A method comprises receiving, by a threat level engine (TLE) in the network, security data from a plurality of different sources, wherein the security data comprises data regarding traffic related to a security threat occurring in the network, determining, by the TLE, a security related event indicating a security threat occurring at network elements in the network based on security key performance indicators and the security data, when a threat impact level of the security related event exceeds a threshold, determining, by the TLE, a remediation action for the security related event based on the threat impact level, transmitting, by the TLE to a policy decision point, an instruction to generate and store a rule based on the remediation action for the security related event, and transmitting, to a policy enforcement point, an authorization to create the secure tunnel between the one or more network elements and another endpoint.