1. Introduction

This notebook demonstrates the architecture and functionality of a CVE-aware LLM triage agent built for contextual prioritization of security incidents.

- Combines semantic search over KEV, NVD, and historical triage records
- Uses an MCP tool-exposing agent to make structured, parsable LLM calls
- Maintains runtime metrics, batched execution, and persistent historical context

Why we do this:
Establishes the overall motivation and scope before diving into implementation. Helps readers orient themselves to why each later component exists.
Goal: Build a CVE-analysis agent for contextual security triage.
Setup: Jupyter notebook, Python 3.10+, Redis via Docker, .env file with OPENAI_API_KEY.


In [3]:
# Install dependencies
# Why we do this:
# Ensures all required Python packages are available in the current environment. This makes the notebook reproducible by others or on fresh systems.
!pip install -r requirements.txt

Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: https://pypi.org/simple, https://pypi.ngc.nvidia.com



[notice] A new release of pip is available: 25.0 -> 25.1.1
[notice] To update, run: C:\Python312\python.exe -m pip install --upgrade pip


# 2. Start Redis (for idempotency cache)

Redis is used by the FastAPI server for request ID deduplication and idempotency protection. Running it locally ensures the pipeline behaves consistently and avoids redundant processing.

In [6]:
# Start Docker Service for Redis:
!docker run -d --name local-redis -p 6379:6379 redis:latest

Unable to find image 'redis:latest' locally
latest: Pulling from library/redis
d76f79e53729: Pulling fs layer
4f4fb700ef54: Pulling fs layer
73134d65a174: Pulling fs layer
e09c770fca85: Pulling fs layer
6162363dcb24: Pulling fs layer
d6b0a8fda729: Pulling fs layer
4f4fb700ef54: Already exists
6162363dcb24: Download complete
d6b0a8fda729: Download complete
e09c770fca85: Download complete
d6b0a8fda729: Pull complete
e09c770fca85: Pull complete
73134d65a174: Download complete
d76f79e53729: Download complete
d76f79e53729: Pull complete
4f4fb700ef54: Pull complete
6162363dcb24: Pull complete
73134d65a174: Pull complete
Digest: sha256:1b7c17f650602d97a10724d796f45f0b5250d47ee5ba02f28de89f8a1531f3ce
Status: Downloaded newer image for redis:latest
docker: Error response from daemon: Conflict. The container name "/local-redis" is already in use by container "d7532e8e07eda16696991be756f16a983f49b82035ed57a286f0bc5f0aaafb22". You have to remove (or rename) that container to be able to reuse that 

3. Project Structure

Display top-level tree
Why we do this:
Helps both the developer and the reader understand the overall folder and file layout of the project. This is especially useful for mapping file roles to architectural components.

.
├── AI Engineer Take-Home Exercise_ Gen AI Agent for Contextual CVE Analysis.pdf
├── Context Summaries
├── RADSecurity_Security_Agent-TakeHome.ipynb
├── README.md
├── README_GEMINI.md
├── __init__.py
├── __pycache__
├── archive
├── data
│   ├── dummy_agent_incident_analyses.json # Synthetic incident analyses for demo's sake
│   ├── dummy_incidents.json # Synthetic historical incidents for demo's sake
│   ├── incident_analysis.db # SQLite database
│   ├── incidents.json # Actual input data, from RAD Security
│   ├── kev.json # Retrieved data via setup/download_cve_data.py
│   ├── nvd_subset.json # Isolated data via setup/download_cve_data.py
│   ├── nvdcve-1.1-2025.json # Uzipped via setup/download_cve_data.py
│   ├── nvdcve-1.1-2025.json.zip # Retrieved data via setup/download_cve_data.py
│   └── vectorstore # FAISS indexes
│       ├── historical_incidents # Dummy historical incidents + actual incidents (added upon analysis)
│       │   ├── index.faiss
│       │   └── index.pkl
│       ├── kev # Generated KEV data index
│       │   ├── index.faiss
│       │   └── index.pkl
│       └── nvd # NVD data index
│           ├── index.faiss
│           └── index.pkl
├── dev
│   ├── incident_dashboard.py # Streamlit app to view SQLite database
│   └── query_db.py # Helper to query SQLite database
├── examples # Posterity, early experiments with MCP server usage
├── experimental # Posterity, early experiments with agents using MCP tools
├── logs
│   ├── server.log
│   └── timing_metrics.log
├── main_security_agent_server.py # FastAPI server, hostss the main agent/LLM logic
├── mcp_cve_server.py # Hosts the tools used by the agent, called as a subprocess in main_security_agent_server.py
├── pyproject.toml
├── pytest.ini
├── requirements.txt
├── run_analysis.py # Main script to run the analysis, calls main_security_agent_server.py asynchronously
├── setup
│   ├── build_dummy_analyses_index.py # Builds the dummy analyses index
│   ├── build_faiss_KEV_and_NVD_indexes.py # Builds the KEV and NVD indexes
│   ├── build_historical_incident_analyses_index.py # Builds the historical incidents index
│   ├── download_cve_data.py # Downloads the CVE data
│   └── README.md # General instructions for initial setup
├── tests # Optional, helpful in early discovery and development
│   ├── __init__.py
│   ├── __pycache__
│   ├── test_decorators.py
│   └── test_mcp_cve_server.py
├── tree_structure.txt # This file for sanity's sake
├── utils # Main utility functions that power the project
│   ├── __init__.py
│   ├── __pycache__
│   ├── datastore_utils.py
│   ├── decorators.py
│   ├── flatteners.py
│   ├── logging_utils.py
│   ├── prompt_utils.py
│   └── retrieval_utils.py
└── uv.lock



