Behavioral modeling
Research into how to construct and maintain accurate per-entity behavioral baselines — users, devices, service accounts — so deviations carry meaningful signal rather than noise.
Our R&D team advances the science of autonomous security — from behavioral modeling to the 15-cluster ARES architecture that continuously probes and hardens enterprise environments.
The team works across four intersecting areas — each informing the platform's ability to investigate threats autonomously.
Research into how to construct and maintain accurate per-entity behavioral baselines — users, devices, service accounts — so deviations carry meaningful signal rather than noise.
Designing coordination protocols that let multiple AI agents divide investigation work, share discovered context, and converge on a verdict — without the bottlenecks of sequential processing.
Building the graph structures and reasoning methods that connect raw telemetry to known adversary infrastructure, tooling, and tradecraft — turning static feeds into live, contextual signal.
Studying how AI systems used in security can be attacked and hardened — including adversarial inputs designed to evade detection models and the domain-specific defenses that counter them.
Teaching agents to reason across multi-step attack paths — linking credential access to lateral movement to data exfiltration — so investigations follow the attacker's logic, not just individual alerts.
Research into how to transform machine-generated investigation traces into human-readable verdicts — structured evidence trails that analysts and auditors can review, challenge, and act on.
Building models that understand what normal looks like for every entity in an enterprise environment — and that adapt as behavior legitimately evolves. The research challenge is staying sensitive to subtle drift without generating noise from expected change.
A single alert rarely tells the whole story. Our research explores how collections of specialized agents can divide investigation tasks, hand off discovered context, and reach a shared verdict faster than any sequential approach.
Threat intelligence is only useful when it is contextually connected to what is happening on your network right now. We research graph-based architectures that link indicators, actor profiles, and TTPs to live telemetry in a way that is fast enough to influence active investigations.
Security AI is a high-value target. This research area studies how detection models can be manipulated by adversaries who know they are being observed — and what domain-specific hardening techniques make those manipulations impractical.
We publish what we measure. Where ARES exceeds expectations we say so. Where it falls short of best-in-class, we say that too.
Tested against Damn Vulnerable Web Application — a controlled, well-characterised environment used across the industry.
| Metric | Result |
|---|---|
| Detection rate (v10) | ~53% |
| Vulnerability classes (v12) | 9 |
| Cost per task | $1–3 |
| Total tests passing | 2,054 |
| Agent clusters / sub-agents | 15 / 76 |
A ~53% detection rate on DVWA v10 is a real starting point — not a finished product. Best-in-class commercial scanners reach 90–96% on the same benchmark. ARES is an autonomous, multi-agent system still in active development; the gap is real and the team is closing it systematically.
Security vendors routinely obscure benchmark methodology or cherry-pick favorable conditions. We think that is bad for the industry. Raw numbers, test environment, and version are published so customers and researchers can evaluate them independently.
All tests run against unmodified DVWA deployments at the stated version. No hint mode, no pre-seeded context, no human-in-the-loop during the scan. CRUCIBLE's ≥0.85 confidence gate applied to all reported findings.
Phalanxia is established by security researchers and AI engineers. Initial research into multi-agent architectures for autonomous alert investigation begins.
First working version of the per-entity behavioral modeling system. Validated in lab environments against benchmark insider-threat and compromised-account scenarios.
Platform deployed with initial enterprise customers. Operational feedback begins shaping multi-agent coordination and evidence-synthesis research priorities.
Live threat-intelligence correlation layer shipped — linking active investigations to CVE context, known adversary infrastructure, and TTP mappings in near real-time.
Autonomous AI penetration testing product launched, applying the multi-agent investigation architecture to offensive security assessment workflows.
What the team is working toward. Themes and directions — not committed delivery dates. Subject to change as research progresses and customer priorities evolve.
Extending autonomous assessment capabilities to REST and GraphQL API endpoints and mobile application targets — areas where existing scanners produce shallow coverage.
A redesigned inter-agent communication layer focused on reducing verdict latency, improving context fidelity across agent handoffs, and scaling to more concurrent investigation threads.
Deeper lateral movement simulation across network segments, privilege boundaries, and application layers — bringing agent reasoning closer to how real adversaries plan multi-stage campaigns.
Research into applying autonomous assessment to cloud infrastructure configurations, IaC templates, and Kubernetes environments — surface areas that are large, fast-changing, and difficult to assess manually.
When ARES discovers vulnerabilities during research or authorized assessments, we follow coordinated disclosure practices.
Vulnerabilities identified autonomously during ARES research runs. Each finding includes the CRUCIBLE evidence chain — schema validation, cross-agent deduplication, L1–L4 evidence grading, and LLM reflector veto.
CVE disclosures include reproduction steps, affected versions, and the ARES agent trace that surfaced the issue — so the security community can evaluate and replicate findings independently.
Get notified when ARES research produces new CVE disclosures, benchmark updates, or published findings. Contact the team to be added to the research mailing list.
Contact the teamReach out to discuss collaboration, share findings from the field, or explore how the platform fits your environment.