The latest articles on DEV Community by Sgt.AzureDev (@sgtazuredev). https://dev.to/sgtazuredev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3649875%2F6029bac6-7f53-4c0c-8980-d62a7d9fc7bf.jpeg https://dev.to/sgtazuredev en Sgt.AzureDev Sun, 07 Dec 2025 07:17:30 +0000 https://dev.to/sgtazuredev/my-journey-building-a-cyber-threat-intelligence-agent-with-google-x-kaggle-4137 https://dev.to/sgtazuredev/my-journey-building-a-cyber-threat-intelligence-agent-with-google-x-kaggle-4137 <h2> Introduction </h2> <p>Hey!, I'm a passionate Cybersecurity Threat Intelligence student from India. Recently, I participated in the Google x Kaggle AI Agents Intensive course. For my capstone, I decided to build a Cyber Threat Intelligence (CTI) agent, aiming to automate threat research, correlation, and reporting. In this post I’ll walk through why I chose this project, how I built it, what I learned, and my final results.</p> <h2> Why a Threat-Intel Agent? </h2> <p>The cybersecurity landscape grows increasingly complex, SOC teams and defenders are overwhelmed by alerts, CVEs, logs and threat data from many sources.</p> <p>Manual threat intelligence workflows (looking up vulnerabilities, correlating IOCs, researching threat context, writing reports) are error prone and slow.</p> <p>I wanted to explore how modern AI agents could help by automating data gathering, analysis, correlation, and generating structured reports.</p> <p>This felt like a problem that would benefit greatly from automation and agent AI.</p> <h2> Overview of the Agent </h2> <h3> For the capstone I created the AI Cyber Threat Intel Agent </h3> <p>It uses a multi-agent architecture, a pipeline where sub-agents perform discrete tasks such as intake, analysis, reporting. </p> <p>It supports custom security tools e.g. CVE lookup, threat-intel scraping, log parsing. </p> <p>It keeps a persistent investigation context / memory (session storage + long-term threat-intel storage) so that accumulated intelligence can be reused. </p> <p>As input, you can feed a vulnerability (e.g. a CVE), logs, or threat indicators and the agent will fetch related intel, analyze, correlate, and produce a structured threat report with contextual information and risk assessment. </p> <p>I used Python and leveraged the agent framework from the course.</p> <h2> My Demo &amp; Results </h2> <h3> Using the AI Cyber Threat Intel Demo notebook </h3> <p>I tested the agent with sample inputs: e.g. CVE lookup (vulnerability), sample security log events (failed logins, suspicious IPs), and threat indicators (e.g. suspicious hashes or domains).</p> <p>The agent was able to gather relevant public intel about the vulnerability, threats (CVEs, known exploit campaigns), correlate them with the given log or indicator data, produce a consolidated, threat intelligence report summarizing findings, what the threat is, historical context, severity, and actionable recommendations (e.g. patching advice, hardening measures).</p> <p>This demonstrates how an AI driven workflow can reduce manual effort in early threat intel staging, and give a clean, audit report instantly.</p> <h2> What I Learned from the Intensive Course and My Capstone Work </h2> <p>Building a multi-agent pipeline forced me to think modularly; intake → analysis → reporting, which mirrors real SOC workflows. That modularization makes the system extensible.</p> <p>Important to maintain state, context, memory, threat intel often spans multiple sources and events; without memory, there's a risk of losing correlation across events.</p> <p>Combining structured threat data (CVEs, logs) with unstructured readable intel (reports, forums, OSINT feeds). AI agents excel at bridging that gap, parsing, summarizing, correlating.</p> <p>Even such a demo shows potential to speed up triage &amp; intelligence workflows, a hint of how AI and human analysts can work together in cybersecurity.</p> <h2> Challenges &amp; What I Would Improve </h2> <p>In reality, data sources are messy, noisy, and sometimes unreliable. I’d need robust validation, error handling, and integration with live threat intel feeds. </p> <p>For production, I would need secure handling of credentials, better logging and audit trails, and possibly fine tuned models or retrieval pipelines for accuracy.</p> <p>I could expand the agent to more functionalities e.g. periodic automated scanning, integration with security tools (SIEM, EDR), automated alerting, enriched vulnerability context (asset specific risk).</p> <h2> Conclusion &amp; My Thoughts </h2> <p>The capstone project and the course was a powerful learning experience. It helped me understand how agentic AI systems can be applied to cybersecurity challenges.</p> <p>By automating data collection, correlation, and reporting, such agents promise to help security teams reduce their workload, leaving room for deeper analysis and response. I believe this hybrid of AI and human oversight is where the future of threat intelligence lies.</p> <p>My capstone project is published on Github: <a href="https://github.com/SgtAzureDev/ai-cyber-threat-intel-agent" rel="noopener noreferrer">https://github.com/SgtAzureDev/ai-cyber-threat-intel-agent</a></p> <p>The Demo Kaggle Notebook I made for simulating how the agent works: <a href="https://www.kaggle.com/code/sreelakshmipanicker/ai-cyber-threat-intel-demo" rel="noopener noreferrer">https://www.kaggle.com/code/sreelakshmipanicker/ai-cyber-threat-intel-demo</a></p> <p>If you’re thinking of building something similar , or curious about AI for cybersecurity, I encourage you to try! The sky’s the limit..</p> googleaichallenge ai agents devchallenge