Network traffic logs, security events, endpoint activity, and other sensor data.
Raw Security Logs / SIEM
Logs from firewalls, intrusion detection systems (IDS), endpoint protection (EDR), and other security devices.
Any Time Series Data Source
Agent Nautilus can disambiguate and de-noise any time series dataset. Its contextual analysis rapidly identifies and correlates actors via the ICG Genome, quickly and efficiently discarding data that contributes nothing to the targeted outcome.
Leverages heuristic models and historical data to establish baselines and identify suspicious patterns, informed by threat intel and market CTI.
Threat Intel Integration
Cross-references ingested data with known IoCs and threat intelligence feeds to identify potential threats.
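The cross-referencing step above, shown as a runnable example. This is added illustration code, not part of Agent Nautilus or the page; the feed, the log lines and the key=value log format are constructed, and the indicator values are documentation/test-range placeholders rather than real IoCs. It extracts IPv4 addresses, SHA-256 hashes and hostnames from each log line, looks them up against a typed indicator index, and walks parent domains so a feed entry for a registered domain also catches its subdomains.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed threat-intel feed (placeholder values, not real indicators).
# "source" and "confidence" mimic the metadata most feeds carry.
THREAT_INTEL = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "feed-a", "confidence": 90},
    {"type": "domain", "value": "bad-example.test", "source": "feed-b", "confidence": 70},
    {"type": "sha256",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "source": "feed-a", "confidence": 60},
]

# Constructed log lines in a key=value style (firewall, DNS, EDR file event).
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.45 proto=tcp dport=443",
    "ts=2024-05-01T10:00:03Z src=10.0.0.7 dst=198.51.100.20 proto=tcp dport=80",
    "ts=2024-05-01T10:00:09Z host=ws-12 query=www.bad-example.test rcode=NOERROR",
    "ts=2024-05-01T10:01:00Z host=ws-12 file=/tmp/a.bin "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ts=2024-05-01T10:02:00Z host=ws-13 query=intranet.corp.test rcode=NOERROR",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    line_no: int
    indicator_type: str
    indicator: str
    source: str
    confidence: int


def build_index(feed):
    """Group indicators by type into dicts so each lookup is O(1)."""
    index = {"ipv4": {}, "domain": {}, "sha256": {}}
    for ioc in feed:
        index[ioc["type"]][ioc["value"].lower()] = ioc
    return index


def domain_lookups(domain):
    """Yield the name and each parent, so www.bad-example.test also hits bad-example.test."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def extract_candidates(line):
    """Pull every syntactically valid IPv4, SHA-256 and hostname out of a line."""
    ips = set()
    for cand in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if not ip.is_loopback:
            ips.add(str(ip))
    hashes = {h.lower() for h in SHA256_RE.findall(line)}
    domains = {d.lower() for d in DOMAIN_RE.findall(line)}
    return ips, hashes, domains


def _match(line_no, ioc):
    return Match(line_no, ioc["type"], ioc["value"], ioc["source"], ioc["confidence"])


def cross_reference(lines, feed):
    """Return one Match per (line, indicator) hit, in log order."""
    index = build_index(feed)
    matches = []
    for line_no, line in enumerate(lines, start=1):
        ips, hashes, domains = extract_candidates(line)
        for ip in sorted(ips):
            if ip in index["ipv4"]:
                matches.append(_match(line_no, index["ipv4"][ip]))
        for h in sorted(hashes):
            if h in index["sha256"]:
                matches.append(_match(line_no, index["sha256"][h]))
        for d in sorted(domains):
            for name in domain_lookups(d):
                if name in index["domain"]:
                    matches.append(_match(line_no, index["domain"][name]))
                    break  # report the closest matching ancestor only once
    return matches


if __name__ == "__main__":
    for m in cross_reference(SAMPLE_LOGS, THREAT_INTEL):
        print(f"line {m.line_no}: {m.indicator_type} {m.indicator} "
              f"({m.source}, confidence {m.confidence})")
```

The index is rebuilt per call here for simplicity; in a pipeline it would be refreshed when the feed updates and shared across log batches, and the match's source and confidence would be carried into the alert so downstream triage can weight a low-confidence feed differently from a high-confidence one.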
4. AI Workflow & Behavioral Context Engine (Agent Nautilus)
Behavioral Context Engine
Continuously learns from data, identifying normal behavior and flagging anomalies.
Workflow & Inference
Interprets anomaly signals in real-time, deciding whether to escalate, log, or correlate further.
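The baseline-then-decide loop described across the heuristic models and the Behavioral Context Engine, as an added example. This is illustration code, not Agent Nautilus code, and the per-host hourly connection counts are constructed sample data. It keeps a Welford running mean and standard deviation per entity, refuses to issue verdicts until an entity has enough history, maps the z-score of each new observation to log / correlate / escalate, and deliberately does not fold anomalous observations back into the baseline so that a sustained anomaly cannot teach the model that it is normal.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class RunningStats:
    """Welford's online mean/variance: O(1) updates, no stored history."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # running sum of squared deviations from the mean

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


@dataclass(frozen=True)
class Decision:
    entity: str
    value: float
    z: Optional[float]
    action: str  # "learn" | "log" | "correlate" | "escalate"


class BehavioralBaseline:
    MIN_SAMPLES = 12     # no verdicts until the entity has a usable baseline
    CORRELATE_Z = 3.0    # unusual: hand off for correlation with other signals
    ESCALATE_Z = 6.0     # far outside anything seen: escalate immediately

    def __init__(self):
        self.stats = {}

    def learn(self, entity, value):
        self.stats.setdefault(entity, RunningStats()).update(value)

    def zscore(self, entity, value):
        s = self.stats.get(entity)
        if s is None or s.n < self.MIN_SAMPLES:
            return None
        sd = s.stddev
        if sd == 0.0:  # constant history: any change at all is maximally surprising
            return 0.0 if value == s.mean else math.inf
        return (value - s.mean) / sd

    def observe(self, entity, value):
        z = self.zscore(entity, value)
        if z is None:
            self.learn(entity, value)           # cold start: learn, do not judge
            return Decision(entity, value, None, "learn")
        if abs(z) >= self.ESCALATE_Z:
            action = "escalate"
        elif abs(z) >= self.CORRELATE_Z:
            action = "correlate"
        else:
            action = "log"
            # Only observations judged normal feed the baseline; folding an
            # anomaly in would shift the mean toward the anomaly.
            self.learn(entity, value)
        return Decision(entity, value, z, action)


# Constructed history: outbound connections per host per hour over 24 hours.
HISTORY = {
    "ws-12": [40, 42, 38, 45, 41, 39, 44, 40, 43, 41, 38, 42,
              40, 44, 39, 41, 43, 40, 42, 38, 41, 40, 44, 42],
    "db-01": [5, 6, 5, 4, 6, 5, 5, 6, 4, 5, 5, 6,
              5, 4, 6, 5, 5, 6, 5, 4, 5, 6, 5, 5],
}


def build_baseline(history=HISTORY):
    b = BehavioralBaseline()
    for entity, series in history.items():
        for v in series:
            b.learn(entity, v)
    return b


if __name__ == "__main__":
    b = build_baseline()
    for entity, value in [("ws-12", 41), ("ws-12", 48), ("ws-12", 400),
                          ("db-01", 9), ("new-host", 17)]:
        d = b.observe(entity, value)
        print(f"{d.entity:8} value={d.value:<4} z={d.z} -> {d.action}")
```

A real engine would key the baseline by time of day as well as by entity (a count that is normal at noon may be anomalous at 03:00) and would age old samples out; the thresholds here are illustrative, and the important property is the asymmetry: normal observations train the model, anomalies only get reported.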
5. Agentic Workflow Orchestrator: Central Coordination & C2 Channels
1. Receiving Alerts
Monitors the system for suspicious activity, receiving alerts from the behavioral context engine and heuristic models.
2. Task Routing
Dispatches tasks to specialized agents based on the nature of the alert and the required response actions.
3. Feedback Loop
Receives status updates from agents, enabling continuous learning and adaptation to new threats.
6. Communication & Publishing Layer: Transparent Visibility for All Stakeholders
1. Security Posture Report
Provides up-to-date insights on an organization's security posture, enabling informed decision-making.
2. Incident Response Playbook
Auto-updates with recommended remediation steps, guided by active incidents identified by the orchestrator.
3. Real-Time Threat Scoreboard
Displays ongoing threats, newly detected anomalies, and their current status in real-time dashboards.
7. Continuous Feedback & Enhancement: Learning from Experience
Incident Outcomes
Learns from confirmed alerts and false positives, enhancing future anomaly detection.
Model Refresh
Periodically retrains AI models with new data, ensuring they stay current with evolving threats.
Self-attention lets the model capture context and extract meaningful features, improving its understanding of the data and the accuracy of threat detection.
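The orchestrator's receive / route / feedback cycle from section 5 together with the "learns from confirmed alerts and false positives" behaviour from section 7, as one added example. This is illustration code, not Agent Nautilus code; the alert fields, the agent names and the rule names are constructed. Alerts are dispatched to a specialist agent by category (with a default triage agent), every routing decision is appended to an audit trail, and analyst verdicts are fed back per source rule so that a rule whose precision collapses is automatically downgraded to log-only instead of continuing to page agents.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source_rule: str   # model or heuristic that raised it
    category: str      # "malware", "anomaly", "exfiltration", ...
    entity: str        # host, user or address the alert concerns


@dataclass
class RuleOutcomes:
    confirmed: int = 0
    false_positive: int = 0

    @property
    def total(self):
        return self.confirmed + self.false_positive

    @property
    def precision(self):
        return self.confirmed / self.total if self.total else None


class Orchestrator:
    MIN_OUTCOMES = 5      # do not judge a rule on a handful of verdicts
    MIN_PRECISION = 0.2   # below this, the rule's alerts are logged, not dispatched

    def __init__(self):
        self.agents: Dict[str, Callable[[Alert], str]] = {}
        self.outcomes = defaultdict(RuleOutcomes)
        self.audit: List[Tuple[str, str, str]] = []  # (alert_id, rule, disposition)

    def register(self, category, agent):
        self.agents[category] = agent

    def route(self, alert):
        """Dispatch to a specialist agent, or log only if the rule has proven noisy."""
        stats = self.outcomes[alert.source_rule]
        if stats.total >= self.MIN_OUTCOMES and stats.precision < self.MIN_PRECISION:
            disposition, result = "logged-only", None
        else:
            agent = self.agents.get(alert.category) or self.agents.get("default")
            if agent is None:
                disposition, result = "unrouted", None
            else:
                disposition, result = "dispatched", agent(alert)
        self.audit.append((alert.alert_id, alert.source_rule, disposition))
        return disposition, result

    def feedback(self, alert, outcome):
        """Record the analyst's verdict against the rule that raised the alert."""
        stats = self.outcomes[alert.source_rule]
        if outcome == "confirmed":
            stats.confirmed += 1
        elif outcome == "false_positive":
            stats.false_positive += 1
        else:
            raise ValueError(f"unknown outcome {outcome!r}")


# Constructed specialist agents; each returns the task it queued.
def containment_agent(alert):
    return f"contain:{alert.entity}"


def enrichment_agent(alert):
    return f"enrich:{alert.entity}"


def triage_agent(alert):
    return f"triage:{alert.alert_id}"


def build_orchestrator():
    o = Orchestrator()
    o.register("malware", containment_agent)
    o.register("anomaly", enrichment_agent)
    o.register("default", triage_agent)
    return o


def run_scenario():
    """Five false positives from one noisy rule downgrade its sixth alert to log-only."""
    o = build_orchestrator()
    noisy = [Alert(f"a{i}", "heur-dns-entropy", "anomaly", "ws-12") for i in range(6)]
    dispositions = []
    for a in noisy[:5]:
        dispositions.append(o.route(a)[0])
        o.feedback(a, "false_positive")
    dispositions.append(o.route(noisy[5])[0])
    other = Alert("b1", "edr-hash-match", "malware", "ws-12")
    dispositions.append(o.route(other)[0])   # a different rule is unaffected
    return dispositions, o


if __name__ == "__main__":
    dispositions, o = run_scenario()
    for entry in o.audit:
        print(entry)
```

The suppression is keyed by rule, not by entity, so a noisy heuristic stops paging agents everywhere while other rules on the same host keep flowing; the audit list is the raw material for the compliance log in section 8, and the per-rule outcome counts are what a model refresh would consume when retraining.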
8. Storage & Long-Term Archives: Data Retention and Compliance
1. Model Repository
Stores all active ML models and past versions for rollback or compliance checks.
2. Compliance Logs & Records
Logs every action taken for regulatory audits, ensuring compliance with relevant standards.
3. Forensic Data Archives
Retains high-detail event traces for in-depth investigations and legal evidence.