b01-gbrain-security provides a self-wiring knowledge graph focused on threats, vulnerabilities, and security incidents. Hosted at PulverizeDirector/b01-gbrain-security, the project has 44 GitHub stars and carries an MIT license. It adapts concepts from the original gbrain project—a broader self-wiring AI knowledge graph with 29 skills, hybrid search, and entity enrichment—tailoring them specifically for security and compliance tasks.
The project targets areas like security audits, vulnerability management, and frameworks such as GDPR or SOC2. It includes 8 domain-specific skills and 3 end-to-end workflows, all with structured outputs and live progress tracking. Users interact via skills that build and query a graph of interconnected security data, pulling in elements like CVEs, threat actors, TTPs, IOCs, and MITRE ATT&CK mappings.
Core Skills
The skills form the foundation, each handling a discrete task in security intelligence. They ingest data, build relationships, and generate actionable insights.
| Skill | Description |
|---|---|
| /threat-ingest | Ingest threat intel feeds: extract CVEs, threat actors, TTPs and link entities |
| /vuln-graph | Build vulnerability relationship graph: CVEs, affected systems, patch status |
| /incident-security | Store security incidents with IOCs, timeline, MITRE ATT&CK mapping and backlinks |
| /compliance-brain | Track compliance controls, evidence links and gap analysis across frameworks |
| /asset-ingest | Ingest asset inventory with risk scores, owner links and exposure backlinks |
| /pentest-ingest | Store pentest findings with CVSS scores, remediation links and retest backlinks |
| /threat-query | Query brain for threat landscape, attack patterns and defensive recommendations |
| /cve-monitor | Detect new CVEs affecting your asset graph and surface to security team |
For example, /threat-ingest processes feeds to extract and link CVEs with threat actors and tactics, techniques, and procedures (TTPs). /vuln-graph constructs graphs showing how CVEs connect to systems and their patch states. Skills like /incident-security and /pentest-ingest store historical data with metrics such as CVSS scores, timelines, and remediation paths.
Workflows
Three workflows chain skills for complete processes:
| Workflow | Description |
|---|---|
| security-brain-init | Bootstrap: ingest asset inventory → past incidents → CVE feeds → crons |
| threat-brief | Weekly threat briefing: new CVEs + active threats + compliance status |
| incident-brain | During incident: query IOC graph → ingest findings → update playbook |
The security-brain-init workflow starts by loading asset inventories, historical incidents, and CVE feeds, then sets up cron jobs for ongoing updates. threat-brief compiles weekly reports on emerging CVEs, active threats, and compliance gaps. incident-brain activates during live events, querying indicators of compromise (IOCs), ingesting new findings, and refining playbooks.
Interaction Pattern
Each skill uses a consistent 5-step process:
- Scope Confirmation: verify the target and options.
- Live Progress: a bar like [██████] 100% with counts (e.g., 34 CVEs).
- Structured Findings: tables sorted by impact (🔴🟠🟡🟢).
- Action Plan: quick wins, medium-term fixes, strategic steps.
- Next Steps: suggested follow-up skills.
A UI preview shows this in action for a query like "sql injection campaign":
╔══════════════════════════════════════════════════╗
║ Threat Brain — "sql injection campaign" ║
╠══════════════════════════════════════════════════╣
║ CVE graph … [██████] 100% 34 CVEs ║
║ Incident history … [████░░] 80% 12 incidents║
║ ATT&CK mapping … [██████] 100% ║
╚══════════════════════════════════════════════════╝
Related threat activity:
T1190 Exploit Public-Facing App — 3 past incidents 🔴
T1505 Server-Side Backdoor — linked to CVE-2024-1234
Recommended: WAF rule update + patch nginx 1.24→1.26
This format delivers progress visibility and prioritized outputs, such as linking a MITRE ATT&CK technique (T1190, Exploit Public-Facing Application) to past incidents or to specific CVEs. Note that the preview's CVE-2024-1234 and the nginx version numbers are placeholders in the project's mock-up, not findings.
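To make concrete what the skills table (/vuln-graph, /cve-monitor, /threat-query) and the preview above actually compute, here is a small stand-alone model of such a graph. This is an added example written for this page, not code from b01-gbrain-security or gbrain; the node kinds, relation names (RUNS, AFFECTS, ENABLES, USED, EXPLOITED) and every asset, incident and CVE identifier (CVE-EXAMPLE-1, CVE-EXAMPLE-2) are constructed placeholders. It shows the three graph operations the page describes: storing an edge once and answering from its backlink, walking CVE → affected software → running asset to surface exposed systems, and pulling incidents and CVEs that share an ATT&CK technique, with the severity buckets taken from the NVD CVSS v3 qualitative ranges.

```python
"""Illustrative security knowledge graph (example code, not the project's).

Nodes are typed (asset, software, cve, technique, incident); edges are
typed and indexed in both directions so every link is also a backlink.
All sample data is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)                      # id -> attributes
    out: dict = field(default_factory=lambda: defaultdict(set))    # (src, rel) -> {dst}
    back: dict = field(default_factory=lambda: defaultdict(set))   # (dst, rel) -> {src}

    def add(self, node_id, **attrs):
        self.nodes.setdefault(node_id, {}).update(attrs)

    def link(self, src, rel, dst):
        """Store the edge once; the reverse index is the backlink."""
        self.out[(src, rel)].add(dst)
        self.back[(dst, rel)].add(src)

    def forward(self, src, rel):
        return self.out.get((src, rel), set())

    def backlinks(self, dst, rel):
        return self.back.get((dst, rel), set())


def build_sample_graph():
    """Constructed inventory, vuln data and incident history (placeholder IDs)."""
    g = Graph()
    # Asset inventory with owner and exposure (what /asset-ingest would load)
    g.add("web-01", kind="asset", owner="platform", exposure="internet")
    g.add("web-02", kind="asset", owner="platform", exposure="internal")
    g.add("db-01", kind="asset", owner="data", exposure="internal")
    g.add("nginx 1.24", kind="software")
    g.add("postgres 15", kind="software")
    g.link("web-01", "RUNS", "nginx 1.24")
    g.link("web-02", "RUNS", "nginx 1.24")
    g.link("db-01", "RUNS", "postgres 15")
    # Vulnerability graph: CVE -> affected software, with CVSS and patch state
    g.add("CVE-EXAMPLE-1", kind="cve", cvss=9.8, patched=False)   # placeholder ID
    g.add("CVE-EXAMPLE-2", kind="cve", cvss=5.3, patched=True)    # placeholder ID
    g.link("CVE-EXAMPLE-1", "AFFECTS", "nginx 1.24")
    g.link("CVE-EXAMPLE-2", "AFFECTS", "postgres 15")
    # ATT&CK mapping and incident history (T1190 is a real technique ID)
    g.add("T1190", kind="technique", name="Exploit Public-Facing Application")
    g.add("INC-1", kind="incident", date="2024-03-02")
    g.add("INC-2", kind="incident", date="2024-06-17")
    g.link("CVE-EXAMPLE-1", "ENABLES", "T1190")
    g.link("INC-1", "USED", "T1190")
    g.link("INC-2", "USED", "T1190")
    g.link("INC-1", "EXPLOITED", "CVE-EXAMPLE-1")
    return g


def exposed_assets(g, cve_id):
    """/cve-monitor-style check: assets running software the CVE affects.

    Walks CVE -AFFECTS-> software, then follows the RUNS backlink to assets.
    Internet-facing assets sort first so the table reads highest impact first.
    """
    hits = [(asset, sw)
            for sw in g.forward(cve_id, "AFFECTS")
            for asset in g.backlinks(sw, "RUNS")]
    return sorted(hits, key=lambda h: (g.nodes[h[0]]["exposure"] != "internet", h[0]))


def severity_marker(cvss):
    """CVSS v3 base score -> the page's 🔴🟠🟡🟢 buckets (NVD qualitative ranges)."""
    if cvss >= 9.0:
        return "🔴"   # Critical 9.0-10.0
    if cvss >= 7.0:
        return "🟠"   # High 7.0-8.9
    if cvss >= 4.0:
        return "🟡"   # Medium 4.0-6.9
    return "🟢"       # Low / None


def related_threat_activity(g, technique):
    """/threat-query-style view: incidents that used a technique and CVEs enabling it."""
    return {"incidents": sorted(g.backlinks(technique, "USED")),
            "cves": sorted(g.backlinks(technique, "ENABLES"))}


def findings_table(g):
    """Unpatched CVEs with at least one exposed asset, sorted by CVSS descending."""
    rows = []
    for nid, attrs in g.nodes.items():
        if attrs.get("kind") != "cve" or attrs.get("patched"):
            continue
        assets = [a for a, _ in exposed_assets(g, nid)]
        if assets:
            rows.append((severity_marker(attrs["cvss"]), attrs["cvss"], nid, assets))
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    g = build_sample_graph()
    for marker, cvss, cve, assets in findings_table(g):
        print(f"{marker} {cve} CVSS {cvss}: {', '.join(assets)}")
    print("T1190:", related_threat_activity(g, "T1190"))
```

The design point is that the reverse index is what makes "backlinks" cheap: a new CVE arriving from a feed needs only one AFFECTS edge, and the asset exposure question is answered without rescanning the inventory, which is the property the page's /cve-monitor skill relies on.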
Getting It Running
Installation targets Claude AI environments, specifically the Claude Code session and skills directory. No Docker, npm, or pip steps appear in the README—it's a direct file copy.
Run these commands:
# Copy to Claude skills directory
cp -r . ~/.claude/skills/b01-gbrain--security/
# Load in Claude Code session
/read ~/.claude/skills/b01-gbrain--security/SKILL.md
After copying, load the SKILL.md file in a Claude session to activate. The project assumes access to Claude's skill system, where commands like /threat-ingest become invocable. Data persists in the knowledge graph as skills wire entities together over time.
Who This Fits
Security teams handling audits, vulnerability tracking, or compliance will find direct value. Small to mid-sized ops teams can bootstrap with security-brain-init to ingest assets and incidents, then run threat-brief for routine updates. Incident responders use incident-brain to query IOCs and build playbooks mid-event.
If your workflow involves CVEs, pentests, or MITRE mappings, skills like /cve-monitor or /threat-query provide graph-based queries that reveal connections feeds alone miss. Compliance roles benefit from /compliance-brain, which links controls to evidence and gaps across frameworks.
It's less suited for teams without Claude access, as the setup ties directly to that platform. Nothing on the page describes an API, export or import path for other tools, so it is not a drop-in for purely offline or non-AI security stacks.
Ties to gbrain
This project derives from gbrain, narrowing its 29 general-purpose skills to 8 security-focused ones and adding 3 workflows. gbrain offers hybrid search and entity enrichment across domains; b01-gbrain-security specializes those for threats and compliance. Users familiar with gbrain can drop this in as a domain extension.
Alternatives include open-source threat intel platforms like MISP (for sharing IOCs) or OpenCTI (for knowledge graphs), but those lack the AI-driven self-wiring and Claude integration. BloodHound is also graph-based, but it maps attack paths in Active Directory and Entra ID environments rather than tracking CVEs and assets; this project covers the broader CVE, asset and incident picture.
The 44 stars reflect its niche status within the gbrain ecosystem. Source code and badges (Domain: Security & Compliance, Skills: 8, Workflows: 3) sit on GitHub for inspection. If Claude skills don't align with your stack, check the original gbrain first.