Defense & Intelligence
Vantage enables defense and intelligence organizations to fuse data from multiple sources, automate threat detection and classification, produce structured intelligence products, and maintain real-time readiness dashboards — with full audit trails and role-based access control. Every workflow step is logged for compliance and after-action review.
Fuse Multi-Source Intelligence and Detect Threats
Ingest data from open sources, structured databases, and signal feeds to detect and classify threats automatically.
Scenario: An operations watch floor processes hundreds of reports from OSINT, SIGINT metadata, and allied reporting. They need automated correlation, deduplication, and threat classification to reduce analyst workload and decrease detection-to-alert time.
Workflow Steps:
- Schedule Trigger — Run every 5 minutes
- Web Scraper — Monitor open-source feeds: international news wires, government bulletins, maritime AIS portals, social media aggregators, academic conflict tracking databases
- Database Query (PostgreSQL) — Pull structured reports and signal intercept metadata from internal databases: report ID, source, timestamp, location, entity mentions, classification level
- URL Reader — Parse threat advisory RSS feeds: CISA alerts, NATO StratCom updates, IAEA notifications, CDC biosurveillance bulletins
- GKG Search — Query the Global Knowledge Graph for relevant geopolitical events, conflict indicators, and economic disruption signals
- Union — Merge all sources into a single normalized event stream: source, timestamp, text, location, entities, source_reliability_rating
- AI Enrichment — Classify each event:
  - Threat category: Cyber, Kinetic, CBRN, Influence Operations, Terrorism, Piracy, Natural Disaster
  - Confidence level: HIGH, MEDIUM, LOW
  - Geographic region and specificity (country, city, coordinates)
  - Named entity extraction: persons, organizations, weapons systems, vessels
  - Threat severity: CRITICAL, SIGNIFICANT, ROUTINE
- Data Classify — Apply sensitivity labels based on source provenance:
  - Open source → UNCLASSIFIED
  - Internal reporting → CUI
  - Signal metadata → classification per originator marking
- Deduplicate — Remove duplicate reports covering the same underlying event (cross-reference by location + time window + entity overlap)
- Build Adjacency Maps — Map entity relationships:
  - Actor → Organization → Financial network → Location → Event
  - Vessel → Owner → Flag state → Port calls → Cargo manifests
  - Threat network visualization with link strength based on co-occurrence frequency
- Multi-Conditional — Route by threat severity:
  - CRITICAL → Send Email (encrypted) to watch floor lead + Dashboard Output (Event Monitor Tile — flash alert) + DB Write (priority analyst queue)
  - SIGNIFICANT → Dashboard Output (Event Feed Tile for analyst triage) + Send Message (Teams) to regional desk
  - ROUTINE → DB Write (archive for pattern analysis and longitudinal tracking)
- AI Summary — Generate an intelligence summary brief for CRITICAL and SIGNIFICANT events: "At 0342Z, three OSINT sources reported drone activity near [Location]. Correlated with a SIGINT CRITIC from [time] in the same AOR. Assessed HIGH confidence that this represents [threat type]. Recommend [immediate action]."
- Write PDF — Auto-generate formatted intelligence summary brief for distribution
- Dashboard Output — Populate:
  - Map Tile — Threat event locations with severity color-coding and heat map overlay
  - Event Monitor Tile — Real-time CRITICAL event tracker with countdown since detection
  - Event Feed Tile — Chronological event log with classification labels
  - Event Trends Tile — Activity spikes by region and category over time
  - Pivot Tile — Threat type × Actor matrix showing activity patterns
  - Timeline Tile — Event chronology with entity cross-references
Key Nodes: Schedule Trigger, Web Scraper, Database Query, URL Reader, GKG Search, Union, AI Enrichment, Data Classify, Deduplicate, Build Adjacency Maps, Multi-Conditional, AI Summary, Write PDF, DB Write, Send Email, Send Message, Dashboard Output
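The Data Classify and Deduplicate steps above are the two places in this workflow where a wrong decision either mislabels sensitive material or silently drops a corroborating report. The following Python is an added illustration of both steps, not Vantage code and not part of the original page: it labels each event from its provenance, refuses to guess a label for signal metadata that carries no originator marking, and then collapses reports that agree on location, time window and entity overlap. The event records, the 25 km / 60 minute / 0.5 Jaccard thresholds and the field names are all constructed assumptions.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample input: a normalized event stream as the Union step would
# emit it. Every value here is made up for illustration.
EVENTS = [
    {"id": "E1", "source": "osint:newswire", "provenance": "open",
     "timestamp": "2024-05-01T03:42:00Z", "lat": 12.00, "lon": 45.00,
     "entities": {"drone", "Port Alpha"}, "marking": None},
    {"id": "E2", "source": "osint:social", "provenance": "open",
     "timestamp": "2024-05-01T03:50:00Z", "lat": 12.05, "lon": 45.05,
     "entities": {"drone", "Port Alpha", "UAV"}, "marking": None},
    {"id": "E3", "source": "internal:rpt-0417", "provenance": "internal",
     "timestamp": "2024-05-01T05:10:00Z", "lat": 12.00, "lon": 45.00,
     "entities": {"drone", "Port Alpha"}, "marking": None},
    {"id": "E4", "source": "sigint:meta", "provenance": "signal",
     "timestamp": "2024-05-01T03:45:00Z", "lat": 40.00, "lon": -3.00,
     "entities": {"vessel Beta"}, "marking": "RESTRICTED"},
]


def classify(event):
    """Data Classify: the sensitivity label follows source provenance."""
    provenance = event["provenance"]
    if provenance == "open":
        return "UNCLASSIFIED"
    if provenance == "internal":
        return "CUI"
    if provenance == "signal":
        if not event.get("marking"):
            # Fail closed: signal metadata with no originator marking must not
            # enter the shared stream under a guessed label.
            raise ValueError(f"{event['id']}: signal metadata lacks originator marking")
        return event["marking"]
    raise ValueError(f"{event['id']}: unknown provenance {provenance!r}")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def entity_overlap(a, b):
    """Jaccard similarity of two entity sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def same_event(kept, new, max_km, max_minutes, min_overlap):
    """Two reports describe one underlying event when they carry the same
    sensitivity label and are close in space, close in time, and mention
    largely the same entities. Mixed labels are never merged, so CUI entities
    cannot leak into an UNCLASSIFIED record."""
    if kept["label"] != new["label"]:
        return False
    minutes_apart = abs((parse_ts(new["timestamp"]) - parse_ts(kept["timestamp"])).total_seconds()) / 60
    if minutes_apart > max_minutes:
        return False
    if haversine_km(kept["lat"], kept["lon"], new["lat"], new["lon"]) > max_km:
        return False
    return entity_overlap(kept["entities"], new["entities"]) >= min_overlap


def deduplicate(events, max_km=25.0, max_minutes=60, min_overlap=0.5):
    """Label every event, then collapse duplicates onto the earliest report.
    The duplicate's source is kept on the surviving event so downstream
    reliability scoring still sees how many independent reports corroborated it."""
    kept = []
    for event in sorted(events, key=lambda e: e["timestamp"]):
        labelled = dict(event, label=classify(event), sources=[event["source"]])
        for existing in kept:
            if same_event(existing, labelled, max_km, max_minutes, min_overlap):
                existing["sources"].append(labelled["source"])
                existing["entities"] = existing["entities"] | labelled["entities"]
                break
        else:
            kept.append(labelled)
    return kept
```

On the constructed input, E2 (8 minutes and about 8 km from E1, sharing two of three entities) folds into E1, while E3 survives as its own CUI record because it is both outside the time window and differently labelled. The thresholds are the tunable part: widen them and you lose genuinely distinct reports, narrow them and the analyst queue fills with near-duplicates.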
Assess Force Readiness and Generate Unit Status Reports
Aggregate readiness data across personnel, equipment, supply, and training to produce automated readiness reports.
Scenario: A brigade-level headquarters needs to consolidate readiness data from four functional areas across 12 subordinate units and produce a daily readiness snapshot for the commanding general.
Workflow Steps:
- Schedule Trigger — Run daily at 0600
- Database Query (PostgreSQL) — Pull personnel readiness: assigned strength, available strength, qualified in MOS, deployable %, medical readiness status
- Database Query (MSSQL) — Pull equipment readiness: equipment on-hand vs. authorized, operational %, deadline (non-operational) count, parts on order
- Database Query (PostgreSQL) — Pull supply readiness: basic load fill rates, Class I/III/V on-hand days, critical shortage items
- Database Query (MSSQL) — Pull training readiness: collective training event completion, individual qualification rates, required certification currency
- Join — Merge all four domains by unit identification code (UIC)
- Aggregation — Roll up readiness scores by unit and by domain
- Computed Column — Calculate composite readiness:
  - Personnel: % deployable × qualification rate
  - Equipment: % operational × % authorized on-hand
  - Supply: weighted fill rate across critical classes of supply
  - Training: % of required events completed × certification currency rate
  - Overall: lowest of the four domains (weakest link determines rating)
- Sort — Units by overall readiness (lowest first — focus attention on weakest units)
- Multi-Conditional — Route by readiness level:
  - Any domain below threshold → Send Email to assistant chief of staff (G-3/G-4) + Dashboard Output
  - All domains above threshold → Dashboard Output only
- Dashboard Output — Populate:
  - Stat Tile — Overall brigade readiness rating
  - Pyramid Tile — Readiness distribution by echelon (top = brigade, middle = battalions, base = companies)
  - Waterfall Tile — Supply burn-down: starting stock → consumption → replenishment → current
  - Comparison Tile — Current readiness vs. required readiness standard for each domain
  - Table Tile — Unit readiness matrix with color-coded domain scores
  - Bar Tile — Equipment operational rates by type (vehicles, communications, weapons systems)
  - Metric Tile — Key indicators: deployable %, equip OR%, supply fill rate
- Write PDF — Generate the daily readiness brief for the commanding general
- Send Email — Distribute the brief to key staff
Key Nodes: Schedule Trigger, Database Query (PostgreSQL, MSSQL), Join, Aggregation, Computed Column, Sort, Multi-Conditional, Write PDF, Send Email, Dashboard Output
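The Computed Column, Sort and Multi-Conditional steps of this workflow are a small, fully specified calculation, so here is an added Python example (not Vantage code and not from the original page) that carries it through for three constructed units. The page gives no readiness threshold and no weights for the classes of supply, so the 0.70 threshold and the Class I/III/V weights below are assumptions, as are the field names on the joined row.

```python
from dataclasses import dataclass

# Assumed parameters (the page gives none): a domain scoring below
# READINESS_THRESHOLD triggers the staff e-mail route, and supply fill is
# weighted across the critical classes listed here.
READINESS_THRESHOLD = 0.70
SUPPLY_WEIGHTS = {"I": 0.2, "III": 0.4, "V": 0.4}


@dataclass(frozen=True)
class UnitReadiness:
    """One joined row per UIC after the Join step (constructed field names)."""
    uic: str
    deployable_pct: float          # personnel
    qualification_rate: float
    operational_pct: float         # equipment
    on_hand_pct: float
    class_fill: dict               # supply: class of supply -> fill rate
    events_completed_pct: float    # training
    certification_currency: float


# Constructed sample rows for three subordinate units.
UNITS = [
    UnitReadiness("UIC-A", 0.95, 0.90, 0.92, 0.98, {"I": 1.0, "III": 0.90, "V": 0.95}, 0.90, 0.95),
    UnitReadiness("UIC-B", 0.80, 0.85, 0.88, 0.95, {"I": 0.9, "III": 0.80, "V": 0.85}, 0.85, 0.90),
    UnitReadiness("UIC-C", 0.90, 0.92, 0.60, 0.90, {"I": 1.0, "III": 0.95, "V": 0.90}, 0.95, 0.97),
]


def domain_scores(u):
    """Computed Column: the four domain formulas from the workflow."""
    if abs(sum(SUPPLY_WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("supply weights must sum to 1")
    # A class missing from the report counts as zero fill rather than being
    # skipped, so an incomplete report cannot inflate the supply score.
    supply = sum(w * u.class_fill.get(cls, 0.0) for cls, w in SUPPLY_WEIGHTS.items())
    return {
        "personnel": round(u.deployable_pct * u.qualification_rate, 4),
        "equipment": round(u.operational_pct * u.on_hand_pct, 4),
        "supply": round(supply, 4),
        "training": round(u.events_completed_pct * u.certification_currency, 4),
    }


def assess(u, threshold=READINESS_THRESHOLD):
    """Overall rating is the weakest domain; any domain under threshold adds
    the G-3/G-4 e-mail route on top of the dashboard."""
    scores = domain_scores(u)
    weakest = min(scores, key=scores.get)
    below = sorted(d for d, s in scores.items() if s < threshold)
    routes = ["dashboard"]
    if below:
        routes.insert(0, "email:G-3/G-4")
    return {"uic": u.uic, "scores": scores, "overall": scores[weakest],
            "weakest": weakest, "below_threshold": below, "routes": routes}


def build_readiness_report(units, threshold=READINESS_THRESHOLD):
    """Sort lowest readiness first so the weakest units lead the brief."""
    return sorted((assess(u, threshold) for u in units), key=lambda r: r["overall"])
```

Because the overall rating is a minimum rather than an average, a unit at 94% supply and 92% training still reports as 54% when its equipment is at 54%; the report therefore lists UIC-C first and attaches the weakest domain name so the staff officer sees at a glance what is dragging the rating down.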
Monitor Cyber Threats and Automate Incident Response
Monitor network indicators, detect potential intrusions, and automate initial incident response.
Scenario: A network operations security center (NOSC) processes millions of log events daily. They need automated correlation and classification to surface actionable threats from the noise.
Workflow Steps:
- Schedule Trigger — Run every 2 minutes
- Database Query (PostgreSQL) — Pull security event logs: firewall blocks, IDS/IPS alerts, authentication failures, DNS queries to suspicious domains
- Aggregation — Correlate events by source IP, destination IP, and time window
- AI Enrichment — Classify each event cluster:
  - Attack type: Reconnaissance, Brute Force, Exploitation, Lateral Movement, Exfiltration, DDoS
  - Kill chain stage: Recon → Weaponize → Deliver → Exploit → Install → C2 → Actions
  - Confidence and severity (based on indicator freshness, source reliability, and target criticality)
- Build Adjacency Maps — Map attack paths: source IP → exploited vulnerability → compromised host → lateral movement → target data
- Multi-Conditional — Route by severity:
  - CRITICAL (active exploitation or exfiltration) → Send Email to CISO + Send Message (Slack #soc-critical) + Create Issue (Jira, Priority: Blocker) for incident response + Dashboard Output (Event Monitor Tile)
  - HIGH (probable attack in progress) → Send Message (Slack #soc-alerts) + Create Issue (Jira) + Dashboard Output
  - MEDIUM → Dashboard Output (Event Feed Tile for analyst review)
  - LOW → DB Write (log for trend analysis)
- Dashboard Output — Populate:
  - Event Monitor Tile — Active threat tracker with kill chain stage indicator
  - Map Tile — Attack source geolocation
  - Event Trends Tile — Alert volume by attack type over time
  - Metric Tile — Open incidents, MTTD (detection), MTTR (response), blocked attacks today
  - Table Tile — Top IOCs (Indicators of Compromise) with last seen and confidence
Key Nodes: Schedule Trigger, Database Query, Aggregation, AI Enrichment, Build Adjacency Maps, Multi-Conditional, Create Issue (Jira), DB Write, Send Email, Send Message, Dashboard Output
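The Aggregation step (correlate by source IP, destination IP and time window) and the severity routing that follows are the parts of this workflow a SOC engineer would want to see concretely. The Python below is an added example, not Vantage code and not from the original page: it parses a handful of constructed key=value log lines, buckets them into (src, dst, 5-minute window) clusters, applies a rule-based stand-in for the AI Enrichment classification, and attaches the routes from the Multi-Conditional step. The log format, the 5-minute window, the classification rules and the attack-type to kill-chain-stage mapping are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample security events in a simple key=value form; real
# firewall, IDS and authentication logs would be normalized to this shape by
# the Database Query step.
LOG_LINES = (
    [f"2024-05-01T10:02:{11 + 7 * i:02d}Z auth_failure src=198.51.100.7 dst=10.0.0.5 user=admin"
     for i in range(5)]
    + ["2024-05-01T10:03:40Z auth_success src=198.51.100.7 dst=10.0.0.5 user=admin"]
    + [f"2024-05-01T10:02:5{i}Z fw_block src=203.0.113.9 dst=10.0.0.5 dport={p}"
       for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    + ["2024-05-01T10:04:02Z fw_block src=203.0.113.50 dst=10.0.0.9 dport=445"]
)

WINDOW_SECONDS = 300  # assumed correlation window: 5 minutes

# Assumed mapping from attack type to the kill chain stage named in the workflow.
KILL_CHAIN = {"Reconnaissance": "Recon", "Brute Force": "Exploit", "Exploitation": "Exploit",
              "Lateral Movement": "Actions", "Exfiltration": "Actions", "DDoS": "Actions"}

# Routing table from the Multi-Conditional step, in severity order.
ROUTES = {
    "CRITICAL": ["email:CISO", "slack:#soc-critical", "jira:Blocker", "dashboard:event-monitor"],
    "HIGH": ["slack:#soc-alerts", "jira:issue", "dashboard:event-monitor"],
    "MEDIUM": ["dashboard:event-feed"],
    "LOW": ["db:write"],
}


def parse_line(line):
    """'<iso-timestamp> <kind> key=value ...' -> dict with an aware datetime."""
    ts, kind, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
             "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def correlate(events, window=WINDOW_SECONDS):
    """Aggregation: group events sharing source IP, destination IP and time window."""
    clusters = defaultdict(list)
    for e in events:
        bucket = int(e["ts"].timestamp()) // window
        clusters[(e["src"], e["dst"], bucket)].append(e)
    return clusters


def classify_cluster(events):
    """Rule-based stand-in (assumed) for the AI Enrichment step.
    Returns (attack_type, severity)."""
    kinds = [e["kind"] for e in events]
    failures = kinds.count("auth_failure")
    if failures >= 5 and "auth_success" in kinds:
        # A burst of failures followed by a success on the same target is
        # treated as active exploitation (likely credential compromise).
        return "Exploitation", "CRITICAL"
    if failures >= 5:
        return "Brute Force", "HIGH"
    scanned_ports = {e["dport"] for e in events if e["kind"] == "fw_block"}
    if len(scanned_ports) >= 5:
        return "Reconnaissance", "MEDIUM"   # many distinct blocked ports: probable scan
    return "Reconnaissance", "LOW"          # isolated blocks: keep for trend analysis


def triage(lines):
    """Parse, correlate, classify and route; one record per cluster, most severe first."""
    results = []
    for (src, dst, _), events in correlate(map(parse_line, lines)).items():
        attack, severity = classify_cluster(events)
        results.append({"src": src, "dst": dst, "events": len(events), "attack_type": attack,
                        "kill_chain_stage": KILL_CHAIN[attack], "severity": severity,
                        "routes": ROUTES[severity]})
    return sorted(results, key=lambda r: list(ROUTES).index(r["severity"]))
```

The design point is that classification runs on the cluster, not on individual events: six authentication lines are noise one at a time, but five failures and a success from one source inside one window are the pattern that justifies paging the CISO and opening a Blocker ticket. A fixed bucket boundary can split a burst across two windows; a sliding window keyed on the first event's timestamp avoids that at the cost of more state.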
Track Military Logistics and Supply Chain Readiness
Track military supply chain movements, equipment in transit, and maintenance depot status.
Scenario: A theater logistics command needs visibility into supply requisitions, in-transit cargo, and depot maintenance backlogs to ensure units receive critical supplies on time.
Workflow Steps:
- Schedule Trigger — Run every 4 hours
- Database Query (PostgreSQL) — Pull supply requisitions: document number, NSN (National Stock Number), priority, quantity, requesting unit, status, date submitted
- Database Query (MSSQL) — Pull transportation data: shipment ID, origin, destination, carrier, estimated delivery, current location, mode (air/sea/ground)
- Database Query (PostgreSQL) — Pull depot maintenance: work order number, equipment type, induction date, estimated completion, current status
- Join — Link requisitions to shipments to delivery confirmation
- Computed Column — Calculate:
  - Requisition age: days since submission
  - Transit time vs. standard for priority designation
  - Depot turn-around time vs. standard
- Filter — Flag exceptions:
  - Priority 01/02 requisitions > 24 hours without shipment
  - Shipments > 48 hours past estimated delivery
  - Depot items > 30 days past estimated completion
- Geocode — Resolve shipment current locations
- Multi-Conditional — Route by priority:
  - Priority 01 (deadlined equipment) → Send Email to theater logistics officer + Send Message (Teams) to movement control + Dashboard Output (Event Monitor Tile)
  - Overdue shipments → Send Message (Slack) to transportation coordinator
- Dashboard Output — Populate:
  - Map Tile — In-transit shipments, depot locations, requesting unit locations
  - Gantt Tile — Requisition lifecycle: requested → sourced → shipped → delivered
  - Table Tile — Requisition status detail with aging and priority
  - Metric Tile — Fill rate %, average requisition-to-delivery days, overdue count
  - Bar Tile — Requisitions by priority and status
Key Nodes: Schedule Trigger, Database Query (PostgreSQL, MSSQL), Join, Computed Column, Filter, Geocode, Multi-Conditional, Send Email, Send Message, Dashboard Output
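The Filter step above states three concrete exception rules and the Multi-Conditional step gives routes for two of them, which is enough to work through end to end. The Python below is an added example, not Vantage code and not from the original page: it ages constructed requisition, shipment and depot rows against a fixed clock, applies the 24-hour, 48-hour and 30-day rules, and attaches the routes. The page gives no route for flagged Priority 02 requisitions or overdue depot items, so sending those to the Event Feed tile is an assumption, as are the row layouts and the fixed clock.

```python
from datetime import datetime, timezone


def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)


NOW = utc(2024, 5, 10, 12)  # fixed clock so the run is reproducible

# Constructed rows in the shape the three Database Query steps would return.
REQUISITIONS = [
    {"doc": "R-001", "priority": "01", "submitted": utc(2024, 5, 8, 6), "shipment": None},
    {"doc": "R-002", "priority": "02", "submitted": utc(2024, 5, 10, 0), "shipment": None},
    {"doc": "R-003", "priority": "05", "submitted": utc(2024, 5, 1), "shipment": "S-10"},
    {"doc": "R-004", "priority": "02", "submitted": utc(2024, 5, 7), "shipment": "S-11"},
]
SHIPMENTS = {
    "S-10": {"eta": utc(2024, 5, 7), "delivered": None, "mode": "sea"},
    "S-11": {"eta": utc(2024, 5, 9), "delivered": utc(2024, 5, 9), "mode": "air"},
}
WORK_ORDERS = [
    {"wo": "W-77", "est_completion": utc(2024, 3, 20), "status": "IN_WORK"},
    {"wo": "W-78", "est_completion": utc(2024, 5, 1), "status": "COMPLETE"},
    {"wo": "W-79", "est_completion": utc(2024, 4, 20), "status": "IN_WORK"},
]

# Routes from the Multi-Conditional step; the event-feed fallback is assumed.
PRIORITY_01_ROUTES = ["email:theater-log-officer", "teams:movement-control", "dashboard:event-monitor"]
OVERDUE_SHIPMENT_ROUTES = ["slack:transportation-coordinator"]
DEFAULT_ROUTES = ["dashboard:event-feed"]


def hours_since(when, now=NOW):
    """Computed Column helper: signed age in hours (negative for future timestamps)."""
    return (now - when).total_seconds() / 3600


def requisition_exceptions(reqs, now=NOW):
    """Priority 01/02 requisitions sitting more than 24 hours with no shipment."""
    out = []
    for r in reqs:
        age_hours = hours_since(r["submitted"], now)
        if r["priority"] in ("01", "02") and r["shipment"] is None and age_hours > 24:
            routes = PRIORITY_01_ROUTES if r["priority"] == "01" else DEFAULT_ROUTES
            out.append({"ref": r["doc"], "age_days": round(age_hours / 24, 2),
                        "reason": f"priority {r['priority']} unshipped for {age_hours:.0f}h",
                        "routes": routes})
    return out


def shipment_exceptions(shipments, now=NOW):
    """Undelivered shipments more than 48 hours past estimated delivery."""
    out = []
    for sid, s in shipments.items():
        late_hours = hours_since(s["eta"], now)
        if s["delivered"] is None and late_hours > 48:
            out.append({"ref": sid, "reason": f"{late_hours:.0f}h past estimated delivery",
                        "routes": OVERDUE_SHIPMENT_ROUTES})
    return out


def depot_exceptions(work_orders, now=NOW):
    """Open work orders more than 30 days past estimated completion."""
    out = []
    for w in work_orders:
        days_over = hours_since(w["est_completion"], now) / 24
        if w["status"] != "COMPLETE" and days_over > 30:
            out.append({"ref": w["wo"], "reason": f"{days_over:.0f} days past estimated completion",
                        "routes": DEFAULT_ROUTES})
    return out


def all_exceptions(now=NOW):
    """Filter step output: every flagged item with its reason and routes."""
    return (requisition_exceptions(REQUISITIONS, now)
            + shipment_exceptions(SHIPMENTS, now)
            + depot_exceptions(WORK_ORDERS, now))
```

Passing the clock in explicitly is what makes the rules testable and keeps a scheduled run honest: the same rows evaluated two days earlier produce no requisition exceptions at all, which is the check a practitioner should run before trusting the thresholds in production.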
Example Dashboard: Watch Floor Situational Awareness
Build this dashboard for a 24/7 operations watch floor to provide real-time situational awareness, threat tracking, and readiness visibility.
Row 1 — Situation Status
| Tile | Name | What It Shows |
|---|---|---|
| Stat | Threat Level | Current operational threat level (NORMAL / ELEVATED / HIGH / CRITICAL) with time since last change |
| Metric | Events Today | Count of intelligence events processed with breakdown by significance (CRITICAL, SIGNIFICANT, ROUTINE) |
| Metric | Force Readiness | Overall composite readiness percentage with domain breakdown on hover |
| Metric | Active Cyber Incidents | Open cyber incidents with kill chain stage breakdown |
Row 2 — Geographic & Live Feed
| Tile | Name | What It Shows |
|---|---|---|
| Map | Global Threat Map | World map with threat event locations plotted by severity (red = CRITICAL, yellow = SIGNIFICANT, blue = ROUTINE). Force positions and assets shown as distinct markers. Heatmap overlay for activity density |
| Event Monitor | Flash Traffic | CRITICAL event alerts with detection time, source, location, threat type, and recommended immediate action. Auto-escalation countdown timer |
Row 3 — Intelligence Stream & Network
| Tile | Name | What It Shows |
|---|---|---|
| Event Feed | Intelligence Stream | Chronological feed of all SIGNIFICANT+ events with source, classification, category, and AI-generated summary. Click to expand full report |
| Scatter | Entity Network Visualization | Key actors and organizations plotted by activity frequency (X) and threat score (Y). Clusters reveal coordinated activity patterns |
Row 4 — Readiness & Cyber
| Tile | Name | What It Shows |
|---|---|---|
| Pivot | Unit Readiness Matrix | Units (rows) × Readiness Domains (columns: Personnel, Equipment, Supply, Training). Cell color = green/amber/red based on domain score. Hovering shows the specific metric driving each rating |
| Event Trends | Cyber Attack Trends | Attack volume by type (Reconnaissance, Brute Force, Exploitation, C2) over 30 days. Highlights emerging attack patterns |
Row 5 — Logistics & Timeline
| Tile | Name | What It Shows |
|---|---|---|
| Gantt | Supply Chain Status | Priority requisition lifecycle from request through delivery with status tracking and delay highlighting |
| Timeline | Decision Log | Chronological record of key decisions, orders, and actions taken with timestamp and authorizing authority |
Data Sources: Database Query to intelligence databases (PostgreSQL), readiness systems (MSSQL), and security event logs (PostgreSQL). Web Scraper and GKG Search for OSINT. Schedule Trigger refreshes every 5 minutes for threat data, daily for readiness metrics.
Getting Started
To build defense and intelligence workflows:
- Connect your data stores — Add databases for reporting, readiness, and logistics under Integrations
- Start with OSINT fusion — Build a Web Scraper + GKG Search + URL Reader workflow to aggregate open sources
- Add AI classification — AI Enrichment for threat categorization, Data Classify for sensitivity labeling
- Build entity networks — Build Adjacency Maps to visualize relationships between actors, events, and locations
- Create the watch floor dashboard — Map, Event Monitor, and Timeline tiles for real-time situational awareness