ connectors for data ingestion (AlienVault OTX, MITRE, VirusTotal, Mandiant, CrowdStrike, abuse.ch, and many more). This is OpenCTI’s strongest differentiator. Writing a new connector follows a documented framework.
- Investigation workbenches — visual graph exploration for analysts to pivot between entities, build timelines, and document findings interactively.
- Filigran Cloud — managed SaaS option for teams that want OpenCTI without the Elasticsearch ops burden. Pricing available on request.
- Multi-tenant — enterprise deployments can isolate data between business units while maintaining a shared platform.
- Activity streams — real-time feeds of platform activity for audit and analyst awareness.
MalCloud
- ZK-STIX — zero-knowledge proof-based indicator sharing. Share threat intelligence without revealing your watchlist. Covered in detail in our ZK-STIX post.
- Air-gapped AI inference — local LLM inference for report summarization, IOC extraction, and indicator classification. No data leaves your perimeter. Runs on consumer GPUs (RTX 4090 sufficient for 7B parameter models).
- Detection-as-code — automated Sigma rule generation from ingested indicators, mapped through ATT&CK techniques, with output in Splunk SPL, Elastic KQL, and Microsoft KQL. Covered in our detection-as-code post.
- 13 built-in extractors — VirusTotal, Hybrid Analysis, Malware Bazaar, URLhaus, ThreatFox, PhishTank, AlienVault OTX, abuse.ch, InQuest, MalwareBazaar, Malpedia, CAPE Sandbox, and Any.Run.
- 5 enrichment providers — Shodan, SecurityTrails, AbuseIPDB, RDAP, and URLScan integrated out of the box.
What MalCloud Does That Neither Platform Can
The features above cover table-stakes TIP functionality. The following four capabilities have no equivalent in OpenCTI or MISP today.
ZK Proof-of-Observation
When you observe an indicator in MalCloud, the platform generates a zk-SNARK proof binding that indicator to your organization and a timestamp. The proof is committed to a Merkle tree whose root is publicly verifiable. This gives you a cryptographic receipt proving you observed a threat before it was shared publicly — useful for insurance claims, regulatory compliance, and establishing priority in multi-party incident response.
Neither OpenCTI nor MISP can produce this. Both platforms record when data was imported, but neither can prove when an analyst first observed the underlying threat. Timestamps in both systems are mutable by database admins.
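As an added illustration (not MalCloud's implementation, and using a plain SHA-256 commitment rather than a zk-SNARK), the following Python shows the Merkle-root receipt idea: each observation is committed as a leaf, the root is the value you would publish, and an inclusion proof lets a third party check a receipt against that root, so a timestamp edited in the database after publication no longer verifies. The sample observations and org names are constructed.

```python
import hashlib
import json

def commit(indicator: str, org: str, observed_at: str) -> bytes:
    """Leaf commitment binding an indicator to the observing org and a timestamp (SHA-256, not a zk-SNARK)."""
    return hashlib.sha256(b"\x00" + json.dumps([indicator, org, observed_at]).encode()).digest()

def _node(left: bytes, right: bytes) -> bytes:
    # Domain-separated from leaves so an inner node can never be passed off as a commitment.
    return hashlib.sha256(b"\x01" + left + right).digest()

def _next_level(level):
    if len(level) % 2:                 # duplicate the last entry on odd-sized levels
        level = level + [level[-1]]
    return level, [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        _, level = _next_level(level)
    return level[0]

def inclusion_proof(leaves, index):
    """Sibling hashes, each tagged with the side it sits on, from leaves[index] up to the root."""
    level, path = list(leaves), []
    while len(level) > 1:
        padded, level = _next_level(level)
        sib = index ^ 1
        path.append(("R" if sib > index else "L", padded[sib]))
        index //= 2
    return path

def verify(leaf: bytes, path, root: bytes) -> bool:
    h = leaf
    for side, sib in path:
        h = _node(h, sib) if side == "R" else _node(sib, h)
    return h == root

# Constructed observations: TEST-NET addresses and fictional org names.
OBSERVATIONS = [("203.0.113.7", "org-a", "2025-01-15T12:00:00Z"),
                ("198.51.100.23", "org-b", "2025-01-15T12:05:00Z"),
                ("evil.example", "org-a", "2025-01-15T12:09:00Z")]
LEAVES = [commit(*obs) for obs in OBSERVATIONS]
ROOT = merkle_root(LEAVES)   # the value that would be published for third-party verification

if __name__ == "__main__":
    proof = inclusion_proof(LEAVES, 0)
    print("genuine receipt verifies:", verify(LEAVES[0], proof, ROOT))
    backdated = commit("203.0.113.7", "org-a", "2025-01-01T00:00:00Z")   # edited after publication
    print("backdated receipt verifies:", verify(backdated, proof, ROOT))
```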
Real-time SIEM Push
MalCloud pushes enriched IOCs directly to your SIEM. Supported targets: Elasticsearch (ECS-native field mapping), Splunk (HEC), Microsoft Sentinel (Log Analytics API), Google Chronicle (UDM), and Syslog (CEF/LEEF). Median push latency is under 2 seconds from indicator creation to SIEM index.
OpenCTI requires either manual CSV/STIX export or building custom connectors to forward data to detection infrastructure. MISP supports feed-based sharing (pull model) and has a ZMQ pub/sub channel, but neither provides native, zero-config push to SIEM platforms with format-appropriate field mapping.
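An added Python example (not MalCloud's code; the layout of the input record is an assumption) showing what format-appropriate field mapping means in practice: the same enriched IOC rendered as an ECS 8.x threat.indicator document for Elasticsearch and as a CEF line for syslog targets, including the STIX confidence scale that ECS expects and the CEF header and extension escaping rules.

```python
# Constructed enriched IOC record; these input field names are an assumption, not MalCloud's schema.
IOC = {"type": "ipv4-addr", "value": "203.0.113.7", "confidence": 85,
       "first_seen": "2025-01-15T12:00:00Z", "feed": "constructed-feed",
       "attack": ["T1071.001"]}


def stix_confidence_label(score: int) -> str:
    """STIX 2.1 Appendix A None/Low/Med/High scale, the vocabulary ECS threat.indicator.confidence uses."""
    if score <= 0:
        return "None"
    if score < 30:
        return "Low"
    return "Medium" if score < 70 else "High"


def to_ecs(ioc: dict) -> dict:
    """ECS 8.x threat.indicator.* document, the shape an Elasticsearch threat index expects."""
    ind = {"type": ioc["type"], "confidence": stix_confidence_label(ioc["confidence"]),
           "first_seen": ioc["first_seen"], "provider": ioc["feed"]}
    if ioc["type"] == "ipv4-addr":
        ind["ip"] = ioc["value"]              # typed ip field, so the SIEM can do CIDR matching
    elif ioc["type"] == "domain-name":
        ind["url"] = {"domain": ioc["value"]}
    return {"@timestamp": ioc["first_seen"],
            "event": {"kind": "enrichment", "category": ["threat"], "type": ["indicator"]},
            "threat": {"feed": {"name": ioc["feed"]}, "indicator": ind,
                       "technique": {"id": list(ioc["attack"])}}}


def _cef_header(s: str) -> str:
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(s: str) -> str:
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(ioc: dict) -> str:
    """One CEF line: header fields are pipe-escaped, extension values are equals-escaped."""
    severity = min(10, max(0, ioc["confidence"] // 10))          # CEF severity is 0..10
    header = ["CEF:0", "ThreatFight", "MalCloud", "0.x", "ioc",
              "Threat indicator " + ioc["type"], str(severity)]
    ext = {"cs1": ioc["value"], "cs1Label": "indicator",
           "cs2": ",".join(ioc["attack"]), "cs2Label": "attackTechnique",
           "msg": "Enriched IOC from " + ioc["feed"]}
    return "|".join(_cef_header(h) for h in header) + "|" + \
        " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())
```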
Collective Intelligence via Threat Pool
MalCloud’s Threat Pool aggregates sighting counts and sector velocity (how fast an indicator is spreading across industry verticals) across all participating tenants. Analysts see that an IP has been sighted 47 times across 12 organizations in the financial sector this week — without learning which organizations reported it. The underlying mechanism uses the same ZK primitives as Proof-of-Observation.
MISP’s sharing groups require revealing the indicators themselves to group members. Correlation works within a single MISP instance or across synchronized instances, but participants see each other’s data. OpenCTI has no collective signal mechanism — each deployment is an island unless you manually import from shared feeds.
Provenance-Tracked Graph Context
Every relationship, annotation, and enrichment action in MalCloud is recorded as an immutable provenance chain. When you export a subgraph, the export includes the full analyst reasoning trail: who linked which nodes, what evidence supported the link, and when each decision was made.
Exports from OpenCTI and MISP give you the graph structure (nodes and edges) but not the analyst context that makes the graph valuable. There is no built-in audit trail for why a relationship exists — only that it does. In MalCloud, the provenance chain is part of the data model, not a separate audit log.
Community and ecosystem
This is where honesty matters most, because community size is a genuine competitive advantage.
| | MISP | OpenCTI | MalCloud |
|---|---|---|---|
| GitHub stars | ~6,100 | ~9,100 | Early stage |
| First release | 2011 | 2019 | 2025 |
| Contributing orgs | NATO, CIRCL, CERTs globally | Filigran (220+ employees) | ThreatFight |
| Community feeds | Dozens (15 years of data) | 100+ connectors | 13 extractors |
| Documentation | Extensive (wiki + training) | Good (docs + academy) | Growing |
| Commercial support | CIRCL, community | Filigran (enterprise licenses) | ThreatFight |
MISP has the largest community and the deepest institutional adoption. It’s the default platform for CERTs and ISACs globally. OpenCTI has strong momentum and corporate backing — Filigran raised a $35M Series B in 2024. MalCloud is early-stage. We’re not pretending otherwise.
Pricing
| | MISP | OpenCTI | MalCloud |
|---|---|---|---|
| License | AGPL-3.0 | Apache 2.0 (EE features separate) | Proprietary (free community tier) |
| Self-hosted cost | Free + your ops time | Free (community) / paid (enterprise features) | Free tier + paid tiers |
| Managed cloud | No official option | Filigran Cloud (pricing on request) | Planned |
| Enterprise support | CIRCL (EU-based) | Filigran (pricing on request) | Contact us |
When to choose what
Choose MISP if:
- You want the largest community and most extensive sharing network
- You’re a CERT, CSIRT, or ISAC that needs to sync with other MISP instances
- You need 15 years of community feed data
- Your team is comfortable with PHP and the MISP data model
- You need a proven, battle-tested platform with institutional backing
Choose OpenCTI if:
- You want a mature UI with graph visualization and investigation workbenches
- You need the connector ecosystem (100+ data sources)
- You want a managed cloud option (Filigran Cloud)
- Your organization runs GraphQL-native tooling
- You have the infrastructure budget for Elasticsearch clusters
Choose MalCloud if:
- You need cryptographic proof of when you observed a threat (ZK Proof-of-Observation)
- You want enriched IOCs pushed to your SIEM in seconds, not exported manually
- You need collective intelligence across organizations without revealing who contributed what
- You need provenance-tracked graph exports that include analyst reasoning, not just nodes and edges
- You operate air-gapped environments that need local AI inference
- You want detection-as-code automation (IOC to Sigma to SIEM query pipeline)
- You want a lightweight deployment (no Elasticsearch dependency)
- You’re building a new TIP deployment and want STIX 2.1 native from day one
There’s no single best platform. There’s the best platform for your constraints. We built MalCloud because we think cryptographic provenance, real-time SIEM integration, privacy-preserving collective intelligence, and detection automation are the next frontier for threat intelligence platforms. If those aren’t your priorities, MISP and OpenCTI are excellent choices.
If you want to evaluate MalCloud against your requirements, get in touch or request a demo.