The latest articles on DEV Community by Karan (@kaldeo16). https://dev.to/kaldeo16 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4009048%2F8f553082-76ef-4231-9aef-dbb5a6481d4f.jpg https://dev.to/kaldeo16 en Karan Tue, 30 Jun 2026 09:31:09 +0000 https://dev.to/kaldeo16/building-threatdna-giving-cybersecurity-analysts-a-memory-that-never-forgets-2k8 https://dev.to/kaldeo16/building-threatdna-giving-cybersecurity-analysts-a-memory-that-never-forgets-2k8 <h2> Building ThreatDNA: Giving Cybersecurity Analysts a Memory That Never Forgets </h2> <p>I'm building ThreatDNA for the WeMakeDevs × Cognee hackathon — a cyber memory <br> intelligence platform that remembers every incident an organization has ever <br> faced, so analysts stop investigating the same attack from scratch every time.</p> <h2> The Problem </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Frcbeqypuuzu97b6v5yxk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Frcbeqypuuzu97b6v5yxk.png" alt="Scattered disconnected security incident cards representing fragmented SOC knowledge" width="800" height="452"></a></p> <p>Security teams generate mountains of data — incident reports, IOC feeds, <br> malware analysis, analyst notes. Once an incident is closed, all of that <br> knowledge usually disappears into a PDF or a Jira ticket. Six months later, <br> when something similar happens again, the team starts almost from zero.</p> <h2> Why Cognee </h2> <p>Most "AI security assistant" projects are just a chatbot wrapped around <br> search. They don't actually remember anything between sessions. Cognee is <br> different — it's a persistent, self-hosted knowledge graph that connects <br> incidents, malware, CVEs, and techniques over time, and gets smarter the <br> more you use it.</p> <p>I'm using all four of Cognee's core APIs:</p> <ul> <li> <code>remember()</code> — ingest incident reports, IOCs, and analyst notes</li> <li> <code>recall()</code> — graph-traversal search across the org's full incident history </li> <li> <code>improve()</code> — strengthen relationships after every investigation</li> <li> <code>forget()</code> — selectively wipe data (e.g. GDPR/customer-specific cleanup) without nuking the whole graph</li> </ul> <h2> What I've Built So Far </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6lfe7z271mzjcqij6rfj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6lfe7z271mzjcqij6rfj.png" alt="FastAPI docs page showing four Cognee memory endpoints" width="800" height="471"></a></p> <p>A FastAPI backend wired directly into Cognee, with working endpoints for <br> all four memory operations. I seeded it with a few fake incidents spanning <br> months to test something important: can it actually connect events across <br> time, not just search keywords?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F70yudv2qg4crnfcv23kv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F70yudv2qg4crnfcv23kv.png" alt="ThreatDNA recall response showing temporal reasoning across incidents" width="800" height="447"></a></p> <p>It can. When I asked "have we seen this attack pattern before," ThreatDNA <br> correctly traced a PowerShell-based attack from January back to a similar <br> one from months earlier — same technique, different payload — and explained <br> the connection in plain language. That's not a keyword match. That's a <br> knowledge graph reasoning across time.</p> <p>I also restarted the server completely and asked the same question again — <br> the memory persisted. Nothing was lost. That's the whole point: this isn't <br> a chatbot with amnesia between sessions.</p> <h2> What's Next </h2> <p>Over the next few days I'm building out:</p> <ul> <li>A graph visualization frontend so you can literally see incidents connect</li> <li>A "memory vs no-memory" side-by-side demo</li> <li>MITRE ATT&amp;CK technique overlays</li> <li>A polished demo video</li> </ul> <h2> Why This Matters </h2> <p>The real insight from working on this: most hackathon AI projects bolt <br> memory onto a chatbot as an afterthought. If you removed Cognee from those <br> projects, they'd basically still work. For ThreatDNA, if you remove Cognee, <br> there's no product left — the persistent graph memory IS the product. <br> The LLM just explains what the memory already figured out.</p> <p>Following along? I'll be posting daily progress on X: <a href="https://x.com/KaldeoDev" rel="noopener noreferrer">https://x.com/KaldeoDev</a>, <br> and check out the <a href="https://github.com/topoteretes/cognee" rel="noopener noreferrer">Cognee project</a> <br> if you want to see what's powering all this.<br> GitHub repo: <a href="https://github.com/Kaldeo1666/ThreatDNA" rel="noopener noreferrer">https://github.com/Kaldeo1666/ThreatDNA</a> — drop a star if this kind <br> of project interests you, more updates coming as the hackathon continues.</p> cognee hackathon ai cybersecurity