
Protective Intelligence Assistant

Analyst workflow for protective intelligence, cross-domain triage, and casepack generation.

A public-safe workflow for ingesting public signals, extracting entities, linking related activity into investigation threads, scoring risk with reason codes, and producing reviewable outputs.

The project translates protective-intelligence workflow concepts into inspectable analyst artifacts: requirements-driven collection, source evaluation, entity extraction, correlation, risk scoring, uncertainty handling, and analyst-ready dissemination.

The public repo uses synthetic fixtures for sensitive domains and an official public RSS companion case study for travel-risk review. That keeps the workflow inspectable without exposing private data or implying live protective operations.

Data: Synthetic fixtures plus 240 official public RSS rows from State Department and CDC feeds.
Techniques: Entity extraction, source weighting, graph-style threading, scoring, uncertainty intervals.
Outputs: Daily reports, travel briefs, SITREPs, casepacks, and JSON review queues.
Posture: Analyst review support, not autonomous enforcement or production protection.

Public RSS rows: 240
Queued public items: 149
Correlation fixture eval F1: 0.875
Insider fixture eval F1: 1.000
Supply-chain fixture eval F1: 0.889
Automated tests: 341

Workflow

01

Set Requirements

Define watchlist terms, protected locations, people of interest, event calendars, and collection priorities.

02

Collect And Normalize

Ingest public-source and fixture signals, deduplicate records, extract entities, and preserve source context.

03

Correlate Threads

Link related activity with pair evidence, reason codes, shared entities, and temporal proximity.

04

Score Risk

Apply transparent scoring for operational risk, behavioral threat indicators, insider risk, and vendor exposure.

05

Produce Outputs

Generate casepacks, SITREPs, travel briefs, daily reports, and review queues for human assessment.

Implemented Components

analytics/soi_threads.py

Investigation Threading

Weighted pair-link model with explicit evidence for why alerts belong in the same subject thread.
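The pair-link threading described in the Correlate Threads step and in analytics/soi_threads.py, as an added Python example that is not the project's code: each alert pair is scored with reason codes (shared entities, temporal proximity, source credibility) and accepted links are unioned into subject threads, so every thread carries the evidence for why its alerts were joined. The weights, threshold, 48-hour window and the sample alerts are constructed assumptions, not the project's tuning or fixtures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
# Hypothetical link weights, window and threshold; not the project's tuning.
WEIGHTS = {"shared_entity": 0.5, "temporal_proximity": 0.3, "credible_pair": 0.2}
LINK_THRESHOLD = 0.6  # a shared entity alone (0.5) never links on its own
WINDOW = timedelta(hours=48)

@dataclass(frozen=True)
class Alert:
    alert_id: str
    ts: datetime
    entities: frozenset  # watchlist terms, protected locations, handles
    source_weight: float  # 0..1 credibility of the originating source

def pair_evidence(a, b):
    """Score one alert pair; return (score, reason_codes) explaining the link."""
    shared = a.entities & b.entities
    checks = [  # (reason code, weight key, did the check fire)
        ("shared_entity:" + ",".join(sorted(shared)), "shared_entity", bool(shared)),
        ("temporal_proximity", "temporal_proximity", abs(a.ts - b.ts) <= WINDOW),
        ("credible_pair", "credible_pair", min(a.source_weight, b.source_weight) >= 0.6),
    ]
    reasons = [code for code, _, hit in checks if hit]
    score = round(sum(WEIGHTS[key] for _, key, hit in checks if hit), 3)
    return score, reasons

def build_threads(alerts):
    """Union-find over accepted pair links; return (threads, accepted_links)."""
    parent = {a.alert_id: a.alert_id for a in alerts}
    def find(x):
        while parent[x] != x: x = parent[x]
        return x
    links = []
    for a, b in combinations(alerts, 2):
        score, reasons = pair_evidence(a, b)
        if score >= LINK_THRESHOLD:  # every accepted link keeps its evidence
            links.append((a.alert_id, b.alert_id, score, reasons))
            parent[find(a.alert_id)] = find(b.alert_id)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a.alert_id), []).append(a.alert_id)
    return sorted(sorted(g) for g in groups.values()), links
# Constructed sample alerts (synthetic; not from the project's fixtures).
SAMPLE = [
    Alert("A1", datetime(2024, 3, 1, 9), frozenset({"venue-A", "handle-x"}), 0.8),
    Alert("A2", datetime(2024, 3, 2, 10), frozenset({"handle-x"}), 0.7),
    Alert("A3", datetime(2024, 3, 10, 12), frozenset({"venue-A"}), 0.3),
    Alert("A4", datetime(2024, 3, 2, 11), frozenset({"route-7"}), 0.9),
]
```

Running build_threads(SAMPLE) joins A1 and A2 on the shared handle plus proximity and credibility, while A3 (shared venue but stale and low-credibility) and A4 (close in time but no shared entity) stay as single-alert threads for analyst review.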

analytics/risk_scoring.py

Operational Risk

Explainable scoring using source credibility, keyword weights, recency, frequency, and context.

analytics/insider_risk.py

Insider Risk Fixtures

Fixture telemetry for access deviation, data movement, physical/logical mismatch, and temporal anomalies.

analytics/supply_chain_risk.py

Vendor Exposure

Risk decomposition across geography, concentration, privilege scope, data sensitivity, and compliance posture.

What To Inspect

docs/sample_casepack.md

Detection To Casepack

Shows how alerts become a thread, what evidence links them, and how disposition and controls are documented.

outputs/review_queue.csv

Review Queue

Priority-ranked records with confidence, next action, source context, and human-review posture.

docs/correlation_eval.md

Correlation Evaluation

Hand-labeled convergence scenarios used to sanity-check the thread-linking logic and reason codes.

docs/screenshots/

Screenshots And Endpoint Evidence

Screenshots plus endpoint snapshots for insider, supply-chain, and investigation-queue outputs.

Outputs

Casepack

Thread summary, reason codes, evidence, timeline, disposition, and recommended controls.

Travel Brief

Location-aware risk summary for a protected movement or trip scenario.

SITREP

Short operational update designed for decision-makers who need the current picture quickly.

Daily Report

Recurring summary of priority items, source health, notable changes, and triage posture.

Review Queue

Prioritized alerts with reason-coded scoring and fields suitable for analyst review.

Structured Outputs

Endpoint snapshots make insider, supply-chain, and investigation-queue outputs inspectable.

Scope And Limitations

Data Boundary

Public artifacts combine official public RSS rows for travel-risk triage with synthetic fixtures for sensitive insider, vendor, and threat-correlation domains.

Public-Safe

No private protectee data, live sensitive collection, confidential source reporting, or real insider telemetry is included in the public repo.

Human Review

Scores and threads prioritize review. They do not establish threat, intent, culpability, or a required operational response.

Validation Boundary

Public-data scores are triage aids for review priority. They do not establish a specific threat to a person, organization, route, or event.