Automation and Orchestration in Cyber Threat Intelligence (CTI): A Survey

Abstract

Cyber Threat Intelligence (CTI) has become an essential part of security operations with the sudden rise in cyber threats. To manage the collection, enrichment, correlation, and response workflows for CTI, several automation and or- chestration technologies, such as SOAR (Security Orchestration, Automation, and Response) platforms and CTI pipelines are utilised. This survey reviews open-source as well as commercial SOAR platforms e.g. Splunk SOAR, Cortex XSOAR, IBM QRadar SOAR, TheHive, Shuffle) as well as frameworks used in CTI such as MISP and OpenCTI, comparing their features, integration capabilities, and limitations. Research done in the last 5-7 years on automated CTI processing, including methods for improving and linking data, AI and machine learning-driven analysis, and full-system architectures, is highlighted in this paper. Standard formats like STIX/TAXII and related sharing protocols help ensure different systems can communicate effec- tively. A comparison table shows the difference between major platforms based on key aspects such as data formats, integrations, response capabilities, and AI/ML support. Common challenges like data compatibility, source reliability, data quality, processing speed, and scalability are also discussed. Finally, a classification of automation components along with an example orchestration architecture, illustrated (Figure 1) is presented. The survey concludes with an overview of current challenges and potential future developments in CTI automation and orchestration.

Introduction

• CTI involves collecting, analyzing, and sharing cyber threat data to detect and prevent attacks.

• Security Operations Centers (SOCs) are overwhelmed with alerts, making manual threat handling inefficient.

• SOAR (Security Orchestration, Automation, and Response) platforms help by automating workflows, integrating security tools, and accelerating incident response.

• However, traditional SOAR systems often struggle with scalability, evolving threats, and require frequent manual updates.

???? 2. SOAR Platforms for CTI

???? Commercial Platforms:

• Splunk SOAR: 300+ integrations, ML threat scoring, supports MITRE ATT&CK.

• Palo Alto Cortex XSOAR: 900+ integrations, ML for triage, visual playbooks, collaborative "war room".

• IBM QRadar SOAR: Low-code playbooks, strong case management, JSON and dynamic looping support.

Limitations:
Vendor lock-in, high cost, and dependency on human input for handling novel threats.

???? Open-Source Tools:

• TheHive: Incident response platform; integrates with MISP and Cortex.

• MISP: Sharing platform for indicators of compromise (IoCs); supports STIX, OpenIOC.

• OpenCTI: Knowledge graph platform for managing CTI; latest version 6.6.16 supports GraphQL and automation.

• Shuffle: Visual SOAR platform using OpenAPI for integrations.

Tradeoff:
Free and customizable, but require more setup and technical expertise.

???? 3. Standards and Frameworks

• STIX (Structured Threat Information eXpression): Standard CTI format (JSON-based).

• TAXII (Trusted Automated eXchange of Indicator Information): Protocol for sharing STIX data.

• MISP taxonomies, MITRE ATT&CK, and OpenC2: Enhance structure and automation in CTI sharing.

Challenges:
Inconsistent format adoption, custom fields, and data quality issues affect interoperability.

???? 4. Advances in Automated CTI

???? Key Innovations:

• Enrichment: Adding context (e.g., IP geolocation, CVEs).

• Correlation: ML and graph analytics match threat data with internal logs (e.g., ETIP, HeteroCTI).

• NLP & AI: Used to extract threat info from unstructured text, detect anomalies, and automate triage.

???? Automated Response:

• Systems can auto-block threats, update firewalls/EDRs, or quarantine phishing emails.

• Human-in-the-loop remains critical to prevent false positives and ensure reliability.

????? 5. CTI Architecture and Pipelines

• Four stages: Data collection → Enrichment → Storage → Action.

• Use of cloud, microservices, and containerized architectures (e.g., ThreatWise AI on Docker/TensorFlow).

• Event-driven models and modular designs allow flexibility and scalability.

?? 6. Challenges in CTI Automation

1. Data compatibility: Different tools/formats; limited STIX/TAXII support.

2. Source reliability: Trust issues, potential poisoned feeds.

3. Data quality: Duplicate/noisy data; enrichment is crucial.

4. Speed: Automation helps reduce response time, but delays still occur.

5. Scalability: Handling millions of IoCs requires big data tools (e.g., Kafka, Spark).

6. Trust/Governance: Need for approvals, legal/privacy concerns (e.g., GDPR).

???? 7. Future Directions

1. AI-Driven Orchestration: LLMs for dynamic playbooks and autonomous decisions.

2. Enhanced Data Fusion: Linking CTI with EDR logs, dark web, and federated learning.

3. Trustworthy Intelligence: Blockchain, metadata tracking, and verification mechanisms.

4. Real-Time Pipelines: Serverless computing, CI/CD integration, and self-healing systems.

5. Usability: Better UIs, human-AI collaboration, visual workflows, and structured automation guides.

???? 8. Platform Comparison (Highlights)

Conclusion

While automation and orchestration are key to scaling CTI operations, complete autonomy is still a long way off. Future advancements will need to balance cutting-edge AI technology with practical security operations, ensuring that automated threat intelligence remains accurate, fast, and trustworthy.

References

[1] Pantelopoulos et al., “Toward Robust Security Orchestration and Auto- mated Response in SOCs with a HyperAutomation Approach,” Infor- mation, vol. 16, no. 5, 2025. (MDPI) [2] G. Gonza´lez-Granadillo et al., “ETIP: An Enriched Threat Intelligence Platform for improving OSINT correlation, analysis, visualization and sharing capabilities,” Journal of Information Security and Applications, vol. 58, 2021, article 102715. [3] Splunk Inc., “Splunk Security Orchestration, Automation and Response (SOAR),” product brief, 2024. [4] Palo Alto Networks, “Cortex XSOAR: Automate your manual work- flows,” product page, 2024. [5] IBM, “QRadar SOAR Platform – Features,” IBM product documenta- tion, 2024. [6] F. Lamanna and V. Pelissier, “MISP – The Malware Information Sharing Platform & Threat Sharing,” MISP Project (website), 2025. [7] Fre´de´ric By et al., “TheHive: A scalable open-source Security Incident Response Platform,” TheHive Project (GitHub README), 2025. [8] Shuffle Project, “Shuffle: Open source automation platform,” GitHub README, 2025. [9] Filigran (OpenCTI) Blog, “Introducing threat intelligence automation and playbooks in OpenCTI,” Oct. 2023. [10] OASIS CTI Technical Committee, “STIX™ Version 2.1,” standard specification, 2021. See also “Introduction to STIX” (OASIS). [11] OASIS, “TAXII™ Version 2.1,” standard specification, 2021. [12] AWS, “Cyber threat intelligence architecture on AWS,” AWS Prescrip- tive Guidance, 2023. [13] S. Spyros et al., “AI-based Holistic Framework for Cyber Threat Intelligence Management,” IEEE Access, Jan. 2025. [14] A. Lampis and M. Dekker, “Towards an AI-Enhanced Cyber Threat Intelligence Processing Pipeline,” Electronics, vol. 13, May 2024. [15] X. Shu, “Threat intelligence computing for efficient cyber threat hunt- ing,” Tech Xplore, Oct. 17, 2018.

Copyright

Copyright © 2025 Anauksa Das. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.