Sgt.AzureDev

My journey building a Cyber Threat Intelligence Agent with Google Kaggle

Introduction

Hey! I'm a passionate Cybersecurity Threat Intelligence student from India. Recently, I participated in the Google x Kaggle AI Agents Intensive course. For my capstone, I decided to build a Cyber Threat Intelligence (CTI) agent, aiming to automate threat research, correlation, and reporting. In this post I'll walk through why I chose this project, how I built it, what I learned, and my final results.

Why a Threat-Intel Agent?

The cybersecurity landscape grows increasingly complex: SOC teams and defenders are overwhelmed by alerts, CVEs, logs and threat data from many sources.

Manual threat intelligence workflows (looking up vulnerabilities, correlating IOCs, researching threat context, writing reports) are error-prone and slow.

I wanted to explore how modern AI agents could help by automating data gathering, analysis, correlation, and generating structured reports.

This felt like a problem that would benefit greatly from automation and agentic AI.

Overview of the Agent

For the capstone I created the AI Cyber Threat Intel Agent.

It uses a multi-agent architecture: a pipeline where sub-agents perform discrete tasks such as intake, analysis and reporting.

It supports custom security tools, e.g. CVE lookup, threat-intel scraping and log parsing.

It keeps a persistent investigation context / memory (session storage + long-term threat-intel storage) so that accumulated intelligence can be reused.

As input, you can feed a vulnerability (e.g. a CVE), logs, or threat indicators and the agent will fetch related intel, analyze, correlate, and produce a structured threat report with contextual information and risk assessment.

I used Python and leveraged the agent framework from the course.

My Demo & Results

Using the AI Cyber Threat Intel Demo notebook

I tested the agent with sample inputs, e.g. a CVE lookup (vulnerability), sample security log events (failed logins, suspicious IPs), and threat indicators (suspicious hashes or domains).

The agent was able to gather relevant public intel about the vulnerability and related threats (CVEs, known exploit campaigns), correlate it with the given log or indicator data, and produce a consolidated threat intelligence report summarizing the findings: what the threat is, historical context, severity, and actionable recommendations (e.g. patching advice, hardening measures).

This demonstrates how an AI-driven workflow can reduce manual effort in the early stages of threat intel work and produce a clean, auditable report instantly.
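The intake → analysis → reporting pipeline from the overview, run on the kind of demo inputs described above, as an added framework-free Python sketch (not the code from the author's repository or the course agent framework): the sub-agents are plain functions sharing one Investigation context, the log lines and threat-intel store are constructed, and the scoring and risk thresholds are assumptions.

```python
import re

# Constructed sample log events (failed logins from one source IP); not real data.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:03 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:05 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:02:00 sshd: Accepted password for alice from 198.51.100.4",
]
# Constructed long-term threat-intel store standing in for the agent's memory.
THREAT_INTEL = {"203.0.113.7": {"tag": "known brute-force source", "score": 7}}

class Investigation:
    def __init__(self):
        self.indicators, self.findings = {}, []  # intake output, analysis output
        self.memory = dict(THREAT_INTEL)         # persistent context shared by sub-agents

def intake(ctx, raw_inputs):
    """Sub-agent 1: classify each raw input as a CVE, IP, hash or domain."""
    patterns = {"cve": r"^CVE-\d{4}-\d{4,}$", "ip": r"^\d{1,3}(\.\d{1,3}){3}$",
                "sha256": r"^[0-9a-f]{64}$", "domain": r"^[a-z0-9.-]+\.[a-z]{2,}$"}
    for item in raw_inputs:
        for kind, pattern in patterns.items():
            if re.match(pattern, item, re.I):
                ctx.indicators[item] = kind
                break  # unrecognised inputs are dropped, not guessed
    return ctx

def analyze(ctx, logs):
    """Sub-agent 2: correlate each indicator with the logs and stored intel."""
    for ioc, kind in ctx.indicators.items():
        hits = [line for line in logs if ioc in line]
        failed = sum("Failed password" in line for line in hits)
        intel = ctx.memory.get(ioc)
        score = (intel["score"] if intel else 0) + min(failed, 5)  # assumed rule; cap log weight
        ctx.findings.append({"ioc": ioc, "type": kind, "log_hits": len(hits), "failed_logins": failed,
                             "score": score, "context": intel["tag"] if intel else "no prior intel"})
        ctx.memory.setdefault(ioc, {"tag": "seen in investigation", "score": score})
    return ctx

def report(ctx):
    """Sub-agent 3: render a structured report with a risk rating per finding."""
    rating = lambda s: "high" if s >= 8 else "medium" if s >= 4 else "low"  # assumed thresholds
    return {"indicators": len(ctx.indicators),
            "findings": [dict(f, risk=rating(f["score"])) for f in ctx.findings],
            "recommendations": [f"Block or rate-limit {f['ioc']}" for f in ctx.findings if f["score"] >= 8]}

def run_pipeline(raw_inputs, logs=SAMPLE_LOGS, ctx=None):
    ctx = ctx if ctx is not None else Investigation()  # pass ctx to reuse memory across runs
    return report(analyze(intake(ctx, raw_inputs), logs))
```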

What I Learned from the Intensive Course and My Capstone Work

Building a multi-agent pipeline forced me to think modularly: intake → analysis → reporting mirrors real SOC workflows, and that modularization makes the system extensible.

It is important to maintain state, context and memory: threat intel often spans multiple sources and events, and without memory there's a risk of losing correlation across events.

Structured threat data (CVEs, logs) has to be combined with unstructured, human-readable intel (reports, forums, OSINT feeds); AI agents excel at bridging that gap by parsing, summarizing and correlating.

Even a demo like this shows the potential to speed up triage and intelligence workflows, and hints at how AI and human analysts can work together in cybersecurity.

Challenges & What I Would Improve

In reality, data sources are messy, noisy, and sometimes unreliable. I’d need robust validation, error handling, and integration with live threat intel feeds.

For production, I would need secure handling of credentials, better logging and audit trails, and possibly fine tuned models or retrieval pipelines for accuracy.

I could expand the agent with more functionality, e.g. periodic automated scanning, integration with security tools (SIEM, EDR), automated alerting, and enriched vulnerability context (asset-specific risk).

Conclusion & My Thoughts

The capstone project and the course were a powerful learning experience. They helped me understand how agentic AI systems can be applied to cybersecurity challenges.

By automating data collection, correlation, and reporting, such agents promise to help security teams reduce their workload, leaving room for deeper analysis and response. I believe this hybrid of AI and human oversight is where the future of threat intelligence lies.

My capstone project is published on GitHub: https://github.com/SgtAzureDev/ai-cyber-threat-intel-agent

The Demo Kaggle Notebook I made for simulating how the agent works: https://www.kaggle.com/code/sreelakshmipanicker/ai-cyber-threat-intel-demo

If you're thinking of building something similar, or are curious about AI for cybersecurity, I encourage you to try! The sky's the limit.