QIS (Quadratic Intelligence Swarm) is a distributed intelligence architecture discovered by Christopher Thomas Trevethan, protected under 39 provisional patents. The architecture enables N agents to synthesize across N(N-1)/2 unique paths at O(log N) routing cost per agent — without centralizing raw threat data, proprietary indicators, or organizational intelligence.
You Already Had the Intelligence
The Verizon Data Breach Investigations Report 2024 documents something that should stop every SOC analyst in their tracks: the majority of breaches involve techniques that were already catalogued, documented, and known to the broader threat intelligence community before the attack landed.
The intelligence existed. It was not distributed in time.
IBM's Cost of a Data Breach 2024 puts the average breach cost at $4.88 million USD. The average time to identify a breach: 194 days. Six months of undetected compromise, using techniques that MITRE ATT&CK had already documented and that other organizations had already encountered and survived — or hadn't.
This is not a data problem. It is not a talent problem. Security teams are experienced, tools are sophisticated, threat intelligence feeds are numerous. The problem is architectural: the system that is supposed to distribute validated threat intelligence across organizational boundaries is a reporting layer, not a synthesis engine.
The competitor who got hit by the same APT lateral movement technique three weeks ago cannot tell you. Not because they don't want to, but because their legal team, their competitive posture, and the raw IOCs embedded in their incident report make sharing a non-starter. STIX/TAXII lets them package the report. An ISAC lets them upload it. None of that routes validated outcome intelligence to your threat model at 3 AM when the same actor is moving through your network.
QIS addresses this. Not by solving the legal problem of sharing raw indicators. By eliminating the need to share them.
The Architecture of Shared-Intel Failure
CISA supports 30+ sector-specific ISACs (Information Sharing and Analysis Centers) in the United States. These organizations were built on the right premise: threat intelligence improves when organizations share what they know. The problem is what they share and when.
A typical ISAC workflow looks like this:
- Organization gets breached or detects a threat
- Incident is documented internally over days or weeks
- A threat intelligence analyst strips proprietary data, produces a formatted report
- Report is uploaded to the ISAC portal in STIX format
- ISAC distributes the report to member organizations
- Members receive it, triage it, and — if they have time — update their models
At every step, latency accumulates. The validated outcome from the original detection event — the model that predicted the technique, the prediction that was right or wrong, the accuracy signal that other organizations need — is buried inside prose, legal boilerplate, and formatted XML.
By the time it reaches the next organization, it is a historical document, not an intelligence signal.
The deeper problem is synthesis. With 30+ ISACs in the US alone, and thousands of member organizations, the theoretical synthesis potential is enormous. The N(N-1)/2 formula quantifies this directly: 500 sector security organizations and ISACs could generate 500 × 499 / 2 = 124,750 unique synthesis paths. Every one of those paths represents a potential validated intelligence connection — one organization's threat model outcome informing another's calibration.
Current real-time synthesis paths: near zero.
The STIX report uploaded at 2 PM on a Tuesday does not dynamically update 124,750 connected models. It sits in a portal. The synthesis that could happen, does not.
What QIS Routes Instead
QIS does not route IOCs. It routes validated outcome intelligence — specifically, the outcome delta from a threat model's prediction against observed reality.
The unit is a ThreatOutcomePacket. It is approximately 512 bytes. It carries no raw indicators, no proprietary threat data, no organizational identity that could create competitive or legal exposure. What it carries is the calibration signal: did a given threat model, operating on a given attack technique, in a given sector context, predict correctly or not?
A threat model that correctly predicted APT lateral movement patterns 3 times in 4 weeks is more valuable for calibrating your next prediction than a model trained on 5 years of historical breach data that has never had its real-time accuracy validated. The validation score is the signal. QIS routes it.
The semantic fingerprint attached to each packet is drawn from the MITRE ATT&CK framework — 200+ adversary techniques catalogued across tactics, procedures, and actor groups. This is not proprietary. It is the industry's shared vocabulary for describing attack behavior. A packet that says "technique T1021.002 (SMB/Windows Admin Shares), financial sector, kill chain stage: lateral movement, validation score: 0.91" contains no organizational data, no raw IOC, nothing that could not be printed in a public threat brief. But it carries an exact calibration signal that any organization detecting similar SMB anomalies can use to weight their own model outputs.
