| name | threat-intelligence-integration |
| description | Monitor external threat intelligence feeds and update security rules automatically to defend against emerging attacks. |
Skill: Threat Intelligence Integration
Category: Agent Security
Priority: Medium
Description
This skill enables DevinOS to consume external threat intelligence feeds, correlate indicators of compromise with the project's dependencies and runtime, and update security rules or alerts automatically to defend against emerging threats.
Purpose
To provide proactive, evidence-based defense against evolving cyber threats by making the agent aware of the external threat landscape and its own exposure.
Trigger
Use this skill when:
- A new vulnerability is announced in a dependency or tool used by the project.
- The project needs continuous monitoring of threat feeds.
- A security review requires checking dependencies against known threat indicators.
- The user wants to automate security rule updates based on threat intelligence.
Context
- Dependency manifest (package.json, requirements.txt, Cargo.toml, etc.).
- Runtime environment and exposed services.
- Threat intelligence feeds (OSINT, vendor advisories, government alerts).
- Security policy for automatic vs. manual rule updates.
- Alerting and incident response channels.
Workflow
- Identify relevant feeds. Select reputable, low-noise sources: OSV, NVD, GitHub Advisory Database, vendor security bulletins.
- Map project surface. List dependencies, runtime, exposed ports, and cloud services.
- Ingest and normalize. Pull feed data and normalize it to a common schema (CVE, CWE, affected package versions).
- Correlate. Match indicators against the project's software bill of materials (SBOM) and runtime.
- Assess risk. Score threats by exploitability, impact, and relevance to the project.
- Update rules. For high-confidence matches, update dependency pins, blocklists, or security rules.
- Alert and escalate. Notify the team and create incidents for high-risk findings.
- Verify and record. Run scans, update documentation, and store lessons learned.
Examples
Good: Respond to a new dependency CVE
Scenario: A new CVE is published for a transitive dependency used by the project.
Agent Action:
- Ingests the advisory from OSV/GitHub.
- Correlates it with the lockfile and finds the affected version.
- Checks if the project is actually vulnerable based on usage.
- Creates a PR to upgrade the dependency or applies a patch if policy allows.
- Alerts the team and records the incident.
Bad: Block every package mentioned in any feed
Scenario: A feed mentions a package name that the project does not use.
Agent Action:
- Correlates carefully before taking action.
- Does not generate false-positive alerts or block benign dependencies.
Anti-patterns
- Acting on unverified or low-confidence threat data.
- Updating security rules without testing or rollback.
- Generating excessive false-positive alerts.
- Ignoring the difference between "mentioned in feed" and "actually vulnerable."
- Failing to document the source and rationale for each rule update.
Verification
Cross Skill References
- Security: Secure coding, vulnerability management, secure defaults.
- Agent Self-Healing: Applying automatic fixes for correlated threats.
- Incident Response: Escalating high-risk findings.
- Knowledge Distillation: Recording new threat patterns and rules.
References