AI-Assisted IOC Enrichment Engine
An agent that calls scoped enrichment tools across VirusTotal, Shodan, AbuseIPDB, and internal CTI, reconciles results, normalizes confidence, and writes one structured artifact per case.
Problem statement
IOC enrichment is fragmented across many tools, with inconsistent confidence scoring and duplicate noise that slows analysts down.
Why it matters
Consistent, deduplicated, normalized enrichment is the substrate every downstream playbook and agent depends on. Get it wrong and every decision above it inherits the noise.
Threat model
- Over-querying paid TI APIs through unbounded agent calls.
- Inconsistent confidence scoring across sources.
- Sensitive context leaking into outbound tool arguments.
- Unauditable enrichment decisions.
Architecture
Tools are scoped and rate-aware; results are reconciled and written as one structured, auditable artifact.
Key features
- Scoped enrichment across VirusTotal, Shodan, AbuseIPDB, and internal CTI.
- Deduplication and normalized confidence scoring.
- SIEM/SOAR context attached per indicator.
- Analyst-ready summary and agent-consumable schema.
- Rate-aware tool access.
Guardrails & controls
Test scenarios
- Score consistency across overlapping sources.
- Dedupe correctness on noisy indicator sets.
- Rate-cap enforcement under burst load.
- Exfil attempt through enrichment tool arguments.
Example workflow
Receive IOC
An indicator arrives from a case or alert.
Enrich
Scoped TI tools are queried with rate awareness.
Reconcile
Results are deduplicated and confidence is normalized.
Write artifact
One structured, auditable summary is written back to the case.
Tech stack
- Language
- Python 3.12
- Sources
- VirusTotal · Shodan · AbuseIPDB · CTI
- Interface
- MCP / tool schema
- Output
- Structured case artifact
- Audit
- Per-enrichment log
Screenshots
Visual placeholders. Replace with real screenshots and a demo video.
Lessons learned
- Normalized confidence is harder — and more valuable — than adding sources.
- Rate awareness has to be built in, not bolted on.
- A stable output schema unblocks everything downstream.
Future roadmap
- More TI connectors.
- Confidence-model tuning per source reliability.
- Streaming enrichment for high-volume cases.
Want this pattern in your stack?
This enrichment engine, with normalized scoring and audit across threat-intel sources, is open work — get in touch if you're building something similar or want to compare notes.