Threat Intelligence
The ReAct agent
The heart of threat intelligence is a ReAct (Reasoning + Acting) agent implemented with LangGraph. Unlike fixed pipelines, the agent:
- Reasons about the IOC type and decides which tools to use
- Executes the selected tools
- Observes the results
- Reasons again about what was found
- Repeats until it has enough information to write the assessment
Example of internal reasoning
For 185.220.101.34:
```
Thought: It's an IP. I should query VirusTotal for reputation, AbuseIPDB for abuse reports, Shodan for exposed services, AlienVault for threat pulses, and IPInfo for geolocation.
Action: virustotal_ip_lookup("185.220.101.34")
Observation: 87 AV detections, classified as "TOR exit node"
Thought: High detection. Shodan might reveal more about services.
Action: shodan_host_lookup("185.220.101.34")
Observation: Port 9001 open (Tor relay), 9030 (Tor directory)
Thought: Confirmed as Tor node. High risk. Let me check associated domains to pivot...
```
Automatic tool selection
The agent selects tools based on detected IOC type:
| IOC Type | Primary Tools | Secondary Tools |
|---|---|---|
| IP | VirusTotal, AbuseIPDB, Shodan, AlienVault, IPInfo | Threat Feeds, History |
| Domain | VirusTotal, WHOIS, DNS, crt.sh, AlienVault | URLScan, Threat Feeds |
| URL | URLScan, VirusTotal, DNS | Threat Feeds |
| Hash | VirusTotal | History |
| Contextual query | GDELT, RSS, ACLED, Country Risk | Financial, AIS |
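The Reason/Act/Observe loop and the tool table above, as an added example that is not the project's code: a plain-Python stand-in (no LangGraph) that classifies an indicator, picks the primary and secondary tools from the table, and pivots breadth-first over related IOCs up to `MAX_PIVOTS` hops, which anticipates the Auto-pivot section that follows. The tool names come from the table; the `classify_ioc`, `select_tools` and `investigate` functions, the regexes and the `MOCK_RELATED` enrichment results are constructed for this example.

```python
"""Added example, not the project's code: IOC classification, tool selection from the
table above, and a depth-capped auto-pivot loop in plain Python (no LangGraph)."""
import ipaddress
import os
import re
from urllib.parse import urlparse

# Tool names are taken from the page's table; the grouping into dicts is an assumption.
PRIMARY_TOOLS = {
    "ip": ["VirusTotal", "AbuseIPDB", "Shodan", "AlienVault", "IPInfo"],
    "domain": ["VirusTotal", "WHOIS", "DNS", "crt.sh", "AlienVault"],
    "url": ["URLScan", "VirusTotal", "DNS"],
    "hash": ["VirusTotal"],
    "contextual": ["GDELT", "RSS", "ACLED", "Country Risk"],
}
SECONDARY_TOOLS = {
    "ip": ["Threat Feeds", "History"],
    "domain": ["URLScan", "Threat Feeds"],
    "url": ["Threat Feeds"],
    "hash": ["History"],
    "contextual": ["Financial", "AIS"],
}
MAX_PIVOTS = int(os.environ.get("MAX_PIVOTS", "2"))  # default taken from the page

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5 / SHA-1 / SHA-256
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify_ioc(value):
    """Decide the IOC type the way the agent's first 'Thought' step does."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    if "://" in value and urlparse(value).netloc:
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    return "contextual"  # free-text question: GDELT/RSS/ACLED path


def select_tools(ioc_type):
    """Primary tools first, then secondary ones, in the order the table lists them."""
    return PRIMARY_TOOLS.get(ioc_type, []) + SECONDARY_TOOLS.get(ioc_type, [])


# Constructed stand-in for the "related IOCs" a tool such as VirusTotal or WHOIS might return.
MOCK_RELATED = {
    "185.220.101.34": ["evil-c2.example.com", "malware-host.net"],
    "evil-c2.example.com": ["198.51.100.7"],
    "198.51.100.7": ["deep.example.org"],  # three hops out: never reached with MAX_PIVOTS=2
}


def investigate(seed, max_pivots=MAX_PIVOTS, related=MOCK_RELATED.get):
    """Breadth-first pivot: each hop is one Observe -> Reason -> Act round.
    Returns (ioc, depth, type, tools) tuples; the seen-set prevents loops."""
    seen = {seed}
    queue = [(seed, 0)]
    visited = []
    while queue:
        ioc, depth = queue.pop(0)
        ioc_type = classify_ioc(ioc)
        visited.append((ioc, depth, ioc_type, select_tools(ioc_type)))
        if depth >= max_pivots:
            continue  # depth cap reached: keep the IOC for the report, do not expand it
        for new_ioc in related(ioc) or []:
            if new_ioc not in seen:
                seen.add(new_ioc)
                queue.append((new_ioc, depth + 1))
    return visited
```

With the constructed data, `investigate("185.220.101.34")` reaches the two associated domains at depth 1 and `198.51.100.7` at depth 2, and stops there; the depth cap is what keeps an enrichment chain from fanning out across the whole Internet one WHOIS record at a time.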
Auto-pivot
When a tool returns related IOCs, the agent extracts and investigates them automatically:
```
IP 185.220.101.34
  ↓ VirusTotal returns associated domains
  ├─ evil-c2.example.com → investigates
  └─ malware-host.net → investigates
  ↓ WHOIS returns registrant email
  └─ attacker@protonmail.com → notes for report
```
Configurable parameters:
```
MAX_PIVOTS=2 # Maximum pivot depth (default: 2)
```
Risk Dashboard
The scoring system aggregates signals from multiple sources into a composite 0-100 score:
| Score | Level | Color | Meaning |
|---|---|---|---|
| 0-20 | CLEAN | Green | No signs of malicious activity |
| 21-40 | LOW | Yellow | Minor indicators, monitor |
| 41-60 | MEDIUM | Orange | Suspicious activity, investigate |
| 61-80 | HIGH | Light Red | High probability of malice |
| 81-100 | CRITICAL | Red | Malicious with high confidence |
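The 0-100 composite and the level bands above, together with the factor weights listed under "Factors contributing to score" next, as an added example that is not the project's code. The page gives only qualitative weights (low, medium, high, very high); the numeric `WEIGHTS`, the normalisation caps in `normalise`, and the signal keys (`vt_detections`, `abuse_confidence`, `in_threat_feed`, `otx_pulses`, `suspicious_ports`, `seen_before`) are assumptions made for this example.

```python
"""Added example, not the project's code: weighted composite 0-100 risk score
and mapping onto the CLEAN..CRITICAL bands from the Risk Dashboard table."""

# Level bands from the page's table (inclusive bounds on an integer score).
LEVELS = [
    (0, 20, "CLEAN"),
    (21, 40, "LOW"),
    (41, 60, "MEDIUM"),
    (61, 80, "HIGH"),
    (81, 100, "CRITICAL"),
]

# Numeric weights are an assumption; the relative ordering follows the page's
# low / medium / high / very high labels.
WEIGHTS = {
    "vt_detections": 30,   # AV detections in VirusTotal (high)
    "abuseipdb": 30,       # abuse score in AbuseIPDB (high)
    "threat_feeds": 40,    # presence in threat feeds (very high)
    "otx_pulses": 15,      # pulses in AlienVault OTX (medium)
    "shodan_ports": 15,    # suspicious ports/services in Shodan (medium)
    "history": 5,          # seen in previous investigations (low)
}


def normalise(signals):
    """Map raw tool output onto 0.0-1.0 signal strengths. The caps (10 AV engines,
    5 OTX pulses) are assumptions; AbuseIPDB's confidence score is already 0-100."""
    return {
        "vt_detections": min(signals.get("vt_detections", 0) / 10, 1.0),
        "abuseipdb": min(signals.get("abuse_confidence", 0) / 100, 1.0),
        "threat_feeds": 1.0 if signals.get("in_threat_feed") else 0.0,
        "otx_pulses": min(signals.get("otx_pulses", 0) / 5, 1.0),
        "shodan_ports": 1.0 if signals.get("suspicious_ports") else 0.0,
        "history": 1.0 if signals.get("seen_before") else 0.0,
    }


def composite_score(signals):
    """Weighted sum scaled to 0-100. The denominator is the full weight budget, so a
    single strong source (e.g. one AV hit) cannot push an IOC into CRITICAL by itself."""
    strengths = normalise(signals)
    total = sum(WEIGHTS.values())
    raw = sum(WEIGHTS[k] * strengths[k] for k in WEIGHTS)
    return round(100 * raw / total)


def score_level(score):
    """Band lookup; raises rather than silently mis-labelling an out-of-range value."""
    for lo, hi, name in LEVELS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score out of range: {score}")


def assess(signals):
    """Convenience: (score, level) pair for one IOC, as a dashboard row would need."""
    score = composite_score(signals)
    return score, score_level(score)
```

With these weights, the Tor exit node from the reasoning example (87 AV detections, maximal AbuseIPDB confidence, present in a threat feed, three OTX pulses, suspicious ports) scores 92 and lands in CRITICAL, while an indicator with three AV detections, AbuseIPDB confidence 50 and two pulses scores 22, just inside LOW.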
Factors contributing to score
- AV detections in VirusTotal (high weight)
- Abuse score in AbuseIPDB (high weight)
- Presence in threat feeds (very high weight)
- Pulses in AlienVault OTX (medium weight)
- Suspicious ports/services in Shodan (medium weight)
- History in previous investigations (low weight)
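The next section, Intelligent caching, describes a SQLite cache that every tool consults before making a live, rate-limited API call, with a TTL taken from `CACHE_TTL_SECONDS`. As an added example that is not the project's code, here is one way to build such a cache-first wrapper: the `ToolCache` class, its table layout, the `(tool, ioc)` key and the hit/miss counters are assumptions for this example; only the environment variable name and its 86400-second default come from the page.

```python
"""Added example, not the project's code: a cache-first wrapper around threat-intel
tool calls, backed by SQLite with a TTL in seconds (CACHE_TTL_SECONDS, default 24h)."""
import json
import os
import sqlite3
import time

CACHE_TTL_SECONDS = int(os.environ.get("CACHE_TTL_SECONDS", "86400"))  # default from the page


class ToolCache:
    def __init__(self, path=":memory:", ttl=CACHE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS tool_cache ("
            " tool TEXT NOT NULL, ioc TEXT NOT NULL, fetched_at REAL NOT NULL,"
            " result TEXT NOT NULL, PRIMARY KEY (tool, ioc))"
        )
        self.hits = 0
        self.misses = 0

    def get(self, tool, ioc):
        """Return the cached result, or None when absent or older than the TTL."""
        row = self.conn.execute(
            "SELECT fetched_at, result FROM tool_cache WHERE tool = ? AND ioc = ?",
            (tool, ioc),
        ).fetchone()
        if row is None or self.clock() - row[0] > self.ttl:
            self.misses += 1
            return None
        self.hits += 1
        return json.loads(row[1])

    def put(self, tool, ioc, result):
        self.conn.execute(
            "INSERT OR REPLACE INTO tool_cache VALUES (?, ?, ?, ?)",
            (tool, ioc, self.clock(), json.dumps(result)),
        )
        self.conn.commit()

    def call(self, tool, ioc, live_fn):
        """Cache-first: serve a fresh entry, otherwise run live_fn(ioc) and store it."""
        cached = self.get(tool, ioc)
        if cached is not None:
            return cached
        result = live_fn(ioc)
        self.put(tool, ioc, result)
        return result

    def stats(self):
        """What a `/cache stats` style view would report: hit/miss counters and
        the number of entries still inside the TTL."""
        fresh = self.conn.execute(
            "SELECT COUNT(*) FROM tool_cache WHERE ? - fetched_at <= ?",
            (self.clock(), self.ttl),
        ).fetchone()[0]
        return {"hits": self.hits, "misses": self.misses, "fresh_entries": fresh}
```

Keying on `(tool, ioc)` rather than on the IOC alone matters because a stale Shodan answer should not mask a fresh VirusTotal one; expiry is checked on read, so a stale row is simply overwritten by the next live call instead of needing a sweeper.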
Intelligent caching
To avoid redundant API calls (especially with rate limits), all results are cached in SQLite:
```
CACHE_TTL_SECONDS=86400 # 24 hours (default)
```
Caching is transparent: tools check the cache first before making real calls. You can see cache status with:
```
osint> /cache stats
```
Live threat feeds
The agent can analyze IOCs directly from feeds:
| Feed | What it contains | Command |
|---|---|---|
| Feodo Tracker | IPs of active botnet C2s | --feed feodo |
| URLhaus | URLs distributing malware | --feed urlhaus |
| IPsum | Malicious IPs by source count | --feed ipsum |
| C2IntelFeeds | Known C2 infrastructure | --feed c2intel |
```
osint-agent --feed feodo --limit 5    # Investigate the 5 most recent C2 IPs
osint-agent --feed urlhaus --limit 3  # Investigate the 3 most recent malware URLs
```
Threat intelligence reports
After an investigation session, generate a Markdown report with:
- Executive summary: main findings in a few sentences
- Per-IOC assessments: detailed analysis of each indicator
- Risk dashboard: table with all IOCs and their scores
- Timeline: chronological order of investigated events
- Recommendations: suggested actions based on findings
```
osint> /report save
# → reports/osint-report-2026-03-07-143022.md
```