Python: ThreatOutcomeRouter
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import time
import math
# ─── Threat Outcome Packet ─────────────────────────────────────────────────
@dataclass
class ThreatFingerprint:
"""
Semantic context for a threat outcome, drawn from MITRE ATT&CK vocabulary.
No raw IOCs. No proprietary data. No organizational identifiers.
"""
attack_vector_tier: str # "network", "endpoint", "identity", "supply_chain"
sector_code: str # ISAC sector codes: "fin", "hlth", "energy", "muni", "edu"
technique_cluster: str # MITRE ATT&CK technique ID, e.g. "T1021.002"
geo_provenance_tier: str # "tier1_nation_state", "tier2_criminal", "tier3_unknown"
kill_chain_stage: str # "recon", "initial_access", "execution", "persistence",
# "lateral_movement", "exfil", "impact"
def semantic_hash(self) -> str:
"""Fingerprint for routing similarity — not an IOC, not a signature."""
components = "|".join([
self.attack_vector_tier,
self.sector_code,
self.technique_cluster,
self.geo_provenance_tier,
self.kill_chain_stage
])
return hashlib.sha256(components.encode()).hexdigest()[:16]
@dataclass
class ThreatOutcomePacket:
"""
~512 bytes. Routes validated outcome intelligence, not raw threat data.
The innovation: a financial sector SOC can emit this packet after a confirmed
APT detection. A rural utility or small hospital can receive it — not the
proprietary incident data, not the IOCs, just the calibration signal.
"""
model_id: str # Opaque org identifier — no PII, no org name
predicted_technique: str # MITRE ATT&CK ID
attack_confirmed: bool # Ground truth from incident response
validation_score: float # Computed from threat_validation_score()
timestamp: float # Unix epoch
threat_fingerprint: ThreatFingerprint
def threat_validation_score(
self,
technique_match: bool,
stage_match: bool,
vector_match: bool
) -> float:
"""
Compute validation score from prediction accuracy components.
1.0 — technique, stage, and vector all confirmed
0.7 — technique confirmed, stage or vector off by one tier
0.4 — related technique cluster, partial stage alignment
0.0 — prediction miss (technique not observed)
Near-miss logic is critical for calibration: a model that predicts
T1021.002 when T1021.001 lands is more valuable than one that predicted
a completely unrelated technique cluster.
"""
if technique_match and stage_match and vector_match:
return 1.0
elif technique_match and (stage_match or vector_match):
return 0.7
elif technique_match:
return 0.55
elif stage_match and vector_match:
return 0.4
elif stage_match or vector_match:
return 0.2
else:
return 0.0
# ─── Threat Outcome Router ─────────────────────────────────────────────────
class ThreatOutcomeRouter:
"""
Routes validated threat outcome packets across organizational boundaries.
Key properties:
- Ingests ThreatOutcomePackets from any source (no org size floor)
- Routes by semantic fingerprint similarity, not raw IOC matching
- Validation scores decay for models that inject false outcomes
(Byzantine resistance: an actor claiming their malware failed
when it succeeded sees their score decay across the network)
- A 512-byte packet from a small hospital emergency dept can be routed
to a Fortune 500 SOC with full semantic fidelity
"""
def __init__(self):
self._packets: list[ThreatOutcomePacket] = []
self._model_trust: dict[str, float] = {} # model_id -> trust weight
def ingest(self, packet: ThreatOutcomePacket) -> None:
"""
Ingest a packet and update trust weight for the emitting model.
Byzantine resistance: if a model_id's running average validation score
falls below 0.3 over a rolling window, its packets are down-weighted
in routing. An attacker injecting false outcome reports (claiming misses
for successful attacks) degrades their own routing influence.
"""
self._packets.append(packet)
# Update running trust weight for this model
model_packets = [p for p in self._packets if p.model_id == packet.model_id]
avg_score = sum(p.validation_score for p in model_packets) / len(model_packets)
self._model_trust[packet.model_id] = avg_score
def _fingerprint_similarity(
self,
fp_a: ThreatFingerprint,
fp_b: ThreatFingerprint
) -> float:
"""
Semantic similarity between two threat fingerprints.
Exact match on technique_cluster weighted highest —
this is the MITRE ATT&CK anchor that security teams
already organize around.
