MISP vs OpenCTI vs IntelOwl: Best Self-Hosted Threat Intelligence Platform 2026

Threat intelligence has become a cornerstone of modern cybersecurity operations. Security teams need to enrich indicators of compromise (IOCs), correlate attack patterns, and share actionable intel across organizations — all without sending sensitive data to third-party cloud providers. In 2026, three open-source platforms dominate the self-hosted threat intelligence landscape: MISP, OpenCTI, and IntelOwl. Each takes a different approach to collecting, organizing, and acting on threat data. This guide compares all three in detail, with complete docker deployment instructions so you can run any of them on your own infrastructure.

Why Self-Host Your Threat Intelligence Platform

Sending IOCs — IP addresses, file hashes, domain names, email addresses — to hosted threat intelligence services creates several risks. A cloud-based TI platform sees every query you submit, building a picture of what threats you’re investigating, what vulnerabilities concern you, and what incidents you’re responding to. For organizations with compliance requirements (GDPR, HIPAA, CMMC), this telemetry itself can be a compliance issue.

Self-hosting a threat intelligence platform gives you:

• Full data sovereignty — all IOCs, analysis results, and correlation data stay within your network
• No query limits — analyze thousands of indicators per day without hitting API rate caps or pay-per-query pricing
• Custom integrations — connect directly to your SIEM, firewall, EDR, and ticketing systems without cloud API intermediaries
• Offline operation — continue enriching and sharing threat data even when external connectivity is disrupted
• Community participation — contribute to and consume from open-source threat intel sharing communities like MISP’s global instance network

For SOC teams, CERTs, and security researchers, a self-hosted TI platform is the foundation of an intelligence-driven security program.

MISP — The Open-Source Standard for Threat Sharing

MISP (Malware Information Sharing Platform) is the most established open-source threat intelligence platform. Originally developed by CIRCL (Computer Incident Response Center Luxembourg), MISP has become the de facto standard for threat intel sharing among CERTs, CSIRTs, and security teams worldwide.

MISP’s core strength is its data model and sharing ecosystem. It organizes threat intelligence into events (collections of related indicators), attributes (individual IOCs like IPs, hashes, or domains), and objects (structured groupings like malware samples or attack patterns). The platform supports the STIX format for interoperability and can synchronize with other MISP instances to create distributed intelligence-sharing networks.

Key Features

• Event-based intelligence sharing — create, tag, and distribute IOCs across MISP server networks
• Free-text import — paste raw incident reports and automatically extract IOCs
• Correlation engine — automatically link related indicators across events
• STIX 1.x/2.x support — import and export in standardized threat intel formats
• Galaxy clusters — pre-built threat actor, malware family, and TTP knowledge bases mapped to MITRE ATT&CK
• Extensive API — REST API with Python library (PyMISP) for automation
• Feeds — consume from 200+ open-source threat intelligence feeds out of the box

Docker Deployment

MISP provides an official Docker compose setup in the MISP/misp-docker repository. Clone it and deploy:

1
2
3

git clone https://github.com/MISP/misp-docker.git
cd misp-docker
cp template.env .env

Edit .env to set your base URL, email configuration, and Redis password. Then start the stack:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

# Simplified docker-compose.yml excerpt
services:
  redis:
    image: valkey/valkey:7.2
    restart: always
    environment:
      - REDIS_PASSWORD=your-secure-password
    healthcheck:
      test: ["CMD", "valkey-cli", "-a", "$REDIS_PASSWORD", "ping"]
      interval: 2s
    volumes:
      - cache_data:/data

  db:
    image: mariadb:11.4
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=root-password
      - MYSQL_DATABASE=misp
    volumes:
      - db_data:/var/lib/mysql

  misp-web:
    image: ghcr.io/misp/misp-web:latest
    restart: always
    ports:
      - "443:443"
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy

  misp-workers:
    image: ghcr.io/misp/misp-workers:latest
    restart: always
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
    depends_on:
      - misp-web

1

docker compose up -d

The web interface will be available at https://localhost. Default credentials are admin@admin.test / admin. Change these immediately after first login.

OpenCTI — Modern Threat Intelligence with Knowledge Graph

OpenCTI is a newer but rapidly growing platform that takes a knowledge-graph approach to threat intelligence. Developed by Filigran, it models the relationships between threat actors, campaigns, malware, vulnerabilities, and IOCs as a connected graph — making it powerful for understanding attack chains and adversary behavior.

OpenCTI’s differentiator is its rich data model and visual investigation capabilities. It natively supports STIX 2.1, provides an interactive knowledge graph for exploring relationships between threat entities, and offers a robust connector ecosystem for ingesting data from dozens of sources automatically.

