Building My Own Personal Cybersecurity Threat Intelligence System: A Journey with Grok



Hey everyone! Erich Horst here (@CISOGrit on X), a CISO who’s passionate about practical, no-nonsense security.

Like many of you, I was tired of commercial threat intelligence feeds that drown me in noise — thousands of alerts, most of which have zero relevance to my environment. I didn’t want to pay thousands for a platform that still required constant tuning.

So, with the help of Grok (xAI’s AI), I built my own fully automated, personalized daily cybersecurity threat intelligence system — running quietly on my laptop via WSL and Python scripts.

Every morning, I get one clean, beautiful, responsive HTML email that tells me exactly what I need to know — and nothing I don’t.

No irrelevant low-severity Linux kernel bugs if I’m a Windows/Microsoft/Cisco shop. No generic breach reports unless they matter to my industry or region. Just high-signal, actionable intel tailored to my stack.

Why I Built This (And Why You Might Want To)

Most commercial feeds give you everything. My system gives me only what I need:

  • Critical and high-severity vulnerabilities (plus medium ones only if they affect my specific platforms)
  • Actively exploited threats (CISA KEV + VirusTotal exploit samples)
  • Relevant breaches and ransomware disclosures
  • Vendor patch advisories from Microsoft, Cisco, Oracle, Red Hat, etc.
  • Government alerts (U.S., UK, Australia, Canada)
  • Threat actor and ransomware group activity

And the best part? It’s completely scalable. Want to add a new vendor, such as Fortinet or Palo Alto? Just drop in their RSS feed or API. New platform like Kubernetes or AWS? Add keywords and sources. The architecture is modular — new sections and feeds plug in easily without breaking anything.

I control the filters. I control the relevance. I own the system.

How It Works

One core script (combined_daily_briefing.py) does it all:

  • Pulls fresh CVEs from NVD API (with my key for speed)
  • Cross-checks CISA Known Exploited Vulnerabilities and VirusTotal for real-world exploitation
  • Aggregates trusted RSS feeds for breaches, vendor patches, gov alerts, and threat actors
  • Uses simple JSON files for deduplication (only shows what’s new since yesterday)
  • Builds and sends a responsive HTML email via Gmail — looks great on phone or desktop

Runs in ~30 seconds daily via cron. Zero maintenance.
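The filter-and-dedup step of that pipeline, condensed into an added example (this is not the post's combined_daily_briefing.py): the NVD pull and the CISA KEV lookup are replaced by constructed inline records, and TARGET_KEYWORDS holds made-up values for a Windows/Cisco/Oracle/MongoDB shop. It applies the rules stated above: KEV entries and critical/high CVEs always pass, medium ones only when they mention a tracked platform, and anything already in yesterday's JSON state file is skipped.

```python
import json
from pathlib import Path

# Platforms this shop runs; stands in for the post's TARGET_KEYWORDS (constructed values).
TARGET_KEYWORDS = ("windows", "microsoft", "cisco", "oracle", "mongodb")

# Constructed sample input standing in for a stripped-down NVD pull and the CISA KEV catalogue.
SAMPLE_CVES = [
    {"id": "CVE-2099-0001", "cvss": 9.8, "description": "MongoDB server memory disclosure"},
    {"id": "CVE-2099-0002", "cvss": 5.3, "description": "Windows SMB information disclosure"},
    {"id": "CVE-2099-0003", "cvss": 5.5, "description": "Linux kernel use-after-free in netfilter"},
    {"id": "CVE-2099-0004", "cvss": 7.5, "description": "Remote code execution in n8n workflow nodes"},
    {"id": "CVE-2099-0005", "cvss": 3.1, "description": "Cisco IOS XE low-impact log injection"},
]
SAMPLE_KEV = {"CVE-2099-0001"}


def is_relevant(cve, kev_ids, keywords=TARGET_KEYWORDS):
    """Keep KEV entries and critical/high CVEs; keep medium ones only if they touch our stack."""
    if cve["id"] in kev_ids or cve["cvss"] >= 7.0:
        return True
    on_our_stack = any(k in cve["description"].lower() for k in keywords)
    return cve["cvss"] >= 4.0 and on_our_stack


def triage(cves, kev_ids, seen_ids, keywords=TARGET_KEYWORDS):
    """Return (new relevant CVEs, exploited first then by CVSS) and the updated seen-id set."""
    fresh = [c for c in cves if c["id"] not in seen_ids and is_relevant(c, kev_ids, keywords)]
    fresh.sort(key=lambda c: (c["id"] not in kev_ids, -c["cvss"]))
    return fresh, seen_ids | {c["id"] for c in cves}


def load_seen(path):
    """Yesterday's ids from the dedup JSON file (empty set on the first run)."""
    p = Path(path)
    return set(json.loads(p.read_text())) if p.exists() else set()


def save_seen(path, seen_ids):
    """Persist every id processed today so tomorrow's run only reports what is new."""
    Path(path).write_text(json.dumps(sorted(seen_ids)))


if __name__ == "__main__":
    seen = load_seen("seen_cves.json")
    new, seen = triage(SAMPLE_CVES, SAMPLE_KEV, seen)
    save_seen("seen_cves.json", seen)
    for c in new:
        tag = "EXPLOITED" if c["id"] in SAMPLE_KEV else f"CVSS {c['cvss']}"
        print(f"[{tag}] {c['id']}: {c['description']}")
```

Running it twice in a row prints three findings the first time and nothing the second, which is the "quiet when it should be quiet" behaviour the dedup file buys you.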

The Result: Signal Over Noise

Here’s what my briefing caught in early January 2026:

  • Critical RCE in n8n workflows (CVE-2025-68668, CVSS 9.9)
  • MongoDB memory leak under active exploit (CVE-2025-14847, in CISA KEV)
  • New ransomware victims in healthcare and government (via Ransomware.live PRO API)
  • Microsoft and Cisco advisories relevant to my environment
  • No irrelevant IoT or embedded device vulns — because they don’t match my keywords

It’s quiet when it should be quiet. Loud only when it matters.

Scalability Built In

This isn’t a rigid tool — it’s a framework:

  • Add new vendors? Plug in their RSS or API
  • Track new platforms? Update TARGET_KEYWORDS

  • Want OTX pulses, MISP indicators, or international CERTs? Add a section

  • Prefer Slack or Teams notifications? Easy swap

I’ve already expanded it with VirusTotal, Ransomware.live PRO API, and international gov sources (UK NCSC, Australia ACSC).

Outside of the daily Threat Intel Briefs, I also created some additional Python scripts that run as cron jobs for near real-time notifications:

  • threat_actor_tracking
  • gov_alerts
  • breach_notifier
  • vendor_alerts

Final Thoughts

You don’t need a big budget or a SOC team to have elite threat intelligence, and you don’t have to put up with duplicate notices from different sources that make you numb. With free APIs, public feeds, a little Python, and some smart filtering, anyone can build a system that delivers personalized, high-signal alerts every day.


Huge thanks to Grok for the patient, iterative collaboration — from a basic NVD script to a full, responsive briefing with a logo and exploitation intel.
This project has genuinely improved how I start my security day.

If you're a CISO, analyst, or just a defender who wants better intel, consider building your own. It’s empowering.

Would you build something like this? Let me know in the comments — I’m considering open-sourcing a starter template.
Stay gritty, stay vigilant.


Erich Horst
@CISOGrit
CISO | Builder | Threat Hunter