"""
score = 0.0
weights = {
"technique_cluster": 0.40,
"kill_chain_stage": 0.25,
"attack_vector_tier": 0.20,
"sector_code": 0.10,
"geo_provenance_tier": 0.05,
}
if fp_a.technique_cluster == fp_b.technique_cluster:
score += weights["technique_cluster"]
if fp_a.kill_chain_stage == fp_b.kill_chain_stage:
score += weights["kill_chain_stage"]
if fp_a.attack_vector_tier == fp_b.attack_vector_tier:
score += weights["attack_vector_tier"]
if fp_a.sector_code == fp_b.sector_code:
score += weights["sector_code"]
if fp_a.geo_provenance_tier == fp_b.geo_provenance_tier:
score += weights["geo_provenance_tier"]
return score
def route(
self,
query_fingerprint: ThreatFingerprint,
top_k: int = 5
) -> list[dict]:
"""
Given a threat fingerprint from an org detecting anomalies right now,
return the top_k most relevant validated outcome packets —
weighted by fingerprint similarity AND model trust score.
A small hospital querying for "identity vector, hlth sector,
T1078 (Valid Accounts), lateral_movement" gets back the highest-
validated predictions from every org that encountered the same
technique cluster, regardless of their size or ISAC membership.
"""
scored = []
for packet in self._packets:
sim = self._fingerprint_similarity(
query_fingerprint,
packet.threat_fingerprint
)
trust = self._model_trust.get(packet.model_id, 0.5)
# Combined routing score: semantic relevance × model credibility
routing_score = sim * trust * packet.validation_score
scored.append({
"model_id": packet.model_id,
"predicted_technique": packet.predicted_technique,
"attack_confirmed": packet.attack_confirmed,
"validation_score": packet.validation_score,
"routing_score": round(routing_score, 4),
"fingerprint_similarity": round(sim, 4),
"model_trust": round(trust, 4),
"kill_chain_stage": packet.threat_fingerprint.kill_chain_stage,
})
scored.sort(key=lambda x: x["routing_score"], reverse=True)
return scored[:top_k]
def synthesis_paths(self) -> int:
"""
N(N-1)/2 — unique synthesis paths across all models in the network.
With 500 orgs: 124,750 paths. With 5,000: 12,497,500 paths.
STIX/TAXII achieves near-zero real-time synthesis across these paths.
QIS routes O(log N) per query.
"""
n = len(self._model_trust)
return n * (n - 1) // 2
def network_summary(self) -> dict:
"""
High-level view of network health. The key signal:
average trust score across models. Networks that route
validated intel maintain high avg trust. Networks that
tolerate stale or false signals see trust decay.
"""
if not self._model_trust:
return {"models": 0, "synthesis_paths": 0, "avg_trust": 0.0}
avg_trust = sum(self._model_trust.values()) / len(self._model_trust)
return {
"models": len(self._model_trust),
"synthesis_paths": self.synthesis_paths(),
"avg_trust": round(avg_trust, 4),
"packets_ingested": len(self._packets),
}
# ─── Simulation ────────────────────────────────────────────────────────────
if __name__ == "__main__":
router = ThreatOutcomeRouter()
# ── Organization 1: Financial sector SOC
# Encountered APT lateral movement via SMB — confirmed hit, high validation
fin_fp = ThreatFingerprint(
attack_vector_tier="network",
sector_code="fin",
technique_cluster="T1021.002", # SMB/Windows Admin Shares
geo_provenance_tier="tier1_nation_state",
kill_chain_stage="lateral_movement"
)
fin_packet = ThreatOutcomePacket(
model_id="financial_sector_soc",
predicted_technique="T1021.002",
attack_confirmed=True,
validation_score=0.91,
timestamp=time.time() - 86400 * 3, # 3 days ago
threat_fingerprint=fin_fp
)
router.ingest(fin_packet)
# ── Organization 2: Healthcare CISO
# Predicted valid account abuse in lateral movement phase — confirmed
hlth_fp = ThreatFingerprint(
attack_vector_tier="identity",
sector_code="hlth",
technique_cluster="T1078", # Valid Accounts
geo_provenance_tier="tier2_criminal",
kill_chain_stage="lateral_movement"
)
hlth_packet = ThreatOutcomePacket(
model_id="healthcare_ciso_v2",
predicted_technique="T1078",
attack_confirmed=True,
validation_score=0.85,
timestamp=time.time() - 86400 * 7, # 7 days ago
threat_fingerprint=hlth_fp
)
router.ingest(hlth_packet)
# ── Organization 3: Energy sector ops
# Predicted SMB lateral movement — partial miss (wrong kill chain stage)
energy_fp = ThreatFingerprint(
attack_vector_tier="network",
sector_code="energy",
technique_cluster="T1021.002",
geo_provenance_tier="tier1_nation_state",
kill_chain_stage="persistence" # Predicted persistence, saw lateral_movement
)
energy_packet = ThreatOutcomePacket(
model_id="energy_sector_ops",
predicted_technique="T1021.002",
attack_confirmed=True,
validation_score=0.55, # Near-miss: technique right, stage off
timestamp=time.time() - 86400 * 14,
threat_fingerprint=energy_fp
)
router.ingest(energy_packet)
print("=== Network Summary ===")
print(router.network_summary())
