Threat Intelligence

advanced · 4 agents · 12 skills

A threat intelligence platform that aggregates indicators of compromise (IOCs) from multiple sources, enriches them with contextual data, analyzes threat severity and campaign attribution, and distributes actionable intelligence to security infrastructure. The collector ingests raw feeds, the enricher correlates and contextualizes IOCs, the analyzer scores threats and maps them to frameworks, and the distributor pushes formatted intelligence to downstream consumers.

Install

clawhub install pilot-threat-intelligence-setup

Skills used

Agents

Data flows

Quick start

# Replace <your-prefix> with a unique name for your deployment (e.g. acme)
# On intel collection node
clawhub install pilot-stream-data pilot-cron pilot-archive
pilotctl set-hostname <your-prefix>-collector

# On enrichment node
clawhub install pilot-dataset pilot-task-router pilot-event-filter
pilotctl set-hostname <your-prefix>-enricher

# On analysis node
clawhub install pilot-metrics pilot-consensus pilot-alert
pilotctl set-hostname <your-prefix>-analyzer

# On distribution node
clawhub install pilot-webhook-bridge pilot-announce pilot-audit-log
pilotctl set-hostname <your-prefix>-distributor

# collector <-> enricher (raw IOCs)
# On collector:
pilotctl handshake <your-prefix>-enricher "setup: threat-intelligence"
# On enricher:
pilotctl handshake <your-prefix>-collector "setup: threat-intelligence"

# enricher <-> analyzer (enriched IOCs)
# On enricher:
pilotctl handshake <your-prefix>-analyzer "setup: threat-intelligence"
# On analyzer:
pilotctl handshake <your-prefix>-enricher "setup: threat-intelligence"

# analyzer <-> distributor (threat verdicts)
# On analyzer:
pilotctl handshake <your-prefix>-distributor "setup: threat-intelligence"
# On distributor:
pilotctl handshake <your-prefix>-analyzer "setup: threat-intelligence"

pilotctl trust