(This is the third and final article in our series on protocol security. In Article 1: The 3 Subtle Bugs We Found, we showed you real-world, subtle bugs we've found. In Article 2: Beyond the Code, we explained the human-led, systems-thinking methodology we use to find them. Now, we'll show you how we're scaling that expertise for the future.)
The "Scaling Problem" of Human Expertise
In our last article, "Beyond the Code," we argued that the most critical protocol vulnerabilities lie not in simple code errors, but in flawed business logic, broken economic assumptions, and unsafe composability.
We also explained that finding these bugs requires a creative, human-led, adversarial mindset.
This presents a challenge. This kind of deep, systems-level analysis is bespoke, time-consuming, and difficult to scale. A protocol's security shouldn't just be a "snapshot in time" from a 3-week audit; it should be continuous.
The market's default answer to this is "AI auditors." This is, in our view, the wrong solution. Most "AI auditors" are just faster static-analysis tools—they are great at verification (checking for known bugs) but fail at validation (understanding a protocol's unique intent).
The true challenge is not to replace the human auditor, but to scale their intuition. We believe the future lies in combining the human expert's adversarial mindset with the power of AI and Knowledge Graphs (KGs). At Extropy, we are actively building this future.
An Exploit Isn't a Line of Code, It's a Narrative
To find novel exploits, you must stop thinking about code and start thinking about narratives.
An exploit is a story. A user-level phishing attack follows a narrative:
- A new wallet is funded from a mixer.
- It deploys a new phishing contract.
- It sends tokens to 1,000 users in a "dusting attack."
- A user interacts with the contract, which drains their funds.
A protocol-level exploit follows a similar narrative:
- An attacker's wallet is funded.
- It deploys a new, unaudited 'Exploit' contract.
- The Exploit contract takes out a flash loan from Protocol A.
- It manipulates an oracle on Protocol B.
- It borrows funds from your protocol (Protocol C) using bad collateral.
- It repays the flash loan and sends the profit to a new address.
Automated tools only see step 5. Our methodology sees the entire chain of events as a single, interconnected attack pattern.
Our R&D: An "Adversarial Behaviour" Knowledge Graph
To map these "exploit narratives" at scale, our team is developing a proprietary tool that uses AI agents to build a real-time security Knowledge Graph.
The first, public-facing application of this tool is focused on user security: it identifies and warns users of sophisticated phishing attempts as they happen.
But this application is just the "sensor" for a much larger system. Every phishing scam, every malicious contract, and every suspicious wallet interaction is mapped into our KG. This engine is building one of the richest, real-time datasets of adversarial behaviour on-chain.
The Future: Using the KG for Pre-emptive Protocol Security
This brings us back to protocol auditing. How does our KG, built from user-level security data, protect your protocol before an audit even begins?
It allows us to move from "post-mortem" analysis to pre-emptive, continuous security.
By applying our human-led "systems thinking" from Article 2 to this new data asset, we can ask questions that no one else can:
- Pre-emptive Composability Risk: Your protocol integrates with a new, unaudited ERC-4626 vault. Our KG can cross-reference this. It can tell us: "Warning: This vault also has an admin wallet that has previously interacted with three known phishing scams." This isn't a "bug"; it's a critical, high-risk red flag.
- Threat-Actor Monitoring: An unknown address deploys a new, unverified contract that begins interacting with your protocol. Our KG can immediately flag this: "Warning: This new contract was funded by a wallet that also funded a protocol exploit on Fantom two months ago." We can identify the attacker before they find the bug.
- Pre-emptive Fork Analysis: A new protocol launches that is a fork of a project you integrate with. Our KG, which maps code relationships, can tell us: "This new fork has removed the re-entrancy guards that were present in the original."
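As an added illustration of the Threat-Actor Monitoring check above (example code written for this article, not Extropy's tool), the script below indexes a handful of constructed, hypothetical funding and deployment edges as a small graph and flags a new contract whose funding lineage also produced a contract already labelled from a past incident. All addresses, protocol names and labels are made up.

```python
from collections import defaultdict, deque

# Constructed, hypothetical on-chain relationships (not real addresses): (source, relation, target).
EDGES = [
    ("0xFUNDER", "funded", "0xWALLET_1"),
    ("0xWALLET_1", "deployed", "0xEXPLOIT_CONTRACT"),
    ("0xEXPLOIT_CONTRACT", "interacted", "FantomLendingProtocol"),
    ("0xFUNDER", "funded", "0xWALLET_2"),          # same funder, new wallet
    ("0xWALLET_2", "deployed", "0xNEW_CONTRACT"),  # new, unverified contract
    ("0xNEW_CONTRACT", "interacted", "ProtocolC"),
    ("0xOTHER_FUNDER", "funded", "0xWALLET_3"),
    ("0xWALLET_3", "deployed", "0xBENIGN_CONTRACT"),
]

# Labels attached to nodes by earlier incident analysis (constructed).
LABELS = {"0xEXPLOIT_CONTRACT": "protocol exploit on Fantom"}


def build_graph(edges):
    """Index edges both ways: fwd[src][rel] -> targets, rev[tgt][rel] -> sources."""
    fwd, rev = defaultdict(lambda: defaultdict(set)), defaultdict(lambda: defaultdict(set))
    for src, rel, tgt in edges:
        fwd[src][rel].add(tgt)
        rev[tgt][rel].add(src)
    return fwd, rev


def walk(index, start, max_hops=3):
    """BFS over 'funded'/'deployed' edges in one direction; returns reachable nodes, excluding start."""
    seen, queue = set(), deque([(start, 0)])
    while queue:
        cur, depth = queue.popleft()
        if depth == max_hops:
            continue
        for rel in ("funded", "deployed"):
            for nxt in index[cur][rel]:
                if nxt not in seen and nxt != start:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
    return seen


def flag_contract(edges, contract, labels, max_hops=3):
    """Warn when an ancestor in the contract's funding lineage also led to a labelled node."""
    fwd, rev = build_graph(edges)
    warnings = []
    for ancestor in sorted(walk(rev, contract, max_hops)):        # deployer, its funder, ...
        for relative in sorted(walk(fwd, ancestor, max_hops)):    # everything that ancestor spawned
            if relative in labels and relative != contract:
                warnings.append(f"Warning: {contract} shares funding lineage (via {ancestor}) "
                                f"with {relative}, a {labels[relative]}")
    return warnings
```

Running `flag_contract(EDGES, "0xNEW_CONTRACT", LABELS)` yields one warning naming 0xFUNDER and 0xEXPLOIT_CONTRACT, while the benign contract, whose lineage touches nothing labelled, yields none.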
Conclusion: From Snapshot Audits to Continuous Intelligence
An audit is a snapshot in time. The future of security is continuous, pre-emptive intelligence.
Our research into AI and Knowledge Graphs is not a separate product; it is the natural, scalable extension of the human-first, adversarial mindset we've championed for years.
When you hire Extropy for an audit, you aren't just getting a PDF report. You are getting a partner at the forefront of this research—a team that is actively building the tools to find the next generation of exploits.
Originally published on: security.extropy.io