Docker deployment for the eXtended Threat Management (XTM) stack, combining OpenCTI and OpenAEV into a unified threat intelligence and adversary emulation platform.
This repository provides a complete Docker Compose setup for running:
- OpenCTI — Open Cyber Threat Intelligence Platform
- OpenAEV — Open Adversary Emulation & Validation Platform
- XTM Composer — Unified connector/collector management
- Shared Infrastructure — Elasticsearch, MinIO, RabbitMQ
- Platform-specific — Redis (OpenCTI), PostgreSQL (OpenAEV)
Prerequisites:
- Docker Engine 20.10+
- Docker Compose v2.0+
- Minimum 16GB RAM (recommended 32GB for production)
- At least 50GB available disk space
```
┌───────────────────────────────────────────────────────────────┐
│                           XTM Stack                           │
├───────────────────────────────────────────────────────────────┤
│                                                               │
│  ┌─────────────┐      ┌──────────────┐      ┌─────────────┐   │
│  │   OpenCTI   │◄────►│ XTM Composer │◄────►│   OpenAEV   │   │
│  │    :8080    │      └──────────────┘      │    :8081    │   │
│  └─────┬────┬──┘                            └───┬───┬─────┘   │
│        │    │                                   │   │         │
│        ▼    │                                   │   ▼         │
│  ┌─────────┐│                                   │┌───────────┐│
│  │  Redis  ││                                   ││PostgreSQL ││
│  └─────────┘│                                   │└───────────┘│
│             │  ┌────────────────────────────┐   │             │
│             └─►│   Shared Infrastructure    │◄──┘             │
│                │                            │                 │
│                │  ┌──────────────────────┐  │                 │
│                │  │    Elasticsearch     │  │                 │
│                │  └──────────────────────┘  │                 │
│                │                            │                 │
│                │  ┌─────────┐  ┌─────────┐  │                 │
│                │  │  MinIO  │  │RabbitMQ │  │                 │
│                │  └─────────┘  └─────────┘  │                 │
│                └────────────────────────────┘                 │
│                                                               │
└───────────────────────────────────────────────────────────────┘
```
```sh
git clone https://github.com/FiligranHQ/xtm-docker.git
cd xtm-docker
```

Create a `.env` file with the required configuration. An example is available in `.env.sample`.
```env
# PostgreSQL
POSTGRES_USER=openaev
POSTGRES_PASSWORD=<generate-strong-password>

# MinIO
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=<generate-strong-password>

# RabbitMQ
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=<generate-strong-password>

# OpenCTI
OPENCTI_EXTERNAL_SCHEME=http
OPENCTI_HOST=localhost
OPENCTI_PORT=8080
OPENCTI_ADMIN_EMAIL=<admin-email>
OPENCTI_ADMIN_PASSWORD=<generate-strong-password>
OPENCTI_ADMIN_TOKEN=<generate-uuid-v4>
OPENCTI_HEALTHCHECK_ACCESS_KEY=<generate-uuid-v4>

# OpenAEV
OPENAEV_EXTERNAL_SCHEME=http
OPENAEV_HOST=localhost
OPENAEV_PORT=8081
OPENAEV_ADMIN_EMAIL=<admin-email>
OPENAEV_ADMIN_PASSWORD=<generate-strong-password>
OPENAEV_ADMIN_TOKEN=<generate-uuid-v4>
OPENAEV_HEALTHCHECK_KEY=<generate-uuid-v4>

# SMTP (mandatory)
SMTP_HOST=localhost
SMTP_PORT=25
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_AUTH=false
SMTP_SSL_ENABLE=false
SMTP_STARTTLS_ENABLE=false

# IMAP (optional)
OPENAEV_MAIL_IMAP_ENABLED=false
IMAP_HOST=
IMAP_PORT=993
IMAP_USERNAME=
IMAP_PASSWORD=
IMAP_AUTH=true
IMAP_SSL_ENABLE=true
IMAP_STARTTLS_ENABLE=false
```

Tip: Generate UUIDs using `uuidgen` or online tools like uuidgenerator.net.
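As an added example that is not part of the xtm-docker repository, the script below fills the `<generate-strong-password>` and `<generate-uuid-v4>` placeholders of a sample file with values drawn locally from `/dev/urandom`, so the admin tokens and passwords that end up in `.env` are never produced by or shown to a third-party website, and then checks that no placeholder survived. It assumes a POSIX shell with `od`, `tr` and `cut`; the `fill_env` and `check_env` names are this example's own.

```shell
# Added example (not from the xtm-docker repository): fill the
# <generate-strong-password> and <generate-uuid-v4> placeholders of a
# .env sample with values generated locally from /dev/urandom.
set -eu

UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}'

# 32 alphanumeric characters (~190 bits), safe to paste into .env unquoted.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Random (version 4) UUID per RFC 4122: 122 random bits, the version
# nibble forced to 4 and the variant nibble forced to one of 8, 9, a, b.
gen_uuid() {
  h=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  case $(printf '%s' "$h" | cut -c17) in
    [0-3]) v=8 ;; [4-7]) v=9 ;; [89ab]) v=a ;; *) v=b ;;
  esac
  printf '%s-%s-4%s-%s%s-%s\n' \
    "$(printf '%s' "$h" | cut -c1-8)"   "$(printf '%s' "$h" | cut -c9-12)" \
    "$(printf '%s' "$h" | cut -c14-16)" "$v" "$(printf '%s' "$h" | cut -c18-20)" \
    "$(printf '%s' "$h" | cut -c21-32)"
}

# Copy a sample file to stdout, giving every placeholder its own fresh
# value.  Usage: fill_env .env.sample > .env
fill_env() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *'<generate-strong-password>'*)
        printf '%s%s%s\n' "${line%%<generate-strong-password>*}" \
          "$(gen_password)" "${line#*<generate-strong-password>}" ;;
      *'<generate-uuid-v4>'*)
        printf '%s%s%s\n' "${line%%<generate-uuid-v4>*}" \
          "$(gen_uuid)" "${line#*<generate-uuid-v4>}" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$1"
}

# Exit 0 only if no placeholder survived and every *TOKEN= / *KEY= value
# is a well-formed UUID v4 (the format the sample asks for above).
check_env() {
  ! grep -qE '<generate-[a-z0-9-]+>' "$1" &&
  ! grep -E '^[A-Z0-9_]*(TOKEN|KEY)=' "$1" | grep -qvE "=${UUID_RE}\$"
}
```

Run `fill_env .env.sample > .env && check_env .env` from the repository root; a non-zero exit means a placeholder or malformed token is still present.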
```sh
docker compose up -d
```

Once all services are healthy (this may take a few minutes on first start), the platforms are available at:
- OpenCTI: http://localhost:8080
- OpenAEV: http://localhost:8081
- RabbitMQ Management: http://localhost:15672
OpenCTI connectors included in the stack:

| Connector | Description |
|---|---|
| Export File STIX | Export data in STIX 2.1 format |
| Export File CSV | Export data in CSV format |
| Export File TXT | Export data in plain text format |
| Import File STIX | Import STIX 2.1 bundles |
| Import Document | Import and analyze PDF, HTML, and text documents |
| Import File YARA | Import YARA rules |
| Analysis | Document analysis connector |
| Import External Reference | Import external references |
| OpenCTI Datasets | Default marking definitions and identities |
| MITRE ATT&CK | MITRE ATT&CK framework data |

OpenAEV collectors included in the stack:

| Collector | Description |
|---|---|
| MITRE ATT&CK | Attack techniques and procedures |
| OpenAEV Datasets | Default datasets and configurations |
| Atomic Red Team | Red Canary's Atomic Red Team tests |
| NVD NIST CVE | CVE data from NVD (requires API key) |

OpenAEV injectors included in the stack:

| Injector | Description |
|---|---|
| Nmap | Network scanning capabilities |
| Nuclei | Vulnerability scanning with Nuclei |
Adjust `ELASTIC_MEMORY_SIZE` based on your available RAM:

| Total RAM | Recommended Setting |
|---|---|
| 16GB | 2G |
| 32GB | 4G |
| 64GB+ | 8G |
Modify the worker replicas in `docker-compose.yml`:

```yaml
worker:
  deploy:
    mode: replicated
    replicas: 3 # Increase for higher throughput
```

To expose the platforms externally (behind a reverse proxy, for instance), update the environment variables:

```env
OPENCTI_EXTERNAL_SCHEME=https
OPENCTI_HOST=opencti.yourdomain.com
OPENCTI_PORT=443
OPENAEV_EXTERNAL_SCHEME=https
OPENAEV_HOST=openaev.yourdomain.com
OPENAEV_PORT=443
```

To view logs:

```sh
# All services
docker compose logs -f
# Specific service
docker compose logs -f opencti
docker compose logs -f openaev
```

To check service status:

```sh
docker compose ps
```

To stop the stack:

```sh
docker compose down
```

To stop the stack and also delete its volumes (all stored data is removed):

```sh
docker compose down -v
```
Troubleshooting:

- Check that Elasticsearch has enough virtual memory:

  ```sh
  sudo sysctl -w vm.max_map_count=262144
  ```

- Verify all environment variables are set in `.env`
- Check logs for specific errors:

  ```sh
  docker compose logs <service-name>
  ```

- Ensure all dependency services are healthy
- Verify tokens match between services
- Check network connectivity within the Docker network
If you wish to report bugs or request new features:
- OpenCTI: GitHub Issues
- OpenAEV: GitHub Issues
For support or discussions about the XTM stack, join us on our Slack channel or email us at [email protected].
XTM is a product suite designed and developed by Filigran.
