Building ThreatDNA: Giving Cybersecurity Analysts a Memory That Never Forgets
I'm building ThreatDNA for the WeMakeDevs × Cognee hackathon — a cyber memory
intelligence platform that remembers every incident an organization has ever
faced, so analysts stop investigating the same attack from scratch every time.
The Problem
Security teams generate mountains of data — incident reports, IOC feeds,
malware analysis, analyst notes. Once an incident is closed, all of that
knowledge usually disappears into a PDF or a Jira ticket. Six months later,
when something similar happens again, the team starts almost from zero.
Why Cognee
Most "AI security assistant" projects are just a chatbot wrapped around
search. They don't actually remember anything between sessions. Cognee is
different — it's a persistent, self-hosted knowledge graph that connects
incidents, malware, CVEs, and techniques over time, and gets smarter the
more you use it.
I'm using all four of Cognee's core APIs:
- remember() — ingest incident reports, IOCs, and analyst notes
- recall() — graph-traversal search across the org's full incident history
- improve() — strengthen relationships after every investigation
- forget() — selectively wipe data (e.g. GDPR/customer-specific cleanup) without nuking the whole graph
What I've Built So Far
A FastAPI backend wired directly into Cognee, with working endpoints for
all four memory operations. I seeded it with a few fake incidents spanning
months to test something important: can it actually connect events across
time, not just search keywords?
It can. When I asked "have we seen this attack pattern before," ThreatDNA
correctly traced a PowerShell-based attack from January back to a similar
one from months earlier — same technique, different payload — and explained
the connection in plain language. That's not a keyword match. That's a
knowledge graph reasoning across time.
I also restarted the server completely and asked the same question again —
the memory persisted. Nothing was lost. That's the whole point: this isn't
a chatbot with amnesia between sessions.
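To make the "graph traversal, not keyword match" point concrete, here is an added example that is not code from ThreatDNA or from Cognee: a small in-process graph that implements the four memory operations listed above over constructed incidents. The incident IDs, customer names, payload hashes and notes are made up; the ATT&CK technique IDs are real (T1059.001 is PowerShell, T1566.001 is spearphishing attachment). It shows why a January PowerShell-technique incident links back to an earlier one with a different payload even though their notes share no words, how an analyst confirmation strengthens that link, and how forgetting one customer removes only that customer's nodes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    id: str
    date: str
    customer: str
    technique: str   # MITRE ATT&CK technique id
    payload: str     # hash of the dropped artefact (constructed values)
    notes: str


# Constructed sample data, not real incidents. The two acme cases share a
# technique but not a payload, and their notes share no keywords.
SAMPLE_INCIDENTS = [
    Incident("INC-0007", "2023-07-14", "acme", "T1059.001", "sha256:aaaa",
             "encoded command launched from an office macro"),
    Incident("INC-0042", "2024-01-09", "acme", "T1059.001", "sha256:bbbb",
             "script host spawned by a scheduled task"),
    Incident("INC-0051", "2024-02-02", "globex", "T1566.001", "sha256:cccc",
             "phishing attachment delivered a loader"),
]


class ThreatMemory:
    """Toy stand-in for a persistent knowledge graph (not Cognee's API).

    Nodes are strings such as "incident:INC-0042" or "technique:T1059.001";
    edges are undirected and carry an integer weight that starts at 1.
    """

    def __init__(self):
        self.incidents: dict[str, Incident] = {}
        self.adj: dict[str, set[str]] = defaultdict(set)
        self.weight: dict[frozenset, int] = {}

    def _link(self, a: str, b: str) -> None:
        self.adj[a].add(b)
        self.adj[b].add(a)
        self.weight.setdefault(frozenset((a, b)), 1)

    def remember(self, inc: Incident) -> None:
        """Ingest an incident and connect it to the entities it mentions."""
        self.incidents[inc.id] = inc
        node = f"incident:{inc.id}"
        self._link(node, f"technique:{inc.technique}")
        self._link(node, f"payload:{inc.payload}")
        self._link(node, f"customer:{inc.customer}")

    def recall(self, incident_id: str) -> list[tuple[str, list[str], int]]:
        """Two-hop traversal: incident -> shared entity -> other incidents.

        Returns (other_incident_id, shared_entities, score), best first.
        Customer nodes are skipped: the same victim is not the same attack.
        """
        start = f"incident:{incident_id}"
        hits: dict[str, dict[str, int]] = defaultdict(dict)
        for entity in self.adj.get(start, ()):
            if entity.startswith("customer:"):
                continue
            for other in self.adj[entity]:
                if other == start or not other.startswith("incident:"):
                    continue
                score = (self.weight[frozenset((start, entity))]
                         + self.weight[frozenset((other, entity))])
                hits[other.split(":", 1)[1]][entity] = score
        ranked = sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))
        return [(oid, sorted(ev), sum(ev.values())) for oid, ev in ranked]

    def improve(self, incident_id: str, entity: str) -> int:
        """Analyst confirmed the link: strengthen that edge for later recall."""
        key = frozenset((f"incident:{incident_id}", entity))
        if key not in self.weight:
            raise KeyError(f"no edge between {incident_id} and {entity}")
        self.weight[key] += 1
        return self.weight[key]

    def forget(self, customer: str) -> list[str]:
        """Drop one customer's incidents plus any entity left orphaned;
        shared entities and other customers' incidents stay intact."""
        gone = [i.id for i in self.incidents.values() if i.customer == customer]
        for iid in gone:
            node = f"incident:{iid}"
            for entity in list(self.adj.pop(node, ())):
                self.adj[entity].discard(node)
                self.weight.pop(frozenset((node, entity)), None)
                if not self.adj[entity]:
                    del self.adj[entity]
            del self.incidents[iid]
        return gone

    def keyword_search(self, query: str) -> list[str]:
        """Plain substring search over notes, for contrast with recall()."""
        return [i.id for i in self.incidents.values() if query in i.notes.lower()]


def build_memory() -> ThreatMemory:
    mem = ThreatMemory()
    for inc in SAMPLE_INCIDENTS:
        mem.remember(inc)
    return mem


if __name__ == "__main__":
    mem = build_memory()
    print(mem.keyword_search("script host"))   # finds only INC-0042
    print(mem.recall("INC-0042"))              # finds INC-0007 via the shared technique
```

The real product persists this graph across restarts and lets an LLM narrate the recall() result; the toy above only shows the traversal and forgetting logic, which is where the "memory versus keyword search" difference actually lives.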
What's Next
Over the next few days I'm building out:
- A graph visualization frontend so you can literally see incidents connect
- A "memory vs no-memory" side-by-side demo
- MITRE ATT&CK technique overlays
- A polished demo video
Why This Matters
The real insight from working on this: most hackathon AI projects bolt
memory onto a chatbot as an afterthought. If you removed Cognee from those
projects, they'd basically still work. For ThreatDNA, if you remove Cognee,
there's no product left — the persistent graph memory IS the product.
The LLM just explains what the memory already figured out.
Following along? I'll be posting daily progress on X: https://x.com/KaldeoDev,
and check out the Cognee project
if you want to see what's powering all this.
GitHub repo: https://github.com/Kaldeo1666/ThreatDNA — drop a star if this kind
of project interests you, more updates coming as the hackathon continues.