System Architecture

Autonomous Persistent Multi-Agent Cyber Threat Intelligence / V1.5
Minas / Core / Trust Zone 1
Maximum Trust / Orchestration, API, Processing
  mandos (Orchestrator): LangGraph · FastAPI · Intel processing
  tirith (Analyst Console): React app · NL query interface
  annun (Source Discovery): 4-tier engine · HITL approval
  fea (Redis HA): Investigation state & checkpoints
  ladris (Neo4j): Relationship graph of actors & campaigns
  PostgreSQL (Primary Database): Evidence, threats, customer profiles · PGVector
  Object Storage (Evidence Vault): Immutable · content-addressed
Trusted core where investigations are orchestrated and evidence is stored
Ithil / Enrichment / Trust Zone 2
Mediated Trust / External Tool Execution
  telchar (Tool Gateway): MCP · external execution
  ithildin (OSINT Collectors): Shodan · VirusTotal · WhoisXML
Controlled zone for external tool execution and OSINT collection
Mordor / Hostile / Trust Zone 3
Untrusted / Dark Web Collection
  shelob (Dark Web Collector): Ephemeral Tor containers · no persistent state
Containers created per-crawl, destroyed afterward
Istar / Inference / GPU Isolated
Core Trust / Dedicated GPU Inference
  halbarad (Qwen 2.5-14B): Triage & extraction
  lorin (Llama 3.1 70B): Synthesis & escalation
  Anthropic (Claude Opus 4.7): Reasoning & investigations
Hybrid 60/40 local-to-frontier routing with continuous quality monitoring and auto-failover to Claude on drift
Amon / Observability
Core Trust / Monitoring & Audit
  sul (Observability Stack): Langfuse · Grafana · Prometheus
Full-system tracing, metrics, and quality monitoring across the platform

Five-Tier Storage Model

Tier 1 / Redis HA: Active investigation state · LangGraph checkpoints · Social deduplication
Tier 2 / PostgreSQL: Evidence / Threat intelligence · Customer profiles / Config · PGVector semantic search
Tier 3 / Neo4j: Relationship graph · Actors, campaigns, TTPs · Infrastructure linkage
Tier 4 / Object Storage: Immutable evidence vault · Content-addressed · Long-term retention
Tier 5 / Langfuse: Audit & observability · LLM traces / Cost tracking · Routing quality metrics

Architecture Principles

01 Investigations are long-lived objects
02 Evidence is immutable & content-addressed
03 Tiered autonomy with HITL gates
04 Hostile content assumed on all inputs
05 Three trust zones enforced at network level
06 60/40 hybrid LLM routing (local-first)
07 Full HA from day one
08 Customer digital twin model
09 Quality governance & evidence grounding

Source Categories

Category 01 / Authorized OSINT
  Shodan / VirusTotal / WhoisXML
  CISA KEV / NVD
  Enrichment Zone Collectors

Category 02 / Social & Open Web
  Telegram / Mastodon / Bluesky
  Publication RSS/Atom feeds
  Researcher credibility tiers
  Core Zone Collectors

Category 03 / Dark Web
  Approved .onion sites
  Ransomware leak sites & forums
  Ephemeral Tor containers
  Hostile Zone Collectors