How the AI agents work.

Last updated 14 Jun 20262 min read

Liberty91 runs a set of specialised AI agents that work together on every Event. They fall into four categories: agents that extract entities from incoming reports, self-learning knowledge agents that build expertise on topics, tradecraft agents that supply analysis skills, and integration agents that work with external tools. Each agent does one job well, and the platform composes them to produce grounded, current intelligence.

Entity extraction agents

These agents are each dedicated and trained to pull one kind of entity out of an incoming report:

Indicators of Compromise.
MITRE ATT&CK techniques.
Threat Entities.
Sectors and regions, both target and origin.
Assets.
Suppliers.

Knowledge agents

These agents are self-learning. Each builds and maintains expertise on a topic over time:

Organizations.
Regions.
Sectors.
Threat Entities.
Intelligence Requirements.

Tradecraft agents

These supply the analysis skills that other agents draw on. They cover:

Analysis of Competing Hypotheses (ACH).
The NATO Admiralty scale.
The use of confidence and likelihood.
Writing standards.
IOCs.
SIGMA rules.
STIX bundles.

Integration agents

These agents are trained to work with external tools, so the platform can collect from and push to other systems. Examples include:

Google Threat Intelligence.
CrowdStrike.
AlienVault OTX.
MISP.
Slack.
Group-IB.

IOC enrichment

IOC enrichment follows the decaying-indicators research pioneered by the CIRCL team at MISP. That work sets the base scores and decay behaviour the platform applies to every indicator. See IOC enrichment and decay scoring for how scoring and expiry work.

← PreviousIntelligence Requirements Next →IOC enrichment and decay scoring

How the AI agents work.

Entity extraction agents

Knowledge agents

Tradecraft agents

Integration agents

IOC enrichment

Frequently asked questions

What are the four categories of agent?

Does IOC scoring follow an established method?