Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time


A python library for parsing, manipulating, and generating Structured Threat Information eXpression (STIX™) v1.2.0 content.


Build Status Code Health Version


The python-stix library is hosted on PyPI and the most recent stable version can be installed with pip:

$ pip install stix

The python-stix library can also be installed via the distutils script included at the root directory:

$ python install


The python-stix library depends on the presence of certain packages/libraries to function. Please refer to their installation documentation for installation instructions.

Installation on Ubuntu 14.04 (and older)

$ sudo apt-get install python-dev python-pip libxml2-dev libxslt-dev zlib1g-dev
$ sudo pip install stix

Installation on Windows

Download the Lxml wheel for your version of Python from, then install it via "pip install <filename>.whl". For example, to install it on 64-bit Windows running Python 2.7:

$ pip install lxml-3.6.1-cp27-cp27m-win_amd64.whl
$ pip install stix


Releases of the python-stix library will be given version numbers of the form major.minor.update.revision, where major, minor, and update correspond to the STIX version being supported. The revision number is used to indicate new versions of the python-stix library itself.


The python-stix package layout is as follows:

  • stix/ : root level package.
  • examples/ : example python scripts that leverage the python-stix library.
  • stix/utils/ : utility classes and modules used internally by the python-stix library.
  • stix/bindings/ : generateDS generated xml-to-python bindings (leveraged for parsing and output of STIX XML content).
  • stix/campaign/ : APIs for STIX Campaign constructs.
  • stix/coa/ : APIs for STIX Course Of Action constructs.
  • stix/core/ : APIs for core STIX constructs (e.g., STIX Header, STIX Package).
  • stix/common/ : APIs for common STIX constructs (e.g., Structured Text, Information Source).
  • stix/exploit_target/ : APIs for STIX Exploit Target constructs.
  • stix/incident/ : APIs for common Incident constructs.
  • stix/indicator/ : APIs for STIX Indicator constructs.
  • stix/extensions/ : APIs for STIX extensions (e.g., CIQ Identity).
  • stix/report/: APIs for STIX Report constructs.
  • stix/threat_actor/ : APIs for STIX Threat Actor constructs.
  • stix/ttp/ : APIs for STIX TTP constructs.

Please refer to examples for concrete examples of how to interact with the python-stix library.