Protective Intelligence Assistant

Analyst workflow for protective intelligence, cross-domain triage, and casepack generation.

A fixture-driven decision-support system for ingesting public signals, extracting entities, linking related activity into investigation threads, scoring risk with reason codes, and producing reviewable outputs.

The project translates protective-intelligence tradecraft into a working workflow: requirements-driven collection, source evaluation, entity extraction, correlation, risk scoring, uncertainty handling, and analyst-ready dissemination.

The public repo intentionally uses synthetic fixtures and environment-gated collectors. That keeps the workflow inspectable without exposing sensitive data or implying live protective operations.

Data
Synthetic fixtures, public-source examples, optional gated collectors.
Techniques
Entity extraction, source weighting, graph-style threading, scoring, uncertainty intervals.
Outputs
Daily reports, travel briefs, SITREPs, casepacks, and JSON review queues.
Posture
Decision support for human review, not autonomous enforcement or production protection.
Correlation fixture F1: 0.875
Insider fixture F1: 1.000
Supply-chain fixture F1: 0.889
Automated tests: 341
Vendor fixture profiles: 6
Generated report types: 5

Workflow

01

Set Requirements

Define watchlist terms, protected locations, people of interest, event calendars, and collection priorities.

02

Collect And Normalize

Ingest public-source and fixture signals, deduplicate records, extract entities, and preserve source context.

03

Correlate Threads

Link related activity with pair evidence, reason codes, shared entities, and temporal proximity.

04

Score Risk

Apply transparent scoring for operational risk, behavioral threat indicators, insider risk, and vendor exposure.

05

Produce Outputs

Generate casepacks, SITREPs, travel briefs, daily reports, and review queues for human assessment.
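The five steps above, carried through end to end on a handful of synthetic signals. This is an added example written for this page, not code from the project's repository: the watchlist terms, keyword and source weights, link threshold, recency bands and the four fixture records are all constructed for the illustration, and the pair-link weights and interval widths are illustrative choices rather than the project's calibration.

```python
"""End-to-end triage over synthetic signals: normalize, thread, score, queue. Added
illustration of the five steps, not project code; every value below is constructed."""
import hashlib
import itertools
import re
from datetime import datetime, timedelta

# Step 01: requirements (hypothetical watchlist, weights and cut-offs).
WATCHLIST_PEOPLE = {"j. doe"}
PROTECTED_LOCATIONS = {"harbor plaza"}
KEYWORD_WEIGHTS = {"armed": 0.5, "confront": 0.3, "itinerary": 0.3, "schedule": 0.2}
SOURCE_CREDIBILITY = {"news_wire": 0.9, "public_forum": 0.5, "anon_post": 0.3}
LINK_THRESHOLD = 0.5             # minimum pair weight for two alerts to share a thread
PROXIMITY = timedelta(hours=72)  # how close in time counts as pair evidence
NOW = datetime(2024, 5, 11)      # fixed clock so recency weighting is reproducible

# Step 02 input: constructed signals as (id, source, timestamp, text); s2 re-posts s1.
FIXTURE_SIGNALS = [
    ("s1", "public_forum", "2024-05-01T09:00:00", "Anyone know J. Doe's itinerary at Harbor Plaza Friday?"),
    ("s2", "public_forum", "2024-05-01T09:00:00", "Anyone know  J. Doe's itinerary at Harbor Plaza Friday?"),
    ("s3", "anon_post", "2024-05-01T20:30:00", "Going to confront J. Doe, maybe armed"),
    ("s4", "news_wire", "2024-05-10T08:00:00", "Harbor Plaza schedule published for the trade fair"),
]

def normalize(signals):
    """Step 02: dedupe on a hash of normalized text, extract entities, keep source context."""
    seen, alerts = set(), []
    for sid, source, ts, raw in signals:
        text = re.sub(r"\s+", " ", raw.lower()).strip()
        digest = hashlib.sha256(text.encode()).hexdigest()
        if digest in seen:  # exact re-posts collapse to the first sighting
            continue
        seen.add(digest)
        alerts.append({
            "id": sid, "source": source, "ts": datetime.fromisoformat(ts), "text": text,
            "people": {p for p in WATCHLIST_PEOPLE if p in text},
            "locations": {loc for loc in PROTECTED_LOCATIONS if loc in text},
            "keywords": {k for k in KEYWORD_WEIGHTS if re.search(rf"\b{re.escape(k)}\b", text)},
        })
    return alerts

def pair_link(a, b):
    """Pair evidence: (weight, reason codes) saying why a and b may belong together."""
    evidence = [(a["people"] & b["people"], 0.5, "SHARED_PERSON"),
                (a["locations"] & b["locations"], 0.3, "SHARED_LOCATION"),
                (abs(a["ts"] - b["ts"]) <= PROXIMITY, 0.2, "TEMPORAL_PROXIMITY")]
    hits = [(w, code) for ok, w, code in evidence if ok]
    return sum(w for w, _ in hits), [code for _, code in hits]

def thread_alerts(alerts):
    """Step 03: union-find over pairs above LINK_THRESHOLD -> {alert id: (thread id, codes)}."""
    parent = {a["id"]: a["id"] for a in alerts}
    codes_for = {a["id"]: set() for a in alerts}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for a, b in itertools.combinations(alerts, 2):
        weight, codes = pair_link(a, b)
        if weight >= LINK_THRESHOLD:
            parent[find(b["id"])] = find(a["id"])
            codes_for[a["id"]].update(codes)
            codes_for[b["id"]].update(codes)
    return {a["id"]: (find(a["id"]), sorted(codes_for[a["id"]])) for a in alerts}

def score_alert(alert):
    """Step 04: transparent score; the interval widens as source credibility falls."""
    raw = min(1.0, sum(KEYWORD_WEIGHTS[k] for k in alert["keywords"])
              + (0.3 if alert["people"] else 0.0) + (0.2 if alert["locations"] else 0.0))
    cred = SOURCE_CREDIBILITY[alert["source"]]
    age = NOW - alert["ts"]
    recency = 1.0 if age <= timedelta(days=7) else 0.7 if age <= timedelta(days=30) else 0.4
    score = round(raw * (0.5 + 0.5 * cred) * recency, 3)
    width = 0.3 * (1.0 - cred)
    return score, (round(max(0.0, score - width), 3), round(min(1.0, score + width), 3))

def build_review_queue(signals):
    """Step 05: priority-ranked rows for human review; nothing here auto-dispositions."""
    alerts = normalize(signals)
    threads = thread_alerts(alerts)
    scored = {a["id"]: score_alert(a) for a in alerts}
    members = {}
    for aid, (tid, _) in threads.items():
        members.setdefault(tid, []).append(aid)
    # A thread inherits its strongest alert plus a small bump per corroborating alert.
    thread_score = {tid: round(min(1.0, max(scored[m][0] for m in ms) + 0.1 * (len(ms) - 1)), 3)
                    for tid, ms in members.items()}
    rows = [{"thread": threads[a["id"]][0], "thread_score": thread_score[threads[a["id"]][0]],
             "alert": a["id"], "score": scored[a["id"]][0], "interval": scored[a["id"]][1],
             "reason_codes": threads[a["id"]][1], "source": a["source"], "text": a["text"],
             "next_action": "analyst_review" if scored[a["id"]][0] >= 0.4 else "monitor"}
            for a in alerts]
    return sorted(rows, key=lambda r: (-r["thread_score"], -r["score"]))
```

Running `build_review_queue(FIXTURE_SIGNALS)` collapses the re-post, links s1 and s3 into one thread on `SHARED_PERSON` plus `TEMPORAL_PROXIMITY`, leaves s4 alone because a shared location nine days apart falls below the link threshold, and ranks the thread rows ahead of the lone news item. The interval on the anonymous post is the widest, which is the point of carrying uncertainty next to the score: a low-credibility source can top the queue and still be visibly uncertain.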

Implemented Components

analytics/soi_threads.py

Investigation Threading

Weighted pair-link model with explicit evidence for why alerts belong in the same subject thread.

analytics/risk_scoring.py

Operational Risk

Explainable scoring using source credibility, keyword weights, recency, frequency, and context.

analytics/behavioral_assessment.py

Behavioral Assessment

TRAP-18-informed and pathway-to-violence indicators adapted for triage, not clinical judgment.

analytics/insider_risk.py

Insider Risk Fixtures

Fixture telemetry for access deviation, data movement, physical/logical mismatch, and temporal anomalies.
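What the four indicator families look like as detection logic over a short, constructed telemetry stream. This is an added example for this page, not the project's `analytics/insider_risk.py`: the site-to-region map, per-user resource baselines, work-hour band, transfer threshold, mismatch window and indicator weights are hypothetical, and the two synthetic users exist only to show one stream that trips every family and one that trips none.

```python
"""Insider-risk indicators over fixture telemetry. Added illustration of the four
indicator families named above, not project code; all telemetry, baselines,
weights and cut-offs are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical reference data: which region each badge site sits in, each user's
# 30-day resource baseline, and the detector cut-offs.
SITE_REGION = {"hq-boston": "us-east"}
BASELINE_RESOURCES = {"u1": {"eng-repo"}, "u2": {"eng-repo"}}
WORK_HOURS = range(7, 19)             # local hours treated as normal for logical access
TRANSFER_THRESHOLD = 1_000_000_000    # bytes to an external destination in one event
MISMATCH_WINDOW = timedelta(hours=2)  # badge and VPN this close together must agree on place
INDICATOR_WEIGHTS = {"PHYSICAL_LOGICAL_MISMATCH": 0.4, "DATA_MOVEMENT": 0.3,
                     "ACCESS_DEVIATION": 0.2, "TEMPORAL_ANOMALY": 0.2}

# Constructed fixture telemetry (synthetic users and systems).
FIXTURE_EVENTS = [
    {"user": "u1", "kind": "badge", "ts": "2024-05-02T08:05:00", "site": "hq-boston"},
    {"user": "u1", "kind": "vpn", "ts": "2024-05-02T08:40:00", "geo": "remote-overseas"},
    {"user": "u1", "kind": "access", "ts": "2024-05-02T23:10:00", "resource": "finance-share"},
    {"user": "u1", "kind": "transfer", "ts": "2024-05-02T23:25:00", "bytes": 2_500_000_000, "dest": "external"},
    {"user": "u2", "kind": "badge", "ts": "2024-05-02T09:00:00", "site": "hq-boston"},
    {"user": "u2", "kind": "access", "ts": "2024-05-02T10:00:00", "resource": "eng-repo"},
    {"user": "u2", "kind": "transfer", "ts": "2024-05-02T10:30:00", "bytes": 50_000_000, "dest": "internal-backup"},
]

def by_user(events):
    """Group events per user in time order; timestamps become datetimes."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    for stream in grouped.values():
        stream.sort(key=lambda e: e["ts"])
    return grouped

def detect(user, stream):
    """Return (indicator code, evidence string) pairs for one user's event stream."""
    found = []
    badges = [e for e in stream if e["kind"] == "badge"]
    for e in stream:
        stamp = e["ts"].strftime("%H:%M")
        if e["kind"] == "vpn":
            # Physical/logical mismatch: badged into a site, yet a VPN session near the
            # same time originates from outside that site's region.
            for b in badges:
                if abs(e["ts"] - b["ts"]) <= MISMATCH_WINDOW and e["geo"] != SITE_REGION[b["site"]]:
                    found.append(("PHYSICAL_LOGICAL_MISMATCH",
                                  f"badge {b['site']} {b['ts']:%H:%M}, vpn from {e['geo']} {stamp}"))
        elif e["kind"] == "access":
            if e["ts"].hour not in WORK_HOURS:
                found.append(("TEMPORAL_ANOMALY", f"{e['resource']} accessed at {stamp}"))
            if e["resource"] not in BASELINE_RESOURCES.get(user, set()):
                found.append(("ACCESS_DEVIATION", f"{e['resource']} outside 30-day baseline"))
        elif e["kind"] == "transfer":
            if e["dest"] == "external" and e["bytes"] >= TRANSFER_THRESHOLD:
                found.append(("DATA_MOVEMENT", f"{e['bytes']} bytes to {e['dest']} at {stamp}"))
    return found

def assess(events):
    """Per-user score with reason codes. Output is a review posture, not a finding of intent."""
    results = {}
    for user, stream in by_user(events).items():
        indicators = detect(user, stream)
        codes = sorted({code for code, _ in indicators})   # each family counts once
        score = round(min(1.0, sum(INDICATOR_WEIGHTS[c] for c in codes)), 3)
        # Two independent families corroborating each other is what earns analyst time.
        posture = "analyst_review" if len(codes) >= 2 else "monitor" if codes else "baseline"
        results[user] = {"score": score, "reason_codes": codes,
                         "evidence": [ev for _, ev in indicators], "posture": posture}
    return results
```

`assess(FIXTURE_EVENTS)` returns u1 at the capped score with all four reason codes and the evidence strings an analyst would need to check each one against raw logs; u2, whose badge, in-hours access to a baseline resource and internal transfer are all consistent, comes back at baseline. Counting each family once, rather than each event, keeps a noisy detector from inflating the score on its own.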

analytics/supply_chain_risk.py

Vendor Exposure

Risk decomposition across geography, concentration, privilege scope, data sensitivity, and compliance posture.
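A decomposition along those five dimensions, written as an added example for this page rather than taken from the project's `analytics/supply_chain_risk.py`. The categorical scales, the dimension weights, the rule that each attestation halves the compliance gap, the critical-service list and the three vendor profiles are all constructed; concentration is computed as a portfolio property (share of critical services riding on one vendor) rather than read off the vendor record, which is the choice a practitioner would want to see made explicit.

```python
"""Vendor exposure decomposition. Added illustration of the five risk dimensions
named above, not project code; vendor profiles, scales and weights are constructed."""

# Hypothetical scales mapping categorical attributes to a 0..1 component value.
GEOGRAPHY = {"low-risk": 0.1, "medium-risk": 0.5, "high-risk": 0.9}
PRIVILEGE = {"none": 0.0, "read": 0.4, "write": 0.7, "admin": 1.0}
DATA_SENSITIVITY = {"none": 0.0, "internal": 0.4, "pii": 0.8, "regulated": 1.0}
WEIGHTS = {"geography": 0.15, "concentration": 0.25, "privilege": 0.25,
           "data_sensitivity": 0.20, "compliance": 0.15}    # sums to 1.0
# Concentration is a portfolio property: which critical services ride on one vendor.
CRITICAL_SERVICES = {"payroll", "badge-system", "ticketing"}

# Constructed vendor fixture profiles (synthetic).
VENDOR_PROFILES = [
    {"vendor": "v-alpha", "region": "high-risk", "services": ["payroll", "badge-system"],
     "privilege": "admin", "data": "pii", "controls": ["soc2"]},
    {"vendor": "v-beta", "region": "low-risk", "services": ["catering"],
     "privilege": "none", "data": "none", "controls": ["soc2", "iso27001"]},
    {"vendor": "v-gamma", "region": "medium-risk", "services": ["ticketing"],
     "privilege": "read", "data": "internal", "controls": []},
]

def components(profile):
    """Each dimension as a value in [0, 1] with a one-line reason."""
    critical = sorted(set(profile["services"]) & CRITICAL_SERVICES)
    concentration = len(critical) / len(CRITICAL_SERVICES)
    compliance_gap = max(0.0, 1.0 - 0.5 * len(profile["controls"]))  # each attestation halves the gap
    return {
        "geography": (GEOGRAPHY[profile["region"]], f"region {profile['region']}"),
        "concentration": (concentration, f"critical services: {', '.join(critical) or 'none'}"),
        "privilege": (PRIVILEGE[profile["privilege"]], f"privilege {profile['privilege']}"),
        "data_sensitivity": (DATA_SENSITIVITY[profile["data"]], f"data {profile['data']}"),
        "compliance": (compliance_gap, f"controls {profile['controls'] or 'none'}"),
    }

def decompose(profile):
    """Weighted composite plus the contribution of each dimension, ranked by driver."""
    parts = components(profile)
    contributions = {name: round(WEIGHTS[name] * value, 4) for name, (value, _) in parts.items()}
    composite = round(sum(contributions.values()), 3)
    tier = "high" if composite >= 0.7 else "medium" if composite >= 0.4 else "low"
    drivers = sorted(contributions, key=contributions.get, reverse=True)[:2]
    return {"vendor": profile["vendor"], "composite": composite, "tier": tier,
            "contributions": contributions, "drivers": drivers,
            "reasons": [f"{name}: {parts[name][1]}" for name in drivers]}

def rank_vendors(profiles):
    """Highest exposure first, so review time goes to the vendors that matter."""
    return sorted((decompose(p) for p in profiles), key=lambda r: -r["composite"])
```

`rank_vendors(VENDOR_PROFILES)` puts v-alpha first, driven by admin privilege and by carrying two of the three critical services, and v-gamma second, where the absence of any attestation is the largest single contributor even though its privilege and data footprint are modest. Keeping the per-dimension contributions in the output is what lets a reviewer argue with one input (say, the geography scale) without re-deriving the whole number.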

analytics/intelligence_report.py

Analyst Reporting

Markdown outputs for daily reporting, travel briefs, SITREPs, and investigation casepacks.

What To Inspect

docs/sample_casepack.md

Detection To Casepack

Shows how alerts become a thread, what evidence links them, and how disposition and controls are documented.

docs/incident_thread_casepack.md

Cross-Domain Thread

Demonstrates convergence across insider, vendor, cyber, physical, and public-source style signals.

outputs/review_queue.csv

Review Queue

Priority-ranked records with confidence, next action, source context, and human-review posture.

docs/public_companion_casepack.md

Public Companion Case

Public-source-only casepack showing how the workflow can be reviewed without sensitive collection.

docs/correlation_eval.md

Correlation Evaluation

Hand-labeled convergence scenarios used to sanity-check the thread-linking logic and reason codes.

docs/screenshots/

UI And API Evidence

Dashboard screenshots plus endpoint snapshots for insider, supply-chain, and investigation-queue outputs.

Outputs

Casepack

Thread summary, reason codes, evidence, timeline, disposition, and recommended controls.

Travel Brief

Location-aware risk summary for a protected movement or trip scenario.

SITREP

Short operational update designed for decision-makers who need the current picture quickly.

Daily Report

Recurring summary of priority items, source health, notable changes, and triage posture.

Review Queue

Prioritized alerts with reason-coded scoring and fields suitable for analyst review.

Endpoint Evidence

FastAPI routes expose insider, supply-chain, and investigation queue outputs for inspection.

Scope And Limitations

Fixture-Driven

Public artifacts use synthetic scenarios and fixture telemetry. Benchmark scores show reproducibility on controlled test cases, not field performance.

Public-Safe

No private protectee data, live sensitive collection, confidential source reporting, or real insider telemetry is included in the public repo.

Human Review

Scores and threads prioritize review. They do not establish threat, intent, culpability, or a required operational response.

Validation Boundary

Public artifacts keep sensitive collection synthetic. Any real-world validation would require approved, non-sensitive event data and careful source caveats.