Key Features

• STIX 2.1 native support — built on the latest STIX standard from the ground up
• Knowledge graph visualization — explore relationships between threats, actors, and infrastructure visually
• Connector ecosystem — 40+ connectors for automatic ingestion (VirusTotal, AlienVault OTX, MISP, MITRE ATT&CK, etc.)
• Role-based access control — granular permissions for multi-team deployments
• Case management — track investigations, create tasks, and manage findings
• Observables enrichment — automatically enrich IOCs with external data sources
• Worker-based architecture — scalable processing pipeline for high-volume ingestion

Docker Deployment

OpenCTI requires a more complex stack with Elasticsearch, RabbitMQ, Redis, and MinIO. The platform provides deployment files through the opencti-docker project:

1
2

git clone https://github.com/OpenCTI-Platform/opencti.git
cd opencti

A minimal deployment requires the following services:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

services:
  opencti:
    image: opencti/platform:latest
    environment:
      - NODE_OPTIONS=--max-old-space-size=8096
      - APP__PORT=8080
      - APP__ADMIN__PASSWORD=ChangeMeAdmin
      - APP__SYNC_DIRECT=true
      - ELASTICSEARCH__URL=http://elastic:9200
      - REDIS__HOSTNAME=redis
      - RABBITMQ__HOSTNAME=rabbitmq
      - MINIO__ENDPOINT=minio
    ports:
      - "8080:8080"
    depends_on:
      - elastic
      - redis
      - rabbitmq
      - minio

  worker:
    image: opencti/worker:latest
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=ChangeMeWorker
    depends_on:
      - opencti

  elastic:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.15.0
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - ES_JAVA_OPTS=-Xms2g -Xmx2g
    mem_limit: 4g

  rabbitmq:
    image: rabbitmq:3.13-management
    environment:
      - RABBITMQ_DEFAULT_USER=guest
      - RABBITMQ_DEFAULT_PASS=guest

  redis:
    image: redis:7.4.1-alpine

  minio:
    image: minio/minio:latest
    command: server /data --console-address ":9001"
    environment:
      - MINIO_ROOT_USER=change-me
      - MINIO_ROOT_PASSWORD=ChangeMe123

1

docker compose up -d

OpenCTI requires significant resources — a minimum of 8 GB RAM for the Elasticsearch instance alone. The web UI is available at http://localhost:8080. Log in with the admin credentials set in the environment variables.

IntelOwl — Threat Intelligence Enrichment at Scale

IntelOwl takes a different approach from MISP and OpenCTI. Rather than being a knowledge management platform, IntelOwl is an enrichment engine — it takes an observable (IP, domain, hash, URL, or file) and runs it through dozens of analyzers simultaneously to return a consolidated intelligence report.

IntelOwl is built by Certego (a Managed Detection and Response provider) in partnership with The Honeynet Project. It excels at rapid, parallel analysis of IOCs against both external services (VirusTotal, Shodan, AbuseIPDB) and local analysis tools (Yara rules, static file analysis, string extraction).

Key Features

• 100+ analyzers — analyze IOCs against external APIs and local tools in parallel
• Playbook system — define reusable analysis workflows that chain multiple analyzers
• File analysis — submit malware samples for static analysis, string extraction, Yara matching, and more
• Playbooks and pivots — automatically trigger follow-up analysis based on initial results
• Built-in dashboard — web UI for submitting IOCs, viewing results, and managing analysis jobs
• Python and Go SDKs — official client libraries (pyintelowl, go-intelowl) for automation
• Ingestor framework — automatically process streams of IOCs from feeds or APIs
• Connectors to MISP and OpenCTI — push enriched results to either platform for long-term storage

Docker Deployment

IntelOwl uses a multi-service Docker compose architecture with its own compose files in the docker/ directory:

1
2
3
4

git clone https://github.com/intelowlproject/IntelOwl.git
cd IntelOwl/docker
cp env_file_app_template env_file_app
cp .env.start.test.template .env

Edit env_file_app to configure your API keys for external analyzers (VirusTotal, Shodan, etc.):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

# docker/default.yml — core services
services:
  uwsgi:
    image: intelowlproject/intelowl:${REACT_APP_INTELOWL_VERSION}
    container_name: intelowl_uwsgi
    volumes:
      - ../configuration/intel_owl.ini:/etc/uwsgi/sites/intel_owl.ini
    expose:
      - "8001"
    env_file:
      - env_file_app
      - .env
    healthcheck:
      test: ["CMD-SHELL", "nc -[nginx](https://nginx.org/)alhost 8001 || exit 1"]
      interval: 5s

  nginx:
    image: intelowlproject/intelowl_nginx:${REACT_APP_INTELOWL_VERSION}
    container_name: intelowl_nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - static_content:/var/www/static
    depends_on:
      uwsgi:
        condition: service_healthy

  postgres:
    image: postgres:16-alpine
    container_name: intelowl_postgres
    environment:
      - POSTGRES_PASSWORD=change-me
    volumes:
      - postgres_data:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine
    container_name: intelowl_redis

1

docker compose -f default.yml -f postgres.override.yml -f redis.override.yml up -d

The web interface is available at http://localhost (port 80). The default admin account is created during the first startup — check the logs for the initial password.

