Liberty91

AI Threat Intelligence

AI for Threat Intelligence.

AI threat intelligence is the use of large language models and agents to automate the high-volume parts of the intelligence cycle: collecting from hundreds of sources, enriching indicators, mapping activity to frameworks, and drafting reports. It does the mechanical work, roughly 80% of the total, in minutes, so analysts get the time back for the judgement that turns information into intelligence.

Where AI fits, and where it does not.

AI is strongest in the middle of the intelligence lifecycle: collection, processing, and the structured parts of analysis and dissemination, where the work is high-volume and the output is checkable. It is weakest at the two ends, direction and feedback, where humans decide what the organisation needs to know and whether the intelligence proved useful.

It cannot assess intent, weigh attribution responsibly, or decide what matters to your specific organisation, and it does not know when its own input is wrong. That is why every serious deployment keeps the analyst in the loop on the calls that matter. AI is a force multiplier for the team you have, not a substitute for it.

Not one model, but six kinds of agent.

A serious AI deployment is a stack of specialised agents, each doing one job well. Composing them is what turns automation into analysis.

Integration agents

Call the external tools: enrich indicators across VirusTotal, URLScan, Shodan, GreyNoise and AbuseIPDB, pull intel from CrowdStrike and Google Threat Intelligence, and push into MISP, your SIEM, or Slack.

Entity-extraction agents

Each pulls one thing from raw reports: indicators of compromise, MITRE ATT&CK techniques, named actors and malware, targeted sectors and regions, assets and suppliers.

Tradecraft agents

Apply real analytical technique on every event: Analysis of Competing Hypotheses, the NATO Admiralty scale for source reliability, calibrated confidence and likelihood, indicator pivoting, and contrarian bias checks.

Knowledge agents

Self-maintaining experts on a topic. Each holds and continuously updates everything known about, say, Russian cybercrime or infostealers, and contextualises each new datapoint against it.

Organisation agents

Trained on your organisation, or on each one an MSSP serves. They know your assets, suppliers and threat profile, and judge the relevance of every event to you specifically.

Production agents

Turn the finished analysis into the right product: a strategic brief, a technical report, detection rules, IOCs, STIX bundles and blocklists, all from the same underlying work.
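To make the composition concrete, here is an added example (not Liberty91's code or any of its skills) that chains three of the agent roles above on a constructed, defanged report: an entity-extraction step pulls IOCs and ATT&CK technique IDs, a tradecraft step attaches a NATO Admiralty rating, and a production step emits a STIX 2.1 indicator bundle. The sample report, the regexes and the function names are all assumptions made for this illustration.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample report (not a real advisory), defanged as analysts usually receive it.
SAMPLE_REPORT = """Phishing lure delivered a loader from hxxp://update-check[.]example/dl
which beaconed to 203.0.113.45 on 443. Payload SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Observed techniques: T1566.001 followed by T1059.001."""

# Each IOC kind maps to the STIX 2.1 object path used in the indicator pattern.
IOC_PATTERNS = {
    "ipv4-addr:value": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "domain-name:value": r"\b[a-z0-9-]+(?:\[\.\][a-z0-9-]+)+\b",
    "file:hashes.'SHA-256'": r"\b[a-f0-9]{64}\b",
}
ATTACK_ID = r"\bT\d{4}(?:\.\d{3})?\b"

def refang(value):
    return value.replace("[.]", ".").replace("hxxp", "http")

def extract(text):
    """Entity-extraction step: refanged IOCs and ATT&CK technique IDs from raw text."""
    iocs = [(path, refang(m)) for path, pat in IOC_PATTERNS.items() for m in re.findall(pat, text)]
    return iocs, sorted(set(re.findall(ATTACK_ID, text)))

def admiralty(reliability, credibility):
    """Tradecraft step: NATO Admiralty code, source reliability A-F, information credibility 1-6."""
    if reliability not in list("ABCDEF") or credibility not in range(1, 7):
        raise ValueError("rating outside the Admiralty scale")
    return f"{reliability}{credibility}"

def to_stix(iocs, techniques, rating, source):
    """Production step: wrap the extracted entities in a STIX 2.1 bundle of indicator objects."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [{
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "pattern_type": "stix", "pattern": f"[{path} = '{value}']",
        "labels": ["malicious-activity"] + techniques,
        "description": f"Source {source}, Admiralty {rating}",
    } for path, value in iocs]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

if __name__ == "__main__":
    import json
    iocs, techniques = extract(SAMPLE_REPORT)
    print(json.dumps(to_stix(iocs, techniques, admiralty("B", 2), "constructed-sample"), indent=2))
```

The resulting bundle is what a production agent would hand to MISP or a SIEM; the Admiralty rating travels with each indicator so the analyst can see how much weight the source deserves.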

Agentic threat intelligence.

The most concrete shift is agentic CTI: LLMs given tools and a goal, able to run a multi-step task on their own. With a coding agent like Claude Code or Cursor, an analyst can run a stack of skills that each handle one part of the lifecycle, against their own API keys and their own MISP instance. The analyst orchestrates; the agents do the legwork.

Liberty91 publishes an open pack of these workflows so practitioners can run them on their own stack. You can browse them on the CTI Skills page, see the discipline-wide picture in our guide to AI for threat intelligence, or meet the managed version, an AI threat intelligence analyst that runs the lifecycle against your intelligence requirements.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.