ARGUS - The All-Seeing Eye of Cyber Defense

GitHub: https://github.com/nihalnihalani/ARGUS

Inspiration

With CISA's workforce slashed by over 50% due to recent government restructuring, the United States faces an unprecedented gap in proactive cyber threat monitoring. Nation-state actors like Volt Typhoon, APT28, and Lazarus Group are actively exploiting this vacuum — and there simply aren't enough analysts left to watch the wire.

We asked ourselves: what if an autonomous system could fill that gap? What if AI scouts could monitor the global threat landscape 24/7, extract intelligence from dozens of sources in real time, and present it in a way that a single analyst could understand at a glance?

That's ARGUS — named after the all-seeing giant of Greek mythology. A platform where autonomous agents do the tireless work of monitoring, extracting, and correlating, so human defenders can focus on what matters: making decisions and taking action.

What it does

ARGUS is a fully autonomous cyber threat intelligence platform that deploys AI scouts to continuously monitor, analyze, and visualize the global threat landscape.

Autonomous Scout Network — Four specialized Yutori AI scouts run 24/7, monitoring NVD/CISA advisories, security researchers on Twitter/X, GitHub exploit PoC repositories, and major security news outlets (BleepingComputer, Krebs on Security, Dark Reading). They report back with structured threat intelligence automatically.

Multi-Model Extraction Pipeline — Every piece of raw intelligence passes through a 7-step pipeline. GLiNER (a specialized NER model) and GPT-4o run in parallel to extract threat actors, CVEs, malware, exploits, relationships, and IOCs. Results are merged using a union strategy — GPT-4o for semantic depth, GLiNER for specialized cyber entity recall.

Live Knowledge Graph — All extracted entities and relationships are persisted into a Neo4j graph database using idempotent MERGE operations. The graph grows continuously as scouts report new findings.

Three Visualization Modes:

A 2D force-directed graph (D3.js) with custom SVG shapes per entity type, attack path highlighting, and right-click context menus
A 3D force graph (Three.js + WebGL) with UnrealBloom post-processing glow effects and auto-rotation
A global attack map (MapLibre GL) rendering great-circle arcs between threat actor origins and target organizations, with real-time severity coloring

On-Demand Deep Investigation — Click any node in the graph to launch a Yutori research task that performs deep-dive intelligence gathering. Results flow back through the full pipeline, automatically expanding the knowledge graph with new entities.

AI Threat Briefs — GPT-4o generates executive-level threat summaries with overall threat level assessments, top threats ranked by severity, detected attack paths, CISA impact analysis, and actionable recommendations.

Screenshot Intelligence — Reka Flash analyzes screenshots from browsing agent trajectories, auto-classifying content as phishing pages, dark web forums, or malware C2 panels, and extracting structured indicators.

Architecture

ARGUS Architecture

How we use our sponsors

ARGUS is built on top of sponsor technologies that are deeply integrated into the core product — not bolted on as afterthoughts.

Yutori is the backbone of ARGUS. Four autonomous Yutori scouts form the persistent monitoring layer, continuously watching NVD, Twitter/X security researchers, GitHub exploit repos, and security news outlets. Yutori's browsing agent powers the Investigate tab — users enter an IP, domain, or CVE and a Yutori browser agent performs live WHOIS/DNS lookups with full trajectory visualization. Yutori's research agent handles deep investigation — click any node in the graph, and a research task retrieves comprehensive threat intelligence that flows back through the pipeline. All three Yutori API surfaces (scouting, browsing, research) use structured output schemas to return clean, pipeline-ready data.

Neo4j stores the entire threat intelligence knowledge graph. Eight entity types (threat actors, vulnerabilities, exploits, malware, campaigns, organizations, software, attack techniques) and eleven relationship types are persisted using idempotent MERGE operations. Neo4j's native shortestPath Cypher queries power the "Find Attack Path" feature, discovering multi-hop chains from threat actors through CVEs to target organizations. The graph is the single source of truth that feeds all three visualization modes.

Tavily enriches every piece of intelligence. When the pipeline extracts CVE entities, Tavily runs advanced web searches against NVD, CVE.org, and BleepingComputer for the latest news and context. Tavily's URL extraction pulls full content from source links found in scout updates. The Investigate tab uses Tavily search for CVE lookups, and a multi-step research synthesis mode is available for complex queries.

OpenAI GPT-4o handles three critical tasks: entity extraction using strict JSON schema mode to parse threat actors, CVEs, relationships, and IOCs from raw text; threat brief generation that produces executive summaries with CISA impact analysis and recommended actions; and threat classification via function calling that routes inputs to the appropriate investigation tool.

Reka Flash provides multimodal screenshot intelligence. When a Yutori browsing agent captures screenshots during investigation, Reka auto-classifies them (phishing page, dark web forum, malware C2 panel, or general) and runs the specialized analyzer for that content type. The Sponsors tab in the dashboard includes a dedicated Vision Analysis panel where users can submit any screenshot URL for Reka-powered threat assessment.

GLiNER (via Fastino/Pioneer) runs as the fast NER complement to GPT-4o. With 15 cyber-domain entity labels and a 0.3 confidence threshold, GLiNER catches specialized identifiers (MITRE ATT&CK IDs, CVE patterns, IP addresses, hashes) that GPT-4o sometimes misses. The Sponsors tab features a live Extraction Comparison panel showing GLiNER vs. GPT-4o side-by-side — entity counts, shared entities, unique finds per model, and an F1 overlap score.

