Inspiration

I realized that security researchers and threat hunters constantly need to monitor a wide range of sources, such as news articles, blog posts, and technical reports, to stay updated on evolving threats. However, digging through all this unstructured information every day is exhausting and time-consuming. Many researchers end up spending more time collecting and filtering information than actually analyzing threats.

AgentThreat aims to solve these challenges and help security researchers and threat hunters save valuable time by automatically transforming noisy, unstructured threat feeds into clear intelligence, so they can work more productively and focus their efforts where it matters most.

What it does

AgentThreat is an AI-driven multi-agent system built with Google's Agent Development Kit (ADK). It collects and processes threat intelligence from multiple cybersecurity-related sources, using specialized AI agents to filter out irrelevant noise, deduplicate threats, extract critical indicators of compromise (IOCs) such as IP addresses and malware hashes, map attacks to MITRE ATT&CK techniques, and generate concise threat summaries.

How We Built It

AgentThreat was built using Google's Agent Development Kit (ADK) to create a system of intelligent agents, each handling a specific part of the cyber threat intelligence (CTI) processing workflow.

We designed the project around three specialized agents:

  1. RSS Fetcher Agent
    This agent is responsible for fetching and validating RSS feeds from trusted CTI sources. It parses both structured and unstructured content and forwards valid entries for processing. The sources included are:

    • Google Cloud Threat Intelligence Blog
    • Google Threat Analysis Group Blog
    • Sophos Threat Research Blog
    • Microsoft Security Blog – Threat Intelligence
    • Check Point Research Blog
    • Palo Alto Networks Unit 42 Blog
    • Cisco Talos Intelligence Blog
    • SANS Internet Storm Center
    • SentinelOne Research Blog
  2. Feed Cleaner Agent
    This agent filters out non-relevant, duplicate, or low-signal entries. It applies filters and deduplication logic to ensure only valuable threat entries move forward. Cleaned data is then stored in a structured format in BigQuery.

  3. Threat Analyzer Agent
    The analyzer enriches cleaned entries by extracting Indicators of Compromise (IOCs), identifying threat actors and malware, mapping techniques to the MITRE ATT&CK framework, and generating concise summaries. This enriched information is saved to BigQuery.
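As an added illustration (not the project's own code), here is a minimal Python version of the two deterministic steps the Feed Cleaner and Threat Analyzer agents perform: a deduplication key for syndicated posts, and extraction of IP and file-hash IOCs from entry text. The sample entries, the refanging, and the private-range filter are assumptions made for this example.

```python
import hashlib
import ipaddress
import re
# Constructed sample feed items (not real feed data): IPs come from the RFC 5737
# documentation ranges and the two hashes are SHA-256 and MD5 of empty input.
SAMPLE_ENTRIES = [
    {"title": "New Loader Campaign Targets Finance", "link": "https://example.test/loader",
     "summary": "C2 at 203.0.113[.]45 and 198.51.100.7; payload SHA-256 "
                "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, "
                "dropper MD5 d41d8cd98f00b204e9800998ecf8427e"},
    {"title": "New Loader Campaign Targets Finance ",  # same post, syndicated twice
     "link": "https://example.test/loader?utm_source=rss", "summary": "Duplicate item"},
    {"title": "Weekly Podcast Episode 12", "link": "https://example.test/podcast",
     "summary": "No indicators, just a lab box at 10.0.0.1 and localhost 127.0.0.1"},
]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b")
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}
# Address blocks that are never useful as network IOCs (private, loopback, multicast).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8",
                "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def entry_key(entry: dict) -> str:
    """Dedup key: whitespace-normalized title plus the link minus its query string."""
    title = " ".join(entry["title"].lower().split())
    link = entry["link"].split("?", 1)[0].rstrip("/").lower()
    return hashlib.sha256(f"{title}|{link}".encode()).hexdigest()

def clean_feed(entries: list) -> list:
    """Feed Cleaner step: keep only the first occurrence of each logical post."""
    unique = {}
    for entry in entries:
        unique.setdefault(entry_key(entry), entry)  # first occurrence wins
    return list(unique.values())

def is_routable(ip: str) -> bool:
    """Drop private/loopback/multicast hits and regex junk such as 999.1.1.1."""
    try:
        return not any(ipaddress.ip_address(ip) in net for net in NON_ROUTABLE)
    except ValueError:
        return False

def extract_iocs(text: str) -> dict:
    """Threat Analyzer step: routable IPv4s and file hashes from an entry, grouped by type."""
    text = text.replace("[.]", ".").replace("hxxp", "http")  # undo common CTI defanging
    iocs = {"ipv4": sorted({ip for ip in IPV4_RE.findall(text) if is_routable(ip)})}
    for digest in sorted({h.lower() for h in HASH_RE.findall(text)}):
        iocs.setdefault(HASH_NAMES[len(digest)], []).append(digest)
    return iocs
```

Running `extract_iocs` over each entry returned by `clean_feed(SAMPLE_ENTRIES)` yields the structured IOC records that the project stores in BigQuery.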

The whole system is developed in Python with the Google Agent Development Kit (ADK) and runs on the Google Cloud ecosystem. Specifically, we used:

  • Python as the programming language
  • Google Agent Development Kit (ADK) for building and orchestrating the agents
  • BigQuery for storing and querying structured threat data
  • Gemini 2.0 Flash for analyzing and summarizing entries

The modular design makes it easy to add more agents in the future, enabling further analysis or automation steps.

Challenges We Ran Into

One of the main challenges was fine-tuning the prompts for each agent to ensure accurate, consistent results. Since each agent had a specific role, such as cleaning, analyzing, or extracting IOCs, I had to carefully design and adjust its instructions through multiple iterations.

To test the quality of each agent’s output, I manually reviewed a large number of threat intelligence reports and blog posts during that time. This was time-consuming but necessary to ensure the system could handle real-world CTI content accurately and extract useful insights.

Additionally, building a reliable workflow using Google’s Agent Development Kit (ADK) required careful coordination between agents. Ensuring that cleaned data was properly passed to the next agent, and that the output was stored correctly in BigQuery, involved both prompt engineering and system-level debugging.

After working on this project, I understand why prompt engineering really matters, especially when building multiple AI agents.

Accomplishments that we're proud of

I built a working multi-agent system that can automatically gather, clean, and analyze cyber threat intelligence from many sources without much manual work. Seeing the agents work together smoothly to process noisy and complex data was satisfying. I'm happy knowing this can help security researchers work more efficiently.

What we learned

I have learned a lot about building multiple AI agents using Google's Agent Development Kit (ADK) and the Google Cloud ecosystem. One of the biggest takeaways was realizing just how important prompt engineering is, especially in a multi-agent system. A well-crafted prompt can make the difference between a smart, reliable agent and one that misunderstands its job.

What's next for AgentThreat

  • Automated Scheduling: Enable daily/weekly autonomous runs to continuously fetch and analyze new threat feeds.

  • Insight Reports: Generate weekly/monthly intelligence summaries highlighting top IOCs and trending threat actors across sources.

  • Search & Query Interface: Add a simple UI or query endpoint for users to explore and chat with the analyzed CTI data stored in BigQuery.
