DEV Community


SOC-CERT: Automated Threat Intelligence System with n8n & AI

Malika on August 27, 2025

This is a submission for the AI Agents Challenge powered by n8n and Bright Data 🛡️ What I Built ⚡ TL;DR: SOC-CERT is an AI-powered ...
Daniel Trix Smith

This stands out because it’s designed like a real SOC system, not a challenge prototype.

Most submissions stop at “collect CVEs + send alerts.”
You went further and solved the actual hard problems:

Preventing alert fatigue with deduplication and correlation

Designing for partial failures instead of assuming perfect data sources

Treating AI as a constrained component, not a decision-maker

The asynchronous pipeline, retry strategy, and health monitoring show strong production thinking. That’s how security systems survive unreliable feeds and high-volume events.

What’s most impressive is the balance:
government intelligence + community signals + AI scoring, all normalized into something teams can actually act on.

Open-sourcing this while keeping it enterprise-grade sets a high bar for what “automation” should mean.

anamika

An impressive and well-documented submission showcasing how automation and AI can meaningfully reduce alert fatigue in SOC operations. The multi-source threat intelligence approach, strong architecture, and focus on reliability and scalability make this a solid, real-world security workflow.

Karanveer Singh

This is a very impressive implementation of an automated threat intelligence pipeline. The integration of multiple authoritative sources such as CISA, NIST, CERT-FR, and BleepingComputer combined with AI-based CVE analysis creates a powerful SOC automation workflow. I especially like the use of n8n for orchestration and Bright Data for reliable scraping, since handling anti-bot protections and rate limits is often one of the hardest parts of continuous monitoring systems.

The duplicate detection using hash-based change tracking is also a smart design choice because security teams frequently suffer from alert fatigue when the same CVE appears across multiple feeds. Another strong point is the multi-channel notification architecture (Slack, Gmail, and Google Sheets), which ensures alerts reach both operational teams and management dashboards.

The Slack interactive buttons (Ack, Investigate, Dismiss) are a great step toward full SOAR-style incident lifecycle management, and once webhook actions are fully integrated, this could function similarly to lightweight incident response tooling.

For future improvements, you might consider:

• Adding CVSS score correlation from the NVD API for more precise severity ranking
• Integrating with SIEM platforms like Splunk or Elastic Security for centralized logging
• Implementing deduplication across time windows to avoid resurfacing previously acknowledged CVEs
• Adding threat intelligence enrichment from MITRE ATT&CK mapping

Overall, SOC-CERT looks like a scalable and practical open-source solution for automated vulnerability intelligence, especially for small security teams that cannot afford commercial threat-intel platforms.

Malika

Karanveer Singh, thank you so much for this incredibly detailed and thoughtful feedback! 🙏

You perfectly captured the core philosophy behind SOC-CERT - building an accessible, automated threat intelligence pipeline that small security teams can actually afford and maintain.

Your observations are spot-on:

n8n + Bright Data combo: Exactly! Reliable data collection was our first challenge. Anti-bot protections are a nightmare, and Bright Data's rotation capabilities made this production-ready rather than a script that breaks after 100 requests.

Hash-based deduplication: You're absolutely right about alert fatigue. Security teams drown in noise. We wanted every alert to represent a genuinely NEW CVE or meaningful update, not the same vulnerability reposted across 5 different feeds.

Slack interactive buttons: This was our first step toward SOAR-lite functionality. The vision is that a SOC analyst could Investigate directly from Slack, auto-create Jira tickets, or even trigger automated firewall rules. The webhook integration is definitely next on our roadmap.

Your suggestions for improvement are gold:

  • CVSS correlation - Currently in our v2 planning. We want dynamic severity scoring, not just static feed labels.
  • SIEM integration (Splunk/Elastic) - Great idea. Making SOC-CERT a native data source for enterprise SIEMs would bridge the gap between open-source intel and enterprise monitoring.
  • Time-window deduplication - Brilliant. "Acknowledged" CVEs shouldn't resurface. We're exploring Redis-based state tracking for exactly this.
  • MITRE ATT&CK mapping - This is the holy grail. Mapping raw CVEs to actual attacker TTPs transforms "a vulnerability exists" into "here's how they might exploit it."

Since this review, SOC-CERT has evolved even further:

📊 From Pipeline to Dashboard

We transformed the n8n workflow into a KendoReact-powered dashboard with real-time Cohere AI integration:

🔗 From SOC-CERT Winner to Live Dashboard

🚀 From Dashboard to Chrome Extension

Now we're pioneering Virtual CVE Intelligence with a Chrome Extension using 5 built-in AI APIs - solving the 90-day NVD delay problem by creating real-time virtual CVEs for emerging threats:

🔗 From n8n Winner to Chrome AI Pioneer

Building SOC-CERT taught us that effective threat intelligence isn't about having more data - it's about having the RIGHT data, deduplicated, enriched, and delivered where decisions happen (Slack, email, dashboards). Your feedback validates that we're heading in the right direction.

If you'd like to follow the project's evolution or contribute ideas, we'd love to have you in the conversation! 🚀

Thanks again for taking the time to write such a comprehensive review - this kind of feedback is what drives open-source innovation.

Malika

Malika • Edited

🎉 THANK YOU & FEEDBACK
To the amazing n8n and Bright Data teams,
I just learned that SOC-CERT won the AI Agents Challenge, and I'm absolutely thrilled!

I wanted to express my deepest gratitude for organizing this incredible opportunity. This challenge wasn't just about winning - it was about:

Learning advanced n8n workflow automation
Building a real-world cybersecurity solution
Connecting with an amazing community of developers
Growing as a developer and problem-solver

Special thanks for:

  • The well-designed challenge structure
  • The quality documentation and resources
  • The responsive community support
  • The focus on real-world applications

This experience has been transformative, and I'm excited to continue building with n8n and Bright Data!

Keep up the amazing work! 🚀
Malika (@joupify)

Winner - AI Agents Challenge 2025

Abhishek R

Hi author, is cybersecurity in demand? What's the pay? I am from India 🇮🇳 and I want to learn cybersecurity.

Malika

Hi! Yes, cybersecurity is definitely in demand. Salaries depend a lot on location and skills, so it’s best to check local job boards in India for accurate information. Good luck with your learning journey!

Abhishek R

Hey, I don't know anything about cybersecurity. Where should I start? Please tell me. Also, I am not in a state to pay for university courses.

Oliver

Hey Malika,
I'm interested.
I'm looking forward to the next article.