The problem
Security signal volume in 2026 is overwhelming for solo operators and small teams. CVE feeds alone produce 50-200 daily entries. Most aren't relevant to your stack. Manual triage is exhausting; missing the relevant ones is dangerous.
Recommended setup
| Component | Choice |
| --- | --- |
| Agent | Hermes Agent with custom feed-watching tools |
| Hardware | Raspberry Pi 5 (8 GB) — the workload is light, runs comfortably |
| LLM | Claude 4.5 Sonnet — accuracy matters more than cost on security workloads |
How it works
Hermes Agent runs on a cron schedule (every 30 min) with three tools: 'fetch CVE feed', 'check GitHub advisories for tracked repos' and 'tail server logs'. Each cycle, it pulls new entries, filters them by your stack inventory (declared in config), summarises critical findings and posts them to Telegram or Slack. Routine entries are filed to an audit log; only items that are both critical and stack-relevant page you.
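The filter-and-route step of each cycle, as an added example rather than Hermes Agent's own code. It assumes "critical" means CVSS 9.0 or higher and that each feed entry carries a first-fixed version; the ids, package names and versions are constructed placeholders.

```python
# Added example: stack-aware routing of feed entries (not Hermes Agent code).
from dataclasses import dataclass

CRITICAL_CVSS = 9.0  # assumption: "critical" means CVSS >= 9.0

@dataclass(frozen=True)
class Entry:
    ident: str      # advisory id from the feed
    package: str    # affected package name
    fixed_in: str   # first fixed version
    cvss: float

def norm(name: str) -> str:
    """Normalise package names so 'Example_Lib' matches 'example-lib'."""
    return name.strip().lower().replace("_", "-")

def vtuple(version: str) -> tuple:
    """Parse dotted numeric versions so 2.9.4 sorts below 2.10.0."""
    return tuple(int(p) for p in version.split("."))

def triage(entries, inventory, seen):
    """Split one cycle's entries into (page, audit); `seen` persists across cycles."""
    stack = {norm(k): v for k, v in inventory.items()}
    page, audit = [], []
    for e in entries:
        if e.ident in seen:      # handled in an earlier cycle: do not re-page
            continue
        seen.add(e.ident)
        installed = stack.get(norm(e.package))
        affected = installed is not None and vtuple(installed) < vtuple(e.fixed_in)
        if affected and e.cvss >= CRITICAL_CVSS:
            page.append(e.ident)     # critical and stack-relevant
        else:
            audit.append(e.ident)    # routine: audit log only
    return page, audit

# Constructed sample data: ids, packages and versions are placeholders.
INVENTORY = {"example-lib": "2.9.4", "demo_server": "1.4.0"}
FEED = [
    Entry("CVE-0000-0001", "Example_Lib", "2.10.0", 9.8),  # in stack, critical
    Entry("CVE-0000-0002", "demo-server", "1.3.2", 9.1),   # already patched
    Entry("CVE-0000-0003", "other-pkg", "5.0.0", 10.0),    # not in stack
    Entry("CVE-0000-0004", "example-lib", "2.9.5", 5.3),   # relevant, not critical
]

if __name__ == "__main__":
    seen_ids = set()
    print(triage(FEED, INVENTORY, seen_ids))  # first cycle
    print(triage(FEED, INVENTORY, seen_ids))  # next cycle: nothing new
```

In a real deployment the `seen` set has to be persisted between cron runs (a file or small database), otherwise every cycle re-pages the same advisory.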
Reality check
I run this on my own stack inventory (~40 repos tracked). Pages me roughly once every 8-10 days for genuine action items. False positives: ~1-2 per week (tolerable). False negatives: zero detected over 6 months (but I'm not sure I'd know if I missed one — that's the limit of this kind of monitoring).
What breaks
- Sophisticated supply-chain attacks below CVE radar
- Stack inventory drift if you don't update the agent's config
- Heavy log analysis — for that you want a real SIEM, not an AI agent
Alternative setups
ZeroClaw if your security feeds contain sensitive data you can't expose to cloud LLMs. Slower triage quality with local Llama, but air-gapped.