Threat Intelligence Procedure (A.5.7)
Document ID: threat-intelligence-procedure
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual
Purpose
Define how SigmaShake collects, analyses, and acts on threat intelligence relevant to its systems, dependencies, and operating environment.
Threat intelligence sources
| Source | Cadence | Collector | What we capture |
|---|---|---|---|
| GitHub Security Advisories | Weekly | threat-intel-digest | New advisories for npm, Rust, Python |
| CISA Known Exploited Vulnerabilities (KEV) | Weekly | threat-intel-digest | New KEV entries since last week |
| GitHub Dependabot | Daily | dep-vulns | Open CVEs in direct dependencies |
| Cloudflare Radar | Ad-hoc | Manual | Emerging threat patterns, DDoS campaigns |
| Security mailing lists | Ad-hoc | Manual | CVE announcements for core runtimes (Bun, Node, Rust) |
| Pen test results | Quarterly | pen-test-report | Application-layer vulnerabilities |
Analysis
The threat-intel-digest collector computes a weekly risk level (low / medium / high / critical) based on:
- Critical/high advisories affecting in-scope ecosystems published in the last 7 days
- Open critical/high Dependabot alerts across the monorepo
- New CISA KEV entries added in the period
Triage and response
| Risk level | Required action | Timeframe |
|---|---|---|
| Critical | Immediate patch or mitigating control; record in risk register | 72 hours |
| High | Patch or accept risk with justification; gap opened automatically | 7 days |
| Medium | Review in next weekly window; schedule patch | 30 days |
| Low | Note for awareness; no immediate action required | Next quarter |
Integration with vulnerability management
Threat intelligence feeds directly into the vulnerability management procedure. When a new CVE matches an in-scope dependency, dep-vulns opens a Dependabot alert. If the alert is critical/high and unresolved for > 72 hours, a gap row is opened in the compliance system.
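The following is an added illustration, not SigmaShake's own collector code, of the two rules described above: the weekly risk-level computation from the three inputs listed under Analysis, and the 72-hour escalation of unresolved critical/high Dependabot alerts into a gap row. The triage actions and timeframes are taken from the table above; the cut-offs used to turn the three counts into a risk band are assumptions (the procedure names the inputs but not the thresholds), as are the package names and timestamps in the constructed sample alerts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Required action and timeframe per risk level, copied from the triage table.
TRIAGE = {
    "critical": ("Immediate patch or mitigating control; record in risk register", "72 hours"),
    "high": ("Patch or accept risk with justification; gap opened automatically", "7 days"),
    "medium": ("Review in next weekly window; schedule patch", "30 days"),
    "low": ("Note for awareness; no immediate action required", "Next quarter"),
}

# Hours a critical/high Dependabot alert may stay unresolved before a gap row is opened.
GAP_ESCALATION_HOURS = 72


@dataclass
class WeeklyInputs:
    """The three inputs the threat-intel-digest collector aggregates each week."""
    advisories_crit_high_7d: int    # critical/high advisories for in-scope ecosystems, last 7 days
    open_dependabot_crit_high: int  # open critical/high Dependabot alerts across the monorepo
    new_kev_entries: int            # new CISA KEV entries added in the period


def weekly_risk_level(w: WeeklyInputs) -> str:
    """Map the weekly counts to low / medium / high / critical.

    ASSUMED banding (not specified by the procedure): exposure that is both
    known-exploited (KEV) and present in our own dependency tree is critical;
    either one alone is high; advisories with no open alert are medium.
    """
    if w.new_kev_entries > 0 and w.open_dependabot_crit_high > 0:
        return "critical"
    if w.new_kev_entries > 0 or w.open_dependabot_crit_high > 0:
        return "high"
    if w.advisories_crit_high_7d > 0:
        return "medium"
    return "low"


def triage_for(level: str) -> tuple[str, str]:
    """Return (required action, timeframe) for a computed risk level."""
    return TRIAGE[level]


@dataclass
class DependabotAlert:
    package: str
    severity: str          # "critical", "high", "medium", "low"
    opened_at: datetime
    resolved: bool


def alerts_needing_gap(alerts: list[DependabotAlert], now: datetime) -> list[str]:
    """Packages whose critical/high alert has been open longer than 72 hours.

    Each returned package corresponds to one gap row in the compliance system.
    """
    cutoff = now - timedelta(hours=GAP_ESCALATION_HOURS)
    return [
        a.package
        for a in alerts
        if a.severity in ("critical", "high") and not a.resolved and a.opened_at <= cutoff
    ]


# Constructed sample data (hypothetical package names and dates).
NOW = datetime(2025, 1, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    DependabotAlert("example-pkg-a", "critical", datetime(2025, 1, 3, 9, 0, tzinfo=timezone.utc), False),
    DependabotAlert("example-pkg-b", "high", datetime(2025, 1, 7, 15, 0, tzinfo=timezone.utc), False),
    DependabotAlert("example-pkg-c", "critical", datetime(2025, 1, 1, 8, 0, tzinfo=timezone.utc), True),
    DependabotAlert("example-pkg-d", "medium", datetime(2024, 12, 20, 8, 0, tzinfo=timezone.utc), False),
]

if __name__ == "__main__":
    week = WeeklyInputs(advisories_crit_high_7d=2, open_dependabot_crit_high=1, new_kev_entries=0)
    level = weekly_risk_level(week)
    action, window = triage_for(level)
    print(f"weekly risk level: {level} -> {action} within {window}")
    for pkg in alerts_needing_gap(SAMPLE_ALERTS, NOW):
        print(f"open gap row: {pkg} (critical/high alert unresolved > {GAP_ESCALATION_HOURS}h)")
```

Only example-pkg-a produces a gap row: example-pkg-b is inside the 72-hour window, example-pkg-c is resolved, and example-pkg-d is medium severity. If the banding thresholds are ever made explicit in the procedure, they belong in `weekly_risk_level` and nowhere else.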
Sector-specific feeds
Because SigmaShake targets enterprise AI governance, threat intelligence relevant to the following areas is also collected:
- AI/ML supply chain attacks
- MCP (Model Context Protocol) security advisories
- Cloudflare Workers runtime CVEs
These areas are monitored manually via the Cloudflare changelog, Anthropic security bulletins, and relevant GitHub repos.
Evidence
| Collector | Cadence | Control |
|---|---|---|
| threat-intel-digest | Weekly | A.5.7, A.8.7, A.8.8 |
| dep-vulns | Daily | A.8.7, A.8.8, A.8.26, A.8.29 |