XTM One in OpenCTI
In OpenCTI, XTM One can be used as a contextual AI layer on top of the threat intelligence workflow you are already using.
What this usually means for end users
Instead of leaving OpenCTI to ask for help elsewhere, you may see XTM One actions directly in the places where you work with intelligence content.
Depending on your deployment, this can happen around:
- reports
- documents or uploaded files
- cases
- other investigation or analysis workflows
Typical user-facing actions
The exact labels can vary, but common examples include:
- summarizing a report
- extracting indicators from a PDF or document
- analyzing a case in context
- generating a more focused explanation for a specific intelligence object
In some deployments, the available actions can also reflect the business context declared for the connected OpenCTI instance, such as CTI, FIMI, or Fraud-oriented workflows.
What to expect when you use it
When you trigger an XTM One action from OpenCTI:
- the current OpenCTI context is used as the starting point
- XTM One routes the request to the most appropriate configured assistant
- the result is returned inside the OpenCTI experience rather than as a separate generic chat
This makes the feature feel more like an OpenCTI capability than a detached AI assistant.
Why a feature may be unavailable
You may not see a given XTM One action in OpenCTI if:
- no compatible assistant is configured for that use case
- the action is not enabled for your deployment
- the connected OpenCTI instance does not expose that capability
- the action is not available for your current business context
In some cases, the product can intentionally disable a feature when no suitable XTM One assistant is available.
Permissions and trust
As an end user, you should expect XTM One to act within the boundaries of your OpenCTI access.
That means:
- the analysis is based on what your current session can access
- results should be reviewed as contextual assistance, not treated as automatic truth
- if a workflow requires validation, your product can still ask for human review
Good practices
- Launch the action from the most relevant report, case, or document.
- Use the output to speed up investigation, not to skip validation.
- If an action is missing, ask whether the relevant XTM One capability has been configured for your environment.
Next step
Continue with XTM One in OpenAEV if your organization also uses adversarial exposure validation workflows.