This AI Platform Does Security Teams' Threat Intel Grunt Work
Jonathan Cran's Mallory platform automates threat intelligence aggregation and contextualizes security operations—but the real shift is what comes next.
Written by AI. Rachel "Rach" Kovacs
April 11, 2026

Photo: Unsupervised Learning / YouTube
Here's the pitch that should make every security analyst's ears perk up: wake up to a Slack message telling you exactly which new vulnerabilities affect your specific environment, complete with the context you need to prioritize, the evidence trail to support your decisions, and—if you want—a pre-generated ticket ready to go.
That's what Jonathan Cran built with Mallory, an AI-powered threat intelligence platform he demoed recently for Daniel Miessler's Unsupervised Learning channel. But the interesting part isn't the automation of busywork, though that's admittedly satisfying. It's what happens when you stop thinking of threat intelligence as a product and start thinking of it as infrastructure.
Cran started building Mallory in 2024 while at Google, driven by a problem that every security team knows intimately: keeping up is impossible. "I mean everything that's happening every day in security operations outside your organization," he explained. "Whether it's breach, whether there's a supply chain attack going on, new techniques, things like that."
His solution was to build a collection engine that ingests open-source intelligence continuously, uses LLMs to extract insights, then maps relationships between threat actors, attack patterns, vulnerabilities, and affected products. The result is a platform that does what would normally require hours of blog-hopping and note-taking: it aggregates breaking security news into coherent "stories" with timelines, source attribution, and entity extraction.
Take the recent Team PCP campaign targeting security tools via GitHub pull requests. Mallory's story page shows the full timeline from late February, pulls quotes and indicators from sources ranging from Dark Reading to individual researcher blogs, and maps all related entities—actors, malware, attack patterns—with evidence tables showing exactly where each piece of information came from. It's the report a junior analyst would spend half a day assembling, generated automatically and updated in real-time.
The Database You Didn't Know Was the Hard Part
What looks like a slick UI for browsing threat intelligence is actually sitting on top of years of entity resolution work. When Mallory encounters "Lazarus Group," it knows that's the same actor as 29 other aliases used across different vendor reports. When it sees "Team PCP," it maps that to all variants: Team PCP Group, Team PCP ransomware, Shell Force.
"The entity resolution system allows us to say like, oh, Shell Force is Team PCP or whenever this word Team PCP is mentioned," Cran noted. "It'll all get mapped into this particular entity." That Rosetta Stone of threat actor aliases, maintained and enriched continuously, is what makes the platform's contextual intelligence actually useful rather than just another alert firehose.
Every observable in the platform is evidence-backed. Click on an attack pattern and you see not just the MITRE ATT&CK classification, but the actual blog posts and reports where that pattern was discussed, with full context. It's the difference between a threat intelligence platform that tells you what's happening and one that shows you why it believes that.
The free community tier gives access to this data through rate-limited APIs. Paying customers get the full threat intelligence features plus something more interesting: the ability to contextualize external threat intel against their own environment.
When Threat Intel Meets Your Asset Database
Cran demonstrated this by asking Mallory about a zero-day in the news. The platform pulled up the vulnerability details, listed indicators of compromise, then answered the question security teams actually care about: "Are we affected?"
It could answer because Mallory had ingested the organization's software inventory. Cisco SD-WAN, CrowdStrike agents, GitHub repositories—all mapped to upstream products, which are themselves mapped to relevant threat intelligence. When a new story breaks, the platform can automatically determine exposure.
"The goal here is just to make this stuff automatic," Cran said. "You should wake up to, hey, we're affected by these things. We got to deal with them."
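The two mechanisms described above, alias resolution into a canonical actor and matching a story's affected products against an asset inventory with an evidence trail, as a small added illustration; this is example code written for this article, not Mallory's code or API, and the alias table beyond Team PCP, the inventory, the story record and the URLs are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed alias table. The Team PCP aliases are the ones named in the
# article; "Example Actor" and its aliases are placeholders, not real intel.
ALIASES = {
    "Team PCP": ["Team PCP Group", "Team PCP ransomware", "Shell Force"],
    "Example Actor": ["EXAMPLE-ACTOR-ALIAS-1", "Example Actor Crew"],
}

def _norm(s):
    """Case-, whitespace- and punctuation-insensitive key for matching."""
    return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()

# Reverse index: normalized alias -> canonical actor (canonical names included).
ALIAS_INDEX = {_norm(a): canon for canon, al in ALIASES.items() for a in [canon, *al]}

def resolve_actor(name):
    """Return the canonical actor for any known alias spelling, or None."""
    return ALIAS_INDEX.get(_norm(name))

def find_actors(text, source):
    """Map every alias mentioned in text to its canonical actor, keeping the
    matched spelling and the source as evidence for the mapping."""
    hits = {}
    for alias, canon in ALIAS_INDEX.items():
        pattern = r"\b" + r"\W+".join(map(re.escape, alias.split())) + r"\b"
        for m in re.finditer(pattern, text, flags=re.IGNORECASE):
            hits.setdefault(canon, []).append({"alias": m.group(0), "source": source})
    return hits

@dataclass(frozen=True)
class Asset:
    name: str
    product: str  # upstream product this asset is mapped to

INVENTORY = [  # constructed inventory, modeled on the asset types named in the demo
    Asset("wan-edge-01", "Cisco SD-WAN"),
    Asset("ws-0042", "CrowdStrike agent"),
    Asset("github.com/example-org/app", "GitHub"),
]

STORY = {  # constructed story record; the URLs are placeholders
    "text": "Shell Force, also tracked as Team PCP Group, opened malicious pull "
            "requests against several open-source security tools.",
    "source": "https://example.invalid/report-1",
    "affected_products": [("GitHub", "https://example.invalid/advisory-1")],
}

def assess_exposure(story, inventory):
    """Answer "are we affected?": one evidence-backed record per asset whose
    upstream product the story names, citing the source that named it."""
    affected = {_norm(p): src for p, src in story["affected_products"]}
    return [{"asset": a.name, "product": a.product, "source": affected[_norm(a.product)]}
            for a in inventory if _norm(a.product) in affected]
```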
That shift from passive intelligence consumption to active contextualization is where things get interesting. The built-in AI agent can generate tabletop exercises based on specific threat actor TTPs, schedule daily intelligence briefings filtered to your interests, or even draft tickets for vulnerabilities that affect your environment. During the demo, Cran scheduled a recurring Slack message with updates on Lazarus Group tactics, configured to send only when new information appears.
But scheduled reports are still human-driven workflows. The next phase is more autonomous.
The Agent Future Nobody Wants to Say Out Loud
Cran was refreshingly direct about where this is headed. "I think the interface is going to be useful still for a number of years," Miessler observed, "and I think that will slowly taper down most likely because the human interface will be talking to their agent and their agent will just be hitting all these APIs."
The platform already supports this through its open API and what Cran calls "programmatic tool calling"—agents that can query threat intelligence, generate code, and execute workflows. The community tier users are building custom integrations because API access doesn't cost Mallory tokens; they're just serving data.
What happens when your security operations agent proactively monitors for threats, cross-references them against your environment, and takes preliminary response actions without being asked? Cran acknowledged the challenges: "There's a good amount to build there" in terms of agent control, monitoring, and auditability. Organizations will want to use their own models and infrastructure, which means building the guardrails for agents that can reach into production environments.
The technical challenge isn't the AI—it's trust and verification. How do you audit an agent's decision-making? How do you prevent an automated response from making things worse? These aren't theoretical questions. They're the gap between "this is cool" and "this is production-ready."
Cran mentioned something that stuck with me: "All of our security systems were built around checks and alerts generated off checks. But like if you have the upstream data and you know what to look for, you don't necessarily need a check."
That's the fundamental shift. Traditional security monitoring runs predefined checks looking for known patterns. An AI agent with access to current threat intelligence and your environment's context can reason about threats without those checks—or generate new checks on the fly as threats evolve.
The question isn't whether security teams will adopt AI agents for threat intelligence. It's whether they'll build the operational maturity to deploy them safely before the pressure to keep up with threats forces compromises. Mallory is betting on the former, but building for the reality that we might get the latter.
Rachel "Rach" Kovacs is Buzzrag's cybersecurity and privacy correspondent.
Watch the original video: A Conversation With Jonathan Cran (Unsupervised Learning, 26m 15s)