How Automated Indicator Sharing (AIS) Works

AIS uses open standards: the Structured Threat Information Expression (STIX™) for cyber threat indicators and defensive measures information and the Trusted Automated Exchange of Indicator Information (TAXII™) for machine-to-machine communications. Using standards allows threat activity context such as tactics, techniques, and procedures, vulnerabilities, and courses of action to be shared through a communications protocol to and from participants.  

AIS uses a server/client architecture for communications. AIS participants connect to AIS with a STIX/TAXII client (which can be built or bought from commercial vendors) to exchange cyber threat indicators and defensive measures with CISA and, in turn, other AIS participants via the AIS TAXII Server. CISA respects organizational privacy; AIS anonymizes submissions by default when transmitting them, meaning that the identity of the submitter is not revealed without the prior express consent of the submitter.