Edited by humans. Written by AI. How our editing works
All articles

This AI Platform Does Security Teams' Threat Intel Grunt Work

Jonathan Cran's Mallory platform automates threat intelligence aggregation and contextualizes security operations—but the real shift is what comes next.

Rachel "Rach" Kovacs

Written by AI. Rachel "Rach" Kovacs

April 11, 20266 min read
Share:
Two men sit in a yellow-lit studio setting with chairs and plants behind them, identified as Jonathan Cran (Founder & CEO…

Photo: Unsupervised Learning / YouTube

Here's the pitch that should make every security analyst's ears perk up: wake up to a Slack message telling you exactly which new vulnerabilities affect your specific environment, complete with the context you need to prioritize, the evidence trail to support your decisions, and—if you want—a pre-generated ticket ready to go.

That's what Jonathan Cran built with Mallory, an AI-powered threat intelligence platform he demoed recently for Daniel Miessler's Unsupervised Learning channel. But the interesting part isn't the automation of busywork, though that's admittedly satisfying. It's what happens when you stop thinking of threat intelligence as a product and start thinking of it as infrastructure.

Cran started building Mallory in 2024 while at Google, driven by a problem that every security team knows intimately: keeping up is impossible. "I mean everything that's happening every day in security operations outside your organization," he explained. "Whether it's breach, whether there's a supply chain attack going on, new techniques, things like that."

His solution was to build a collection engine that ingests open-source intelligence continuously, uses LLMs to extract insights, then maps relationships between threat actors, attack patterns, vulnerabilities, and affected products. The result is a platform that does what would normally require hours of blog-hopping and note-taking: it aggregates breaking security news into coherent "stories" with timelines, source attribution, and entity extraction.

Take the recent Team PCP campaign targeting security tools via GitHub pull requests. Mallory's story page shows the full timeline from late February, pulls quotes and indicators from sources ranging from Dark Reading to individual researcher blogs, and maps all related entities—actors, malware, attack patterns—with evidence tables showing exactly where each piece of information came from. It's the report a junior analyst would spend half a day assembling, generated automatically and updated in real-time.

The Database You Didn't Know Was the Hard Part

What looks like a slick UI for browsing threat intelligence is actually sitting on top of years of entity resolution work. When Mallory encounters "Lazarus Group," it knows that's the same actor as 29 other aliases used across different vendor reports. When it sees "Team PCP," it maps that to all variants: Team PCP Group, Team PCP ransomware, Shell Force.

"The entity resolution system allows us to say like, oh, Shell Force is Team PCP or whenever this word Team PCP is mentioned," Cran noted. "It'll all get mapped into this particular entity." That Rosetta Stone of threat actor aliases, maintained and enriched continuously, is what makes the platform's contextual intelligence actually useful rather than just another alert firehose.

Every observable in the platform is evidence-backed. Click on an attack pattern and you see not just the MITRE ATT&CK classification, but the actual blog posts and reports where that pattern was discussed, with full context. It's the difference between a threat intelligence platform that tells you what's happening and one that shows you why it believes that.

The free community tier gives access to this data through rate-limited APIs. Paying customers get the full threat intelligence features plus something more interesting: the ability to contextualize external threat intel against their own environment.

When Threat Intel Meets Your Asset Database

Cran demonstrated this by asking Mallory about a zero-day in the news. The platform pulled up the vulnerability details, listed indicators of compromise, then answered the question security teams actually care about: "Are we affected?"

It could answer because Mallory had ingested the organization's software inventory. Cisco SD-WAN, CrowdStrike agents, GitHub repositories—all mapped to upstream products, which are themselves mapped to relevant threat intelligence. When a new story breaks, the platform can automatically determine exposure.

"The goal here is just to make this stuff automatic," Cran said. "You should wake up to, hey, we're affected by these things. We got to deal with them."

That shift from passive intelligence consumption to active contextualization is where things get interesting. The built-in AI agent /article/zero-trust-security-faces-its-ai-agent-test can generate tabletop exercises based on specific threat actor TTPs, schedule daily intelligence briefings filtered to your interests, or even draft tickets for vulnerabilities that affect your environment. During the demo, Cran scheduled a recurring Slack message with updates on Lazarus Group tactics, configured to send only when new information appears.

But scheduled reports are still human-driven workflows. The next phase is more autonomous.

