The Security Bot Scenario

The Setup

You run a platform with a dozen services. Some are on Kubernetes, some on AWS. You depend on OpenSSL, Linux kernel, and a handful of open-source libraries. When a critical CVE drops, your team needs to know fast.

The sources you need to watch:

CISA Known Exploited Vulnerabilities — the US government's "these are being actively exploited right now" list
NIST NVD — every published CVE with severity scores
GitHub Security Advisories — vulnerabilities in open-source packages you use
Kubernetes CVEs — if you run containers, you care about these
Linux Kernel CVEs — the operating system under everything
Ubuntu / Debian Security Notices — when your distro patches
OpenSSL Releases — the crypto library the internet depends on
AWS Service Health — is your infra even up?

That's 8 different sources, each with different formats, update frequencies, and access methods. Today, most teams handle this one of two ways — both painful.

The Old Way: Humans in the Loop

❌ What it looks like today

Subscribe to 6 email lists (CISA, Ubuntu, Debian, Kubernetes, etc.)
Check the NVD website manually every morning
Skim GitHub's advisory feed when you remember
Get 300+ emails/day, 95% of which don't affect your stack
Your security engineer spends 1–2 hours/day triaging — reading, correlating, deciding what matters
Critical CVEs occasionally slip through because someone was on PTO

❌ What it looks like with DIY bots

Build 4–6 custom scrapers (one per source)
Parse HTML, RSS, JSON, and CSV — every source is different
Handle rate limits, pagination, and format changes
Your LLM processes 43MB of raw data to find what changed
Scrapers break every few weeks when upstream sites update
Maintaining this is a 200–400 line codebase per source

Both approaches work, sort of. But they're expensive, fragile, and don't scale. Every new source is another scraper to build, another email to parse, another thing that breaks.

The DiffDelta Way: Agent-Ready Intelligence

With DiffDelta, all 8 of those sources are already being monitored. Every 15 minutes, our pipeline checks upstream, computes what changed, scores it for risk, and serves it as structured JSON on a global CDN.

Your bot's job becomes trivial:

✅ What it looks like with DiffDelta

Poll one endpoint every 15 minutes: /diff/head.json (400 bytes)
If nothing changed, stop. You burned 400 bytes, not 43MB.
If something changed, fetch /diff/latest.json — pre-diffed, pre-normalized JSON
Every item has a headline, excerpt, risk score, and provenance chain
Filter by source (cisa_kev, github_advisories, etc.) or tag (security)
Your agent reads 49K tokens instead of 43M — and knows exactly what's new

The Code: 15 Lines

Here's a complete security monitoring bot. No SDK, no dependencies beyond requests.

security_bot.py

import requests, json

# Your stored cursor (start with None on first run)
stored_cursor = load_cursor()  # e.g. from a file or database

# Step 1: Check for changes (400 bytes, ~10ms)
head = requests.get("https://diffdelta.io/diff/head.json").json()

if head["cursor"] == stored_cursor:
    print("No changes. Done.")
    exit()

# Step 2: Fetch the full delta
feed = requests.get("https://diffdelta.io/diff/latest.json").json()

# Step 3: Filter for security items and act on them
for item in feed["buckets"].get("new", []):
    if item["source"] in ["cisa_kev", "nist_nvd", "github_advisories",
                           "kubernetes_cve", "linux_kernel_cve"]:
        print(f"\U0001f6a8 {item['source']}: {item['headline']}")
        # → Create a Jira ticket, send a Slack alert, trigger a patch pipeline

# Step 4: Save cursor for next poll
save_cursor(feed["cursor"])

That's it. No HTML parsing. No rate-limit handling. No format normalization. The pipeline runs every 15 minutes, and your agent only processes what's actually new.

What the Data Looks Like

Here's what your bot actually receives — real data from DiffDelta's live CISA KEV feed:

Sample feed items (from /diff/source/cisa_kev/latest.json)

Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability

CVE-2020-29583 ⚠ Actively exploited Source: cisa_kev

Zyxel firewalls (ATP, USG, VM) and AP Controllers contain a hard-coded credential in an undocumented account with an unchangeable password.

Zoho ManageEngine ServiceDesk Plus File Upload Vulnerability

CVE-2019-8394 ⚠ Actively exploited Source: cisa_kev

Allows remote users to upload arbitrary files via login page customization. No authentication required.

Every item comes with a headline your agent can read, a structured excerpt with the details, evidence URLs linking to the original source, and a content hash so you can verify nothing was tampered with. No scraping, no guessing, no LLM required just to understand what happened.

The Math

Let's compare the cost of monitoring these 8 security sources:

833×

Less bandwidth

400 bytes vs. 330KB per check

876×

Fewer tokens

Pre-diffed & pre-summarized

Lines of code

vs. 200–400 per scraper

Most of those 15-minute polls return nothing new. Your agent checks head.json (400 bytes), sees the cursor hasn't changed, and moves on. When something does change, you get exactly what's different — not the entire database.

This is what we call compute arbitrage: DiffDelta does the expensive work once (fetching, parsing, normalizing, scoring) and serves the result cheaply to every agent that needs it. You pay for one API call instead of rebuilding the pipeline yourself.

DiffDelta is free. All 35+ sources, all data, zero cost. Start polling in under 10 lines.

Get Started → View All Sources ↓

More Scenarios

Coming soon

The Incident Response Bot — Auto-detect when AWS, GCP, or Azure go down and trigger your runbooks

Coming soon

The Supply Chain Monitor — Watch for package ownership transfers, license changes, and deprecated dependencies