
PrymalInstynct/CTI_Agent


Cyber Threat Intelligence Agent

A command-line tool for comprehensive threat intelligence analysis of software applications.

Features

  • Automated SBOM Analysis: Parses CycloneDX SBOMs (JSON/XML) to identify all software components.
  • AI-Powered Vulnerability Enrichment: Leverages the Gemini 2.5 Flash model to:
    • Generate an AI-powered executive summary of the findings.
    • Dynamically construct accurate Common Platform Enumeration (CPE) strings for components.
    • Map vulnerabilities to MITRE ATT&CK® tactics and techniques to understand adversary behavior.
    • Identify the underlying software weaknesses by linking to the Common Weakness Enumeration (CWE™).
    • Find and provide actionable defensive measures, including Sigma, Snort, and Yara rules.
  • Real-World Threat Correlation: Flags vulnerabilities present in the CISA Known Exploited Vulnerabilities (KEV) catalog, highlighting immediate threats.
  • Exploit Prediction Scoring System (EPSS) Integration: Incorporates EPSS scores to prioritize vulnerabilities based on the probability of exploitation in the wild.
  • Intelligent Risk Prioritization: Moves beyond simple CVSS scores by using a multi-factor algorithm to prioritize vulnerabilities based on severity, real-world exploitation, predicted exploitability (EPSS), and potential impact.
  • Persistent Analysis: Stores every analyzed SBOM in a local MongoDB database for historical tracking and future analysis, with de-duplication to prevent redundant entries.
  • Interactive Chat Mode: Allows users to query stored SBOM and vulnerability data using natural language.

Prerequisites

  • Python 3.10+
  • uv
  • Docker (for MongoDB)

Installation

  1. Clone the repository:

    git clone https://github.com/your-username/cyber-threat-agent.git
    cd cyber-threat-agent
  2. Create a virtual environment and install dependencies:

    uv venv
    uv pip install -e . # or `pip install -e .`

Configuration

  1. Create a .env file from the example:

    cp .env.example .env
  2. Obtain the necessary API keys and update the .env file:

    • GEMINI_API_KEY: Your Google Gemini API key.
    • NVD_API_KEY: Your NVD API key (requested from the NVD API Key Request page). This is highly recommended to avoid rate limiting and to ensure reliable vulnerability lookups.

Database and Vector Store Setup (MongoDB & ChromaDB)

  1. Start local MongoDB and ChromaDB instances using Docker Compose:

    docker-compose up -d
  2. Update the .env file with your MongoDB and ChromaDB connection details if they differ from the defaults.

Usage

  • Source the Python virtual environment:

    source .venv/bin/activate
  • Analyze an SBOM:

    cti-agent analyze --sbom-file <path-to-your-sbom.json> [--crawl-depth <depth>]
  • Update local threat intelligence data:

    cti-agent update-data
  • Start interactive chat mode:

    cti-agent chat

Report Output

The agent generates a comprehensive Markdown report saved to the reports/ directory. The report includes:

  • An Executive Summary with key metrics, generated by an AI.
  • A Prioritized Vulnerabilities table, ordered by the calculated RiskScore.
  • Detailed analysis for each high-priority vulnerability, including:
    • CVE ID, CVSS score, CISA KEV status, and EPSS score.
    • Hyperlinked CWE and MITRE ATT&CK mappings.
    • Actionable defensive measures (Sigma, Snort, Yara rules), with clear indication if none are found.

The report filename follows a convention like report-<sbom_name>-<timestamp>.md.
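As an added example (not code from the project), the pipeline sketched in the Features and Report Output sections end to end: parse the components of a CycloneDX JSON SBOM, flag findings against a KEV-style catalog, and rank them with a multi-factor score that lets a KEV-listed, high-EPSS finding outrank a higher-CVSS one. The SBOM and KEV excerpts, the findings and the CVE placeholders are constructed, and the weights are illustrative rather than the project's own RiskScore formula.

```python
import json

# Constructed CycloneDX JSON SBOM fragment (not a real file from the project).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-http", "version": "1.2.3", "purl": "pkg:pypi/acme-http@1.2.3"},
    {"type": "library", "name": "acme-json", "version": "0.9.0", "purl": "pkg:pypi/acme-json@0.9.0"}
  ]
}"""

# Constructed excerpt in the shape of the CISA KEV catalog ("vulnerabilities" list keyed by cveID).
KEV_JSON = '{"vulnerabilities": [{"cveID": "CVE-0000-0002"}]}'

# Constructed findings: the CVE ids are placeholders and the CVSS/EPSS values are illustrative.
FINDINGS = [
    {"cve": "CVE-0000-0001", "component": "acme-http", "cvss": 9.8, "epss": 0.02, "exposed": True},
    {"cve": "CVE-0000-0002", "component": "acme-http", "cvss": 7.5, "epss": 0.90, "exposed": True},
    {"cve": "CVE-0000-0003", "component": "acme-json", "cvss": 5.3, "epss": 0.01, "exposed": False},
]

def parse_cyclonedx(text):
    """Return (name, version, purl) for each component of a CycloneDX JSON SBOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c.get("version", ""), c.get("purl", "")) for c in bom.get("components", [])]

def load_kev_ids(text):
    """Set of CVE ids listed in a KEV-style catalog."""
    return {v["cveID"] for v in json.loads(text)["vulnerabilities"]}

def risk_score(cvss, epss, in_kev, exposed):
    """Illustrative multi-factor score (hypothetical weights, not the project's RiskScore).
    CVSS sets the base, EPSS scales it by exploitation probability, KEV membership adds
    a fixed boost for confirmed exploitation, and network exposure adds an impact factor."""
    score = cvss * 10 * (0.5 + 0.5 * epss)   # CVSS 0-10 -> 0-100, damped by EPSS 0-1
    score += 25 if in_kev else 0
    score += 10 if exposed else 0
    return round(min(score, 100.0), 1)

def prioritize(findings, kev_ids):
    """Attach a KEV flag and risk score to each finding and sort highest risk first."""
    scored = []
    for f in findings:
        in_kev = f["cve"] in kev_ids
        scored.append(dict(f, kev=in_kev, risk=risk_score(f["cvss"], f["epss"], in_kev, f["exposed"])))
    return sorted(scored, key=lambda f: f["risk"], reverse=True)
```

With the constructed inputs, the CVSS 7.5 finding that is in KEV with EPSS 0.90 ranks above the CVSS 9.8 finding with EPSS 0.02, which is the ordering the Prioritized Vulnerabilities table is meant to surface.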

Project Directory Structure

cyber-threat-agent/
|-- .env.example
|-- .gitignore
|-- README.md
|-- pyproject.toml
|-- docker-compose.yml
|-- frameworks/
|   |-- cisa_kev.json
|   |-- cwec_v4.14.xml
|   |-- enterprise-attack.json
|-- reports/
|   |-- .gitkeep
|-- src/
|   |-- cti_agent/
|       |-- __init__.py
|       |-- main.py
|       |-- agent.py
|       |-- tools.py
|       |-- models.py
|       |-- data_manager.py
|       |-- vector_store_manager.py
|-- tests/
|-- vector_store/
