Vulnerability Intelligence Agent
Overview
The Vulnerability Intelligence Agent is a powerful AI-driven tool designed to streamline vulnerability management and security operations. It automates the process of identifying, enriching, and prioritizing vulnerabilities within your environment. By leveraging internal security data and external threat intelligence, the agent provides security teams with the context-rich insights needed to make informed decisions and take swift, effective action against threats.
The agent's primary function is to process cybersecurity vulnerability data, focusing on Common Vulnerabilities and Exposures (CVEs). It uses a variety of tools to extract CVEs from security advisories and news, research CVE data, and correlate this information with data from your connected platforms to determine the impact on your environment and guide remediation efforts.
How It Works
The Vulnerability Intelligence Agent operates through a systematic, multi-stage workflow to transform raw vulnerability data into actionable intelligence. Each step is powered by a specialized set of tools and knowledge sources.
Intelligent Data Ingestion and CVE Extraction
The process begins when you provide the agent with an input, such as a URL to a security advisory, a block of text, or a direct query. The agent uses a suite of parsing tools (`parse_pdf_from_url`, `parse_json_from_url`, `fetch_url_content`) to ingest and understand the content. Its first critical task is to use the `extract_cves` tool to scan the text and identify every unique CVE identifier mentioned. This list of CVEs becomes the foundation for the entire investigation.
Federated Search for Environmental Context
With a list of CVEs, the agent's next priority is to determine the "blast radius" within your specific environment. It does this by querying the Query Security Data Mesh, which federates data across all your connected platforms. The agent selects the most appropriate tool for the job based on your query, such as `get_vulnerabilities_by_cve_id`, `get_vulnerabilities_by_asset_names`, or `get_vulnerabilities_by_ips`. This search correlates the CVEs against your internal asset inventories and vulnerability scan data to find every affected device, workload, and resource. The agent then parses the structured `summary` and `events` data returned from the tools to build a clear picture of the affected assets.
Multi-Source Threat Intelligence Enrichment
Understanding that a vulnerability exists is only half the battle. To provide true intelligence, the agent enriches the internal findings with external context. For each unique CVE found in your environment, it automatically calls the `retrieve_cve_details` tool. This tool gathers critical data points from multiple industry-standard sources, which the agent then interprets using its built-in knowledge bases:
- CVSS (Common Vulnerability Scoring System): Provides the base severity score.
- EPSS (Exploit Prediction Scoring System): Offers a probability score (e.g., 95%) indicating the likelihood of active exploitation in the wild, helping to separate theoretical risks from immediate threats.
- SSVC (Stakeholder-Specific Vulnerability Categorization): Delivers a decision-making framework to help prioritize remediation based on the potential operational impact to your organization.
Synthesized Analysis and Actionable Reporting
In the final stage, the agent synthesizes all the correlated internal data and enriched external intelligence into a single, cohesive report. Following its "Standard Analysis and Reporting Workflow," it produces a concise, actionable summary for each vulnerability. This report explicitly links each CVE to the specific assets it affects, explains the vulnerability's risk in the context of your organization using the enriched data, and provides clear remediation guidance informed by its knowledge of the NIST SP 800-40r4 patch management framework. The result is a prioritized list of actions that allows your security team to bypass manual data correlation and move directly to mitigation.
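The four stages above, as an added end-to-end example that is not the agent's own code: it extracts CVE identifiers from a constructed advisory text, correlates them against a constructed set of scanner findings standing in for the federated search results, enriches them with constructed CVSS/EPSS values and an SSVC "exploitation" state standing in for `retrieve_cve_details` output, and emits a prioritized report. All identifiers, assets and scores are constructed, and the decision logic in `priority()` is a simplified stand-in, not CISA's full SSVC decision tree.

```python
import re

# Constructed advisory text (not a real advisory). It deliberately contains a
# lower-cased duplicate and a truncated id so the extractor's normalisation
# and dedup behaviour is visible.
ADVISORY_TEXT = """
Example advisory: the vendor fixed CVE-2023-12345 and cve-2023-12345 (duplicate)
in release 4.2. A related bug, CVE-2024-0001, is also addressed. The string
CVE-2023-1234567 is a valid long-form identifier; 'CVE-2023-' alone is not.
"""

# Constructed stand-in for the federated search results: one row per
# (asset, CVE) finding, as a vulnerability scanner would report them.
FINDINGS = [
    {"asset": "web-01", "ip": "10.1.2.3", "cve": "CVE-2023-12345", "exposure": "internet"},
    {"asset": "web-02", "ip": "10.1.2.4", "cve": "CVE-2023-12345", "exposure": "internet"},
    {"asset": "db-01", "ip": "10.1.9.9", "cve": "CVE-2024-0001", "exposure": "internal"},
]

# Constructed stand-in for retrieve_cve_details output (hypothetical values):
# CVSS base score, EPSS probability, SSVC exploitation decision point.
INTEL = {
    "CVE-2023-12345": {"cvss": 9.8, "epss": 0.95, "exploitation": "active"},
    "CVE-2024-0001": {"cvss": 7.5, "epss": 0.02, "exploitation": "poc"},
    "CVE-2023-1234567": {"cvss": 5.3, "epss": 0.01, "exploitation": "none"},
}

# CVE ids are "CVE-" + 4-digit year + 4 or more digits; match case-insensitively.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def extract_cves(text):
    """Return the unique CVE ids in text, upper-cased, in first-seen order."""
    seen = {}
    for m in CVE_RE.finditer(text):
        seen.setdefault(m.group(0).upper(), None)
    return list(seen)


def correlate(cves, findings):
    """Map each CVE to the findings that reference it (its blast radius)."""
    by_cve = {c: [] for c in cves}
    for f in findings:
        if f["cve"] in by_cve:
            by_cve[f["cve"]].append(f)
    return by_cve


def priority(intel, affected):
    """Simplified SSVC-style outcome (assumption; not CISA's decision tree)."""
    if not affected:
        return "Track"                      # nothing in the environment is affected
    exposed = any(f["exposure"] == "internet" for f in affected)
    if intel["exploitation"] == "active" or intel["epss"] >= 0.5:
        return "Act" if exposed else "Attend"
    if intel["cvss"] >= 9.0:
        return "Attend"
    return "Track"


def triage(text, findings, intel):
    """End-to-end: extract -> correlate -> enrich -> ranked report rows."""
    rows = []
    for cve in extract_cves(text):
        affected = correlate([cve], findings)[cve]
        info = intel.get(cve, {"cvss": 0.0, "epss": 0.0, "exploitation": "none"})
        rows.append({
            "cve": cve,
            "priority": priority(info, affected),
            "assets": sorted(f["asset"] for f in affected),
            "cvss": info["cvss"],
            "epss": info["epss"],
        })
    order = {"Act": 0, "Attend": 1, "Track": 2}
    rows.sort(key=lambda r: (order[r["priority"]], -r["epss"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in triage(ADVISORY_TEXT, FINDINGS, INTEL):
        print(f"{r['priority']:<7} {r['cve']:<17} CVSS {r['cvss']:<4} "
              f"EPSS {r['epss']:.0%} assets={r['assets']}")
```

The report puts the one CVE that is both actively exploited and present on internet-facing hosts at the top; the CVE that appears in the advisory but on no asset stays at "Track", which is the distinction between a theoretical and an environmental risk that the page describes.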
Use Cases
This agent is designed to support a variety of security operations and vulnerability management tasks.
| Use Case | Description |
|---|---|
| Triage Security Advisories | Provide the agent with a URL to a security advisory or threat intelligence report. It will automatically parse the content, extract all CVEs, and check your environment for impacted assets. |
| Investigate Specific CVEs | Ask the agent for information on a specific CVE (e.g., "Find assets affected by CVE-2023-12345"). It will query your systems and return a list of affected devices along with enriched data about the vulnerability. |
| Prioritize by Severity | Request a list of vulnerabilities based on severity levels (e.g., "Show me all 'Critical' and 'High' severity vulnerabilities"). The agent will retrieve the relevant findings and provide context to help with prioritization. |
| Assess Asset-Based Risk | Search for vulnerabilities affecting specific assets by providing identifiers like hostnames, IP addresses, or MAC addresses. This helps in understanding the risk posture of critical systems. |
| Analyze by OS or CVSS | Query for vulnerabilities based on specific operating systems (e.g., Windows, Linux) or by providing a CVSS vector string to find vulnerabilities with specific characteristics. |
Supported Workflows
The agent is flexible and can be initiated through several conversational queries:
Finding Vulnerabilities by Severity
- User: "Find all Critical vulnerabilities."
- Agent: Uses the `get_vulnerabilities_by_severity()` tool and proceeds with the standard analysis and reporting workflow.
Processing a URL
- User: "Analyze this advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"
- Agent: Fetches and parses the content, extracts CVEs, and begins the analysis workflow.
Searching by CVSS Vector
- User: "Are there any vulnerabilities matching the vector 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'?"
- Agent: Uses the `get_vulnerabilities_by_cvss_vector()` tool to find matching findings.
Searching by Operating System
- User: "Show me all vulnerabilities on our Linux servers."
- Agent: Uses the `get_vulnerabilities_by_device_os()` tool to retrieve relevant data.
Searching by Asset Identifiers
- User: "What vulnerabilities are on the device with IP 10.1.2.3?"
- Agent: Uses the `get_vulnerabilities_by_ips()` tool to find vulnerabilities on that specific asset.
Recommended Connectors
To maximize the effectiveness of the Vulnerability Intelligence Agent, we recommend connecting to data sources that provide comprehensive asset and vulnerability information. The more context the agent has, the more accurate and actionable its insights will be.
Highly Recommended
- Endpoint Detection & Response (EDR): (e.g., CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) Provides rich asset data, including hostnames, OS versions, and installed software.
- Vulnerability Management: (e.g., Tenable, Qualys, Rapid7) The primary source for vulnerability findings and asset-to-vulnerability mappings.
- Asset Management/CMDB: (e.g., ServiceNow, Jira) Offers a centralized repository of asset information and business context.
Also Recommended
- Cloud Platforms: (e.g., AWS, Azure, GCP) Crucial for identifying vulnerabilities in cloud workloads and infrastructure.
- SIEM/Data Lakes: (e.g., Splunk, Microsoft Sentinel, Elastic) Can provide supplementary log data and security events related to assets.