CTI AI Agent + Guide

$23.99

Submit an IOC. Get a Full Intelligence Report, STIX 2.1 Bundle & MITRE Navigator Layer. Automatically.


You get an alert. You copy an IP address.

  1. Then you open VirusTotal.
  2. Then AbuseIPDB.
  3. Then OTX. You try to remember the MITRE technique from last month.
  4. You start writing the STIX bundle manually.
  5. Thirty minutes later, you have something useful.

Or: you submit the IP to this workflow. In under 30 seconds, you get a structured intelligence report, a STIX 2.1 bundle, and a MITRE ATT&CK Navigator layer delivered to Discord, Slack, and email simultaneously. That's the difference.

What You Get Per Submission

Intelligence Report — 3 layers:

  • Technical — related IOCs, blocking recommendations (Block / Hunt / Quarantine / Patch)
  • Tactical — MITRE technique IDs, Sigma/YARA/KQL detection rule ideas
  • Strategic — threat actor attribution, victimology, executive brief

STIX 2.1 Bundle — automatic indicators, threat-actors, attack-patterns, relationships — all linked. Drop it into MISP, OpenCTI, Sentinel, Splunk ES, or TheHive. Zero manual authoring.

MITRE ATT&CK Navigator Layer: every technique highlighted on the live matrix, color-coded by severity. Ready for purple team scoping, detection engineering, or compliance evidence.

How It Works

  1. Submit — web form or webhook API. Single IOC or batch up to 100.
  2. Cache check — repeated lookups return instantly. Zero quota burned during incidents.
  3. Parallel enrichment — VirusTotal, AbuseIPDB, AlienVault OTX, GreyNoise, Shodan. Simultaneously.
  4. AI analysis — verdict, confidence, per-artifact rationale citing real numbers. No hallucination.
  5. Deliver — Discord, Slack, Email, API response. One channel failing never blocks the rest.

Verdict levels: 🔴 Malicious · 🟠 Suspicious · 🟡 Mixed · 🟢 Benign · ⚪ Unknown

Every verdict cites its evidence: "VT 12/89 malicious, AbuseIPDB 87/100, OTX 3 pulses". If data is missing, the verdict is UNKNOWN. No speculation.

Works With Your Stack

  • LLM: any, local or cloud. One field to configure.
  • Delivery: Discord, Slack, Email, Gmail, webhook API response.
  • Downstream: MISP, OpenCTI, Anomali, Sentinel, Splunk ES, TheHive.
  • Submissions: web form (no code) or REST API (automation-ready).

What's Included

  • ✅ 21-node n8n workflow JSON
  • ✅ Web form + webhook API (both ready to use)
  • ✅ 5-source parallel enrichment
  • ✅ Auto-generated STIX 2.1 bundle — every run
  • ✅ Auto-generated MITRE ATT&CK Navigator layer — every run
  • ✅ 5-level verdict system with confidence scoring
  • ✅ Smart cache — sub-second on repeated lookups
  • ✅ Batch support — up to 100 IOCs, one consolidated report
  • ✅ TLP marking on all outputs (WHITE / GREEN / AMBER / RED)
  • ✅ Step-by-step setup guide

Setup in 6 Steps

  1. Import CTI_AI_agent.json into n8n
  2. Paste API keys into the KEYS object — one node, all keys
  3. Configure your LLM (any backend)
  4. Add Discord webhook credential
  5. Hit Manual Trigger
  6. Submit 8.8.8.8 — first report arrives in under 60 seconds

Free API keys needed: VirusTotal · AbuseIPDB · AlienVault OTX · Shodan. GreyNoise requires no key.

Who This Is For

CTI analysts spending 30 minutes per IOC across five tabs — this cuts it to 30 seconds.

SOC teams on active incidents — the cache means 10 analysts querying the same IP burns zero duplicate API quota.

Detection engineers who need MITRE IDs and rule ideas as a byproduct, not a separate step.

MSSPs producing structured, TLP-marked client intelligence reports without burning analyst hours on formatting.


Built and tested in a real multi-client SOC. Every edge case — API timeouts, batch deduplication, output channel failures — was encountered in production first.

Questions after purchase? Reach out directly.

You will get a ZIP (452KB) file