Australian Cyber Conference, Canberra

March 26, 2024

From STIX to MISP and Back Again: How Hard Could It Be?

In this talk, Chris Horsley shares insights from his experience working with the STIX and MISP standards, explaining their different design philosophies: STIX as a graph-based, committee-driven format, and MISP as an incident-centric, community-driven platform. He highlights translation complexities, such as differences in attributes, objects, taxonomies, and relationships, and discusses the limitations of achieving ‘lossless’ conversion. The talk emphasises that data can be translated between the two but perfect equivalence isn’t always possible, although ongoing improvements in MISP continue to narrow the gap. Ultimately, Chris encourages practical approaches, awareness of mapping challenges, and managing expectations when working across CTI platforms.