Most security tooling is built to report events: a login from a new location, a file moved, a device enrolled. Events are facts about the past. By the time a tool reports one, the action has already happened — and for the threats that matter most to a protective mission, the action is rarely the beginning of the story.
The action is the end of the story. The intent is the beginning — and it is visible, if you are looking across domains at the same entity, before the event.
Foreign intelligence services, insiders acting deliberately, and organized actors do not start with the breach. They start with reconnaissance: studying a program, its people, and its suppliers; testing access; building a picture over weeks or months. That preparation is intent. It is visible — but only if you are looking across domains at the same entity, and only if you are looking before the event.
A single reconnaissance signal almost never clears a threshold on its own. A benign-looking records request, a routine-seeming travel booking, a small credential probe, a new social connection — each is unremarkable in isolation. Point tools evaluate each in isolation, so each passes. The pattern only becomes obvious in hindsight, in the after-action review.
Detecting intent means scoring a signal against everything else known about the entity it concerns, across every domain, as it arrives — not weeks later when an analyst happens to connect the dots by hand.
What intent looks like operationally
OBSIDIAN — Counterintelligence approaches this through behavioral baselines and cross-domain anomaly correlation. It maps what an organization protects to who would want it, and watches for the early indicators of targeting during the reconnaissance phase:
- Access, travel, cyber, and open-source signals correlated to the same person, program, or facility rather than evaluated in separate tools.
- A minor anomaly escalating in confidence when it completes a pattern another domain started.
- Targeting of a program mapped to foreign dependencies and supply-chain exposure, not just to individual accounts.
The point is not to raise more alerts. It is to raise the right one earlier — with enough corroboration that a human analyst can act on it while there is still time to matter.
The human role is the point, not an afterthought
Automation surfaces patterns; it does not adjudicate them. A determination that someone is being targeted, or that an insider is a genuine risk, is a human judgment with real consequences. The platform is designed to make that judgment earlier and better-evidenced — and to leave the decision, and the authority for it, with people.
Governance
AI assistants operate within APEX, using governed, auditable data. They do not bypass authority, workflows, or oversight.
Event-based tools will always have a place — you still need to know what happened. But protecting a mission means seeing the preparation, not just the incident. That is the shift from detecting events to detecting intent.