by _8j50 1584 days ago
That's a valid concern. It makes a lot of sense to store files separately on a dedicated file server; your TIP should only track hashes.

I have heard both good and bad things about OpenCTI. But you can say the same about MISP as well. I agree people should check out both. But IMO, I have seen people pick a TIP like this without a long-term evaluation and it always ends up with some important thing you want to do with it but that isn't possible, practical or supported. I think there are better platforms than MISP (depending on use case), but if you just have a bunch of intel and you want to put it somewhere and let the rest of your security stack integrate to operationalize that data, MISP is the best. Then see if all the other platforms can meet the same needs and if your team and resources can save time/money without it.

I also like how I don't have to worry about MISP taking a radically different direction (TheHive and their DBMS for example) or losing support down the road (Cuckoo and its many forks!) because someone is paying to support it. Love the devs too, they don't get enough praise!