Docker deployment for the eXtended Threat Management (XTM) stack, combining OpenCTI, OpenAEV and XTM One into a unified threat intelligence, adversary emulation and AI-assisted analysis platform.
This repository provides a complete Docker Compose setup for running:
- OpenCTI — Open Cyber Threat Intelligence Platform
- OpenAEV — Open Adversary Emulation & Validation Platform
- XTM One — AI-powered assistant connecting OpenCTI and OpenAEV
- XTM Composer — Unified connector/collector management
- Shared Infrastructure — Elasticsearch, MinIO, RabbitMQ, Redis
- Platform-specific — PostgreSQL (OpenAEV), PostgreSQL+pgvector (XTM One)
Requirements for running the stack:
- Docker Engine 20.10+
- Docker Compose v2.0+
- Minimum 16GB RAM (recommended 32GB for production)
- At least 50GB available disk space
Architecture overview (Mermaid diagram; the ports are the defaults published by this repository):

```mermaid
graph TB
OpenCTI["OpenCTI<br/>:8080"]
OpenAEV["OpenAEV<br/>:8081"]
XTMOne["XTM One<br/>:8090"]
Composer["XTM Composer"]
Worker["OpenCTI Worker"]
XTMOneWorker["XTM One Worker"]
OpenCTI <--> Composer
Composer <--> OpenAEV
OpenCTI <--> XTMOne
XTMOne <--> OpenAEV
Worker --> OpenCTI
XTMOneWorker --> XTMOne
subgraph Shared["Shared Infrastructure"]
ES[("Elasticsearch")]
MinIO[("MinIO")]
RabbitMQ[("RabbitMQ")]
Redis[("Redis")]
end
subgraph Stores["Dedicated databases"]
PG[("PostgreSQL — OpenAEV")]
PGV[("PostgreSQL + pgvector — XTM One")]
end
OpenCTI --> ES
OpenCTI --> MinIO
OpenCTI --> RabbitMQ
OpenCTI --> Redis
OpenAEV --> ES
OpenAEV --> MinIO
OpenAEV --> RabbitMQ
OpenAEV --> PG
XTMOne --> MinIO
XTMOne --> Redis
XTMOne --> PGV
```
Clone the repository:

```bash
git clone https://github.com/FiligranHQ/xtm-docker.git
cd xtm-docker
```

Create a .env file with the required configuration. An example is available in .env.sample; copy it and replace every `<...>` placeholder with a real value before starting the stack.
```dotenv
# PostgreSQL
POSTGRES_USER=openaev
POSTGRES_PASSWORD=<generate-strong-password>
# MinIO
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=<generate-strong-password>
# RabbitMQ
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=<generate-strong-password>
# OpenCTI
OPENCTI_EXTERNAL_SCHEME=http
OPENCTI_HOST=localhost
OPENCTI_PORT=8080
OPENCTI_ADMIN_EMAIL=admin@filigran.io
OPENCTI_ADMIN_PASSWORD=<generate-strong-password>
OPENCTI_ADMIN_TOKEN=<generate-uuid-v4>
OPENCTI_HEALTHCHECK_ACCESS_KEY=<generate-uuid-v4>
# OpenAEV
OPENAEV_EXTERNAL_SCHEME=http
OPENAEV_HOST=localhost
OPENAEV_PORT=8081
OPENAEV_ADMIN_EMAIL=admin@filigran.io
OPENAEV_ADMIN_PASSWORD=<generate-strong-password>
OPENAEV_ADMIN_TOKEN=<generate-uuid-v4>
OPENAEV_HEALTHCHECK_KEY=<generate-uuid-v4>
# SMTP (mandatory)
SMTP_HOST=localhost
SMTP_PORT=25
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_AUTH=false
SMTP_SSL_ENABLE=false
SMTP_STARTTLS_ENABLE=false
# IMAP (optional)
OPENAEV_MAIL_IMAP_ENABLED=false
IMAP_HOST=
IMAP_PORT=993
IMAP_USERNAME=
IMAP_PASSWORD=
IMAP_AUTH=true
IMAP_SSL_ENABLE=true
IMAP_STARTTLS_ENABLE=false
```

Tip: Generate UUIDs using `uuidgen`. `OPENCTI_ENCRYPTION_KEY` must be a 32-byte base64 string produced with `openssl rand -base64 32`, not a UUID. `XTM_ONE_SECRET_KEY` and `PLATFORM_REGISTRATION_TOKEN` can be any long random string (e.g. `openssl rand -hex 32`). The full XTM One configuration (admin credentials, image tag, dedicated Postgres credentials, S3 bucket, license) lives at the bottom of .env.sample.

`PLATFORM_REGISTRATION_TOKEN` is the shared secret that lets OpenCTI and OpenAEV register themselves with XTM One. It MUST be identical for the three platforms; if the values differ, a platform cannot register and never appears in XTM One.

Two further points before you start the stack. First, `minioadmin` and `guest` are the well-known default account names of MinIO and RabbitMQ: change the user names as well as the passwords. Second, .env holds every credential of the deployment in clear text, so keep it out of version control and readable only by the account that runs Docker (`chmod 600 .env`).
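The following script is an added example for this README, not a script shipped in the xtm-docker repository. It generates every secret in the format the tip above requires (UUID v4 for the admin and health-check keys, 32 raw bytes base64-encoded for `OPENCTI_ENCRYPTION_KEY`, long hex strings for the shared secrets) and then checks a finished .env for the mistakes that otherwise only surface at runtime: leftover placeholders, a UUID pasted where a 32-byte key belongs, or a short shared secret. It needs only POSIX sh and openssl, so it also works where `uuidgen` is absent. The variable names are the ones in the sample and the tip; the generated MinIO and RabbitMQ user names (`xtm` plus random hex) are this example's choice, not a project default.

```sh
#!/usr/bin/env sh
# Added example for this README, not a script from the xtm-docker repository.
# Generates the secrets the tip above asks for and checks a finished .env
# before `docker compose up`. Variable names are the ones used in the sample
# and the tip; needs only POSIX sh and openssl (no uuidgen required).
set -u

# UUID v4 without uuidgen: 16 random bytes, version nibble forced to 4 and
# variant nibble to 8..b as RFC 4122 requires.
gen_uuid() {
  h=$(openssl rand -hex 16)
  v=$(printf '%x' $(( (0x$(printf '%s' "$h" | cut -c17) & 3) | 8 )))
  printf '%s-%s-4%s-%s%s-%s\n' \
    "$(printf '%s' "$h" | cut -c1-8)"  "$(printf '%s' "$h" | cut -c9-12)" \
    "$(printf '%s' "$h" | cut -c14-16)" "$v" "$(printf '%s' "$h" | cut -c18-20)" \
    "$(printf '%s' "$h" | cut -c21-32)"
}

# Print KEY=VALUE lines for every secret-bearing variable, each freshly
# generated in the format the tip requires. Paste them over the placeholder
# lines of your .env copy (scheme/host/port/SMTP settings are left to you).
# User names replace the well-known defaults minioadmin/guest (assumed names).
gen_secrets() {
  reg=$(openssl rand -hex 32)   # one value; must be identical everywhere it is used
  cat <<EOF
POSTGRES_PASSWORD=$(openssl rand -hex 24)
MINIO_ROOT_USER=xtm$(openssl rand -hex 4)
MINIO_ROOT_PASSWORD=$(openssl rand -hex 24)
RABBITMQ_DEFAULT_USER=xtm$(openssl rand -hex 4)
RABBITMQ_DEFAULT_PASS=$(openssl rand -hex 24)
OPENCTI_ADMIN_PASSWORD=$(openssl rand -hex 24)
OPENCTI_ADMIN_TOKEN=$(gen_uuid)
OPENCTI_HEALTHCHECK_ACCESS_KEY=$(gen_uuid)
OPENCTI_ENCRYPTION_KEY=$(openssl rand -base64 32)
OPENAEV_ADMIN_PASSWORD=$(openssl rand -hex 24)
OPENAEV_ADMIN_TOKEN=$(gen_uuid)
OPENAEV_HEALTHCHECK_KEY=$(gen_uuid)
XTM_ONE_SECRET_KEY=$(openssl rand -hex 32)
PLATFORM_REGISTRATION_TOKEN=$reg
EOF
}

# Last value assigned to KEY in FILE (unquoted dotenv syntax, as in the sample).
env_value() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Reject a .env that would fail at runtime: leftover <placeholders>, admin and
# health-check keys that are not UUID v4, an encryption key that is not
# exactly 32 raw bytes, or short shared secrets. Returns non-zero on any finding.
check_env() {
  f=$1; rc=0
  if grep -q '<[^>]*>' "$f"; then
    echo "placeholders still present:" >&2; grep -n '<[^>]*>' "$f" >&2; rc=1
  fi
  for k in OPENCTI_ADMIN_TOKEN OPENAEV_ADMIN_TOKEN \
           OPENCTI_HEALTHCHECK_ACCESS_KEY OPENAEV_HEALTHCHECK_KEY; do
    v=$(env_value "$f" "$k")
    printf '%s\n' "$v" | grep -Eiq \
      '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$' \
      || { echo "$k is not a UUID v4: '$v'" >&2; rc=1; }
  done
  key=$(env_value "$f" OPENCTI_ENCRYPTION_KEY)
  n=$(printf '%s\n' "$key" | openssl base64 -d 2>/dev/null | wc -c)
  [ "$((n))" -eq 32 ] \
    || { echo "OPENCTI_ENCRYPTION_KEY must decode to 32 bytes, got $((n))" >&2; rc=1; }
  for k in XTM_ONE_SECRET_KEY PLATFORM_REGISTRATION_TOKEN; do
    v=$(env_value "$f" "$k")
    [ "${#v}" -ge 32 ] || { echo "$k is too short; use e.g. openssl rand -hex 32" >&2; rc=1; }
  done
  return "$rc"
}

# Usage: sh xtm-secrets.sh gen > secrets.env   (then merge into .env)
#        sh xtm-secrets.sh check .env
case "${1:-}" in
  gen)   gen_secrets ;;
  check) check_env "$2" ;;
esac
```

Run `sh xtm-secrets.sh check .env` after editing the file by hand; the encryption-key check is the one that catches the most common mistake, a UUID copied into `OPENCTI_ENCRYPTION_KEY`, which decodes to far fewer than 32 bytes.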
Start the stack:

```bash
docker compose up -d
```

Once all services are healthy (this may take a few minutes on first start):
- OpenCTI: http://localhost:8080
- OpenAEV: http://localhost:8081
- XTM One: http://localhost:8090
- RabbitMQ Management: http://localhost:15672

These ports are published on the host. The RabbitMQ management UI accepts the `RABBITMQ_DEFAULT_USER` credentials from .env, so do not leave it reachable from outside the host.
OpenCTI connectors included in this deployment:

| Connector | Description |
|---|---|
| Export File STIX | Export data in STIX 2.1 format |
| Export File CSV | Export data in CSV format |
| Export File TXT | Export data in plain text format |
| Import File STIX | Import STIX 2.1 bundles |
| Import Document | Import and analyze PDF, HTML, and text documents |
| Import File YARA | Import YARA rules |
| Analysis | Document analysis connector |
| Import External Reference | Import external references |
| OpenCTI Datasets | Default marking definitions and identities |
| MITRE ATT&CK | MITRE ATT&CK framework data |
OpenAEV collectors included in this deployment:

| Collector | Description |
|---|---|
| MITRE ATT&CK | Attack techniques and procedures |
| OpenAEV Datasets | Default datasets and configurations |
| Atomic Red Team | Red Canary's Atomic Red Team tests |
| NVD NIST CVE | CVE data from NVD (requires API key) |
OpenAEV injectors included in this deployment:

| Injector | Description |
|---|---|
| Nmap | Network scanning capabilities |
| Nuclei | Vulnerability scanning with Nuclei |
ELASTIC_MEMORY_SIZE sets the Elasticsearch JVM heap. Adjust it to your available RAM, keeping it at no more than half of the memory the Elasticsearch container can use, so the rest remains available to the OS page cache and the other services:
| Total RAM | Recommended Setting |
|---|---|
| 16GB | 2G |
| 32GB | 4G |
| 64GB+ | 8G |
To increase ingestion throughput, modify the worker replicas in docker-compose.yml:

```yaml
worker:
  deploy:
    mode: replicated
    replicas: 3 # Increase for higher throughput
```

To expose the platforms externally (behind a reverse proxy, for instance), update the environment variables so each platform builds its public URLs with the external scheme, host and port:

```dotenv
OPENCTI_EXTERNAL_SCHEME=https
OPENCTI_HOST=opencti.yourdomain.com
OPENCTI_PORT=443
OPENAEV_EXTERNAL_SCHEME=https
OPENAEV_HOST=openaev.yourdomain.com
OPENAEV_PORT=443
```

These variables only change the URLs the platforms advertise; the containers still listen on plain HTTP. Terminate TLS at the reverse proxy and keep the published container ports reachable only from the proxy (for instance by binding them to 127.0.0.1 in a Compose override file).

View logs:

```bash
# All services
docker compose logs -f
# Specific service
docker compose logs -f opencti
docker compose logs -f openaev
```

Check service status and health:

```bash
docker compose ps
```

Stop the stack (volumes and their data are kept):

```bash
docker compose down
```

Stop the stack and delete all volumes. This permanently removes every database, index and uploaded file:

```bash
docker compose down -v
```

Troubleshooting:

- Check that Elasticsearch has enough virtual memory. It needs vm.max_map_count of at least 262144; add the same setting to /etc/sysctl.conf so it survives a reboot:

  ```bash
  sudo sysctl -w vm.max_map_count=262144
  ```

- Verify all environment variables are set in .env and that no `<...>` placeholder is left.
- Check logs for specific errors:

  ```bash
  docker compose logs <service-name>
  ```

- Ensure all dependency services (Elasticsearch, MinIO, RabbitMQ, Redis, PostgreSQL) are healthy before expecting the platforms to come up.
- Verify tokens match between services: the worker and connectors must use the same OPENCTI_ADMIN_TOKEN as the OpenCTI platform, and PLATFORM_REGISTRATION_TOKEN must be identical for OpenCTI, OpenAEV and XTM One.
- Check network connectivity within the Docker network (services reach each other by their Compose service name, not by localhost).
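The preflight script below is an added example for this README, not a script from the xtm-docker repository. It turns the troubleshooting list and the sizing guidance into checks you can run before `docker compose up`: vm.max_map_count against the 262144 Elasticsearch requirement, host RAM and free disk against the 16GB/50GB minimums, the ELASTIC_MEMORY_SIZE value suggested by the table above, and a .env scan for shared tokens that are missing, empty or defined more than once (a duplicate definition is the usual way two services end up with different tokens). Each check accepts an optional value so it can be exercised without root or a real host; /var/lib/docker as the Docker data root is an assumption, with a fallback to the current directory.

```sh
#!/usr/bin/env sh
# Added example for this README, not a script from the xtm-docker repository.
# Host preflight for the troubleshooting list above. Thresholds are the ones
# the README states (vm.max_map_count 262144, 16 GB RAM, 50 GB disk, the
# ELASTIC_MEMORY_SIZE table); each check takes an optional value so it can be
# exercised without root or a real host.
set -u

# Elasticsearch refuses to start below vm.max_map_count=262144.
check_map_count() {
  cur=${1:-$(sysctl -n vm.max_map_count 2>/dev/null || cat /proc/sys/vm/max_map_count)}
  [ "$cur" -ge 262144 ]
}

# Total RAM in whole GB from /proc/meminfo (value in kB), or from $1.
host_ram_gb() {
  kb=${1:-$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)}
  echo $(( kb / 1024 / 1024 ))
}

# Free space in whole GB on the filesystem holding a directory
# (default: Docker's data root, assumed to be /var/lib/docker).
free_disk_gb() {
  df -Pk "${1:-/var/lib/docker}" | awk 'NR==2 { print int($4 / 1024 / 1024) }'
}

# ELASTIC_MEMORY_SIZE to use for a host with the given RAM in GB, per the README table.
recommend_es_heap() {
  if   [ "$1" -ge 64 ]; then echo 8G
  elif [ "$1" -ge 32 ]; then echo 4G
  elif [ "$1" -ge 16 ]; then echo 2G
  else echo "none (below the 16 GB minimum)"; fi
}

# Shared tokens must exist exactly once and be non-empty. A token defined twice
# means only one of the two values takes effect, while a service configured by
# hand may carry the other one: the classic "tokens do not match" situation.
check_shared_tokens() {
  f=$1; rc=0
  for k in OPENCTI_ADMIN_TOKEN OPENAEV_ADMIN_TOKEN PLATFORM_REGISTRATION_TOKEN; do
    n=$(grep -c "^$k=" "$f" || true)
    v=$(sed -n "s/^$k=//p" "$f" | tail -n 1)
    if [ "$n" -eq 0 ] || [ -z "$v" ]; then echo "$k: missing or empty" >&2; rc=1
    elif [ "$n" -gt 1 ]; then echo "$k: defined $n times in $f" >&2; rc=1
    fi
  done
  return "$rc"
}

# Run every check against the live host and a .env path; non-zero exit on any failure.
preflight() {
  env_file=${1:-.env}; rc=0
  ram=$(host_ram_gb)
  check_map_count \
    || { echo "FAIL vm.max_map_count < 262144 (sudo sysctl -w vm.max_map_count=262144)"; rc=1; }
  [ "$ram" -ge 16 ] || { echo "FAIL RAM ${ram} GB < 16 GB minimum"; rc=1; }
  disk=$(free_disk_gb /var/lib/docker 2>/dev/null || free_disk_gb .)
  [ "$disk" -ge 50 ] || { echo "FAIL free disk ${disk} GB < 50 GB minimum"; rc=1; }
  echo "INFO suggested ELASTIC_MEMORY_SIZE=$(recommend_es_heap "$ram")"
  if [ -f "$env_file" ]; then check_shared_tokens "$env_file" || rc=1
  else echo "WARN $env_file not found, token check skipped"; fi
  return "$rc"
}

# Usage: sh xtm-preflight.sh run [path/to/.env]
if [ "${1:-}" = run ]; then preflight "${2:-.env}"; fi
```

Run it on the Docker host as `sh xtm-preflight.sh run .env`; a non-zero exit means at least one FAIL line was printed, and the sysctl fix it suggests is the same one listed in the troubleshooting section.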
If you wish to report bugs or request new features:
- OpenCTI: GitHub Issues
- OpenAEV: GitHub Issues
For support or discussions about the XTM stack, join us on our Slack channel or email us at contact@filigran.io.
XTM is a product suite designed and developed by Filigran.
