Problem

Problem statement

IOC enrichment is fragmented across many tools, with inconsistent confidence scoring and duplicate noise that slows analysts down.

Stakes

Why it matters

Consistent, deduplicated, normalized enrichment is the substrate every downstream playbook and agent depends on. Get it wrong and every decision above it inherits the noise.

Threat Model

Threat model

  • Over-querying paid TI APIs through unbounded agent calls.
  • Inconsistent confidence scoring across sources.
  • Sensitive context leaking into outbound tool arguments.
  • Unauditable enrichment decisions.
Architecture

Architecture

Tools are scoped and rate-aware; results are reconciled and written as one structured, auditable artifact.

Features

Key features

  • Scoped enrichment across VirusTotal, Shodan, AbuseIPDB, and internal CTI.
  • Deduplication and normalized confidence scoring.
  • SIEM/SOAR context attached per indicator.
  • Analyst-ready summary and agent-consumable schema.
  • Rate-aware tool access.
Controls

Guardrails & controls

Scoped TI API accessRate capsNormalized scoringStructured, auditable output
Testing

Test scenarios

  • Score consistency across overlapping sources.
  • Dedupe correctness on noisy indicator sets.
  • Rate-cap enforcement under burst load.
  • Exfil attempt through enrichment tool arguments.
Workflow

Example workflow

01

Receive IOC

An indicator arrives from a case or alert.

02

Enrich

Scoped TI tools are queried with rate awareness.

03

Reconcile

Results are deduplicated and confidence is normalized.

04

Write artifact

One structured, auditable summary is written back to the case.

Stack

Tech stack

Language
Python 3.12
Sources
VirusTotal · Shodan · AbuseIPDB · CTI
Interface
MCP / tool schema
Output
Structured case artifact
Audit
Per-enrichment log
Visuals

Screenshots

Visual placeholders. Replace with real screenshots and a demo video.

UI · ENRICHMENT VIEW
DEMO · CASE ARTIFACT
Lessons

Lessons learned

  • Normalized confidence is harder — and more valuable — than adding sources.
  • Rate awareness has to be built in, not bolted on.
  • A stable output schema unblocks everything downstream.
Roadmap

Future roadmap

  • More TI connectors.
  • Confidence-model tuning per source reliability.
  • Streaming enrichment for high-volume cases.
Put this to work

Want this pattern in your stack?

This enrichment engine, with normalized scoring and audit across threat-intel sources, is open work — get in touch if you're building something similar or want to compare notes.