
How CrisisShieldAI works

An architectural reference for the intelligence pipeline — from raw collection through correlation, scoring and dissemination — plus the open standards the platform speaks: STIX/TAXII, CVSS and MITRE ATT&CK.

Overview

CrisisShieldAI turns scattered security signal into prioritized, actionable intelligence. It ingests from threat feeds, vulnerability databases and your own telemetry, then correlates, scores and disseminates what matters to the people and tools that can act on it.

The platform is organized as a three-layer pipeline. Each layer is independent and observable, so you can connect a single feed or your entire stack and still get value on day one.

This documentation describes a sample/demonstration platform. Product names referenced (Splunk, Sentinel, CrowdStrike, etc.) are trademarks of their respective owners and are listed only to illustrate typical integrations.

Architecture

The intelligence pipeline moves data left-to-right through three layers, with a feedback loop from response back into collection and tuning.

  • Layer 01 — Collection

    Ingest from CVE/NVD databases, commercial and open threat-intel feeds, SIEM/EDR telemetry, vulnerability scanners and OSINT. Sources are normalized into a common internal schema.

  • Layer 02 — AI Intelligence Engine

    Deduplicate, enrich and correlate indicators; score risk by combining severity, exploitability and asset exposure; recognize patterns and cluster related activity into incidents.

  • Layer 03 — Response & Dissemination

    Surface prioritized findings to the dashboard, push IOCs to enforcement points, generate reports and notify the right responders. Outcomes feed back to tune collection and scoring.

Design principles

  • Standards-first — speak STIX/TAXII, CVSS and ATT&CK so intel is portable.
  • Context over volume — a handful of prioritized leads beats a million raw IOCs.
  • Human-in-the-loop — AI recommends; analysts decide on high-impact actions.

Data Collection

Collection is the foundation. CrisisShieldAI pulls from five broad source classes and normalizes everything into structured indicators before any analysis happens.

  • Vulnerability data — CVE records and enrichment from the National Vulnerability Database (NVD) and the CVE Program.
  • Threat-intel feeds — commercial and open feeds delivered as STIX over TAXII, or via vendor APIs.
  • Security telemetry — alerts and logs from SIEM and EDR platforms.
  • Vulnerability scanners — asset and exposure data from network and host scanners.
  • OSINT — open-source indicators, paste sites, and actor disclosures.

Each indicator is stamped with a source, a confidence score and a TLP marking, and tactical indicators are auto-expired as they decay.

STIX / TAXII Ingestion

STIX (Structured Threat Information Expression) is the data model for cyber threat intelligence; TAXII (Trusted Automated Exchange of Intelligence Information) is the transport protocol used to pull it. CrisisShieldAI consumes STIX 2.1 objects from TAXII 2.1 collections.

A STIX indicator object looks like this:

indicator.json · STIX 2.1
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--a1b2c3d4-...",
  "created": "2026-01-14T09:00:00Z",
  "name": "Malicious C2 domain",
  "pattern": "[domain-name:value = 'bad.example']",
  "pattern_type": "stix",
  "valid_from": "2026-01-14T09:00:00Z",
  "labels": ["malicious-activity"]
}

Indicators, malware, threat-actor and relationship objects are mapped into the internal schema, enriched, and pushed to enforcement points (SIEM, EDR, firewalls) as blocklists or detections.
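The ingestion step described above, as an added example that is not CrisisShieldAI's own code: it reads a STIX 2.1 bundle as a TAXII 2.1 collection would return it, keeps only indicator objects with simple single-comparison patterns, stamps each with source, confidence and TLP, and drops indicators whose validity window has decayed. The internal field names, the TLP marking-definition id and the sample bundle are all constructed assumptions.

```python
"""Normalize STIX 2.1 indicators from a TAXII bundle into flat internal records.
Added example, not CrisisShieldAI code. Internal field names and the TLP marking
id in the sample are assumptions; the bundle is constructed."""
import json
import re
from datetime import datetime, timedelta

# Single-comparison STIX patterns, e.g. [domain-name:value = 'bad.example']
_SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^']+)'\]$")
# Assumed mapping of marking-definition ids to TLP labels (placeholder id).
TLP_MARKINGS = {"marking-definition--tlp-amber-placeholder": "amber"}

def _ts(value):  # STIX timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(bundle_json, source, now, default_ttl_days=30):
    """Return one record per currently valid indicator; `now` is an ISO timestamp."""
    now = _ts(now)
    records = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # malware, threat-actor, relationship objects handled elsewhere
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            continue  # compound patterns need a full STIX pattern parser
        valid_from = _ts(obj["valid_from"])
        # Tactical indicators decay: honour valid_until, else apply a default TTL
        expires = _ts(obj["valid_until"]) if "valid_until" in obj \
            else valid_from + timedelta(days=default_ttl_days)
        if valid_from > now or expires <= now:
            continue  # not yet valid, or auto-expired
        tlp = next((TLP_MARKINGS[r] for r in obj.get("object_marking_refs", [])
                    if r in TLP_MARKINGS), "clear")
        records.append({"value": m.group(3), "ioc_type": m.group(1), "source": source,
                        "confidence": obj.get("confidence", 50), "tlp": tlp,
                        "stix_id": obj["id"], "expires": expires.isoformat()})
    return records

# Constructed sample bundle in the shape a TAXII 2.1 collection returns.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "created": "2026-01-14T09:00:00Z", "name": "Malicious C2 domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'bad.example']", "valid_from": "2026-01-14T09:00:00Z",
     "labels": ["malicious-activity"], "confidence": 85, "object_marking_refs": ["marking-definition--tlp-amber-placeholder"]},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "created": "2025-11-01T00:00:00Z", "name": "Retired scanner IP", "pattern_type": "stix", "labels": ["malicious-activity"],
     "pattern": "[ipv4-addr:value = '203.0.113.7']", "valid_from": "2025-11-01T00:00:00Z", "valid_until": "2025-12-01T00:00:00Z"},
    {"type": "malware", "spec_version": "2.1", "id": "malware--00000000-0000-4000-8000-000000000004",
     "name": "DemoLoader", "is_family": True}]})
```

Indicators with no `confidence` fall back to 50 and no recognised marking falls back to TLP:CLEAR, so a feed that omits them is still ingested rather than dropped.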

Risk & CVSS Scoring

Severity alone is a poor prioritization signal. CrisisShieldAI combines three inputs: CVSS base severity, exploit likelihood, and asset exposure in your environment.

The Common Vulnerability Scoring System (CVSS) produces a 0.0–10.0 score from base metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope and the Confidentiality/Integrity/Availability impacts). CVSS v4.0 adds Threat and Supplemental metric groups.

CVSS score   Severity   Typical action
9.0 – 10.0   Critical   Patch / mitigate immediately
7.0 – 8.9    High       Prioritize within SLA
4.0 – 6.9    Medium     Schedule remediation
0.1 – 3.9    Low        Track and review

Don't prioritize on CVSS alone. Combine it with EPSS (exploit-prediction probability) and the CISA KEV catalog — a vuln that is actively exploited outranks a higher-CVSS one that isn't.
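The three-input prioritization described in this section, as an added example that is not CrisisShieldAI's scoring code: CVSS supplies the severity signal, KEV listing or EPSS supplies exploit likelihood, and the share of affected assets supplies exposure. The weighting and floors are an illustrative assumption, not a published formula, and the CVE ids in the sample are placeholders.

```python
"""Combine CVSS severity, exploit likelihood and asset exposure into one priority.
Added example, not CrisisShieldAI code; the weighting is an assumption."""
from dataclasses import dataclass

def cvss_severity(score):
    """Band a CVSS base score using the severity table above."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

@dataclass
class Finding:
    cve: str
    cvss: float           # 0.0-10.0 base score
    epss: float           # 0.0-1.0 exploit-prediction probability
    in_kev: bool          # listed in the CISA Known Exploited Vulnerabilities catalog
    exposed_assets: int   # affected assets reachable over the attack vector
    total_assets: int

def priority(f):
    """0-100 priority: likelihood and exposure scale the CVSS signal."""
    # A KEV listing is treated as certain exploitation; otherwise use the EPSS probability.
    likelihood = 1.0 if f.in_kev else f.epss
    exposure = f.exposed_assets / f.total_assets if f.total_assets else 0.0
    # Floors keep an unexploited or low-exposure issue ranked rather than zeroed out.
    return round(10 * f.cvss * (0.2 + 0.8 * likelihood) * (0.3 + 0.7 * exposure), 1)

def rank(findings):
    """Highest priority first."""
    return sorted(findings, key=priority, reverse=True)

# Constructed sample: placeholder CVE ids, not real vulnerabilities.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False, exposed_assets=3, total_assets=1000),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.91, in_kev=True, exposed_assets=400, total_assets=1000),
    Finding("CVE-0000-0003", cvss=5.3, epss=0.10, in_kev=False, exposed_assets=900, total_assets=1000),
]
```

Run on the sample, the KEV-listed High outranks the barely-deployed Critical, which is the point the note above makes.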

MITRE ATT&CK Mapping

Every indicator, detection and incident is tagged to MITRE ATT&CK tactics (the why) and techniques (the how). This gives a common language for coverage analysis and detection-gap reporting.

Technique   Name                                      Reference
T1486       Data Encrypted for Impact                 attack.mitre.org
T1190       Exploit Public-Facing Application         attack.mitre.org
T1558.003   Kerberoasting                             attack.mitre.org
T1071.001   Application Layer Protocol: Web (C2)      attack.mitre.org
T1566.002   Phishing: Spearphishing Link              attack.mitre.org

Integrations

CrisisShieldAI is built to sit inside your existing stack rather than replace it. Typical connectors span four categories:

SIEM

Splunk, Microsoft Sentinel, Elastic Security, IBM QRadar, Google SecOps.

SOAR

Splunk SOAR, Cortex XSOAR, Sentinel playbooks, Tines, Torq.

EDR / XDR

CrowdStrike Falcon, Microsoft Defender, SentinelOne, Cortex XDR.

Vuln & Intel

Qualys, Tenable, Rapid7, MISP, OpenCTI, AlienVault OTX, VirusTotal.

API Quickstart

Tactical IOCs and findings are available over a REST API. Authenticate with a bearer token and pull the latest scored indicators:

bash · sample request
# Fetch high-confidence indicators from the last 24h
curl https://api.crisisshieldai.com/v1/indicators \
  -H "Authorization: Bearer $CSAI_TOKEN" \
  -G --data-urlencode "min_confidence=80" \
     --data-urlencode "since=24h"

The endpoints above are illustrative — this is a sample site and the API host is not live.

Standards & References

The open standards and authoritative sources CrisisShieldAI builds on. All links open the official upstream documentation.

FAQ

Does CrisisShieldAI replace my SIEM?

No. It sits alongside your SIEM/SOAR/EDR, enriching and prioritizing what they produce and pushing curated indicators back to them.

What intel formats are supported?

STIX 2.1 over TAXII 2.1 is the primary path, plus vendor APIs and common feed formats. Indicators are normalized to one internal schema.

How is risk prioritized?

By combining CVSS severity, exploit likelihood (EPSS/KEV) and your real asset exposure — so actively-exploited, widely-deployed issues rise to the top.

Is this a real product?

This site is a sample/demonstration. The dashboard shows fictional data and the API hosts are not live.