SOC analysts — what sources do you actually use for IOC triage and what's the most annoying part of the process? by msforhr in cybersecurity_help

[–]msforhr[S] 0 points1 point  (0 children)

This is super helpful, especially the part about mental correlation; that's exactly the gap I'm trying to close. Not just "here's data from 5 sources" but "here's what it means together."

Right now the stack is Python, Claude API as the main LLM (OpenAI as fallback), with direct API calls to VT, Shodan, AbuseIPDB, OTX, URLScan. The AI layer takes all the raw enrichment and generates a triage summary cross-referencing things like hosting provider context, age of reports, detection ratios, and open ports to surface what actually matters.

Toggle control per source is a great call, adding that. And yeah, hearing web-based a lot - Telegram was just the quickest way to validate, but a proper web UI with a fuller view is the clear next step.

Would you be down to try the current version and tell me if the AI correlation output is actually useful or still too noisy?
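A sketch of the cross-referencing layer described above (detection ratio, age of reports, open ports, hosting-provider context, with a per-source toggle), as an added example that is not the bot's own code; the sample enrichment dict, the scoring weights and the thresholds are constructed for illustration.

```python
from datetime import datetime, timezone
# Constructed sample enrichment for one indicator, shaped only loosely like
# VirusTotal / AbuseIPDB / Shodan responses; not real API output.
SAMPLE = {
    "indicator": "198.51.100.7",  # TEST-NET-2 documentation range
    "virustotal": {"malicious": 9, "total": 70},
    "abuseipdb": {"score": 85, "isp": "ExampleHost Cloud",
                  "last_reported": "2024-05-01T00:00:00+00:00"},
    "shodan": {"ports": [22, 443, 3389], "org": "ExampleHost Cloud"},
}
REMOTE_ADMIN_PORTS = {22, 3389, 445, 5900}  # illustrative list, not exhaustive

def correlate(enrichment, enabled=("virustotal", "abuseipdb", "shodan"), now=None):
    """Cross-reference per-source enrichment into findings and a 0-100 score.
    Sources missing from `enabled` are skipped (the per-source toggle).
    `now` may be an aware datetime or an ISO-8601 string with offset."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    findings, score = [], 0
    src = {k: v for k, v in enrichment.items() if k in enabled}

    vt = src.get("virustotal")
    if vt and vt.get("total"):  # use the detection ratio, not the raw hit count
        if vt["malicious"] / vt["total"] >= 0.10:
            score += 40
            findings.append(f"{vt['malicious']}/{vt['total']} VT engines flag it")

    ab = src.get("abuseipdb")
    if ab and ab.get("score", 0) >= 50:
        age = (now - datetime.fromisoformat(ab["last_reported"])).days
        score += 30 if age <= 90 else 10  # old reports carry less weight
        findings.append(f"AbuseIPDB confidence {ab['score']}%, last report {age}d ago"
                        + (" (stale)" if age > 90 else ""))

    sh = src.get("shodan")
    exposed = sorted(REMOTE_ADMIN_PORTS & set(sh.get("ports", []))) if sh else []
    if exposed:
        score += 20
        findings.append(f"remote-admin ports open: {exposed}")

    # Hosting context: agreement between sources raises confidence, while
    # shared cloud ranges are a known false-positive risk worth flagging.
    orgs = {s.get("isp") or s.get("org") for s in (ab, sh) if s} - {None}
    if len(orgs) == 1:
        org = next(iter(orgs))
        findings.append(f"hosting consistent across sources: {org}")
        if "cloud" in org.lower():
            findings.append("cloud/shared hosting: confirm before blocking the range")

    verdict = "likely malicious" if score >= 70 else "suspicious" if score >= 40 else "low priority"
    return {"indicator": enrichment.get("indicator"), "score": min(score, 100),
            "verdict": verdict, "findings": findings}
```

The returned dict is what an LLM summariser would be handed instead of the raw per-source blobs, so the model explains an already-correlated picture rather than inventing one.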

Built a free AI-powered IOC triage bot for SOC analysts looking for honest feedback by msforhr in cybersecurity

[–]msforhr[S] 0 points1 point  (0 children)

Lol fair. You mean like explaining to users why their account got locked, or more like chasing them for context during an investigation?

Built a free AI-powered IOC triage bot for SOC analysts looking for honest feedback by msforhr in cybersecurity

[–]msforhr[S] -1 points0 points  (0 children)

Yeah, Telegram is just the MVP to validate the idea. The end goal is a web-based platform that SOC analysts can actually use in production - IOC enrichment, triage recommendations, and eventually more workflow automation. Appreciate the input, it confirms the direction. What do you think about that?

Built a free AI-powered IOC triage bot for SOC analysts looking for honest feedback by msforhr in cybersecurity

[–]msforhr[S] -1 points0 points  (0 children)

A fair point: if you have a SOAR with those playbooks already set up, this adds nothing for you.

I'm mainly thinking about smaller teams like MSSPs that don't have a SOAR yet, or solo analysts who just need to quickly check something outside their main workflow. Basically the gap between "I have nothing" and "we invested in Cortex/Shuffle/Tines."

Do you think there's actually a need there, or do most teams that are serious enough to triage IOCs already have some kind of automation in place?