Skip to content
CV
Back to projects

Security case study / 2026

ThreatRAG — Agentic Threat Intelligence RAG

A spec-first, security-hardened RAG platform that answers analyst questions with cited sources from MITRE ATT&CK, OWASP, and NVD — then runs autonomous multi-agent investigations on any IOC end-to-end.

ThreatRAG — Agentic Threat Intelligence RAG — title

<2s

cited answer (TTFT)

39/39

tests passing

3

agent pipeline

PythonFastAPILangChainLangGraphReactQdrantOllamaPostgreSQL

Product impact

Collapses hours of manual searching across MITRE ATT&CK, NVD, and OWASP into sub-two-second cited answers, and turns end-to-end IOC investigation into an autonomous Researcher→Critic→Reporter pipeline.

Challenge

The knowledge to understand a threat is fragmented across MITRE ATT&CK (STIX), the NVD CVE API, and OWASP PDFs — and generic LLM chat answers security questions without the provenance a SOC needs to trust them, forcing analysts to context-switch and manually investigate every IOC.

Approach

I built a spec-first FastAPI platform where LangChain LCEL powers cited RAG over locally-embedded knowledge bases, a LangGraph ReAct agent adds live NVD and web-search tools, and a Researcher→Critic→Reporter graph runs autonomous investigations. OWASP LLM Top 10 hardening (injection detection + output redaction) is a tested first-class module, and RAGAs makes answer quality measurable.

Results

  • Cited Q&A pipeline: every answer returns sources from MITRE ATT&CK, OWASP LLM Top 10, and custom PDFs, streamed token-by-token via SSE for sub-two-second time-to-first-token.
  • Autonomous multi-agent investigation on any IOC (IP, hash, CVE) via a bounded LangGraph loop, with reports persisted to PostgreSQL + pgvector for similarity search over past investigations.
  • 39/39 unit tests, Ruff-clean and Mypy-strict, OWASP-LLM-Top-10 hardened, and RAGAs-evaluated for faithfulness and relevancy — all running on a free-tier local stack (Qdrant + Ollama).
ThreatRAG — Agentic Threat Intelligence RAG — architecture