AI-Augmented Security Newsletter

Ever come across an automation workflow online and thought, “This is cool, but what if it can get better?”

That was my reaction to Niranjan G’s security digest workflow. His three-category approach was solid, but it opened up opportunities for deeper insights and more tailored recommendations.

The Original: Already Pretty Good

Let’s give credit where it’s due: Niranjan’s original workflow was pretty solid. The workflow handled three tracks (Security, Privacy, Compliance), filtered content to the last 24 hours, and delivered clean HTML digests via email.

My Enhancement Philosophy: Intelligence Over Volume

The core problem I wanted to solve? Not all security news is created equal. Getting 47 articles about the same vulnerability doesn’t make me more secure. It makes me want to close my laptop and go for a walk. What security teams need isn’t more information; it’s better information, intelligently prioritized and contextually relevant.

I rebuilt the workflow around three key principles:

1. Quality: Extra sources, but with reliability scoring.
2. Context-Aware Prioritization: Threats affecting our actual tech stack take precedence.
3. Actionable Intelligence: Summaries are helpful, but actionable insights are essential.

Enhancement #1: Intelligence-Grade Source Management

Niranjan’s original used basic RSS feeds across three categories. In my version, each source carries detailed intelligence metadata:

{
  "name": "CISA Advisory Alerts",
  "rss_url": "https://www.cisa.gov/cybersecurity-advisories/alerts.xml",
  "priority": "critical",
  "weight": 10,
  "reliability": 0.95,
  "category": "government"
}

This isn’t just organisational. It’s operational intelligence. When CISA publishes an alert, it automatically gets higher priority than a vendor blog post. The system understands source credibility, not just content recency.

I also consolidated from three separate category workflows into one unified intelligence pipeline. Instead of separate Security/Privacy/Compliance emails, you get one comprehensive briefing organised by threat priority.

Enhancement #2: The Threat Scoring Engine

Here’s where things get technical. The original workflow treated all articles equally: a critical zero-day got the same treatment as a vendor blog about password hygiene. In my version, I’ve implemented dynamic threat scoring.

// Calculate threat severity and relevance scores
const scoredArticles = items.map(article => {
  const title = (article.title || '').toLowerCase();
  const content = (article.content || '').toLowerCase();
  const summary = (article.contentSnippet || content).toLowerCase();

  let threatScore = 0;
  let relevanceScore = 0;
  let severityLevel = 'low';
  let techRelevance = [];

  // Calculate threat severity
  Object.entries(threatKeywords).forEach(([level, keywords]) => {
    Object.entries(keywords).forEach(([keyword, score]) => {
      if (content.includes(keyword) || title.includes(keyword)) {
        threatScore += score;
        if (score >= 7) severityLevel = 'critical';
        else if (score >= 4) severityLevel = 'high';
        else if (score >= 2) severityLevel = 'medium';
      }
    });
  });

  // Calculate tech stack relevance (whole word, in title or summary)
  Object.entries(techStack).forEach(([tech, score]) => {
    if (containsWholeWord(title, tech) || containsWholeWord(summary, tech)) {
      relevanceScore += score;
      techRelevance.push(tech);
    }
  });

The automation uses weighted keyword analysis to score threats, with terms like “zero-day exploits” and “ransomware” receiving higher priority than general advisories. The system maintains awareness of our specific environment and applies priority multipliers, ensuring that threats affecting our actual infrastructure matter more than theoretical attacks.

The final calculation:

  // Apply source reliability weighting
  const finalScore = (threatScore + relevanceScore) * article.source_reliability;

  // Only include if at least one tech stack keyword is in the title or summary
  const isRelevant = techRelevance.length > 0;

  return {
    ...article,
    threat_score: threatScore,
    relevance_score: relevanceScore,
    final_score: Math.round(finalScore * 100) / 100,
    severity_level: severityLevel,
    is_critical: severityLevel === 'critical' || finalScore >= 15,
    tech_relevance: techRelevance,
    is_relevant: isRelevant
  };
});

// Filter for relevance and sort by final score descending
const relevantArticles = scoredArticles.filter(article => article.is_relevant);
const sortedArticles = relevantArticles.sort((a, b) => b.final_score - a.final_score);

return sortedArticles.map(article => ({ json: article }));

This ensures that only the most pressing threats are analysed, prioritising immediate relevance over historical context.

Enhancement #3: AI Analysis

The AI node has detailed instructions to analyse threats through a structured intelligence framework, focusing on:

• Attack technique identification using industry-standard methodologies (e.g., MITRE ATT&CK)
• Business impact assessment beyond technical severity
• Actionable mitigation recommendations tailored to threat types
• Executive-ready summaries for leadership communication

Instead of generic summaries, we get structured threat intelligence analysis.

Enhancement #4: Multi-Format Intelligence Distribution

The original delivered HTML emails. My version adds:

• PDF Archive Generation: Formatted reports for documentation and offline access.
• Google Drive Node: Organised storage and team sharing.

The workflow automatically generates a PDF version of each briefing and archives it to Google Drive with proper naming conventions for easy retrieval.

Real-World Intelligence Operations

Here’s how these enhancements change daily security operations.

Original approach: Three separate emails with categorised security news summaries. Useful, but you still manually assess priority and relevance.

Enhanced version: One prioritised intelligence briefing that immediately identifies:

• Critical vulnerabilities affecting your specific infrastructure
• Threat campaigns targeting your industry with relevant defensive measures
• Which “critical” advisories actually don’t affect your systems

The difference is consuming information versus receiving actionable intelligence.

Example of in-scope intelligence output from the workflow.

Implementation Notes

The complete workflow includes:

• 12 intelligence-grade sources with reliability scoring
• Dynamic threat assessment based on 50+ security keywords
• Technology stack awareness for 15+ platforms and tools
• Automated archival and distribution

The Bottom Line

Effective security automation doesn’t just save time. It enhances decision-making. By integrating threat intelligence principles into the content curation process, we’ve elevated a traditional newsletter into a comprehensive intelligence briefing.