← Back to docs hub
Technical documentation

Agent architecture, behavior, and operating model

An in-depth look at how the platform’s agents are structured, how they analyze security signals, how they interact with the rest of the system, and how their performance is managed over time.

How the agents are organized

The agents are not a single monolithic analyzer. They are specialized actors that each focus on different classes of security concerns. In practice, this separation improves accuracy because each agent can be optimized for a narrower task: application logic, infrastructure risk, dependency weakness, network exposure, or blockchain-focused issues.

This architecture supports both breadth and precision. An agent can examine a problem space in depth, but the overall system remains modular. Each agent can be updated independently, monitored separately, and evaluated against different benchmark cases.

The system should treat each agent as a reasoning component within a broader pipeline. Its outputs are useful when they are grounded in evidence, linked to a specific code path or system surface, and routed to a decision layer that can interpret them in context.

  • Specialized agents reduce cognitive overlap
  • Modularity improves maintainability and tuning
  • Context-aware routing improves usefulness
  • Human review remains the decision layer

Agent operating model

1

Ingest repository, metadata, and program context

2

Route the task to the appropriate specialist agent

3

Analyze the relevant surface area

4

Generate evidence-backed findings and confidence notes

5

Hand off results to human review or downstream automation

How the agents work in practice

In practical use, the system begins by gathering context. That context may include repository structure, code paths, known attack surfaces, dependency manifests, wallet logic, access rules, or historical findings. Once the context is available, the agent evaluates the target with layered reasoning and produces a structured output.

The output should not be a vague suspicion. It should include the likely issue, the supporting evidence, the specific files or components involved, the expected impact, and the confidence level of the assessment. This allows the rest of the platform to grade the result instead of merely storing it.

This is what makes the agent useful: it turns raw code or operational context into a structured security signal that can be ranked, reviewed, and acted upon.

Quality, accuracy, and reliability

Accuracy is not achieved by making the agent more verbose. It is achieved by improving the relevance and precision of the evidence it produces. The strongest agents do not simply offer opinions; they locate concrete behaviors, identify likely weaknesses, and explain why a finding is plausible.

Reliability also depends on calibration. If an agent is highly confident in a weak signal, that is a failure mode. The system must preserve explicit confidence annotation, uncertainty handling, and follow-up review so that low-confidence results do not appear as final conclusions.

In other words, the agents should be treated as high-leverage analysis tools, not autonomous arbiters of truth. The best systems combine agent assistance with human judgment to increase coverage while preserving accuracy.