Hot Off the Presses: AI Agents as Your Organization's Personal Security Newsroom

Thursday, August 21, 2025
11:00 AM
COMMSEC TRACK

About This Talk

This talk will cover the use of Large Language Model (LLM) agent workflows (agentic AI) to coordinate the research and compilation of a cyber threat intelligence feed tailored to the threat model of a given organization.


We begin with a review of the current commercial threat intelligence landscape and its associated challenges, including overgeneralization and a lack of specificity, particularly within non-US regions, and then provide a definition and description of LLM agent workflows. We then present an architecture where the AI agents autonomously search a wide range of public and private data sources for relevant new threat intelligence, which is then aggregated and compiled into a single deliverable in the recipient's format of choice (email, etc.).


The technical architecture is enabled by the development of per-source Model Context Protocol (MCP) servers, which we show can be generated by an LLM to rapidly integrate new sources. We demonstrate the configurability of the architecture through the guided selection of specific threat actors, techniques, targets, or technologies, which enables a bias towards the most recent, actionable data.


We also address security considerations such as input sanitization to avoid common security issues such as prompt injection or data poisoning. For future considerations, we discuss the incorporation of multi-modal intelligence sources such as podcasts or videos, as well as the integration of this system into a larger vulnerability management ecosystem with automated remediation of newly-reported security gaps.

llm, mcp