Research & development

Where security meets
artificial intelligence.

Our R&D team advances the science of autonomous security — from behavioral modeling to the 15-cluster ARES architecture that continuously probes and hardens enterprise environments.

Technology

Core research domains.

The team works across four intersecting areas — each informing the platform's ability to investigate threats autonomously.

Behavioral modeling

Research into how to construct and maintain accurate per-entity behavioral baselines — users, devices, service accounts — so deviations carry meaningful signal rather than noise.

Multi-agent investigation

Designing coordination protocols that let multiple AI agents divide investigation work, share discovered context, and converge on a verdict — without the bottlenecks of sequential processing.

Threat-intelligence correlation

Building the graph structures and reasoning methods that connect raw telemetry to known adversary infrastructure, tooling, and tradecraft — turning static feeds into live, contextual signal.

Adversarial robustness

Studying how AI systems used in security can be attacked and hardened — including adversarial inputs designed to evade detection models and the domain-specific defenses that counter them.

Attack chain reasoning

Teaching agents to reason across multi-step attack paths — linking credential access to lateral movement to data exfiltration — so investigations follow the attacker's logic, not just individual alerts.

Evidence synthesis

Research into how to transform machine-generated investigation traces into human-readable verdicts — structured evidence trails that analysts and auditors can review, challenge, and act on.

Focus areas

How we approach the hard problems.

Behavioral analytics

Building models that understand what normal looks like for every entity in an enterprise environment — and that adapt as behavior legitimately evolves. The research challenge is staying sensitive to subtle drift without generating noise from expected change.

  • Per-entity and peer-group baselining
  • Temporal pattern modeling across days, weeks, and seasons
  • Insider-threat and compromised-account signal design
Multi-agent investigation architecture

A single alert rarely tells the whole story. Our research explores how collections of specialized agents can divide investigation tasks, hand off discovered context, and reach a shared verdict faster than any sequential approach.

  • Agent coordination and context-sharing protocols
  • Dynamic task allocation based on emerging evidence
  • Parallel investigation without verdict conflicts
Threat-intelligence graph

Threat intelligence is only useful when it is contextually connected to what is happening on your network right now. We research graph-based architectures that link indicators, actor profiles, and TTPs to live telemetry in a way that is fast enough to influence active investigations.

  • CVE and exploit-context enrichment
  • Adversary TTP and infrastructure mapping
  • Cross-feed indicator correlation and deduplication
Adversarial robustness

Security AI is a high-value target. This research area studies how detection models can be manipulated by adversaries who know they are being observed — and what domain-specific hardening techniques make those manipulations impractical.

  • Adversarial input detection in security telemetry
  • Model hardening specific to the cybersecurity domain
  • Monitoring for model drift and targeted evasion patterns
Transparency

ARES benchmark data.

We publish what we measure. Where ARES exceeds expectations we say so. Where it falls short of best-in-class, we say that too.

DVWA test environment results

Tested against Damn Vulnerable Web Application — a controlled, well-characterised environment used across the industry.

Metric Result
Detection rate (v10) ~53%
Vulnerability classes (v12) 9
Cost per task $1–3
Total tests passing 2,054
Agent clusters / sub-agents 15 / 76

What these numbers mean

A ~53% detection rate on DVWA v10 is a real starting point — not a finished product. Best-in-class commercial scanners reach 90–96% on the same benchmark. ARES is an autonomous, multi-agent system still in active development; the gap is real and the team is closing it systematically.

Why we publish this

Security vendors routinely obscure benchmark methodology or cherry-pick favorable conditions. We think that is bad for the industry. Raw numbers, test environment, and version are published so customers and researchers can evaluate them independently.

Methodology

All tests run against unmodified DVWA deployments at the stated version. No hint mode, no pre-seeded context, no human-in-the-loop during the scan. CRUCIBLE's ≥0.85 confidence gate applied to all reported findings.

Our journey

How we got here.

2024 Q1

Founded

Phalanxia is established by security researchers and AI engineers. Initial research into multi-agent architectures for autonomous alert investigation begins.

2024 Q3

Behavioral analytics engine

First working version of the per-entity behavioral modeling system. Validated in lab environments against benchmark insider-threat and compromised-account scenarios.

2025 Q1

First enterprise deployments

Platform deployed with initial enterprise customers. Operational feedback begins shaping multi-agent coordination and evidence-synthesis research priorities.

2025 Q3

Threat-intelligence graph

Live threat-intelligence correlation layer shipped — linking active investigations to CVE context, known adversary infrastructure, and TTP mappings in near real-time.

2026 Q1

AI Pentest launch

Autonomous AI penetration testing product launched, applying the multi-agent investigation architecture to offensive security assessment workflows.

Forward-looking

Roadmap.

What the team is working toward. Themes and directions — not committed delivery dates. Subject to change as research progresses and customer priorities evolve.

Near term

API and mobile attack surface coverage

Extending autonomous assessment capabilities to REST and GraphQL API endpoints and mobile application targets — areas where existing scanners produce shallow coverage.

Mid term

Next-generation agent coordination

A redesigned inter-agent communication layer focused on reducing verdict latency, improving context fidelity across agent handoffs, and scaling to more concurrent investigation threads.

Mid term

Enhanced attack chain reasoning

Deeper lateral movement simulation across network segments, privilege boundaries, and application layers — bringing agent reasoning closer to how real adversaries plan multi-stage campaigns.

Longer term

Cloud and infrastructure-as-code security

Research into applying autonomous assessment to cloud infrastructure configurations, IaC templates, and Kubernetes environments — surface areas that are large, fast-changing, and difficult to assess manually.

Responsible disclosure

CVE findings from ARES.

When ARES discovers vulnerabilities during research or authorized assessments, we follow coordinated disclosure practices.

Discovered by ARES

Vulnerabilities identified autonomously during ARES research runs. Each finding includes the CRUCIBLE evidence chain — schema validation, cross-agent deduplication, L1–L4 evidence grading, and LLM reflector veto.

Published with methodology

CVE disclosures include reproduction steps, affected versions, and the ARES agent trace that surfaced the issue — so the security community can evaluate and replicate findings independently.

Subscribe for updates

Get notified when ARES research produces new CVE disclosures, benchmark updates, or published findings. Contact the team to be added to the research mailing list.

Contact the team
Engage

Interested in the research?

Reach out to discuss collaboration, share findings from the field, or explore how the platform fits your environment.