Agentic Architecture Deep Dive

The 5 Core Intelligence Systems

1. Evolutionary Brain

The learning core. Processes signals, makes decisions, and evolves strategies based on outcomes. Uses multi-LLM reasoning with Claude as the primary reasoning engine.

2. Signal Processor

The nervous system. Ingests signals from 30 sentinels, edge agents, and connectors. Classifies, enriches, and routes signals to the appropriate agents.

3. Control Graph

The knowledge backbone. Maps relationships between assets, controls, evidence, and compliance frameworks. Powers the compliance engine and gap analysis.

4. Evidence Chain

The audit layer. Creates cryptographic provenance for every decision, action, and outcome. Satisfies SOC 2, CIS, and insurance attestation requirements.

5. Fleet Learning

The edge intelligence. Aggregates patterns from across the edge agent fleet to improve predictions, anomaly detection, and preventive actions.

Agent Categories

Observation Agents

• Endpoint Observer, Network Intelligence, Asset Intelligence

Security Agents

• Security Responder, Compliance Agent, Insurance Agent

Operations Agents

• Patch Orchestrator, Data Protection, Remote Troubleshooter

Intelligence Agents

• Insight Engine, Predictive Analytics, Fleet Learning, Signal Processor

Orchestration Agents

• Automation Orchestrator, Connector Orchestrator, Edge Orchestrator, Triage Coordinator, Vendor Bridge

Core Agents

• Control Graph, Remediation Engine

How Agents Coordinate

Agents communicate through the Signal Processor:

1. One agent emits a signal (e.g., "backup failure detected")

2. Signal Processor routes to relevant agents (e.g., Data Protection, Triage Coordinator)

3. Each agent evaluates and may emit follow-up signals

4. The Brain coordinates final actions

Risk-Based Approval

Not all actions execute automatically. The approval system uses tiered risk levels:

Auto-Execute (No Approval)

• READ_ONLY actions (queries, reports, evidence collection)

• LOW risk actions (notifications, ticket updates)

• MEDIUM risk with confidence > 85%

Approval Required

• MEDIUM risk with confidence < 85%

• HIGH risk actions (service restarts, configuration changes)

• CRITICAL actions (data deletion, access revocation)

Approval Workflow

1. Agent requests approval through the Approval Gates system

2. Notification sent to appropriate role (admin, owner)

3. Approver reviews evidence chain and reasoning

4. Approve, deny, or modify the action

5. Outcome recorded in evidence chain

Risk Classification

Every action is classified by risk level:

|------------|----------|----------|

Confidence Scoring

The brain assigns a confidence score (0-100) to every decision:

• **85+**: High confidence — auto-execute for MEDIUM risk

• **70-84**: Moderate — notify but may still require approval

• **Below 70**: Low — always require approval regardless of risk

From Signal to Outcome

Every action creates a complete evidence chain:

1. **Trigger**: The signal or event that initiated the action

2. **Context**: Tenant state, asset history, risk profile

3. **Reasoning**: AI reasoning trace with cited evidence

4. **Decision**: The chosen action and alternatives considered

5. **Execution**: Timestamp, executor, and action details

6. **Outcome**: Result, follow-up signals, and learning update

Evidence for Compliance

Evidence chains map to compliance requirements:

• **CIS 8.1**: Control evaluation evidence

• **SOC 2**: Access control and change management audit trail

• **Insurance**: Attestation evidence packs

Querying Evidence

Access evidence chains at **Brain > Decisions** or via the API:

• Filter by date range, agent, risk level, or outcome

• Export as PDF for auditor review

• Evidence retention: 12 months by default