Google has launched a new dark web intelligence service to tackle the grueling task of monitoring underground criminal forums.

It is deploying Gemini-powered artificial intelligence (AI) agents to sift through upwards of 10 million posts daily, the tech giant said, to replace clunky, keyword-based legacy systems with a platform that understands the context of a threat.

The service, currently in public preview as part of Google Threat Intelligence, marks a shift from reactive monitoring to proactive profiling. According to Google threat hunters, internal testing indicates the AI can analyze millions of external events with an impressive 98% accuracy rate.

As cybercriminals increasingly adopt AI to craft more sophisticated attacks, Google is betting that its own generative models are the only way for defenders to keep pace with the sheer volume of modern digital threats.

Traditional dark web monitoring has long been a headache for security teams. These older tools typically rely on regex (regular expressions) and simple keyword scraping, which Brandon Wood, Google Threat Intelligence product manager, says results in an 80% to 90% false-positive rate.

“It mostly just creates noise,” Wood told The Register. “We are now processing every post from the dark web using Gemini, and from there distilling down what threats actually matter.”

The process begins with Gemini building a comprehensive profile of a client organization — such as a bank or healthcare provider — by analyzing its business operations, VIPs, brands, and technology stack. The profile is built using cited, publicly available information to maintain transparency. Once established, Gemini compares this profile against real-time dark web data, including initial access broker activity and leaked credentials.

The true power of the system lies in its ability to handle ambiguity. For example, if a cybercriminal advertises access to a large North American bank with $50 billion in assets without naming the victim, Gemini can cross-reference those specific metrics against its client profiles. If the data matches a user like Acme Bank, the system triggers a high-severity alert.

To refine its judgment, Gemini integrates insights from Google’s human analysts, who currently track 627 distinct threat groups. This hybrid intelligence allows the AI to weigh the reputation of the threat actor against the sensitivity of the leaked data.

Beyond dark web monitoring, Google is expanding AI agents into its Security Operations (SecOps) suite to automate incident response. These agents can autonomously investigate alerts, gather evidence, and provide a verdict on whether a breach has occurred, complete with a written explanation of their reasoning.

However, the move toward autonomous security agents is not without its critics. Security experts warn that giving AI agents deep access to corporate environments could inadvertently create a new attack vector for hackers to exploit.

Wood addressed these concerns by emphasizing that Google is focusing on “publicly available information and context that the user chooses to provide.” He noted that transparency and user control remain central to the platform’s integration.