My journey building a Cyber Threat Intelligence Agent with Google Kaggle

Published: (December 7, 2025 at 02:17 AM EST)
3 min read
Source: Dev.to

Introduction

Hey! I’m a passionate Cybersecurity Threat Intelligence student from India. Recently, I participated in the Google × Kaggle AI Agents Intensive course. For my capstone, I decided to build a Cyber Threat Intelligence (CTI) agent, aiming to automate threat research, correlation, and reporting. In this post I’ll walk through why I chose this project, how I built it, what I learned, and my final results.

Why a Threat‑Intel Agent?

  • The cybersecurity landscape is increasingly complex; SOC teams and defenders are overwhelmed by alerts, CVEs, logs, and threat data from many sources.
  • Manual threat‑intelligence workflows (looking up vulnerabilities, correlating IOCs, researching threat context, writing reports) are slow and error‑prone.
  • I wanted to explore how modern AI agents could help by automating data gathering, analysis, correlation, and the generation of structured reports.
  • Each of those steps is repetitive and well enough specified to hand to an agent, which makes the problem a good fit for automation and agentic AI.

Overview of the Agent

For the capstone I created the AI Cyber Threat Intel Agent.

  • It uses a multi‑agent architecture: a pipeline where sub‑agents perform discrete tasks such as intake, analysis, and reporting.
  • It supports custom security tools (e.g., CVE lookup, threat‑intel scraping, log parsing).
  • It keeps a persistent investigation context/memory (session storage + long‑term threat‑intel storage) so that accumulated intelligence can be reused.
  • Input can be a vulnerability (e.g., a CVE), logs, or threat indicators; the agent fetches related intel, analyzes, correlates, and produces a structured threat report with contextual information and risk assessment.
  • Implemented in Python, leveraging the agent framework from the course.

My Demo & Results

Using the AI Cyber Threat Intel Demo notebook, I tested the agent with sample inputs:

  • CVE lookup (vulnerability)
  • Sample security log events (failed logins, suspicious IPs)
  • Threat indicators (suspicious hashes or domains)

The agent gathered relevant public intel about the vulnerability and known exploit campaigns, correlated it with the provided log or indicator data, and produced a consolidated threat‑intelligence report summarizing findings, historical context, severity, and actionable recommendations (e.g., patching advice, hardening measures). This demonstrates how an AI‑driven workflow can reduce manual effort in the early, staging phase of threat‑intel work and deliver a structured report without an analyst drafting it by hand.
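To make the intake → analysis → reporting split and the demo inputs concrete, here is a compact version of such a pipeline in Python. This is an added example written for this post, not the capstone's code: the intel store, the session memory, the indicators and the sshd log lines are constructed stand‑ins (only CVE-2021-44228 is a real identifier), and every function and field name is my own. The security‑relevant part is the intake stage. Indicators are refanged, shape‑checked and dropped if they match nothing, and free‑text log lines are reduced to (user, IP) pairs, so only validated values reach correlation and the report rather than raw scraped or pasted text.

```python
import json
import re
from collections import Counter

# Constructed stand-in for the agent's long-term threat-intel store; a real agent would
# fill it from CVE/feed lookups. Only the Log4Shell CVE is real, the rest is made up.
INTEL_STORE = {
    "ipv4": {"198.51.100.23": "credential-stuffing source (constructed)"},
    "domain": {"evil-updates.example": "C2 domain (constructed)"},
    "sha256": {"a" * 64: "commodity stealer sample (constructed)"},
    "cve": {"CVE-2021-44228": "Log4Shell, CVSS 10.0, exploited in the wild"},
}

# Intake: undo common defanging, then classify by shape. Input that matches no
# pattern is dropped instead of being forwarded to lookups or the model.
_DEFANG = (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"))
_PATTERNS = {
    "cve": re.compile(r"^CVE-\d{4}-\d{4,}$", re.I),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
}
_SSHD_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def normalize_indicator(raw):
    """Return (kind, canonical value) for a usable indicator, or None for junk."""
    value = raw.strip()
    for defanged, real in _DEFANG:
        value = value.replace(defanged, real)
    if value.lower().startswith(("http://", "https://")):
        value = value.split("/")[2]  # keep only the host of a URL
    for kind, pattern in _PATTERNS.items():
        if pattern.match(value):
            if kind == "ipv4" and any(int(octet) > 255 for octet in value.split(".")):
                return None
            return kind, (value.upper() if kind == "cve" else value.lower())
    return None

def parse_auth_logs(lines):
    """Reduce sshd-style log lines to (user, source_ip) pairs for failed logins only."""
    return [(m.group("user"), m.group("ip")) for m in map(_SSHD_FAIL.search, lines) if m]

class InvestigationMemory:
    """Session/long-term context: verdicts from earlier runs, so repeats are recognised."""
    def __init__(self):
        self.verdicts = {}
    def recall(self, value):
        return value in self.verdicts
    def remember(self, value, verdict):
        self.verdicts[value] = verdict

def analyze(indicators, events, memory, threshold=3):
    """Correlate log events and indicators with the intel store and memory."""
    findings = []
    for ip, count in Counter(ip for _, ip in events).items():
        if count >= threshold:  # brute-force heuristic: many failures from one source
            findings.append({"kind": "ipv4", "value": ip, "source": f"{count} failed logins", "intel": INTEL_STORE["ipv4"].get(ip)})
    for kind, value in indicators:
        findings.append({"kind": kind, "value": value, "source": "submitted indicator", "intel": INTEL_STORE.get(kind, {}).get(value)})
    for fnd in findings:
        fnd["seen_before"] = memory.recall(fnd["value"])
        memory.remember(fnd["value"], fnd["intel"])
    return findings

def build_report(findings, dropped):
    """Reporting: severity plus concrete next steps, in a structure a SIEM or ticket can take."""
    hits = [fnd for fnd in findings if fnd["intel"]]
    brute = [fnd for fnd in findings if fnd["source"].endswith("failed logins")]
    severity = "critical" if hits else "high" if brute else "low"
    steps = [f"block or rate-limit {fnd['value']} and require key-based SSH auth" for fnd in brute]
    steps += [f"patch {fnd['value']}: {fnd['intel']}" for fnd in hits if fnd["kind"] == "cve"]
    steps += [f"hunt for {fnd['value']} in EDR and proxy logs" for fnd in hits if fnd["kind"] != "cve"]
    return {"severity": severity, "findings": findings, "dropped_inputs": dropped, "recommendations": steps}

def run_investigation(raw_indicators, log_lines, memory):
    """The whole pipeline: intake -> analysis -> reporting."""
    normalized = [(raw, normalize_indicator(raw)) for raw in raw_indicators]
    findings = analyze([n for _, n in normalized if n], parse_auth_logs(log_lines), memory)
    return build_report(findings, [raw for raw, n in normalized if n is None])

# Constructed sample inputs: one defanged URL, one CVE, one hash, two junk values,
# and five sshd lines with three failures from a single source.
SAMPLE_INDICATORS = ["hxxp://evil-updates[.]example/payload.bin", "cve-2021-44228", "A" * 64, "999.1.1.1", "not an indicator"]
SAMPLE_LOGS = [
    "Dec  7 01:02:03 bastion sshd[812]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2",
    "Dec  7 01:02:05 bastion sshd[812]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2",
    "Dec  7 01:02:09 bastion sshd[812]: Failed password for root from 198.51.100.23 port 51251 ssh2",
    "Dec  7 01:03:10 bastion sshd[815]: Accepted publickey for deploy from 203.0.113.9 port 40000 ssh2",
    "Dec  7 01:04:00 bastion sshd[819]: Failed password for alice from 203.0.113.9 port 40010 ssh2",
]

if __name__ == "__main__":
    print(json.dumps(run_investigation(SAMPLE_INDICATORS, SAMPLE_LOGS, InvestigationMemory()), indent=2))
```

Running the module prints the JSON report for the sample data. Feeding the same inputs through a second time with the same InvestigationMemory marks every finding as seen_before, which is the behaviour the persistent investigation context described above is meant to give you; the two junk inputs end up in dropped_inputs rather than silently disappearing, so the analyst can see what the intake stage refused.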

What I Learned from the Intensive Course and My Capstone Work

  • Building a multi‑agent pipeline forced me to think modularly (intake → analysis → reporting), mirroring real SOC workflows and making the system extensible.
  • Maintaining state and context is crucial; threat intel often spans multiple sources and events, and without memory correlation can be lost.
  • Combining structured data (CVEs, logs) with unstructured intel (reports, forums, OSINT feeds) is where LLM‑based agents are most useful: parsing, summarizing, and correlating disparate information.
  • Even a demo shows potential to speed up triage and intelligence workflows, hinting at how AI and human analysts can collaborate in cybersecurity.

Challenges & What I Would Improve

  • Real‑world data sources are messy, noisy, and sometimes unreliable; robust validation, error handling, and integration with live threat‑intel feeds are needed. Scraped pages and pasted logs should be treated as untrusted data, not as instructions to the model, so only validated indicators and parsed fields should reach the analysis and reporting steps.
  • For production, secure handling of credentials (feed and API keys kept out of prompts and logs), better logging, and an audit trail of every tool call and lookup are essential, along with possibly fine‑tuned models or retrieval pipelines for higher accuracy.
  • Future expansions could include periodic automated scanning, integration with security tools (SIEM, EDR), automated alerting, and enriched vulnerability context (asset‑specific risk).

Conclusion & My Thoughts

The capstone project and the course were a powerful learning experience, showing how agentic AI systems can be applied to cybersecurity challenges. By automating data collection, correlation, and reporting, such agents promise to help security teams reduce workload, freeing analysts for deeper investigation and response. I believe this hybrid of AI and human oversight is where the future of threat intelligence lies.

  • GitHub repository:
  • Demo Kaggle Notebook: