MAEC 5.0

This is the current release of MAEC.

Feedback or questions about this release are welcome on the MAEC Community Email Discussion List, or directly to

Release Notes

The most significant changes in the MAEC 5.0 release include: a more graph-based approach through the definition of MAEC top-level objects and MAEC relationships; JSON serialization, which significantly reduces the size and complexity of MAEC documents and allows for better integration with other applications; a single standardized output format (the MAEC Package); a new object for capturing properties associated with malware families; a new type for capturing metadata about signatures and rules (e.g., YARA rules) triggered by a malware instance; and a new type for capturing details of how a malware instance is obfuscated. A complete list of changes is available in Section 1.2 of the MAEC 5.0 “Core” Specification.

This release of MAEC 5.0 includes the following:

  • MAEC 5.0 “Core” Specification
  • MAEC 5.0 “Vocabularies” Specification
  • A full set of JSON schemas that correspond with the specifications
  • A Cuckoo Sandbox 2.x reporting module that produces native MAEC 5.0 output


JSON Schemas

Cuckoo Reporting Modules

The Cuckoo Sandbox 2.x reporting module produces native MAEC 5.0 output.