Introduction

The name Prevyn derives from the concept of pre-vision — seeing what is coming before it happens. It represents the shift our industry needs to make: from reacting to threats to anticipating and preventing them. Yet security teams today remain stuck in reactive mode — not because they lack data, but because they lack the capacity to act on it. The real problem is an execution gap.

Threat intelligence feeds, underground monitoring, vulnerability disclosures, telemetry, and detection alerts are growing exponentially. At the same time, human analysts are expected to investigate threats, correlate signals, prepare responses, document incidents, and communicate outcomes to different stakeholders. All of this happens under constant time pressure.

Traditional AI assistants and chat-based tools do not solve this problem. They usually automate single steps, such as search or summarization, but they do not reduce the real operational burden of investigation and response across multiple domains.

What is needed is not another assistant but a foundational cognitive capability at the center of the platform — one that not only investigates threats, but begins to anticipate them. This is why we are introducing Group-IB Prevyn AI. This blog explains what Prevyn AI is, how it works today, and where it is going.

The Unified Risk Platform: one intelligence core

Prevyn AI is the cognitive core of the Group-IB Unified Risk Platform. It is not a standalone product or feature. It is a central intelligence capability that reasons over intelligence, coordinates specialist AI components, and prepares insights in Threat Intelligence and actions in Managed XDR.

The Group-IB Unified Risk Platform has always been founded on a shared intelligence core, uniting human expertise, machine intelligence, and operational products. With Prevyn AI we are now adding a second foundational component to this intelligence engine that acts as the platform’s cognitive core:

• Intelligence Data Lake: Provides the necessary memory and scale.
• Prevyn AI: The cognitive core — providing reasoning and anticipation over the Intelligence Data Lake.

What Prevyn AI actually is

Today, Prevyn AI is implemented through different AI architectures depending on the workflow. These implementations share a common vision and user experience, but differ in how intelligence processing is performed internally.

Over time, these implementations will converge toward a unified, orchestration-driven architecture composed of two layers:

1. Prevyn AI Command (the orchestrator)
Prevyn AI Command is the control plane of the cognitive core. It does not perform domain work itself. It reasons about how the work should be done.

2. Prevyn AI Specialist Agents (the execution layer)
Specialist Agents are task-specific AI components. Each agent is responsible for one domain of intelligence work. Each specialist agent is equipped with domain-specific tools and access to the Intelligence Data Lake. They execute concrete analytical tasks.

This orchestrated architecture is already fully implemented in Threat Intelligence and represents the long-term architectural direction for Prevyn AI across the entire platform.

Prevyn AI in Threat Intelligence

Last year we introduced our first AI Assistant into Group-IB Threat Intelligence to automate basic threat intelligence searches. You can read about that initial version and our security-first approach in an earlier blog post.

Usage data from our AI Assistant confirmed something important: simple AI-powered search was not enough. Analysts needed:

• Faster analysis
• Deeper context
• Cross-domain insights delivered in minutes instead of hours

Advanced requests required multi-step reasoning across multiple sources. Analysts were spending significant time researching vulnerabilities, comparing threat actors, reviewing dark web activity, and correlating indicators across domains. Single-query tools could not handle these workflows. The only way to meaningfully speed up intelligence work was not better search, but automating research itself.

Meet the Specialist Agents

Prevyn AI is now a part of Group-IB Threat Intelligence, operating as a sophisticated, orchestrated, multi-agent system. This system is currently comprised of the following agentic workforce:

• Intelligence Reporting Agent: Analyzes threat bulletins and threat intelligence feeds and generates structured intelligence reports.
• Threat Actor Analysis Agent: Investigates threat actor profiles, tactics, techniques, and campaign histories.
• Vulnerability Intelligence Agent: Tracks vulnerabilities and correlates threat data, exploits, and asset context to guide fast, risk-based remediation actions.
• Malware Analysis Agent: Analyzes malware behavior and profiles, determines malware capabilities and potential impact, and provides actionable detection and mitigation insights, including SIGMA and Suricata rules.
• Knowledge Base Assistant Agent: Advises on how to use the platform, APIs, and available data sources.
• Underground Monitoring Agent: Hunts across the dark web data lake to detect emerging threats, leaked data, and criminal activity relevant to the organization.
• Open-Source Intelligence Agent: Collects, correlates, and analyzes publicly available data to uncover threats, risks, indicators of compromise, and actionable insights in near real time.
• Threat Communication Monitoring Agent: Hunts across Telegram and Discord channels to detect emerging threats, leaked data, and criminal activity relevant to the organization.
• Compromise Detection Agent: Analyzes data breaches and leaked credentials from phishing campaigns and botnets to identify threat actors and anticipate how they are likely to attack the organization.
• Malicious Infrastructure Detection Agent: Identifies and tracks attacker-controlled infrastructure such as command-and-control servers, phishing domains, and botnets to anticipate, disrupt, and prevent attacks.
• Attack Activity Agent: Tracks and analyzes denial-of-service and website defacement campaigns to detect active threats, attribute attackers, and assess potential impact on the organization.

