# Threat Intelligence in the Era of AI

By [Tal Hagag](https://www.paloaltonetworks.com/blog/author/tal-hagag/?ts=markdown "Posts by Tal Hagag"), Apr 29, 2026
![Fig 1: Threat Intelligence AI Agent workflow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/04/blog-image.png)

Fig 1: Threat Intelligence AI Agent workflow

When a novel EDR bypass drops on GitHub, or a critical CVE hits the CISA KEV catalog, security teams don't just need to know it exists. They need the answer to one immediate question: "**Does our Cortex XDR detect this right now?**"

Historically, answering that question was a race against the clock. My research team would spend hours manually reading deep-dive blogs, extracting complex techniques, reverse-engineering newly published proofs-of-concept (PoCs), and manually validating our existing detection coverage. But by the time a human security researcher finds a new technique, triages it, checks whether the product detects it, and writes up coverage, dozens more threats have landed.
We realized that to stay ahead of rapidly evolving threats, we needed an autonomous solution: a system that could generate a personalized, trend-aware, and highly prioritized threat intelligence (TI) feed tailored specifically to our Cortex product's detection posture.

### **The Solution: Autonomous AI Threat Intelligence**

To close the time gap between a threat emerging and our product defending against it, we built a custom autonomous **threat intelligence AI agent**. Instead of generic alerts or noisy lists of CVEs, this agent operates as a digital extension of our research team. It continuously ingests unstructured threat data from across the web, analyzes the underlying malicious techniques using an LLM, and, most importantly, **autonomously extracts and maps the exact primitives, TTPs, and PoCs that our researchers need to validate coverage.**

We aren't just using generative AI to summarize text. We are using it to combine the deep, low-level expertise of our human researchers with machine speed to drastically reduce our time-to-detection. By automating the most critical parts of threat hunting (identifying emerging, high-impact exploits and breaking down their technical mechanics), the agent feeds our team a highly customized intelligence pipeline. Instead of spending hours searching for technical details, our researchers can focus immediately on analyzing our defenses, closing coverage gaps, and delivering proactive remediation to our customers.

### **Deconstructing the Agent Architecture**

To understand how this agent works, let's break down the autonomous workflow into its core building blocks. Just as a human security analyst does, the agent needs to perceive information, process it, remember it, and finally act on it.

**Threat Perception Layer**

Acting as our digital scout, this layer leverages external APIs to continuously monitor the threat landscape.
It polls structured threat feeds (such as CISA and NIST), scans unstructured code repositories (such as GitHub) for newly published proof-of-concept (PoC) exploits, and uses web search APIs to gather broader context on breaking security news.

**Autonomous Data Ingestion**

Raw data from the internet is messy. This layer acts as the translator, taking unstructured HTML, JSON blobs, and API responses and running them through dedicated scrapers and parsers. The goal is to extract only the relevant signals, strip away the noise, and output clean, standardized threat data that the AI can analyze without hallucinating.

**Cognitive Processing Hub**

This is the core engine ("The Brain") of the agent. Here, an LLM is used not as a chatbot, but as a reasoning engine. Operating with schema-constrained prompts written from the perspective of a security researcher, it extracts offensive techniques, profiles potential threat actors, and analyzes vulnerability severity.

**Structured Knowledge Base**

An intelligent agent needs persistent memory to remember what it has already seen. The agent uses MongoDB as its memory, storing all previously processed intelligence. This allows it to cross-reference new data against historical threats, using semantic deduplication so that a single technique reported across three different blogs becomes a single, clean, unified entry.

**Intelligence Dispatch**

Once the brain synthesizes the intelligence, this layer formats and routes the findings. It automatically generates structured Markdown reports and triggers distribution via webhooks, including daily Slack reports and monthly deep-dives. It meets our researchers where they already work.

**Actionable Threat Intelligence Feed**

Instead of thousands of raw CVEs and noisy links, the end product is a highly curated, prioritized feed of security alerts.
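The post does not publish the agent's code, so the following is an added Python example, written for this edit rather than taken from Palo Alto Networks, of the pipeline the building blocks above describe: normalize raw items from several sources into one schema, merge duplicates into a single knowledge-base entry, rank by exploitation status and PoC availability, and render a Markdown report for dispatch. It makes several simplifying assumptions: a plain list stands in for the MongoDB knowledge base, token-overlap (Jaccard) similarity plus shared-CVE matching stands in for the LLM-driven semantic deduplication, the LLM extraction step is omitted (its schema-constrained output would feed `normalize`), and every CVE id, repository name and URL is a constructed placeholder.

```python
"""Toy ingest -> dedupe -> prioritize -> report pipeline for a TI agent.

Added illustration, not the agent's own code. A list stands in for the
MongoDB knowledge base, and "semantic" deduplication is approximated with
token-set Jaccard similarity plus shared-CVE matching instead of embeddings.
Every identifier and URL below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Filler words ignored when comparing titles.
NOISE = {"a", "an", "the", "in", "of", "for", "poc", "driver", "cve", "vulnerability"}

# Constructed sample inputs shaped like a KEV entry, a GitHub search hit and
# two snippets of blog text. The CVE id and URLs are placeholders.
KEV_ITEM = {
    "cveID": "CVE-0000-00001",
    "vulnerabilityName": "ExampleDrv Arbitrary Kernel Write Vulnerability",
    "notes": "https://example.invalid/kev/CVE-0000-00001",
}
GITHUB_ITEM = {
    "description": "PoC for arbitrary kernel write in the ExampleDrv driver (CVE-0000-00001)",
    "html_url": "https://example.invalid/researcher/exampledrv-poc",
}
BLOG_ITEM = {
    "text": "ExampleDrv driver abused for BYOVD: arbitrary kernel write",
    "url": "https://example.invalid/blog/exampledrv-byovd",
}
UNRELATED_ITEM = {
    "text": "Credential theft via browser cookie decryption bypass",
    "url": "https://example.invalid/blog/cookie-theft",
}


@dataclass
class ThreatRecord:
    """Standardized output of the ingestion layer (one row of the feed)."""
    title: str
    cves: set[str]
    sources: set[str]
    poc_available: bool = False
    actively_exploited: bool = False

    def tokens(self) -> set[str]:
        return {t for t in re.findall(r"[a-z0-9]+", self.title.lower()) if t not in NOISE}


def normalize(source: str, raw: dict) -> ThreatRecord:
    """Ingestion: map one raw item from a named source onto the schema."""
    if source == "kev":      # a KEV listing implies in-the-wild exploitation
        return ThreatRecord(raw["vulnerabilityName"], set(CVE_RE.findall(raw["cveID"])),
                            {raw["notes"]}, actively_exploited=True)
    if source == "github":   # a public repository hit is treated as PoC availability
        return ThreatRecord(raw["description"], set(CVE_RE.findall(raw["description"])),
                            {raw["html_url"]}, poc_available=True)
    if source == "blog":
        return ThreatRecord(raw["text"], set(CVE_RE.findall(raw["text"])), {raw["url"]})
    raise ValueError(f"unknown source {source!r}")


def same_threat(a: ThreatRecord, b: ThreatRecord, threshold: float = 0.5) -> bool:
    """Dedup rule: a shared CVE, or title token overlap at or above the threshold."""
    if a.cves & b.cves:
        return True
    ta, tb = a.tokens(), b.tokens()
    return bool(ta and tb) and len(ta & tb) / len(ta | tb) >= threshold


def upsert(kb: list[ThreatRecord], rec: ThreatRecord) -> ThreatRecord:
    """Knowledge base: merge into an existing entry or append a new one."""
    for existing in kb:
        if same_threat(existing, rec):
            existing.cves |= rec.cves
            existing.sources |= rec.sources
            existing.poc_available |= rec.poc_available
            existing.actively_exploited |= rec.actively_exploited
            return existing
    kb.append(rec)
    return rec


def priority(rec: ThreatRecord) -> int:
    """Higher means more urgent for a detection-coverage check."""
    return 2 * rec.actively_exploited + rec.poc_available + min(len(rec.sources), 3)


def build_report(kb: list[ThreatRecord]) -> str:
    """Dispatch: render the prioritized feed as a Markdown table."""
    rows = ["| Priority | Threat | CVEs | Exploited | PoC | Refs |", "|---|---|---|---|---|---|"]
    for r in sorted(kb, key=priority, reverse=True):
        rows.append(f"| {priority(r)} | {r.title} | {', '.join(sorted(r.cves)) or '-'} | "
                    f"{'yes' if r.actively_exploited else 'no'} | "
                    f"{'yes' if r.poc_available else 'no'} | {len(r.sources)} |")
    return "\n".join(rows)


def run_pipeline() -> list[ThreatRecord]:
    """End-to-end run over the constructed inputs; returns the knowledge base."""
    kb: list[ThreatRecord] = []
    for source, raw in [("kev", KEV_ITEM), ("github", GITHUB_ITEM),
                        ("blog", BLOG_ITEM), ("blog", UNRELATED_ITEM)]:
        upsert(kb, normalize(source, raw))
    return kb


if __name__ == "__main__":
    print(build_report(run_pipeline()))
```

Run as a script, the four inputs collapse to two knowledge-base entries: the KEV item, the PoC repository and the BYOVD blog post merge into one entry with three references, while the unrelated credential-theft item stays separate and ranks lower. The two-part merge rule matters: the GitHub hit merges because it names the same CVE, but the blog post carries no CVE at all and merges only on title similarity, which is the case an exact-match deduplicator misses and the case the post's semantic deduplication is meant to catch.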
The feed gives our teams the bottom line: the exact threat, how the exploit works, and the precise actionable data needed to evaluate our current Cortex detection coverage. Below are some examples of curated reports customized to the needs of the team:

![A screenshot of the AI agent's daily "911 Threat Feed Report," which is generated every 24 hours. It displays a structured table of high-impact, actively exploited vulnerabilities, categorized by CVE, title, detailed exploit status, and aggregated reference links.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/04/a-screenshot-of-the-ai-agents-daily-911-threat-f.png)

Fig 2: High Impact Exploit Threat Feed Report

![A screenshot of the "Vulnerable Driver Intelligence Report" generated for a 365-day period, reflecting the agent's custom timeframe capabilities. The table identifies drivers susceptible to "Bring Your Own Vulnerable Driver" (BYOVD) attacks, outlining the product name, specific driver files, exploit status descriptions, associated CVEs, and relevant file hashes.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/04/a-screenshot-of-the-vulnerable-driver-intelligenc.png)

Fig 3: Vulnerable Driver Intelligence Report

![A screenshot of the "Anti-Tampering & XDR Evasion Techniques Report" generated by the AI agent for the last 365 days. The agent can generate this report for any custom timeframe. It shows a table that categorizes novel evasion methods into severity tiers such as KILLER, BLINDER, GHOST, and LOADER, and details the specific technique, target, and underlying mechanism.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/04/a-screenshot-of-the-anti-tampering-and-xdr-evasion.png)

Fig 4: Anti-Tampering & XDR Evasion Techniques Report

![A screenshot of the "New Malicious Techniques Report" covering the last 365 days. Generated dynamically by the agent for customizable timeframes, the report features a table that maps newly identified threat techniques, organized by categories such as Privilege Escalation, Credential Access, and Impact, alongside detailed technical mechanisms.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/04/a-screenshot-of-the-new-malicious-techniques-repo.png)

Fig 5: New Malicious Techniques Report

![Fig 6: Vulnerability Family Analysis Report](https://www.paloaltonetworks.com/blog/wp-content/uploads/2026/04/image-13-e1777495183650.png)

Fig 6: Vulnerability Family Analysis Report

### **The Future of Autonomous Threat Hunting**

The days of manually refreshing feeds and drowning in noisy CVE lists are ending. By combining traditional data scraping with the reasoning power of modern LLMs and the deep technical expertise of our researchers, we are building custom intelligence pipelines that scale our capabilities far beyond what manual research allows.

In the AI era, resilience is an architectural choice. With autonomous tools like this, we are ensuring that Palo Alto Networks remains a step ahead of the adversary, translating technical threat data into real-time, actionable defense.
### **To learn more about this and other agentic AI agents available in Cortex, [reach out to a Palo Alto Networks representative](https://www.paloaltonetworks.com/cortex/agentix#engage) today for a demo.**