Why Your Threat Intelligence Context Doesn't Export
STIX bundles carry nodes and edges. They don't carry the analyst reasoning, confidence history, or provenance chains that make your graph valuable.
Every TIP buyer says the same thing during evaluation: “We can always export to STIX and leave.” It’s the security blanket of procurement. The exit door is right there, labeled in OASIS standard formatting, and it makes the commitment feel reversible.
The exit door is real. The question is what fits through it.
What STIX actually carries
STIX 2.1 is a good standard. We use it as MalCloud’s internal data model. A STIX bundle exported from any competent TIP gives you:
- STIX Domain Objects — indicators, threat actors, malware, campaigns, attack patterns, vulnerabilities, and the other 12 SDO types defined in the spec
- STIX Relationship Objects — edges connecting those nodes (threat-actor --uses--> malware, indicator --indicates--> campaign)
- Basic metadata — created/modified timestamps, confidence scores (a single integer, 0-100), TLP markings, external references
This is the graph structure. Nodes and edges with properties. If your threat intelligence is purely structural — you imported feeds, you linked objects, you never annotated anything — then STIX export gives you most of what you had. You can reimport it into OpenCTI, MISP (via misp-stix), or another STIX-native platform and lose relatively little.
Most organizations don’t stop at structure.
What stays behind
The moment your analysts start working inside a TIP, they generate context that lives outside the STIX data model. This context is where the actual intelligence value accumulates.
Analyst annotations
Your senior analyst marks an IP indicator with a note: “False positive — this is a Cloudflare CDN egress node. Confirmed via ASN lookup and three separate customer reports. Do not alert.” That annotation is the difference between a useful indicator and a noisy one. STIX 2.1 has no standard field for free-text analyst reasoning attached to an indicator’s confidence assessment. The Opinion SDO exists, but it’s a blunt instrument — it captures agree/disagree, not the reasoning chain behind a judgment call.
In practice, annotations accumulate fast. A mid-size SOC running a TIP for 12 months will generate thousands of these micro-assessments. Each one encodes institutional knowledge: which feeds produce false positives for your environment, which threat actor attributions your team trusts, which indicators fired in your network versus which are theoretical.
Confidence history
STIX gives you a confidence score. One number. Right now.
It doesn’t give you the trajectory. That indicator started at confidence 90 when it came from a trusted ISAC feed on March 3. On March 10, an analyst downgraded it to 70 after noticing the IP appeared in legitimate CDN ranges. On March 15, a false positive investigation dropped it to 40. On March 22, a new sighting from a honeypot bumped it back to 75.
That history is a signal. An indicator with stable confidence of 75 is fundamentally different from one that oscillated between 40 and 90 over three weeks. The oscillation tells you something about the indicator’s reliability that the current score cannot. STIX snapshots the final state. The journey disappears.
Provenance chains
Your graph says threat actor APT-X is linked to campaign Y. Why? Because enrichment source Z found infrastructure overlap between APT-X’s known C2 servers and domains registered with the same privacy service used in campaign Y, corroborated by a YARA rule match on a sample first seen in honeypot session Q, which your analyst cross-referenced against a Mandiant report from November.
That chain of reasoning — the why behind the edge — is the most valuable thing in your graph. It’s what separates a high-confidence attribution from a guess. STIX Relationship Objects carry a description field, but in practice, platforms store the relationship and lose the investigative trail that justified it. Export the graph, and you get “APT-X —attributed-to—> Campaign Y” with maybe a sentence of description. The enrichment logs, the honeypot session data, the analyst’s reasoning process, the chronology of how the link was built: gone.
Everything else
Investigation timelines. Case management notes. SLA tracking on how fast your team triaged specific indicator types. Workflow state — which indicators were reviewed, which are queued, which were escalated. Dashboard configurations tuned over months to surface what matters to your SOC. Saved queries. Alert suppression rules. Integration configurations mapping your TIP outputs to your specific SIEM field names.
None of this fits in a STIX bundle. None of it is proprietary lock-in in the traditional sense. It’s operational context that accumulates through use.
What MalCloud does differently
We built MalCloud’s Graph Context layer specifically because we watched this problem play out at organizations migrating between TIPs.
Provenance-tracked relationships. Every edge in MalCloud’s graph carries an immutable provenance chain. When an analyst links two nodes, the platform records who made the link, what evidence supported it, which enrichment sources contributed, and the timestamp sequence of the investigation. This isn’t a separate audit log — it’s part of the data model. When you export a subgraph, the provenance exports with it.
Annotation layer. Analyst notes attach to any STIX object with full history. Annotations are versioned, attributed to specific analysts, and timestamped. They’re queryable — you can search across all annotations for references to specific techniques, false positive patterns, or environmental context.
Confidence trajectories. MalCloud stores every confidence change as an immutable event. The current score is the head of a linked list. You can query the full history, graph confidence over time, and set alerts when indicators exhibit unusual volatility. Exports include the trajectory, not just the snapshot.
Immutable audit trail. Every action in MalCloud — every enrichment, every annotation, every relationship created or modified — is recorded in an append-only log. This serves compliance requirements (DORA Article 28 exit strategy documentation, NIS2 audit mandates), but more importantly, it preserves the institutional knowledge your team builds daily.
The data gravity equation
Here’s where we’re going to be direct about something most vendors avoid.
Every day your analysts use MalCloud, they deposit context that increases the platform’s value to your organization. Annotations, provenance chains, confidence histories, investigation workflows — this context accumulates, and it cannot be fully reconstructed elsewhere. Not because we encrypt it or lock it behind proprietary formats. Because the context is genuinely non-portable. It’s the analyst equivalent of institutional memory: you can transfer the facts, but you can’t transfer the judgment that organized them.
This creates switching cost. We know it. You should know it too.
The data gravity concept isn’t new. Every SaaS platform that stores your work product creates it. Salesforce has your pipeline history. Jira has your sprint velocity data. Confluence has your team’s documentation. The question isn’t whether switching cost exists — it always does. The question is whether the value you’re accumulating justifies the gravity.
The honest take
We built the Graph Context layer because it’s what analysts need. Provenance tracking makes investigations reproducible. Confidence histories prevent false positive fatigue. Annotation layers preserve institutional knowledge when senior analysts leave.
And yes, these features create switching cost. An organization that’s been running MalCloud for two years, with thousands of analyst annotations and provenance chains woven through their threat graph, will lose real value if they export to bare STIX and reimport elsewhere.
We’d rather earn retention through value than fight it through contracts. MalCloud has no minimum commitment terms. There’s no penalty for leaving. Your STIX export works and will always work — you get every node and edge. We’re betting that the context layer is valuable enough that you’ll choose to stay, not that you’ll be trapped into staying.
That’s a bet on our product, not on your procurement team’s oversight.
If you’re evaluating TIPs and want to understand what your export actually contains, run this test: export your current platform’s data as STIX, reimport it into a clean instance, and see what’s missing. The gap between what you exported and what you had is your platform’s context gravity. Every TIP has it. We just think you should know about it before you sign.
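The export/reimport test described here, as an added example that is not MalCloud’s code or a real export: a constructed internal indicator record, carrying the confidence trajectory from the Confidence history section plus annotations and provenance, is projected onto the standard STIX 2.1 indicator fields, serialized, reimported and diffed against the original. Every identifier, timestamp and value is constructed for illustration.

```python
"""Round-trip check: what of an analyst-enriched indicator survives a STIX 2.1 export."""
import json

# Constructed sample record (not real data): one indicator as a TIP might hold it
# internally, with the confidence trajectory the text describes.
INTERNAL = {
    "id": "indicator--3f1b6c1e-0f1a-4a0c-9d6b-0c4a2c9a7e10",  # constructed UUID
    "pattern": "[ipv4-addr:value = '203.0.113.7']",          # RFC 5737 test address
    "annotations": [{"analyst": "alice", "ts": "2024-03-10T09:00:00Z",
                     "note": "Overlaps a CDN egress range; verify before alerting."}],
    "confidence_history": [
        {"ts": "2024-03-03T00:00:00Z", "score": 90, "reason": "trusted ISAC feed"},
        {"ts": "2024-03-10T00:00:00Z", "score": 70, "reason": "CDN overlap noted"},
        {"ts": "2024-03-15T00:00:00Z", "score": 40, "reason": "false positive investigation"},
        {"ts": "2024-03-22T00:00:00Z", "score": 75, "reason": "honeypot sighting"},
    ],
    "provenance": ["enrichment:asn-lookup", "report:customer-ticket"],
}

def to_stix_bundle(rec):
    """Project the record onto the standard STIX 2.1 indicator fields only."""
    hist = rec["confidence_history"]
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": rec["id"],
        "created": hist[0]["ts"], "modified": hist[-1]["ts"],
        "pattern": rec["pattern"], "pattern_type": "stix", "valid_from": hist[0]["ts"],
        "confidence": hist[-1]["score"],  # one integer: the head of the trajectory
    }
    return {"type": "bundle", "id": "bundle--9c2d4e6f-1a2b-4c3d-8e9f-0a1b2c3d4e5f",  # constructed
            "objects": [indicator]}

def volatility(history):
    """Total absolute confidence movement; 0 for a stable indicator."""
    scores = [h["score"] for h in history]
    return sum(abs(b - a) for a, b in zip(scores, scores[1:]))

def context_loss(rec):
    """Serialize, reimport, and report what the bundle no longer carries."""
    exported = json.loads(json.dumps(to_stix_bundle(rec)))["objects"][0]
    return {
        "exported_confidence": exported["confidence"],
        "lost_fields": sorted(k for k in rec if k not in exported),
        "confidence_events_dropped": len(rec["confidence_history"]) - 1,
        "volatility_not_exported": volatility(rec["confidence_history"]),
    }

if __name__ == "__main__":
    print(json.dumps(context_loss(INTERNAL), indent=2))
```

Running it against your own platform means replacing `INTERNAL` with a record pulled from its API and `to_stix_bundle` with its actual exporter; the `lost_fields` list is the context gravity the text describes.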
Request a briefing to see the Graph Context layer in practice.