STONES and STONEWORK are open ontologies for cyber threat intelligence, designed to make STIX 2.1 knowledge accessible to AI-driven analysis and knowledge graph platforms.
What is STONES?
STONES is a structured knowledge model — specifically, an OWL ontology — that gives STIX 2.1 a new form.
STIX 2.1 (Structured Threat Information eXpression) is the OASIS standard that most cyber threat intelligence platforms use to package and share threat data: threat actors, campaigns, malware, indicators, attack patterns, vulnerabilities, and the relationships between them. It is widely supported and well understood in the CTI community.
The challenge is that STIX 2.1 is a data exchange format — JSON bundles designed to move intelligence between systems. That format is not well suited to the way modern AI systems reason over knowledge. Tools like knowledge graphs, graph databases, and GraphRAG pipelines work best with data that has formal, queryable structure — where relationships are first-class and where reasoning across domains is possible.
STONES is a faithful ontological representation of STIX 2.1. Every STIX domain object, observable, and relationship is represented as a formal class or property. The semantics of STIX 2.1 are preserved — nothing is reinterpreted — but the knowledge is now available in a form that supports SPARQL queries, OWL reasoning, and integration into AI-driven analysis pipelines.
Note: STONES is independent work and is not affiliated with OASIS or the OASIS Cyber Threat Intelligence Technical Committee (CTI-TC), which develops and maintains the STIX 2.1 standard.
What is STONEWORK?
STONEWORK extends STONES to represent a broader picture of the cyber threat landscape.
STIX 2.1 covers what can be shared between CTI platforms. STONEWORK adds what analysts need for operational context: adversary techniques from MITRE ATT&CK, software weaknesses from CWE, and defensive controls from frameworks such as NIST SP 800-53 and CIS Controls.
STONES and STONEWORK are designed to work together. STONES provides the core threat intelligence vocabulary; STONEWORK connects it to the techniques, weaknesses, and controls that turn raw intelligence into actionable knowledge — the kind of structured terrain that AI-assisted analysis depends on.