Skip to main content

Documentation Index

Fetch the complete documentation index at: https://quintsecurity.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Status: roadmap — Stage 2+ of the ML Roadmap. The BI Service design + NATS consumer scaffolding exist; per-tenant deployment and the full rule-→-baseline-→-correction loop ship once Stage 1 exits shadow.

Behavioral Intelligence Service

The Behavioral Intelligence Service (BI Service) is the single Tier 2 scoring authority. It runs as a per-tenant Python service, consuming events from NATS, scoring them through the GraphReasoner rule pipeline, computing authoritative baselines, and pushing corrections back to proxies.

Architecture

Components

Consumer

NATS JetStream pull consumer with durable name "bi-service". Runs on the same NATS instance as the pipeline service with its own consumer group — messages are delivered to both consumers independently.
  • Batch fetch: 100 messages, 5s timeout
  • Explicit ack after successful processing
  • Dead letter on parse failures
  • Reconnect on NATS disconnect

Scorer

Wrapper around quint-graph’s GraphReasoner. Scores each event through the rule-based pipeline:
  • With GraphReasoner: intrinsic score, risk level, violations, compliance refs, confidence
  • Fallback (when GraphReasoner unavailable): maps proxy’s deviation_score to 0-100
Rule scores become GNN node features in P5 — the GNN sees both structural shape AND rule assessments as input.

Baseline Computer

Maintains per-agent running statistics:
  • Capability distribution (12 dimensions)
  • Flow matrix (12x12 transition counts)
  • Depth profile (12 capabilities x 8 depth levels)
Computes normalized baselines every 5 minutes for agents with sufficient data (50+ events). Stale agents (1hr+ idle) are evicted to prevent memory leaks.

Calibrator

Compares the proxy’s behavioral decision against the BI Service’s rule score:
Proxy BandRule ScoreGap TypeCorrection
KNOWN_SAFE>= 70False negativeUpgrade to ANOMALOUS
ANOMALOUS< 20False positiveDowngrade to KNOWN_SAFE
Any20-69AgreementNone
Corrections propagate to the proxy within 10-50ms via NATS, fast enough to catch the next action in an attack chain.

Publisher

Publishes two types of messages to NATS:
  • Baselines (quint.baselines.{org}): authoritative behavioral distributions that override the proxy’s local EWMA values
  • Corrections (quint.corrections.{org}): retroactive decision upgrades

Deployment

Per-tenant instance — one BI Service per customer. No multi-tenant data sharing. 
# docker-compose.yml
behavioral:
  build: ./services/behavioral
  environment:
    - BI_NATS_URL=nats://nats:4222
    - BI_HEALTH_PORT=8082
  depends_on:
    nats:
      condition: service_healthy
Health endpoints:
  • GET /health — uptime, consumer status
  • GET /ready — all components initialized
  • GET /metrics — events consumed/scored, corrections, baselines, latency

Performance

MetricResult
Throughput (batch)780K events/sec
Throughput (full pipeline)116K events/sec
Scoring latency p990.002ms
Memory growth1.0x (stable across 100K events)
Per-agent cost3,490 bytes
Baseline computation (10K agents)116ms
Thread safetyExact counts across 8 concurrent threads

Limitations (v1)

  1. GraphReasoner is synchronous — batch parallelism limited by Python GIL
  2. No Memgraph — RAG context retrieval deferred to P5
  3. Baselines are in-memory — restart loses accumulated stats (Redis persistence planned)
  4. Single consumer — horizontal scaling requires NATS consumer group partitioning
  5. No GNN — Stage 4 structural analysis is P5 scope

Connection to Proxy

The proxy’s CorrectionReceiver handles incoming baselines and corrections:
  • ApplyBaseline: overrides local fingerprint distributions with authoritative values
  • ApplyCorrection: fires callback for alerting (ALLOW → ALERT upgrade)
  • TightenFloors: incoming floors can only get stricter, never relaxed
The proxy continues scoring locally at <1μs regardless of BI Service availability. The BI Service enhances detection but is not a dependency for the hot path.