This is blog #3 in a series of 6 discussing AI Agents, the Query Security Data Mesh, and why normalized data is the differentiator in AI for Security Operations. As part of this blog series, we’re introducing the release of six mission-specific AI Agents now available in preview to Query customers. These agents are designed to assist with core SOC workflows, bringing targeted automation to key areas like triage, investigation, and response.

Background: The “Why” – Drowning in a Sea of Intelligence

In cybersecurity, knowledge is power. But today’s security teams are facing a paradox: they have access to more threat intelligence than ever before, yet they struggle to make it actionable. Every day brings a new wave of data—detailed reports from security vendors, government advisories from agencies like CISA, open-source intelligence (OSINT) from blogs, and structured feeds in formats like STIX. The result is a constant, manual struggle. Analysts spend hours, not minutes, meticulously reading through lengthy PDFs and web pages, manually copying and pasting Indicators of Compromise (IOCs), and attempting to connect the dots between a threat actor’s tactics and their own defensive posture.

This manual process is slow, prone to human error, and fundamentally unscalable. By the time an analyst has deconstructed a report and is ready to hunt for the threats within their own environment, the adversary may have already achieved their objectives. The core problem is not a lack of intelligence, but a bottleneck in processing it. We need to bridge the gap between receiving a threat report and taking defensive action.

This is the precise “Why” for the Threat Research Agent. By combining specialized AI with the unified access of a federated security data mesh, we can automate the entire intelligence extraction and contextualization process. This agent acts as a digital threat intelligence analyst, reading and understanding disparate sources at machine speed, and transforming raw information into structured, actionable intelligence that can be used for immediate defensive action.

The “What”: Deconstructing the Threat Research Agent

The Threat Research Agent is purpose-built to ingest, parse, and contextualize unstructured threat intelligence. It systematically breaks down complex reports and advisories, extracting the critical elements a security team needs to understand and respond to a threat.

Core Capabilities and Architecture

The agent is an intelligent system that integrates a powerful Large Language Model (LLM) with a suite of specialized tools and a deep, curated knowledge base.

  • LLM Engine: At its heart, the agent uses an LLM trained and prompted to understand the nuance and context of human language in security reports. It doesn’t just find keywords; it comprehends the relationships between malware, vulnerabilities, and adversary techniques.
  • Specialized Tools: The agent’s true power comes from its purpose-built toolkit, which allows it to interact with the digital world like a human analyst, only faster:
    • Omnivorous Parsers: The agent can ingest data from almost any source. It has tools to fetch content directly from URLs (fetch_url_content) and parse a wide variety of formats, including PDFs (parse_pdf_from_url), JSON (parse_json_from_url), and XML (parse_xml_from_url). A fallback parser ensures that even unconventional web content can be converted into analyzable text.
    • Automated Link Extraction: The agent doesn’t stop at the first page. It automatically finds and processes relevant hyperlinks embedded within a source document, allowing it to follow a trail of intelligence from a blog post to a detailed STIX file on GitHub.
    • CVE and IOC Enrichment: The agent can identify CVEs (extract_cves) and automatically enrich them with critical context using its retrieve_cve_details tool. This includes pulling real-time Exploit Prediction Scoring System (EPSS) data to determine the likelihood of a vulnerability being exploited in the wild.
  • Federated Search Integration: This is the critical link from passive intelligence to active defense. After extracting IOCs like IP addresses, file hashes, and domains, the next logical step is to ask: “Are any of these in my environment?” The agent’s output is perfectly structured to be fed into Query Federated Search, enabling an analyst to immediately hunt for these threats across all their connected data sources—EDR, SIEM, cloud and more—without moving any data. It closes the loop between knowing about a threat and finding it.
  • Curated Knowledge Base: The agent’s analysis is grounded in industry-standard frameworks. It has embedded knowledge of:
    • STIX 2.1: To understand and interpret structured threat intelligence.
    • MITRE ATT&CK®: To map observed adversary behaviors to specific Tactics, Techniques, and Procedures (TTPs).
    • EPSS: To provide data-driven context on vulnerability prioritization.

The “So What”: Strategic, Operational, and Tactical Value

The Threat Research Agent transforms a manual, reactive process into an automated, proactive one. It delivers immediate value by saving time, improving accuracy, and accelerating response.

Use Case 1: Deconstructing a Government Advisory

  • Scenario: CISA releases a new alert as a PDF detailing a nation-state actor’s recent campaign, including dozens of IOCs and multiple CVEs.
  • Traditional Workflow (Hours): An analyst downloads the PDF. They manually read through all 20 pages, carefully copying each IP address, domain, and file hash into a separate document. They might miss one or transpose a character. They then look up each CVE one by one on multiple websites to assess its severity and search for patch information. Only after this laborious process can they begin to search for the IOCs in their security tools.
  • Agent Workflow (Minutes): The analyst gives the URL of the CISA PDF to the Threat Research Agent. The agent ingests and reads the document. It automatically extracts all IOCs, categorizes them by type (IP, domain, hash), and presents them in clean markdown tables. It simultaneously enriches every CVE with its CVSS and EPSS score. The analyst receives a complete, actionable intelligence package, ready for threat hunting, in a fraction of the time.
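The extraction and enrichment step in this workflow (pull IOCs out of free text, group them by type, normalize defanged values, render markdown tables, and attach EPSS scores to the CVEs) can be sketched in plain Python. The block below is an added example and is not the Threat Research Agent's own code; it uses regular expressions rather than an LLM, the advisory text and the EPSS response body are constructed samples, and only the FIRST EPSS endpoint URL is real (it is built but never called here).

```python
import json
import re

# Constructed sample advisory (not a real CISA alert). The hashes are the
# well-known SHA-256 of "test" and MD5 of the empty string, used as stand-ins.
SAMPLE_ADVISORY = """
Threat Advisory (constructed sample)
The actor staged payloads on hxxp://update-cdn[.]example[.]net/setup.exe and
beaconed to 203.0.113.45 and 198[.]51[.]100[.]7 over TCP/443, then resolved
the C2 domain cdn-sync[.]example[.]org.
Observed dropper SHA256:
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Loader MD5: d41d8cd98f00b204e9800998ecf8427e
Exploited vulnerabilities: CVE-2021-40438 and cve-2023-4863.
Full STIX bundle: https://github.com/example-org/intel/blob/main/bundle.json
"""

# Real FIRST endpoint for EPSS lookups; this script builds the URL but does
# not perform any network call.
EPSS_API = "https://api.first.org/data/v1/epss"

PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|biz)\b", re.IGNORECASE),
}


def refang(text):
    """Undo the common defanging conventions used in published reports."""
    return (text.replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .replace("[.]", ".")
                .replace("(.)", "."))


def dedupe(values):
    """Drop duplicates while keeping first-seen order."""
    return list(dict.fromkeys(values))


def extract_indicators(raw_text):
    """Return indicators grouped by type, normalized to a canonical form."""
    text = refang(raw_text)
    found = {"url": dedupe(PATTERNS["url"].findall(text))}
    # Bare domains are matched on text with URLs removed, so a URL's host
    # is reported once (as part of the URL) rather than twice.
    text_without_urls = PATTERNS["url"].sub(" ", text)
    found["domain"] = dedupe(m.lower() for m in PATTERNS["domain"].findall(text_without_urls))
    found["ipv4"] = dedupe(PATTERNS["ipv4"].findall(text))
    found["sha256"] = dedupe(m.lower() for m in PATTERNS["sha256"].findall(text))
    found["md5"] = dedupe(m.lower() for m in PATTERNS["md5"].findall(text))
    found["cve"] = dedupe(m.upper() for m in PATTERNS["cve"].findall(text))
    return found


def to_markdown_tables(indicators):
    """Render one markdown table per indicator type (empty types are skipped)."""
    lines = []
    for kind, values in indicators.items():
        if not values:
            continue
        lines += [f"### {kind}", "| # | value |", "|---|---|"]
        lines += [f"| {i} | {v} |" for i, v in enumerate(values, 1)]
        lines.append("")
    return "\n".join(lines)


def epss_query_url(cves):
    """Build the EPSS bulk-lookup URL for a list of CVE IDs."""
    return f"{EPSS_API}?cve={','.join(cves)}"


def parse_epss_response(body):
    """Map CVE -> (epss, percentile) from an EPSS API JSON body."""
    payload = json.loads(body)
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in payload.get("data", [])}


def prioritize(cves, scores, threshold=0.5):
    """CVEs whose EPSS probability meets the threshold, highest first."""
    ranked = sorted(cves, key=lambda c: scores.get(c, (0.0, 0.0))[0], reverse=True)
    return [c for c in ranked if scores.get(c, (0.0, 0.0))[0] >= threshold]


# Constructed EPSS response in the API's documented shape; scores are made up.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2021-40438", "epss": "0.97", "percentile": "0.99", "date": "2024-01-01"},
        {"cve": "CVE-2023-4863", "epss": "0.12", "percentile": "0.94", "date": "2024-01-01"},
    ],
})

if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE_ADVISORY)
    print(to_markdown_tables(iocs))
    print("EPSS lookup:", epss_query_url(iocs["cve"]))
    scores = parse_epss_response(SAMPLE_EPSS_RESPONSE)
    print("Patch first:", prioritize(iocs["cve"], scores))
```

The per-type lists are what an analyst would paste into a federated search; normalizing case and refanging up front is what makes a hash or domain match an EDR or SIEM record rather than silently miss it.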

Use Case 2: The Deep-Dive Threat Report

  • Scenario: A trusted security vendor publishes a deep-dive report on a new ransomware family. The report is dense with information and links to external resources, including the malware’s configuration file hosted on a code-sharing site.
  • Traditional Workflow (Days): An analyst spends the day reading the report. They extract the primary IOCs but may not have time to follow every external link. The linked configuration file, which contains a rich set of command-and-control (C2) domains, might be missed entirely.
  • Agent Workflow (Minutes): The analyst provides the report URL to the agent. The agent not only extracts the IOCs from the main body but also identifies the external link to the malware configuration. It automatically fetches and parses this nested link, extracts the C2 domains, and adds them to the consolidated intelligence report, providing a more complete picture of the threat than a manual review might have produced.
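The nested-link step in this use case (find hyperlinks in the report, resolve relative ones against the page URL, and decide which are worth fetching as intelligence artefacts) is shown below as an added example, not the agent's own link-extraction tool. The HTML and URLs are constructed; the suffix list and the rule that only http(s) links are eligible are assumptions chosen to keep the crawl bounded.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample report page; none of these hosts are real sources.
SAMPLE_HTML = """
<html><body>
<p>Read our <a href="/2024/ransomware-report.html">full write-up</a>.</p>
<p>Sample config: <a href="https://github.com/example-org/intel/raw/main/config.json">config.json</a></p>
<p>IOC list: <a href="https://intel.example.test/iocs.csv">iocs.csv</a></p>
<p>Contact: <a href="mailto:research@vendor.example">research@vendor.example</a></p>
<p>Again: <a href="https://intel.example.test/iocs.csv">same CSV</a></p>
</body></html>
"""

# Assumed suffixes that typically hold machine-readable intelligence.
INTEL_SUFFIXES = (".json", ".stix", ".csv", ".txt", ".pdf", ".xml")


class LinkCollector(HTMLParser):
    """Collect absolute href targets from <a> tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(urljoin(self.base_url, value))


def extract_links(html, base_url):
    """All hyperlinks in the page, resolved and de-duplicated in order."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    return list(dict.fromkeys(collector.links))


def select_followable(links, max_links=10):
    """Keep only http(s) links that look like intelligence artefacts."""
    chosen = []
    for link in links:
        parsed = urlparse(link)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, file: and friends are never fetched
        if parsed.path.lower().endswith(INTEL_SUFFIXES):
            chosen.append(link)
    return chosen[:max_links]  # hard cap so one page cannot fan out indefinitely


if __name__ == "__main__":
    page_url = "https://vendor.example/blog/new-ransomware"
    all_links = extract_links(SAMPLE_HTML, page_url)
    print("Found:", all_links)
    print("Will fetch:", select_followable(all_links))
```

Fetched content is attacker-influenced text, so in a real pipeline the selected links would still be fetched with a size limit, a timeout and a fixed hop depth before their contents are handed to the indicator extractor.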

The “Now What”: The Future is a Team of Specialists

The Threat Research Agent is a foundational component of the modern, AI-enabled SOC. It acts as the intelligent “front door” for all incoming threat intelligence, ensuring that your team is never starting from scratch. It perfectly embodies the shift from general-purpose AI to specialized agents that solve specific, high-value problems.

The key takeaway is this: augmenting your human team with specialized AI is the only scalable way to operate at the speed of today’s threats. The Threat Research Agent handles the toil of data extraction and contextualization, freeing up your most valuable resource—your analysts—to focus on strategic activities: validating threats, hunting for adversaries, and hardening defenses. This isn’t about replacing analysts; it’s about supercharging them.