How we built it

Frontend: Next.js 16 with React 19, Tailwind CSS 4, shadcn/ui components, and Framer Motion for animations. The landing page features a custom Canvas2D globe using Fibonacci sphere distribution for uniform dot placement, with quaternion-style rotation and perspective projection — no globe library needed.

Visualizations: D3.js powers the 2D graph with custom polygon shapes (hexagons for orgs, crosshairs for actors, diamonds for exploits). Three.js with UnrealBloom handles the 3D graph. MapLibre GL renders the attack map with mathematically correct great-circle arcs using spherical linear interpolation, including full antimeridian crossing support.

Backend: 18+ API routes handle everything from scout deployment to graph queries. The intelligence pipeline runs GLiNER and GPT-4o extraction in parallel via Promise.allSettled, enriches CVEs through Tavily web search, analyzes screenshots with Reka Flash, upserts to Neo4j, and generates threat briefs — all in a single request cycle.

Database: Neo4j Aura stores 8 entity types and 11 relationship types. BFS traversal on the client derives attack arcs by walking from threat actors through intermediate CVEs to target organizations, accumulating severity scores along the path.

AI Integration: Yutori handles autonomous scouting, browser-based investigation, and deep research. Tavily provides web search and content extraction. OpenAI GPT-4o does entity extraction (strict JSON schema mode), threat classification (function calling), and brief generation. Reka Flash handles multimodal screenshot analysis. GLiNER via Fastino provides fast specialized NER.

Challenges we ran into

Antimeridian rendering was a significant hurdle. Attack arcs crossing the International Date Line (e.g., Russia to the US) would render as straight lines spanning the entire map backwards. We solved this with longitude pre-adjustment (+/-360) and strict monotonicity enforcement during path interpolation, letting MapLibre's renderWorldCopies handle the rest.

Multi-model extraction merging required careful deduplication logic. GPT-4o and GLiNER extract entities with different naming conventions, confidence levels, and field coverage. We built a union-merge strategy with case-insensitive deduplication and source-based priority that maximizes recall without duplicating nodes in the graph.

Scout state management across page reloads was tricky. We needed scouts to persist without redeployment (to conserve API quota), so we implemented localStorage-based ID persistence with conditional creation — only deploying new scouts when no stored IDs exist.

Neo4j injection prevention with dynamic labels required building an allowlist validation layer, since Cypher doesn't support parameterized labels. Every node type and relationship type is checked against a Set before interpolation into queries.

Accomplishments that we're proud of

A fully autonomous pipeline that goes from raw web content to structured graph intelligence with zero human intervention — scouts find it, the pipeline extracts it, Neo4j stores it, and the visualizations render it
The great-circle attack map with mathematically correct geodesic arcs, antimeridian handling, and severity-based pulse animations — it looks and feels like a real SOC tool
Dual-model extraction that runs GLiNER and GPT-4o in parallel, combining specialized NER speed with LLM semantic understanding for better entity recall than either model alone
The custom Fibonacci sphere globe on the landing page — hand-rolled in Canvas2D with no dependencies, featuring 2,000 uniformly distributed dots, arc connections with traveling particles, and interactive drag rotation
Deep investigation with trajectory visualization — you can click a threat actor, watch an AI agent research it in real time, see its step-by-step browsing trajectory, and have screenshots analyzed by Reka for phishing/malware indicators
18 API endpoints forming a cohesive intelligence pipeline that ties together 5 different AI services

What we learned

Graph databases change how you think about threat intelligence. Modeling threats as nodes and relationships in Neo4j made attack path discovery trivial — a single Cypher shortestPath query replaces what would be complex recursive logic in a relational database.
Multi-model ensembles beat single models for extraction. Running GLiNER and GPT-4o in parallel consistently surfaced entities that either model missed alone, especially for specialized cyber identifiers like MITRE ATT&CK IDs and CVE references.
Spherical math is harder than it looks. Great circle interpolation, antimeridian handling, and Fibonacci sphere distribution each required diving deep into computational geometry — but the visual payoff is worth every radian.
Autonomous agents need guardrails. Yutori scouts are powerful but need structured output schemas to return usable data. Without strict JSON schemas, AI outputs drift in format over time. additionalProperties: false everywhere was essential.
The gap CISA left is real and urgent. Researching the threat landscape for this project showed us how much work those analysts were doing. Autonomous systems aren't a replacement for human judgment, but they can handle the volume that no remaining team can cover alone.

What's next for ARGUS

Modulate voice analysis integration — The architecture is built and ready for vishing detection, deepfake audio analysis, and voice-based threat assessment once API access is available
Real-time WebSocket feeds — Replace the 30-second polling loop with push-based updates for instant threat alerting
deck.gl heatmap overlays — The dependency is installed; adding geographic density heatmaps for CVE exploitation and threat actor activity hotspots
Alert routing and escalation — Integrate with Slack, PagerDuty, and email for automated critical-severity notifications to SOC teams
STIX/TAXII export — Allow ARGUS intelligence to be shared with other threat intel platforms in standard formats
Multi-tenant deployment — Add organization-scoped graphs and role-based access so multiple teams can run independent ARGUS instances
Historical trend analysis — Time-series tracking of threat landscape evolution, campaign activity patterns, and vulnerability exploitation timelines