Prevyn AI functions as a cognitive core in Threat Intelligence, executing sophisticated intelligence workflows — with analysts retaining oversight throughout.

When a human analyst provides a research goal, Prevyn AI transforms it into a comprehensive, multi-step investigative workflow, delivering a structured intelligence analysis. Analysts are provided with a cohesive output, complete with source-backed evidence and actionable conclusions, eliminating the need to manually compile context from vulnerabilities, threat actor profiles, underground activity, malware knowledge, and related incidents.

Crucially, human analysts retain oversight. They can monitor the active agents, examine the sources and evidence, and validate or further develop the findings.

Measurable impact

Internal testing shows that research output quality improved by more than 20%, measured through systematic evaluation of accuracy, completeness, and analytical depth.

Research outcomes became:

• More comprehensive.
• More structured.
• More analytical.
• Better distilled.

Prevyn AI in Managed XDR

In Group-IB Managed XDR, Prevyn AI is currently implemented as an assistive AI system. Here, the cognitive core supports human responders with analysis, context, and recommendations.

In Managed XDR, Prevyn AI analyzes alerts, related signatures, and malicious activity across the infrastructure combined with Group-IB Threat Intelligence data. Based on the analysis, the AI prepares remediation workflows that outline response actions for human analyst review.

Human analysts can check, modify, and approve what should be executed, ensuring that business-critical decisions remain under human control. After that, remediation can be launched in one click.

Now this expands further with Prevyn AI incident reports. With a single action, human analysts can generate a clear textual description of an incident based on alert data already available in the product. The feature reduces time spent on manual documentation and makes it easier to execute response actions across broader environments.In this implementation, Prevyn AI acts as a cognitive core in assistive mode: it owns the analysis and reasoning, while humans retain decision authority and execution control.

One cognitive core, two operational modes

Although Threat Intelligence and Managed XDR currently operate in different modes, they are both expressions of the same platform capability: Prevyn AI.

• In Threat Intelligence, Prevyn AI operates in agentic mode: an orchestrated, multi-agent system.
• In Managed XDR, Prevyn AI operates in assistive mode: focused on analysis, recommendations, and human-approved actions.

Over time, these implementations will converge. The agentic mode used in Threat Intelligence will become the unifying foundation for Prevyn AI across the Unified Risk Platform, enabling consistent reasoning, orchestration, and increasingly autonomous execution across all security domains.

Evolution of cognition and autonomy

The evolution of Prevyn AI happens along two independent dimensions.

• Cognitive horizon: From analytical reasoning about current threats to predictive threat modeling and anticipation of attacker behavior.
• Level of autonomy: From today’s human-in-the-loop execution to controlled autonomous response within defined policies.

The long-term vision is a cognitive core that not only investigates and explains threats, but also predicts them and executes preventive actions under human oversight.

What’s next

In the next phase, Prevyn AI will expand across the Unified Risk Platform:

• New specialist agents for fraud detection and credential abuse
• Deep research mode for large-scale intelligence analysis
• Cross-domain AI orchestration across cyber and fraud — expanding Prevyn AI beyond Threat Intelligence and Managed XDR
• Predictive threat modeling
• Controlled autonomous operations

The long-term vision is not automation for its own sake. The vision is a system where human expertise and machine intelligence continuously reinforce each other, and where Prevyn AI’s cognitive core helps organizations stay ahead of increasingly automated and AI-powered threats.

Try Group-IB Prevyn AI

Prevyn AI is now available to Group-IB customers:

• As orchestrated research in Threat Intelligence — via the Group-IB portal or the Group-IB mobile app for iOS and Android
• As AI-assisted remediation and reporting in Managed XDR

Prevyn AI is available at no additional cost. Request a demo to experience the cognitive core of the Group-IB Unified Risk Platform.