github OpenCTI-Platform/opencti 7.260224.0
Version 7.260224.0


Dear community, we're excited to announce the launch of OpenCTI version 7 (7.260224.0) 🥳.
We packed a lot of content into this release, and you will see important changes when using OpenCTI. These changes include breaking changes.

Important

Make sure you read the Breaking Change section at the bottom of this Release Note.

We are also introducing a new version naming convention matching our current ability to deliver releases. All of this makes it worth jumping to the 7 digit 🙂

📌 First of all, we’re introducing a new Long Term Support (LTS) License.

An LTS license allows Enterprise Edition users to stay on an LTS version for up to one year while receiving backported fixes for critical bugs and security issues. This license is available to those of our On-Prem EE customers that may be bound by a mandatory testing framework before going to production and that cannot match our current rhythm of releases.

We plan to release two LTS versions per year, giving you the option to align feature upgrades with a predictable twice‑yearly cycle.

You will find all information about the new Product Lifecycle of OpenCTI, including the new naming convention and the new Long Term Support offering, on this documentation page: https://docs.opencti.io/latest/administration/product-life-cycle/

🍬 Important to note, OpenCTI v7 introduces the first steps towards a full new UI Design System, helping users focus on what matters and reducing cognitive load. From the start, you will see the difference!

This Major release is also full of improvements and new features, focusing on solving key pain points and unlocking new use cases, including:

  • Manage authentication strategies, to increase autonomy in setting up the application
  • Control of capabilities in the draft workspace, allowing you to force users to only edit data in a draft
  • A new browser extension, simplifying the data collection process by letting analysts remain in a single screen
  • User visibility, allowing users to keep data properly segregated
  • Automation improvements, simplifying label cleanup and allowing playbooks to be triggered manually
  • Securing the platform by providing a state-of-the-art token management solution

🔐 Manage Authentication Strategy via UI (EE)

In version 7 you will now be able to manage your SSO authentication mechanism via the OpenCTI UI (if your platform is Enterprise Edition). This means that you will no longer need to update the configuration file (cross your fingers and hope) and reload the app to make changes. For all existing deployments, your configurations will now be available via the UI and you can easily update them and add new configurations as you require. This feature allows you to be self-sufficient, regardless of your deployment type (on-premise, SaaS).

Important

As announced in December 2025, SSO will fall under the Enterprise Edition license in Version 7. This means that any Community Edition platform that migrates to version 7.0.0 or later will no longer be able to log in using SSO configured previously.
Moving SSO to the Enterprise Edition ensures that Filigran can sustainably maintain and continuously improve OpenCTI over the long term, while keeping investment strong in the Community Edition's core capabilities and responsibly managing the resources required to run a secure, high-quality open-source security platform.

Almost all existing authentication methods will remain available in the UI. Configuration defined in files will still exist, but it will be migrated into the database and used for login. For migration details, authentication setup guidance, or troubleshooting, please refer to the links below.

🔒 Improved API Token Management (CE)

We've redesigned API token management in OpenCTI for better control, security, and visibility.

What's changed

  • Explicit token generation: Tokens must now be explicitly generated—no longer auto-assigned to every user.
  • Multiple tokens per user: Generate multiple tokens per account to manage integrations independently and revoke them individually.
  • Token expiration: Assign expiration dates to enforce rotation policies and limit credential lifespan.
  • Token value shown only at creation: Token values display only once at generation. Copy it immediately - it cannot be retrieved later.
  • Usage tracking: Monitor token activity with "last used" indicators to identify active tokens.

Existing tokens will continue working. We recommend reviewing tokens and transitioning to the new model for expiration controls and per-integration isolation.

💼 Control of capabilities in draft mode (EE)

Draft mode now supports granular capability controls, separate from platform-wide permissions.

This lets you restrict analysts to creating/updating data in drafts only, while others approve and validate—securing your platform and preventing unwanted changes.

This is the first step toward a validation workflow leveraging the draft workspace—more updates coming soon.

🥷 User visibility to ensure privacy (CE)

User visibility ensures no data leakage across organizations (available since 6.9.11).

  • Platforms with organization segregation: users only see users in their immediate organizations, not those in other organizations accessed via inference. This behavior is enforced when using organization segregation.
    • Example: Previously, if Filigran was the parent entity with Filigran France & Filigran USA as children, users of France & USA could see each other through Filigran (via inference rules). Now, this requires manually adding France & USA users to the Filigran parent.
    • Impact:
      • Fewer users will be visible on some platforms.
      • Benefit: enables sharing to organization groups without exposing users. Create an organization for sharing (e.g., "Energy" sector), add child organizations, and share to Energy. All organizations gain access without viewing other users.
  • Platforms without organization segregation: visibility restricted by organization is enabled by default on migration. Change this in the policy screen.

🎨 Revamping OpenCTI’s UI, helping users to focus on what matters & reduce the cognitive load (CE)

The platform interface has been completely modernized with the V7 design system. This comprehensive redesign touches nearly every visual element you interact with: buttons, navigation, drawers, cards, labels, header, and many other components.

The goal? Create a lighter, cleaner interface that helps you work faster and with less visual noise.

Key improvements include:

  • Streamlined user experience: A cleaner, more intuitive interface reduces cognitive load, making features easier to discover and use throughout the platform.
  • Design consistency: The V7 design system ensures predictable, uniform interactions across all features, eliminating confusion from inconsistent design patterns.
  • Enhanced accessibility: Improved contrast ratios, element sizing, and responsive behaviors make the platform more accessible to all users.
  • Modern aesthetic: The updated visual design reflects current standards and builds confidence in the platform's capabilities.

This foundational redesign addresses previous challenges with visual complexity and outdated patterns, transforming the interface into a modern, efficient workspace that helps security teams focus on what matters most: Threat intelligence and Analysis.

🌐 A new browser extension, simplifying the data collection process by remaining in a single screen (CE/EE)

We're introducing a browser extension that bridges any web page directly with your OpenCTI platform, eliminating the need to switch between your browser and OpenCTI when collecting threat intelligence.

How it works:

  • Automatic entity detection and enrichment: The extension scans the page you're viewing and detects cyber entities of interest such as IOCs, threat actors, and vulnerabilities. It then enriches them with contextual cards displaying information already present in your OpenCTI instance, shown directly next to the detected elements on the page.
  • One-click report creation: Convert any web page into a STIX 2.1 report that embeds the page content, models the identified entities and their relationships, and publishes it directly to your platform for immediate use.

The extension is available for all major browsers: Firefox, Chrome, Edge, and Safari.

What this solves:

Analysts spend significant time browsing the web for threat intelligence across blogs, social media, advisories, and other sources. When they find relevant content, they face a tedious workflow: checking if the information already exists in OpenCTI, then manually creating objects and relationships, or converting the page to PDF for AI-assisted extraction.

This extension eliminates that friction. You stay on the page you're reading while the extension handles detection, enrichment, and ingestion. No more context switching, no more manual modeling, no more PDF conversions.

Community vs. Enterprise capabilities:

  • CE version provides regex-driven indicator recognition for automatic detection of common IOC patterns.
  • EE version leverages AI extraction service to automatically detect entities, identify relationships between them, and generate article summaries, providing a complete intelligence picture with minimal effort.

This extension transforms casual web browsing into an active intelligence collection workflow, making it effortless to capitalize on threat intelligence wherever you find it.
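As an added illustration of the regex-driven indicator recognition the CE extension is described as performing (example code written for this note, not the extension's own), the small Python detector below refangs common defanging, matches hashes, URLs and IPv4 addresses in a constructed page excerpt, and skips an assumed allowlist of hosts that should never become indicators.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample page text (not from any real article); indicators are
# defanged the way advisories usually publish them.
SAMPLE_PAGE = """
Post-incident analysis: the loader beaconed to hxxp://update-check[.]example[.]net/ping
and to 198[.]51[.]100[.]23 over TCP/443. Dropped file SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
(MD5 d41d8cd98f00b204e9800998ecf8427e). See also https://docs.opencti.io/latest/.
"""

# Hosts that must never be turned into indicators (assumed list for this example).
ALLOWLIST_HOSTS = {"docs.opencti.io"}

# \b on both sides keeps a 64-char digest from also matching as a 40- or 32-char one.
IOC_PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>)]+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.]) so the patterns see what the browser renders."""
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE).replace("[.]", ".")


def extract_iocs(page_text: str) -> Dict[str, List[str]]:
    """Return de-duplicated indicator candidates per type, skipping allow-listed hosts."""
    text = refang(page_text)
    found: Dict[str, List[str]] = {kind: [] for kind in IOC_PATTERNS}
    for kind, pattern in IOC_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0).rstrip(".,;")   # drop trailing sentence punctuation
            if kind == "url" and urlparse(value).hostname in ALLOWLIST_HOSTS:
                continue
            if value not in found[kind]:
                found[kind].append(value)
    return found


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_PAGE).items():
        print(kind, values)
```

Every candidate still needs a lookup against the platform before it becomes an indicator; this block only shows the detection step.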

⚙️ Automation improvements (EE)

  • Remove labels and markings definitively with playbooks

Playbooks can now remove specific labels and markings from entities, even if those values weren't added by the playbook itself. Previously, you could only remove values that were added within the same playbook execution, forcing manual cleanup for pre-existing labels or markings. This enhancement eliminates that limitation, allowing you to fully automate label and marking management without manual intervention.

  • Manual enrollment of entities in playbooks

You can now manually trigger playbooks on any entity type. A new "Enroll in playbook" button allows analysts to initiate automated workflows on-demand for specific entities. The interface displays available playbooks filtered by entity compatibility and trigger conditions, enabling one-click manual enrollment.

🔗 Connectors & Integrations (CE)

This milestone brings a significant expansion of the OpenCTI connector ecosystem, with new integrations and meaningful improvements across the board.

External Import

  • Orange Cyber Defense: Introduces a new external import connector, replacing the previous version.
  • Echo CTI: Retrieves indicators (IP, URL, Hash, IP Range) from the Echo CTI platform and ingests them into OpenCTI.
  • Dogesec SIEM Rules: Synchronizes detection rules from SIEM Rules Detection Packs directly into OpenCTI.
  • VMRay: Ingests high-quality IOCs and analysis context from the VMRay Platform into OpenCTI.
  • DigIntLab Double Extortion: Ingests ransomware and data leak announcements published on the DoubleExtortion Platform by DigIntLab.
  • CrowdStrike: The connector has been enhanced to support two new data collections: Malware and Vulnerabilities intelligence.
  • Recorded Future: The connector has been enhanced to support the ingestion of “Vulnerabilities Playbook Alerts” and ingestion of “Vulnerability Risk List”.

Enrichment

  • Orange Cyber Defense: New enrichment connector, replacing the previous version.
  • IsMalicious: New enrichment connector for isMalicious, a threat intelligence platform aggregating malicious IP and domain data from 50+ sources.
  • Onyphe: New enrichment connector to enrich IP addresses, domains, hostnames, certificates, text and IOCs with data from Onyphe.
  • Team Cymru Scout: New enrichment connector to enrich IP addresses and domain names with Pure Signal Scout data.
  • Team Cymru Scout Search: Enriches Text observables using Team Cymru Scout Search API for playbook-based threat intelligence queries.

Third-Party Applications

  • OpenCTI for Splunk Enterprise: A new Splunk application for OpenCTI has been published on Splunkbase, offering two ingestion modes: “index-based” and “KVStore-based”, enabling compatibility with distributed and Splunk Cloud deployments. Additionally, ingested indicators are now automatically enriched with their full threat context, including related malware, threat actors, vulnerabilities, attack patterns, and intelligence reports.

Additionally, a large set of connectors has been added to the OpenCTI catalog with one-click deployment support: DNSTwist, Red Flag Domains, Microsoft Sentinel Incidents, Valhalla, MITRE Atlas, MalwareBazaar, Wiz Cloud Landscape, URLHaus, MISP, CPE, Recorded Future Enrichment, DISARM, Phishunt, AbuseIPDB Blacklist, MISP Feed, Dragos, Microsoft Defender Intel, Silobreaker, Microsoft Sentinel Intel, Intel471, and First EPSS.

BREAKING CHANGES

For all the breaking changes, please have a look at our documentation: https://docs.opencti.io/latest/deployment/breaking-changes/?h=breaking+change.

  • OpenCTI 7 will only be compatible with OpenAEV 2.2.0
  • Python 3.9 is no longer supported:
    • Please review any script that relies on functionality specific to this version
  • Token management:
    • Security improvement replacing the legacy single cleartext api_token per user with a modern multi-token system featuring HMAC-hashed storage, expiration policies, per-token usage tracking, and capability-based access control. Connector-to-platform authentication is upgraded from raw token passthrough to JWT-based mutual authentication using platform-derived Ed25519 key pairs. All existing tokens are automatically migrated to the new system. After migration, existing tokens will be encrypted and will therefore no longer be retrievable by the user.
    • Breaking changes in APIs
      • User.api_token → User.api_tokens (type changed from String! to [ApiToken!]!)
      • MeUser.api_token → MeUser.api_tokens
      • meTokenRenew mutation removed
      • UserEditMutations.tokenRenew mutation removed
    • Breaking change in client python
      • MeUser.api_token → MeUser.api_tokens
      • token_renew() method removed, replaced by create_token() / remove_token()
  • Mandatory Cryptography configuration
    • Upgrading to OpenCTI 7 requires configuring a cryptography key in the application settings. This is now necessary for the secure storage of secrets/credentials (e.g., SSO secrets).
      • Env variable: APP__ENCRYPTION_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      • Configuration file: app { encryption_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }
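To make the new token model concrete (explicit generation, per-integration tokens, expiration and "last used" tracking from the API token section, plus the HMAC-hashed storage named in the breaking changes), here is an added Python sketch. It is example code written for this note, not OpenCTI's or pycti's implementation; SERVER_HMAC_KEY, mint_token, revoke_token and authenticate are assumed names.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Server-side HMAC key: a constructed placeholder, not an OpenCTI setting.
SERVER_HMAC_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class ApiToken:
    name: str
    digest: str                        # HMAC-SHA256 of the value (hex), never the value
    expires_at: Optional[float]        # epoch seconds, None = no expiry
    last_used: Optional[float] = None
    revoked: bool = False


@dataclass
class User:
    login: str
    api_tokens: List[ApiToken] = field(default_factory=list)   # replaces one api_token


def _digest(value: str) -> str:
    return hmac.new(SERVER_HMAC_KEY, value.encode(), hashlib.sha256).hexdigest()


def mint_token(user: User, name: str, ttl_days: Optional[int]) -> str:
    """Mint a token; only its HMAC is stored, so the value is returned exactly once."""
    value = secrets.token_urlsafe(32)
    expires = time.time() + ttl_days * 86400 if ttl_days else None
    user.api_tokens.append(ApiToken(name, _digest(value), expires))
    return value


def revoke_token(user: User, name: str) -> None:
    for tok in user.api_tokens:      # revoke one integration without touching the others
        if tok.name == name:
            tok.revoked = True


def authenticate(user: User, presented: str, now: Optional[float] = None) -> Optional[ApiToken]:
    """Return the live token matching `presented` (stamping last_used) or None."""
    now = time.time() if now is None else now
    candidate = _digest(presented)
    for tok in user.api_tokens:
        live = not tok.revoked and (tok.expires_at is None or now < tok.expires_at)
        if live and hmac.compare_digest(candidate, tok.digest):   # constant-time compare
            tok.last_used = now
            return tok
    return None
```

A compromised database copy yields only HMAC digests, and without SERVER_HMAC_KEY they cannot be turned back into usable tokens or even verified offline.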


Full Changelog: 6.9.22...7.260224.0
