From Idea to Open-Source: Building CNA-GURU, a Generative AI Assistant for Security Advisories

CVE/FIRST VulnCon 2025 · Main Stage

In the dynamic and ever-expanding landscape of cybersecurity, scoring vulnerabilities and drafting security advisories is a critical yet often challenging and time-consuming task. Ryan, a Tech Lead for AWS Security Outreach, presented CNA-GURU (also known as Chat CVE), an open-source generative AI assistant designed to streamline and democratize this work. Motivated by a personal desire to improve efficiency and by the heightened demands of the 2024 CNA directives, Ryan set out to build a tool that could scale vulnerability assessment across a team.

AI review

A competent, well-structured talk about a genuinely useful open-source tool for vulnerability analysts. CNA-GURU solves a real operational problem — scaling CVE/CVSS/CWE work across teams with mixed experience levels — and the speaker clearly built the thing himself and iterated on it honestly. The 90% accuracy claim on 300 NVD CVEs is a concrete, verifiable result, and the architectural evolution story (Bedrock agents → local RAG → Jupyter notebook) shows real engineering judgment rather than 'we used AI and it worked.' This is squarely in practitioner-tool territory, not research…