Skip to content

Indicators Lifecycle Management


OpenCTI enforces strict rules to determine the period during which an indicator is effective for detection. This period is defined by the valid_from and valid_until dates. In the future, all along this life, the indicator score will decrease according to a customizable algorithm.

After the indicator fully expires, the object is marked as revoked and the detection field is automatically set to false. Here, we outline how these dates are calculated within the OpenCTI platform. This documentation will be enhanced also for the score impact.

Setting validity dates

Data source provided the dates

If a data source provides valid_from and valid_until dates when creating an indicator on the platform, these dates are used without modification.

Fallback rules for unspecified dates

If a data source does not provide validity dates, OpenCTI applies specific rules to determine these dates based on the "main observable type" of indicator and its associated markings.

Indicator type Marking TTL (in days)
IPv4-Addr and IPv6-Addr TLP:CLEAR to TLP:AMBER 30
IPv4-Addr and IPv6-Addr TLP:AMBER+STRICT and TLP:RED 60
IPv4-Addr and IPv6-Addr Others 60
URL Others 180
Others (e.g. Domain-Name, File, YARA) All 365

Understanding Time-To-Live (TTL)

The TTL represents the duration for which an indicator is considered valid - i.e. here, the number of days between valid_from and valid_until. After this period, the indicator is marked as revoked.


If a URL indicator with TLP:AMBER marking is created without specific validity dates, it will be considered valid for 180 days from its valid_from date. After 180 days, the valid_until date will be reach and the indicator will be automatically revoked.


Understanding how OpenCTI calculates validity periods is essential for effective threat intelligence analysis. These rules ensure that your indicators are accurate and up-to-date, providing a reliable foundation for threat intelligence data.