[17] Real-time threat intelligence (CISA KEV + GreyNoise) #46

Description

@rfunix

Problem

CVE findings are reported without context about active exploitation. No integration with live threat feeds to prioritize critical findings.

Implementation Steps

  1. Create `src/tengu/intelligence/kev.py`:
  2. Create `src/tengu/intelligence/greynoise.py`:
    • GreyNoise Community API client
    • `get_ip_context(ip: str) -> dict` — returns noise/riot classification
  3. Register new resources in `server.py`:
    • `intel://cisa-kev` — Full KEV catalog
    • `intel://greynoise/{ip}` — IP context
  4. Enrich `correlate_findings` to flag CVEs with active exploitation from KEV
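One way the KEV enrichment in step 4 could look, as an added example and not tengu's own code: it indexes a KEV catalog (a constructed excerpt in the schema of CISA's published `known_exploited_vulnerabilities.json`, with placeholder CVE IDs), then flags, escalates and re-ranks scanner findings so actively exploited CVEs surface first. The finding shape and the function names are assumptions.

```python
import json
from datetime import date

# Constructed KEV catalog excerpt in the schema of CISA's known_exploited_vulnerabilities.json;
# the CVE IDs are placeholders, not real catalog entries.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "Gateway",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Agent",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown"},
]})
# Constructed scanner findings; the shape ('cve', 'severity', 'host') is an assumption.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0009", "severity": "critical", "host": "10.0.0.5"},
    {"cve": "cve-0000-0002", "severity": "medium", "host": "10.0.0.6"},
    {"cve": "CVE-0000-0001", "severity": "high", "host": "10.0.0.7"},
]
DEMO_TODAY = date(2024, 3, 15)
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

def load_kev_index(catalog_json: str) -> dict:
    """Index the catalog by upper-cased cveID for O(1) lookups during correlation."""
    catalog = json.loads(catalog_json)
    return {v["cveID"].upper(): v for v in catalog.get("vulnerabilities", [])}

def enrich_with_kev(findings: list, kev_index: dict, today: date) -> list:
    """Mark findings whose CVE is in KEV, bump them to critical and re-rank for triage."""
    out = []
    for f in findings:
        f = dict(f)  # copy: do not mutate the caller's finding
        entry = kev_index.get(f.get("cve", "").upper())  # normalise case before lookup
        f["exploited_in_wild"] = entry is not None
        if entry:
            f["severity"] = "critical"
            f["kev"] = {
                "date_added": entry["dateAdded"], "due_date": entry["dueDate"],
                "overdue": date.fromisoformat(entry["dueDate"]) < today,  # past BOD 22-01 due date
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            }
        out.append(f)
    # Rank: KEV hits first, then known ransomware use, then overdue, then base severity.
    out.sort(key=lambda f: (f["exploited_in_wild"],
                            f.get("kev", {}).get("ransomware", False),
                            f.get("kev", {}).get("overdue", False),
                            SEVERITY_RANK.get(f.get("severity", "info"), 0)), reverse=True)
    return out

def run_demo() -> list:
    """Enrich the constructed findings against the constructed catalog as of DEMO_TODAY."""
    return enrich_with_kev(SAMPLE_FINDINGS, load_kev_index(SAMPLE_KEV_JSON), DEMO_TODAY)
```

In a real deployment the catalog would be fetched and cached by `kev.py` rather than embedded, and `today` taken from the clock so the overdue flag tracks the remediation deadline.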

Files to Modify

  • New: `src/tengu/intelligence/__init__.py`, `kev.py`, `greynoise.py`
  • `src/tengu/server.py` — Register new resources
  • `src/tengu/tools/analysis/correlate.py` — Add KEV enrichment

Dependencies

None (standalone)

Labels

  • area:tools (Pentesting tools wrappers)
  • effort:L (Large effort (2-4 weeks))
  • priority:P1 (High priority)