The Agent Future Nobody Wants to Say Out Loud

Cran was refreshingly direct about where this is headed. "I think the interface is going to be useful still for a number of years," Miessler observed, "and I think that will slowly taper down most likely because the human interface will be talking to their agent and their agent will just be hitting all these APIs."

The platform already supports this through its open API and what Cran calls "programmatic tool calling"—agents that can query threat intelligence, generate code, and execute workflows. The community tier users are building custom integrations because API access doesn't cost Mallory tokens; they're just serving data.

What happens when your security operations agent proactively monitors for threats, cross-references them against your environment, and takes preliminary response actions without being asked? Cran acknowledged the challenges: "There's a good amount to build there" in terms of agent control, monitoring, and auditability. Organizations will want to use their own models and infrastructure, which means building the guardrails for agents that can reach into production environments.

The technical challenge isn't the AI—it's trust and verification. How do you audit an agent's decision-making? How do you prevent an automated response from making things worse? These aren't theoretical questions. They're the gap between "this is cool" and "this is production-ready."

Cran mentioned something that stuck with me: "All of our security systems were built around checks and alerts generated off checks. But like if you have the upstream data and you know what to look for, you don't necessarily need a check."

That's the fundamental shift. Traditional security monitoring runs predefined checks looking for known patterns. An AI agent with access to current threat intelligence and your environment's context can reason about threats without those checks—or generate new checks on the fly as threats evolve.

The question isn't whether security teams will adopt AI agents for threat intelligence. It's whether they'll build the operational maturity to deploy them safely before the pressure to keep up with threats forces compromises. Mallory is betting on the former, but building for the reality that we might get the latter.

Rachel "Rach" Kovacs is Buzzrag's cybersecurity and privacy correspondent.

From the BuzzRAG Team

AI Moves Fast. We Keep You Current.

Framework breakdowns, tool comparisons, and AI coding insights — distilled from the best tech YouTube creators. Free, weekly.

Weekly digestNo spamUnsubscribe anytime

More Like This

Tech reviewer rates desk setup components with scores from 4-9/10, displaying computer, monitors, keyboard, and mobile…

The Security Risks Hiding in Your $50,000 Desk Setup

A tech reviewer's decade-old workspace reveals what happens when premium gear outlives its security updates. The Mac Pro problem nobody wants to discuss.

Rachel "Rach" Kovacs·4 months ago·6 min read
Live stream vlog thumbnail featuring a high-end PC build with RGB cooling system and hardware components against an orange…

Microsoft's Encryption Key Dilemma: Security vs. Privacy

Explore Microsoft's encryption key policy, its implications for privacy, and how it compares to Apple's approach.

Rachel "Rach" Kovacs·6 months ago·3 min read
Two professionals sit in yellow chairs facing each other in a studio setting, with text identifying Sarit Tager from Palo…

Why AI AppSec Needs Organizational Context to Work

AI finds more vulnerabilities than ever—but without organizational context, it still can't tell you which ones actually matter. Here's what that gap costs.

Rachel "Rach" Kovacs·1 week ago·7 min read
Tech stack logos for Next.js, AI SDK, and deployment tools above four fantasy creature cards showcasing a dark, mystical…

Unleashing Creativity: Build a Fantasy GitHub App

Explore building a fantasy creature app with GitHub stats, combining creativity and tech.

Rachel "Rach" Kovacs·6 months ago·3 min read
Terminal window displaying assembly code with "MAGIC HAPPENS" overlaid in large golden text

Life Emerged From Code Merging, Not Just Mutation

Researcher demonstrates self-replicating programs emerge from random code through symbiogenesis—challenging how we think evolution works.

Rachel "Rach" Kovacs·5 months ago·6 min read
Developer at desk with dual monitors displaying analytics dashboards and data visualizations in a neon-lit tech environment

34 Self-Hosted Projects That Could Replace Your Cloud Stack

From AI email agents to thermal printer dashboards, these trending GitHub projects show what happens when developers get tired of subscription fees.

Rachel "Rach" Kovacs·3 months ago·6 min read
Bearded man wearing glasses and a beanie gestures toward camera with confused expression, text reads "NOW WHAT?

Why Your AI Agent Sits Idle After Installation

Installing an AI agent takes 10 minutes. Making it actually useful takes 40 hours. Here's why the industry keeps solving the wrong problem.

Rachel "Rach" Kovacs·3 months ago·6 min read

RAG·vector embedding

2026-04-15
1,499 tokens1536-dimmodel text-embedding-3-small

This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.