
JakeBx/agentic-cti


Agentic CTI

An agentic threat intelligence platform that orchestrates specialised sub-agents to answer complex CTI queries, enrich and persist intelligence, and deliver scheduled briefings. A managing CodeAgent (powered by smolagents) coordinates domain-specific agents — selecting and delegating to whichever combination is needed for the task.

Managing Agent
├── OpenCTI Agent         — structured CTI: threat actors, TTPs, malware, reports
├── OpenCTI Writer Agent  — persist reports, notes, indicators, and relationships back to OpenCTI
├── OSINT Agent           — CVE/NVD, CISA KEV, AlienVault OTX, asset-correlated vuln prioritisation
├── ATT&CK Agent          — MITRE ATT&CK Navigator layer generation from OpenCTI Attack-Patterns
├── Wikipedia Agent       — background context on threat actors and techniques
└── Refine Task Agent     — LLM-only task reformulation and query clarification

Agent configurations, model selections, and tool composition are managed via Hydra, making it straightforward to swap models and sweep across architectures without changing code.


Supported Use Cases

Intelligence Retrieval

  • Threat actor and campaign profiling — search OpenCTI Intrusion-Set and Campaign objects, enriched with Wikipedia background context
  • TTP and attack pattern discovery — query OpenCTI Attack-Pattern and Course-Of-Action objects aligned to MITRE ATT&CK
  • Malware and tool analysis — search OpenCTI Arsenal (Malware, Tool, Vulnerability objects)
  • Report and analysis retrieval — fetch recent Notes and Reports from OpenCTI filtered by keyword and time window
  • IOC reputation lookup — query AlienVault OTX for IP addresses, domains, file hashes, CVEs, and more

Vulnerability Intelligence

  • CVE research — keyword and ID-based search across NIST NVD
  • Known exploited vulnerability triage — retrieve and filter the CISA KEV list by product or keyword
  • Asset-correlated vulnerability prioritisation — cross-reference a comma-separated list of system names or vendor/product keywords against CISA KEV and NVD; results sorted by KEV status and CVSS score

ATT&CK Integration

  • Navigator layer generation — produce ATT&CK Navigator JSON for a named threat actor or keyword by querying OpenCTI Attack-Patterns; output is importable directly into the ATT&CK Navigator
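An added example (not the project's attack_tools code) of turning Attack-Pattern records into a layer the ATT&CK Navigator will import. It assumes each record carries OpenCTI's x_mitre_id field; the version numbers, colours and sample records are assumptions, and the sample is constructed rather than an attribution to any actor.

```python
import json
import re
from collections import Counter

ID_RE = re.compile(r"T\d{4}(\.\d{3})?")  # technique or sub-technique ID

# Constructed sample: records as an Attack-Pattern search might return them.
PATTERNS = [
    {"name": "Phishing", "x_mitre_id": "T1566"},
    {"name": "Spearphishing Attachment", "x_mitre_id": "T1566.001"},
    {"name": "Valid Accounts", "x_mitre_id": "T1078"},
    {"name": "Phishing", "x_mitre_id": "T1566"},           # seen in a second report
    {"name": "Internal pattern", "x_mitre_id": None},      # no ATT&CK mapping
    {"name": "Bad mapping", "x_mitre_id": "phishing-01"},  # malformed ID
]

def build_layer(name, patterns):
    """Build a Navigator layer dict; score = number of records per technique."""
    counts, names = Counter(), {}
    for p in patterns:
        tid = p.get("x_mitre_id") or ""
        if not ID_RE.fullmatch(tid):
            continue  # unmapped or malformed: Navigator cannot place it
        counts[tid] += 1
        names.setdefault(tid, p["name"])
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Generated from OpenCTI Attack-Patterns",
        "techniques": [
            {"techniqueID": t, "score": n, "comment": names[t], "enabled": True}
            for t, n in sorted(counts.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }

if __name__ == "__main__":
    print(json.dumps(build_layer("Sample layer", PATTERNS), indent=2))
```

Records without a well-formed technique ID are dropped rather than written into the layer, so output from an agent that mislabels a technique cannot produce entries the Navigator would silently ignore.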

Intelligence Persistence

  • Write-back to OpenCTI — create Reports, Notes, Indicators (IOCs), and STIX Relationships from agent-synthesised intelligence, marked TLP:AMBER by default

Reporting

  • On-demand threat briefs — generate structured markdown reports for government, financial, or sector-specific audiences via the Gradio UI or REST API
  • Scheduled briefings — automated cron-driven reports saved as markdown files (weekly threat brief, daily KEV digest, monthly threat actor review)

Programmatic Integration

  • REST API — submit tasks and retrieve results over HTTP for SIEM/SOAR integration and pipeline automation

Architecture

Agent Types

Three agent architectures are available, selectable via conf/dashboard.yaml:

| Type | Description |
| --- | --- |
| managing | Orchestrating coordinator that dynamically delegates to specialised sub-agents. Recommended for complex, multi-source queries. |
| all_in_one | Single agent with access to all tools. Simpler reasoning path; lower overhead for straightforward tasks. |
| simple | Single domain-specific agent (e.g. opencti, osint, attack). Useful for focused queries. |

Models

All models are accessed via OpenRouter:

| Key | Model |
| --- | --- |
| ms_ds_r1 | Microsoft MAI-DS R1 (default) |
| qwen_235b | Qwen 3 235B |
| qwen_2.5_coder | Qwen 2.5 Coder 32B |
| deepseek_r1 | DeepSeek R1 |

Tools

| Module | Tool | Source |
| --- | --- | --- |
| opencti_tools | search_analyses | OpenCTI Notes & Reports |
| | search_threats | OpenCTI Intrusion-Sets & Campaigns |
| | search_techniques | OpenCTI Attack-Patterns & Courses of Action |
| | search_arsenal | OpenCTI Malware, Tools & Vulnerabilities |
| | get_systems | OpenCTI System inventory |
| opencti_write_tools | create_report | OpenCTI write (TLP:AMBER default) |
| | create_note | OpenCTI write |
| | create_indicator | OpenCTI write |
| | create_relationship | OpenCTI write |
| osint_tools | search_cves | NIST NVD |
| | get_cve | NIST NVD |
| | get_all_exploited_vulnerabilities | CISA KEV |
| | vulnerabilities_keyword_filter | CISA KEV |
| | search_indicator | AlienVault OTX |
| | correlate_systems_with_vulnerabilities | CISA KEV + NIST NVD |
| attack_tools | generate_navigator_layer | OpenCTI → ATT&CK Navigator JSON |
| general | todays_date | System date |

Building and Running the Project

Prerequisites

  • Python 3.11 (conda recommended)
  • A running OpenCTI instance
  • API keys for OpenRouter and AlienVault OTX

Environment Variables

Create a .env file in the project root:

OPENCTI_URL=http://localhost:8080
OPENCTI_TOKEN=your_opencti_token
ALIENVAULT_API_KEY=your_alienvault_api_key
OPENROUTER_API_KEY=your_openrouter_api_key

Setting Up the Environment

conda create -n agentic-cti python=3.11
conda activate agentic-cti
pip install -r requirements.txt

Running the Gradio UI

python dashboard.py

The interactive chat interface will be available at http://localhost:7861. The default configuration uses the Microsoft MAI-DS R1 model with the managing_agent architecture.

Running with Docker

docker build -t threat-intel-agent .
docker run -p 7861:7861 --env-file .env threat-intel-agent

Running the REST API

The REST API exposes the agent system over HTTP for SIEM/SOAR integration and automation pipelines.

uvicorn api:app --host 0.0.0.0 --port 8000

Endpoints:

| Method | Path | Description |
| --- | --- | --- |
| POST | /query | Submit a task; returns a job ID immediately |
| GET | /results/{id} | Poll for results by job ID |
| GET | /health | Liveness check |

Example:

# Submit a task
curl -X POST http://localhost:8000/query \
  -H "Content-Type: application/json" \
  -d '{"task": "What are the top 5 TTPs used by APT28?", "agent": "managing_agent", "model": "ms_ds_r1"}'

# Poll for the result
curl http://localhost:8000/results/<job-id>

Running the Scheduler

The scheduler runs automated threat briefings on a cron schedule, saving markdown reports to the reports/ directory.

python scheduler.py

Default schedules (configurable in conf/schedules.yaml):

| Schedule | Cron | Description |
| --- | --- | --- |
| weekly_threat_brief | Monday 08:00 UTC | Weekly threat intelligence summary |
| daily_kev_digest | Daily 07:00 UTC | New CISA KEV entries from the past 24 hours |
| monthly_threat_actor_review | 1st of month 09:00 UTC | Monthly review of active threat actors |

To modify schedules or add new ones, edit conf/schedules.yaml. Each entry specifies a cron expression, agent, model, and task prompt.


Running Evaluations

Tasks are defined in task.txt (one per line). Each run saves a JSON result to results/ containing the model name, agent name, raw output, and quality scores.

Run a single configuration (defaults to qwen_2.5_coder + managing_agent):

python evaluations.py

Sweep all model × agent combinations in parallel:

python evaluations.py --multirun

The sweep covers {qwen_235b, qwen_2.5_coder, deepseek_r1} × {managing_agent, all_task_agent, opencti, osint, wikipedia}. Sweep configuration is in conf/validation.yaml.

Each result includes a scores block with heuristic quality signals (markdown structure, recommendation content, threat actor mentions) to support comparison across runs.


Synthetic Organisation Test Harness

The project includes a reference synthetic organisation profile — the Federal Financial Intelligence Unit (FFIU) — for use in integration testing and evaluation against realistic, organisation-scoped scenarios.

Why a Synthetic Organisation?

Generic evaluation tasks (task.txt) test general capability but cannot validate asset-specific queries like "which of our systems have known exploited vulnerabilities?" or "generate an ATT&CK layer for the threat actors targeting us." The FFIU profile fills this gap by providing a realistic but entirely fictional organisation with a defined asset inventory and threat actor context.

FFIU Profile

Name:    Federal Financial Intelligence Unit (FFIU)
Sector:  Government / Financial Regulation
Mission: Financial crime intelligence, interbank reporting, sanctions monitoring
Staff:   800  |  Systems: 60

Representative system inventory (subset used in harness tasks):

| System | Vendor | Product | Criticality |
| --- | --- | --- | --- |
| Case Management Platform | Palantir | Gotham | Critical |
| Sanctions Screening Engine | Actimize | AML/Sanctions | Critical |
| Interbank Messaging Gateway | SWIFT | Alliance Gateway | Critical |
| SIEM | Splunk | Enterprise | High |
| Identity & Access Management | Okta | Workforce Identity | High |
| VPN / Remote Access | Palo Alto | GlobalProtect | High |
| Financial Reporting Portal | Microsoft | SharePoint | High |
| Email Gateway | Proofpoint | Email Protection | Medium |

Threat actors of concern: APT28, APT41, FIN7, Lazarus Group, TA505

Harness Tasks

These tasks exercise the four priority use cases against the FFIU context:

  1. Vulnerability prioritisation (US-03) — Cross-reference CISA KEV and NVD against FFIU's system inventory and return a prioritised remediation list
  2. ATT&CK Navigator (US-05) — Generate an ATT&CK Navigator JSON layer for APT28 and Lazarus Group targeting financial regulatory infrastructure
  3. Detection rule generation (US-06) — Produce Sigma detection rules for the top 5 TTPs used by FIN7 against financial sector organisations
  4. Scheduled threat brief (US-04) — Generate a weekly threat brief for FFIU scoped to APT28, APT41, and FIN7 activity

To run FFIU-scoped tasks against the managing agent:

# Example — asset-correlated vulnerability prioritisation
# Adjust the task text to match the FFIU system inventory
python evaluations.py agent_name=managing_agent model_name=ms_ds_r1

For full harness automation with a seeded OpenCTI instance, see tests/fixtures/ (seed scripts to be added).
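The ranking that harness task 1 asks for, as an added example (not the project's correlate_systems_with_vulnerabilities code): product keywords from the FFIU inventory are matched against KEV and NVD records, then sorted by KEV status and CVSS score. Substring matching and the simplified NVD record shape are assumptions; the CVE IDs are placeholders and every record is constructed.

```python
# Constructed sample data: placeholder CVE IDs and scores, not real advisories.
KEV = [  # field names follow the CISA KEV JSON catalogue
    {"cveID": "CVE-0000-0001", "vendorProject": "Palo Alto Networks", "product": "GlobalProtect"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "SharePoint"},
    {"cveID": "CVE-0000-0005", "vendorProject": "Proofpoint", "product": "Email Protection"},
]
NVD = [  # simplified NVD view (assumption): id, description, CVSS base score
    {"id": "CVE-0000-0001", "description": "Constructed record: Palo Alto GlobalProtect", "cvss": 8.1},
    {"id": "CVE-0000-0002", "description": "Constructed record: Microsoft SharePoint", "cvss": 9.8},
    {"id": "CVE-0000-0003", "description": "Constructed record: Splunk Enterprise", "cvss": 9.1},
    {"id": "CVE-0000-0004", "description": "Constructed record: Okta Workforce Identity", "cvss": 5.3},
    {"id": "CVE-0000-0006", "description": "Constructed record: unrelated product", "cvss": 10.0},
]

def correlate(systems_csv, kev, nvd):
    """Return one finding per matching CVE: KEV-listed first, then CVSS descending."""
    keywords = [k.strip().lower() for k in systems_csv.split(",") if k.strip()]
    kev_text = {e["cveID"]: f'{e["vendorProject"]} {e["product"]}'.lower() for e in kev}
    nvd_by_id = {r["id"]: r for r in nvd}
    findings = []
    for cve in sorted(set(kev_text) | set(nvd_by_id)):
        record = nvd_by_id.get(cve, {})
        haystack = kev_text.get(cve, "") + " " + record.get("description", "").lower()
        hits = [k for k in keywords if k in haystack]
        if hits:
            findings.append({"cve": cve, "matched": hits,
                             "kev": cve in kev_text, "cvss": record.get("cvss")})
    # KEV entries first; a KEV entry with no NVD score sorts last in its group
    # but still ahead of every non-KEV finding.
    findings.sort(key=lambda f: (not f["kev"], -(f["cvss"] or 0.0)))
    return findings

if __name__ == "__main__":
    for f in correlate("GlobalProtect, SharePoint, Splunk, Okta, Proofpoint", KEV, NVD):
        print(f)
```

With this ordering a KEV-listed finding with no CVSS score still outranks a 9.1 that is not in KEV, which is the behaviour to check for when reviewing an agent's remediation list.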


Running Tests

pytest tests/

Project Structure

agentic-cti/
├── agents.py                    # Agent factory — simple, all-in-one, and managing configurations
├── api.py                       # FastAPI REST interface (port 8000)
├── dashboard.py                 # Gradio UI entry point (port 7861)
├── scheduler.py                 # APScheduler cron runner for automated briefings
├── evaluations.py               # Evaluation harness — sweeps model × agent combinations
├── task.txt                     # Evaluation task definitions (one per line)
├── Dockerfile                   # Container build
├── requirements.txt             # Python dependencies
├── conf/
│   ├── dashboard.yaml           # Model library, agent library, default selections
│   ├── schedules.yaml           # Scheduled briefing definitions (cron, agent, model, task)
│   └── validation.yaml          # Evaluation sweep parameters
├── tools/
│   ├── __init__.py              # Package exports
│   ├── opencti_tools.py         # Read tools: search threats, techniques, arsenal, analyses, systems
│   ├── opencti_write_tools.py   # Write tools: create reports, notes, indicators, relationships
│   ├── osint_tools.py           # OSINT tools: NVD, CISA KEV, AlienVault OTX, asset correlation
│   ├── attack_tools.py          # ATT&CK Navigator layer generation
│   └── general.py               # Utility tools (todays_date)
├── tests/
│   ├── test_agents.py           # Agent factory and scoring tests
│   └── test_tools.py            # Tool functionality tests
├── experiments/
│   └── dspy_agent.py            # Experimental DSPy-based implementation (not integrated)
└── reports/                     # Output directory for scheduled briefing markdown files

About

A smolagents implementation of ad-hoc agentic threat intelligence on top of OpenCTI.