4. Data Ingestion

Load and inspect incidents.json
Why we do this:
Verifies the most essential input dataset is present, correctly formatted, and structured. This provides a foundation for downstream processing like semantic search and matching.


In [9]:
import json
from pathlib import Path

data_dir = Path('data')
with open(data_dir / 'incidents.json') as f:
    incidents = json.load(f)

# Display number of incidents and first entry keys
print(f"Total incidents: {len(incidents)}")
print("Fields in first incident:", list(incidents[0].keys()))

Total incidents: 39
Fields in first incident: ['incident_id', 'timestamp', 'title', 'description', 'affected_assets', 'observed_ttps', 'indicators_of_compromise', 'initial_findings']


Next Steps:
- Run `setup/download_cve_data.py` to pull KEV and NVD feeds
- Preview kev.json and nvd_subset.json

In [10]:
# Example: load kev.json
# Why we do this:
# The KEV file contains the CISA Known Exploited Vulnerabilities. Ensuring this loads correctly means the semantic index will have meaningful input to match against.
with open(data_dir / 'kev.json') as f:
    kev = json.load(f)
print(f"KEV entries: {len(kev.get('vulnerabilities', []))}")

KEV entries: 1342


In [15]:
# Example: load nvd_subset.json
# Why we do this:
# The NVD subset is a filtered snapshot of a much larger feed. We load it to confirm we have a valid, scoped data source for broader CVE coverage beyond KEV.
with open(data_dir / 'nvd_subset.json') as f:
    nvd_subset = json.load(f)
print(f"NVD subset CVEs: {len(nvd_subset)}")

NVD subset CVEs: 3062


5. Index Construction & Semantic Retrieval

In this section, we build and verify the FAISS indexes for KEV, NVD, and historical data, then demonstrate semantic search.
This shows the robustness of our retrieval layer and ensures the agent has high-signal context.

In [16]:
# 5.1 Import necessary utilities
from utils.flatteners import flatten_kev, flatten_nvd, flatten_incident
from utils.retrieval_utils import initialize_embeddings, initialize_indexes, _search
from langchain.docstore.document import Document

# 5.2 Initialize Embeddings & Indexes
# Why we do this:
# Embeddings and FAISS indexes underpin retrieval-augmentation. Initializing once at startup ensures fast, consistent access during agent execution.

initialize_embeddings()
initialize_indexes()
print("Embeddings and FAISS indexes initialized successfully.")

AttributeError: 'OutStream' object has no attribute 'reconfigure'

5.3 Inspect Flattener Outputs
Why we do this:
Flatteners convert complex JSON entries into embedding-ready text. Verifying these transformations ensures that our search corpus is well-formed.

In [None]:
# Example KEV entry flattening
sample_kev = kev.get('vulnerabilities', [])[0]
doc_kev = flatten_kev(sample_kev)
print("Flattened KEV document preview:")
print(doc_kev.page_content[:200], "...")

# Example NVD entry flattening
sample_nvd = list(nvd.values())[0]
doc_nvd = flatten_nvd(sample_nvd)
print("
Flattened NVD document preview:")
print(doc_nvd.page_content[:200], "...")

# Example Incident flattening
doc_inc = Document(page_content=flatten_incident(incidents[0]), metadata={"incident_id": incidents[0]["incident_id"]})
print("
Flattened Incident document preview:")
print(doc_inc.page_content[:200], "...")

5.4 Perform a Semantic Search
Why we do this:
A simple query over KEV and NVD indexes demonstrates that our retrieval layer returns relevant results. This forms the context the agent uses for decision-making.


In [None]:
query_text = incidents[0]['title']
print(f"Search query: {query_text}")

kev_results = _search(KEV_FAISS, query_text, k=3)
print("Top 3 KEV matches:")
for r in kev_results:
    print(f"- {r['cve_id']} (score: {r['similarity']:.3f})")

nvd_results = _search(NVD_FAISS, query_text, k=3)
print("
Top 3 NVD matches:")
for r in nvd_results:
    print(f"- {r['cve_id']} (score: {r['similarity']:.3f})")

Next Steps:
- Build historical FAISS index (with synthetic past analyses)
- Demonstrate retrieval from history using `_search` on INCIDENT_HISTORY_FAISS
- Proceed to configure the MCP agent with these indexes