intelmq.ai - adding ML model support to intelmq
2025-10-21 , Europe

IntelMQ is a great tool for automating structured IT security data feeds for CERTs: need to process all of Shadowserver for a country? IntelMQ can easily do it. Need to alert on all vulnerable devices that Shodan knows about? Sure!

But what about unstructured text? Many reports (CTI reports) contain lots of relevant information (IoCs, TTPs, etc.), but often in prose or only in semi-structured formats (hidden in a table, etc.).
For this kind of information extraction, LLMs and other AI models (BERT, etc.) have already proved their merit.

The presenters will show how they extended IntelMQ to support
these AI models and how the combination lends itself to (semi-)automating the work of a CTI analyst.

IntelMQ to MISP output included ;-)


Integrating "AI" into deterministic data-flow frameworks such as IntelMQ has its challenges. For example, AI tends to give stochastic answers, which might be correct or - sometimes - might not be.
How to deal with these challenges will also be discussed.
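One way to make a stochastic extractor fit a deterministic pipeline is to treat the model's answer as an untrusted candidate list and gate it with deterministic checks before any event is emitted. The following is an added example, not IntelMQ's code or the presenters' implementation: it assumes a model prompted to return JSON of the form {"iocs": [{"type": "ip"|"domain", "value": "..."}]}, and the report excerpt and model output are constructed. Each candidate must be of an accepted type, syntactically valid, and literally present in the (refanged) source text; anything else is rejected with a reason so an analyst can review it. Output field names follow IntelMQ's harmonization (source.ip, source.fqdn, extra.*); the bot glue around it is not shown.

```python
"""Gate LLM IoC extractions with deterministic checks before emitting events.

Added example (not IntelMQ's code). Assumes the model was asked for JSON
of the form {"iocs": [{"type": "ip"|"domain", "value": "..."}]}.
The report excerpt and model answer below are constructed.
"""
import ipaddress
import json
import re

# Constructed CTI report excerpt, defanged as such reports usually are.
REPORT = (
    "The loader beacons to 203[.]0[.]113[.]5 over TCP/443 and resolves "
    "update-check[.]example for its second stage. A decoy document is "
    "fetched from files.example.net."
)

# Constructed model answer: two grounded IoCs, one hallucinated IP,
# one syntactically invalid IP, one duplicate and one unsupported type.
MODEL_OUTPUT = json.dumps({"iocs": [
    {"type": "ip", "value": "203.0.113.5"},
    {"type": "domain", "value": "update-check.example"},
    {"type": "ip", "value": "198.51.100.77"},            # not in the report
    {"type": "ip", "value": "999.1.1.1"},                # not a valid address
    {"type": "domain", "value": "update-check.example"},  # duplicate
    {"type": "email", "value": "x@example.net"},         # type not accepted
]})

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_DEFANG = [("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http")]


def refang(text):
    """Undo common defanging so model values can be matched against the text."""
    for old, new in _DEFANG:
        text = text.replace(old, new)
    return text


def syntactically_valid(ioc_type, value):
    """Deterministic shape check per accepted IoC type."""
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ioc_type == "domain":
        return bool(_DOMAIN_RE.match(value))
    return False  # any other type is rejected


def grounded(value, haystack):
    """True if value occurs in the source text as a whole token."""
    return re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", haystack) is not None


def validate_extraction(report_text, model_json):
    """Return (events, rejected): events use IntelMQ-style field names,
    rejected is a list of (value, reason) pairs for analyst review."""
    try:
        candidates = json.loads(model_json)["iocs"]
    except (ValueError, KeyError, TypeError):
        candidates = None
    if not isinstance(candidates, list):
        return [], [("*", "model output is not the expected JSON")]

    haystack = refang(report_text).lower()
    seen, events, rejected = set(), [], []
    for cand in candidates:
        if not isinstance(cand, dict):
            rejected.append((repr(cand), "candidate is not an object"))
            continue
        ioc_type = str(cand.get("type", "")).lower()
        value = str(cand.get("value", "")).strip().lower()
        if (ioc_type, value) in seen:
            rejected.append((value, "duplicate"))
            continue
        seen.add((ioc_type, value))
        if not syntactically_valid(ioc_type, value):
            rejected.append((value, "unsupported type or malformed value"))
            continue
        if not grounded(value, haystack):
            rejected.append((value, "not found in source text (possible hallucination)"))
            continue
        field = "source.ip" if ioc_type == "ip" else "source.fqdn"
        # extra.* is IntelMQ's free-form namespace; marking provenance lets
        # downstream bots or analysts treat model-derived events differently.
        events.append({field: value, "extra.extracted_by": "llm"})
    return events, rejected


if __name__ == "__main__":
    ok, bad = validate_extraction(REPORT, MODEL_OUTPUT)
    print("accepted:", ok)
    print("rejected:", bad)
```

The grounding check is the important one: a model can produce a perfectly well-formed address that never appears in the report, and nothing about the value itself reveals that. Matching each value back to the source text turns the model's stochastic output into a claim that can be verified deterministically, and the rejected list with reasons is what you would route to a human instead of silently dropping.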

Aaron Kaplan worked at CERT.at for 12 years before reactivating his sole proprietorship in 2020.
Since 2018 he has been fascinated by the possibilities, problems and pitfalls of AI for cybersecurity. He co-chairs the AI SIG at FIRST.org and is a co-maintainer of IntelMQ.

Sebastian Wagner is a Free Software enthusiast, full-stack software developer and project manager currently working for a small software firm, and is active in NGOs for the common good. He has co-maintained IntelMQ for 11 years and previously worked at CERT.at for six years.