Threat Advisories

Automated threat advisory engine that ingests security feeds, classifies threats, and maps them to ThreatOps protections.

Complete Auto-Refresh 6 Feed Sources

Overview

The Threat Advisories module provides a customer-facing intelligence feed that automatically ingests security articles from multiple sources, classifies them by threat type, maps each advisory to ThreatOps' existing protection capabilities, and presents them with actionable recommended responses. This enables SOC analysts and customer security teams to instantly understand how ThreatOps already protects them against emerging threats.

Unlike raw RSS aggregators, this module adds a protection mapping layer that correlates each advisory to specific detection rules, SOAR playbooks, monitoring capabilities, and intelligence integrations already active in the platform.

What Was Proposed

Automated ingestion from 6+ security RSS/JSON feeds (CISA, NVD, The Hacker News, BleepingComputer, Krebs on Security, US-CERT)
AI-powered threat classification into 8 categories (ransomware, phishing, vulnerability exploitation, credential theft, supply chain, insider threat, cloud misconfiguration, zero-day)
MITRE ATT&CK tactic mapping per advisory
ThreatOps protection status mapping (Detection, Response, Monitoring, Intelligence)
Auto-refresh every 30 minutes with manual refresh capability
Frontend filtering by severity and threat type

What's Built

Backend Service: `ThreatAdvisoryEngine`

Capabilities

Fetches from 6 configured security feeds (CISA KEV JSON, NIST NVD JSON, 4 RSS feeds)
Parses both RSS/Atom XML and structured JSON (CISA KEV, NVD CVE) formats
Keyword-based threat classification across 8 threat types + default
Automatic severity inference based on threat type
MITRE ATT&CK tactic mapping per threat type
ThreatOps capability mapping with specific detection, response, monitoring, and intelligence descriptions for each threat category
Content deduplication via MD5 hash of article title
Rolling buffer of last 100 advisories
Recommended actions per threat type (4 actions each)

Feed Sources

Feed	Type	URL
CISA Known Exploited Vulnerabilities	JSON	`cisa.gov/.../known_exploited_vulnerabilities.json`
NIST NVD Recent CVEs	JSON	`services.nvd.nist.gov/rest/json/cves/2.0`
US-CERT Alerts	RSS	`cisa.gov/cybersecurity-advisories/all.xml`
The Hacker News	RSS	`feeds.feedburner.com/TheHackersNews`
BleepingComputer	RSS	`bleepingcomputer.com/feed/`
Krebs on Security	RSS	`krebsonsecurity.com/feed/`

Threat Classification Mapping

Threat Type	Severity	MITRE Tactics
Ransomware	Critical	TA0040-Impact, TA0005-Defense Evasion, TA0008-Lateral Movement
Zero-Day	Critical	TA0001-Initial Access, TA0002-Execution
Vulnerability Exploitation	High	TA0001-Initial Access, TA0002-Execution
Credential Theft	High	TA0006-Credential Access, TA0008-Lateral Movement
Phishing	High	TA0001-Initial Access, TA0009-Collection
Supply Chain	High	TA0001-Initial Access, TA0003-Persistence
Insider Threat	Medium	TA0009-Collection, TA0010-Exfiltration
Cloud Misconfiguration	Medium	TA0001-Initial Access, TA0005-Defense Evasion

Architecture

Data Flow

Security Feeds (6) → ThreatAdvisoryEngine.fetch_all_feeds() → Parse RSS/JSON → classify_threat() → generate_advisory() → Map to ThreatOps Capabilities → Advisory Store (in-memory)

Singleton instance: advisory_engine shared across all API requests. Deduplication via content hash. Rolling 100-advisory buffer.

API Routing

Router prefix: /api/v1/advisories — Tag: advisories

GET /api/v1/advisories/

List all threat advisories. Filters: severity (critical/high/medium/low), threat_type, limit (1-100, default 50). Returns newest first.

GET /api/v1/advisories/stats

Get advisory counts by severity and type, total count, last refresh timestamp, feed count.

GET /api/v1/advisories/{advisory_id}

Get a single advisory by ID. Returns 404 if not found.

POST /api/v1/advisories/refresh

Trigger a manual feed refresh. Returns count of new advisories and total count.

Frontend Route

/threat-advisories — Full React page with stats bar, severity/type filters, expandable advisory cards, protection mapping, MITRE tactic tags, and recommended action checklists.

Prerequisites

Network access to external feed URLs from the API container
httpx Python package (async HTTP client with redirect following)
No database dependency -- the advisory store is in-memory with a singleton pattern
Frontend auto-refreshes every 5 minutes via setInterval

Data Model

Advisories are stored as plain dictionaries in the ThreatAdvisoryEngine.advisories list (in-memory). No database models required.

Advisory Object Schema

{
  "id": "string (MD5 hash prefix)",
  "title": "string",
  "source": "string (feed name)",
  "source_url": "string (original article URL)",
  "published_at": "ISO 8601 datetime",
  "ingested_at": "ISO 8601 datetime",
  "threat_type": "ransomware|phishing|vulnerability_exploitation|credential_theft|supply_chain|insider_threat|cloud_misconfiguration|zero_day|default",
  "severity": "critical|high|medium|low",
  "summary": "string (max 500 chars)",
  "cve_id": "string|null",
  "threatops_protection": {
    "status": "protected",
    "detection": "string",
    "response": "string",
    "monitoring": "string",
    "intelligence": "string"
  },
  "mitre_tactics": ["string"],
  "recommended_actions": ["string"]
}

UI Description

The frontend at /threat-advisories presents:

Header with shield icon, title, and orange "Refresh Feeds" button
Stats Bar -- 4 cards: Total Advisories, Critical count, Active Feeds count, Last Refresh time
Filter Bar -- Dropdown selects for severity (All/Critical/High/Medium/Low) and threat type (8 categories)
Advisory Cards -- Expandable cards showing:
- Severity dot and badge, threat type badge, CVE badge (if applicable), "Protected" status badge
- Source name, relative time ("2h ago"), and 2-line summary preview
- Expanded section: "How ThreatOps Protects You" grid (Detection, Response, Monitoring, Intelligence)
- MITRE ATT&CK tactic tags as monospace badges
- Checkable recommended actions list
- Footer with publish date, ingest date, advisory ID, and "View Source" external link
Loading spinner and empty-state illustration
Fallback mock data (6 advisories) when API is unavailable

Source Files

Component	Path
API Router	`platform/api/app/routers/advisories.py`
Service Engine	`platform/api/app/services/threat_advisory_service.py`
Frontend Page	`platform/frontend/src/app/threat-advisories/page.tsx`