Agentic AI in Threat Intelligence: How Analyst-in-the-Loop CTI Actually Works
Agentic AI is a large language model given tools, memory, and a goal, so it can run a multi-step task on its own instead of answering one prompt at a time. Agentic threat intelligence applies that model to CTI: an agent can pull a report, extract the indicators, enrich them across several services, apply a structured analytic technique, check a source's reliability, and draft the assessment, calling each tool in turn without a human driving every click. Agentic security works best as a stack of specialised agents rather than one general one, and it works safely with an analyst-in-the-loop: the agents carry the mechanical and analytical legwork, and the analyst owns the judgement, the calls that carry consequences, and the sign-off. It is a force multiplier for the team you have, not an autonomous replacement for it.
This guide explains what “agentic” actually means, what the agent stack looks like in threat intelligence, and why keeping the analyst in the loop is a design choice rather than a limitation.
What “agentic” actually means
First we need to separate three things that often get lumped together as AI.
Classic machine learning scores and clusters: it flags anomalies, deduplicates events, and prioritises alerts. It has been part of mature security tooling for years. Generative AI reads and writes unstructured language: it summarises a report, extracts structured data from prose, translates between formats, and drafts text. Agentic AI is the step beyond that. It is a language model given three additional things: tools it can call, memory it can carry between steps, and a goal to work towards. With those, it stops being a thing you prompt once and becomes a function that runs a process.
The practical difference is autonomy across steps. Ask a chatbot about a suspicious domain and it answers from what it already knows. Give an agent the same domain and it can resolve it, check it against your threat-intelligence sources, pivot to the related infrastructure, rate what it finds, and hand you an assessment, deciding which tool to reach for at each step. That multi-step, tool-using autonomy is what the word “agentic” is pointing at.
The agent stack in agentic CTI
A serious agentic deployment is not one clever assistant. Ask what a threat intelligence AI agent looks like in practice, and it is multifaceted: a stack of specialised agents, each doing one job well, composed on every event. Our guide to AI for threat intelligence sets the six categories out in full; in short, integration agents call the external tools, entity-extraction agents pull indicators and techniques out of raw text, tradecraft agents apply structured analysis, self-maintaining knowledge agents hold and update the picture on a topic, organisation agents judge relevance to your business, and production agents write the finished product.
Two of those are what make agentic CTI more than a fast summariser. The tradecraft agents apply real analytical discipline, running Analysis of Competing Hypotheses, rating how far both a source and its data can be trusted on the NATO Admiralty scale, attaching calibrated confidence, and running a contrarian pass to surface disconfirming evidence, on every event rather than only when a human has time. The self-maintaining knowledge agents hold the whole body of knowledge on a topic, such as a named actor or the infostealer ecosystem, and keep it current, so each new datapoint is read in context rather than in isolation. Automation that skips these two gives you summaries, while agents that run them give you analysis.
Something has to orchestrate the stack: decide which agent runs when, pass each one's output to the next, and loop back when a result calls for another pass. A run can start from an analyst's request, but it can equally be triggered by a new article landing in a feed, a fresh vendor report, a malware sample, or an incident, any of which can set the same chain in motion automatically.
Why analyst-in-the-loop, not fully autonomous
Agentic does not have to mean unsupervised, and in intelligence work it should not. The right design keeps the analyst in the loop, and the reason is about where autonomy is safe and where it is not.
Autonomy is safe in the middle of the intelligence lifecycle. Collection and processing are low-risk to automate because the output is checkable: an agent can monitor hundreds of sources, extract and enrich indicators, and map activity to ATT&CK, and you can verify the result. The analytical scaffolding is shared ground, where tradecraft agents lay out hypotheses and rate sources, and a person makes the call.
The two ends of the lifecycle stay human. Deciding what the organisation needs to know is a stakeholder conversation, not a task you hand to a model, which is why your intelligence requirements are set by people. And the final judgement stays with the analyst: which hypothesis to back, whether a well-formatted report is simply wrong, what an actor's behaviour means for you, and whether an assessment going to an executive is sound. An agent can draft all of that and propose recommendations, but it cannot carry the accountability for the call, and it has no access to the relationship-based intelligence that runs on human trust, the tip from a peer or a researcher, which is often the most valuable data a team can get. Analyst-in-the-loop is how you get the speed of autonomy on the parts that are safe to automate and keep human judgement on the parts that are not.
Keeping agents honest
Giving agents autonomy raises the obvious worry: what stops one inventing an indicator or asserting a confident answer that is wrong. The answer is to not let them free-associate, and to run several defences at once.
Every assessment is grounded in provided source material and stays traceable to it, so the agents work from the reporting in front of them rather than from whatever a model absorbed in training. The knowledge agents supply current, sourced context, so a new event is judged against what is actually known. The tradecraft agents apply source rating, calibrated confidence, and Analysis of Competing Hypotheses, which keep an agent from over-claiming, and contrarian passes actively hunt for disconfirming evidence. Because every assessment carries its sourcing and confidence, it stays checkable, so your own analyst can review anything that carries consequences and own the final call.
None of these guardrails were invented for machines. They are the same techniques human analysts already use to fight their own biases: rate the source before you trust the data, force competing hypotheses onto the table, appoint a devil's advocate. Applied to agents they work the same way, with one advantage: a human team runs them when time allows, while the agents run them on every analytical product, every time, without the time investment. No single guardrail is enough on its own; the point is that they compound.
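The grounding guardrail described above can be made mechanical. The sketch below is an added example, not code from this guide or any product it mentions: it checks that every indicator in an agent's draft is traceable to a line of the provided source, and queues even a clean draft for analyst sign-off rather than releasing it. The function names, status strings, and sample report are assumptions constructed for illustration.

```python
import re

# Constructed sample inputs for illustration; not taken from any real report.
SOURCE_REPORT = """\
The loader beacons to update-check[.]example[.]net and pulls a second stage
from hxxps://cdn[.]example[.]org/a.bin. Victims were also seen resolving
203[.]0[.]113[.]45 shortly before exfiltration.
"""
AGENT_DRAFT = {
    "summary": "Loader campaign using staged delivery.",
    "indicators": ["update-check.example.net", "cdn.example.org",
                   "203.0.113.45", "198.51.100.7"],  # last one is not in the source
}

def refang(text):
    """Undo common defanging so source and draft compare on equal terms."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)
    return re.sub(r"hxxp", "http", text, flags=re.I).lower()

def ground_indicators(draft, source):
    """Map each claimed indicator to the source line that supports it,
    and list the ones no source line supports."""
    lines = [refang(line).strip() for line in source.splitlines() if line.strip()]
    grounded, ungrounded = {}, []
    for ioc in draft["indicators"]:
        # Whole-token match: "example.net" must not be satisfied by
        # "update-check.example.net", nor "3.0.113.45" by "203.0.113.45".
        pattern = re.compile(r"(?<![\w.-])" + re.escape(refang(ioc)) + r"(?!\.?[\w-])")
        hit = next((line for line in lines if pattern.search(line)), None)
        if hit is None:
            ungrounded.append(ioc)
        else:
            grounded[ioc] = hit
    return {"grounded": grounded, "ungrounded": ungrounded}

def review_decision(draft, source):
    """Gate the draft: ungrounded claims block it; a fully grounded draft
    is only queued for the analyst, never released automatically."""
    result = ground_indicators(draft, source)
    status = "blocked_ungrounded" if result["ungrounded"] else "ready_for_analyst_signoff"
    return {"status": status, **result}

if __name__ == "__main__":
    decision = review_decision(AGENT_DRAFT, SOURCE_REPORT)
    print(decision["status"], decision["ungrounded"])
```

The supporting line kept for each grounded indicator is what makes the assessment checkable by the reviewing analyst.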
Build it yourself, or run it managed
You can assemble agentic CTI yourself with a coding agent and the open CTI skills pack, running the tradecraft and integration building blocks against your own keys, which we cover in our guide to using Claude Code for threat intelligence. Or you can run the managed version, where the full stack, including the self-maintaining knowledge agents and the organisation agents that judge relevance, runs continuously against your requirements without you maintaining the orchestration. If you want the role rather than the plumbing, our AI threat intelligence analyst page covers what that looks like. Either way the principle holds: the agents do the work, and the analyst stays in the loop on the calls that matter.
Frequently asked questions
What is agentic AI in security?
Agentic AI is a large language model given tools, memory, and a goal so it can run a multi-step task on its own, rather than answering a single prompt. In security it lets an agent chain steps together: enriching an indicator across several services, pivoting on infrastructure, applying a structured analytic technique, and drafting the result, deciding which tool to use at each step. It works best as a stack of specialised agents and safest with an analyst in the loop on the judgement.
What is agentic threat intelligence?
Agentic threat intelligence is the application of agentic AI to CTI work: specialised agents that collect reporting, extract entities, enrich indicators, apply analytical tradecraft such as Analysis of Competing Hypotheses and source rating, and draft finished intelligence, with a human analyst owning the judgement and sign-off. It differs from AI-assisted summarisation in that the agents run the process, not just the prose.
What is agentic security, and how is it different from generative AI?
Generative AI reads and writes language: it summarises a report or extracts structured data from prose. Agentic security adds autonomy across steps by giving the model tools, memory, and a goal, so it can run a whole investigation rather than answer one question. Generative AI is a component; agentic security is what you get when you let a model use it to drive a multi-step process.
Will agentic AI replace threat intelligence analysts?
No. Agentic AI takes on the high-volume mechanical and analytical legwork, but the analyst still directs the programme, makes the attribution and relevance calls, holds the stakeholder relationships, and signs off anything that carries consequences. It is a force multiplier for the team you have, and teams that adopt it tend to produce more intelligence, not need fewer people.
What does analyst-in-the-loop mean?
It means the agents do the collection, processing, and analytical scaffolding autonomously, while the analyst keeps control of the judgement: which hypothesis to back, what activity means for the organisation, and whether to sign off an assessment that carries consequences. It gives you the speed of automation on the safe-to-automate work and human accountability on the calls that matter.
Can agentic AI run threat intelligence without any human involvement?
It can run the mechanical and analytical legwork without a human driving each step, but it should not own the final judgement. Direction, attribution calls, relevance to your business, relationship-based intelligence, and accountability for an assessment stay with people. Fully autonomous intelligence would mean nobody is answerable for the call, which is not a position a serious programme wants to be in.