Feature Comparison

Which Platform Should You Choose?

The right choice depends on your team’s primary workflow:

Choose MISP if you need to share threat intelligence with other organizations. MISP’s federation model — syncing events between MISP instances — is unmatched for building collaborative threat intel networks. If your team participates in information-sharing communities (ISACs, CERT networks), MISP is the lingua franca. Its free-text import feature also makes it ideal for quickly converting raw incident reports into structured intelligence.

Choose OpenCTI if you want a modern, visual threat intelligence platform with full knowledge graph capabilities. OpenCTI excels at modeling the relationships between threat actors, their infrastructure, their campaigns, and the techniques they use. The visual investigation interface is powerful for analysts exploring complex attack chains. The connector ecosystem also means less manual work — data flows in automatically from dozens of sources.

Choose IntelOwl if your primary need is rapid enrichment of IOCs. IntelOwl is not a knowledge management platform — it’s an analysis engine that takes an indicator and returns enriched intelligence from dozens of sources in seconds. It pairs perfectly with MISP or OpenCTI: use IntelOwl for enrichment, then push results to either platform for long-term storage and correlation.

Use IntelOwl + MISP together for a common architecture: IntelOwl enriches IOCs at ingestion time, then feeds structured results into MISP for sharing with your intelligence community. This combination covers both the speed of automated analysis and the breadth of collaborative sharing.

Installation Prerequisites

All three platforms require Docker and Docker Compose. For production deployments, plan for:

• MISP: 4 GB RAM, 2 CPU cores, 40 GB disk
• OpenCTI: 16 GB RAM, 4 CPU cores, 100 GB disk (Elasticsearch-heavy)
• IntelOwl: 4 GB RAM, 2 CPU cores, 40 GB disk

For OpenCTI especially, ensure your host has sufficient memory for Elasticsearch — the search engine will refuse to start with less than 4 GB dedicated. All platforms benefit from running behind a reverse proxy with TLS termination.

For organizations already running a self-hosted SIEM, threat intelligence platforms integrate as enrichment sources — feeding IOC context into alerts and detections. Pair with vulnerability scanning tools to correlate external threat intelligence with your internal asset risk posture, and with network traffic analysis for comprehensive threat visibility.

FAQ

What is the difference between MISP and OpenCTI?

MISP focuses on threat intelligence sharing between organizations through a federated event/attribute model. OpenCTI focuses on building a knowledge graph of threat entities and their relationships, with built-in case management. MISP is better for intel sharing communities; OpenCTI is better for internal SOC knowledge management and visual investigation.

Can IntelOwl replace MISP or OpenCTI?

No. IntelOwl is an enrichment engine, not a knowledge management platform. It analyzes IOCs and returns results but does not store long-term threat intelligence or support sharing with other organizations. IntelOwl is designed to complement MISP or OpenCTI — enrich first, then store and share.

Which platform is easiest to deploy with Docker?

IntelOwl has the most self-contained Docker setup. MISP’s official Docker compose (misp-docker) is also straightforward. OpenCTI requires the most resources and the most services (Elasticsearch, RabbitMQ, Redis, MinIO) and should be deployed on a machine with at least 16 GB RAM.

Do these platforms support MITRE ATT&CK mapping?

Yes. MISP has Galaxy clusters that map to MITRE ATT&CK techniques and threat actors. OpenCTI natively imports the MITRE ATT&CK dataset and maps entities to techniques. IntelOwl can output results tagged with ATT&CK technique IDs through specific analyzers.

Is it safe to submit malware samples to external analyzers?

IntelOwl runs many analyzers locally (Yara, strings, PE analysis) without sending data externally. However, analyzers like VirusTotal will upload file hashes or contents to external services. Review which analyzers are active in your configuration and disable any that send data to third parties if this is a concern for your organization.

Can I run all three platforms together?

Yes, and this is actually a common architecture. Use IntelOwl for initial IOC enrichment, push enriched results to MISP for community sharing, and use OpenCTI for knowledge graph analysis and case management. All three platforms have connectors or APIs for inter-operation.