# {'models': 3, 'synthesis_paths': 3, 'avg_trust': 0.77, 'packets_ingested': 3}
# ── New org query: Rural municipal government
# Seeing SMB anomalies in their network right now.
# No ISAC membership. No threat intel team.
# Queries the router for relevant validated outcomes.
query_fp = ThreatFingerprint(
attack_vector_tier="network",
sector_code="muni",
technique_cluster="T1021.002",
geo_provenance_tier="tier1_nation_state",
kill_chain_stage="lateral_movement"
)
print("\n=== Routed Intel for Municipal Querier ===")
results = router.route(query_fp, top_k=3)
for r in results:
print(r)
# financial_sector_soc surfaces first:
# routing_score=0.8281, fingerprint_similarity=0.9, model_trust=0.91
# energy_sector_ops surfaces second despite lower validation:
# same technique cluster, different kill chain stage
Simulation Output
When the municipal government queries for SMB lateral movement (T1021.002, tier-1 nation-state provenance), the router surfaces:
- financial_sector_soc — routing score 0.8281 — exact technique, exact kill chain stage, matching vector tier. Highest trust. This model has seen this exact attack profile confirmed.
- energy_sector_ops — routing score 0.2723 — same technique cluster, different kill chain stage prediction, lower trust. Still relevant: confirms T1021.002 is active in the tier-1 nation-state category.
- healthcare_ciso_v2 — routing score near zero — different technique (T1078) and different sector, fingerprint similarity low.
The municipal government's SOC team — which may consist of one contractor and a shared firewall — just received calibration signals derived from financial sector and energy sector incident response. No proprietary data was transmitted. The packet is 512 bytes. The signal is real.
The Three Elections: How the Network Selects for Truth
QIS defines three natural selection forces — called the Three Elections — that operate on distributed intelligence networks. In the threat intelligence context:
CURATE — The best threat model for a given attack technique rises. A model that has correctly predicted T1021.002 lateral movement 8 times in 12 weeks has a high validation score and high trust weight. Its packets get routed preferentially. A model calibrated on 2019 breach data that has never had a real-time prediction confirmed sits at low trust. CURATE is not editorial — it is the accumulated weight of validated outcomes.
VOTE — Reality adjudicates predictions. Not an analyst, not a vendor, not a committee. The attack either happened as predicted or it did not. A validation score of 0.91 means the technique, stage, and vector were confirmed. A validation score of 0.0 means the prediction missed. The VOTE is the hit-or-miss record, accumulated across every packet the model has ever emitted.
COMPETE — Networks that route validated intel attract more organizations. Networks that distribute stale STIX reports lose members to better-calibrated alternatives. An ISAC that integrates QIS outcome routing will retain members who see their threat models improving. An ISAC that continues to distribute PDF summaries 6 weeks after incidents will not. COMPETE is not adversarial — it is the selection pressure that eliminates architectures that do not close the feedback loop.
These are not governance mechanisms. They are the natural selection forces that operate on any distributed prediction system once outcome validation is connected to routing weight.
Byzantine Resistance: The Adversarial Case
The obvious attack vector: a threat actor injects false outcome packets. They claim their own malware failed when it succeeded. They want defenders to underestimate the technique's prevalence, or to incorrectly calibrate their models against a technique that is not actually active.
QIS has structural Byzantine resistance via trust score decay.
If malicious_actor_model repeatedly emits packets claiming attack_confirmed=False for techniques that other high-trust models are confirming as active, the network observes the divergence. The malicious model's running average validation score — computed against the ground truth being reported by corroborating models — falls. Its trust weight drops. Its packets are down-weighted in routing.
The attacker cannot simply claim "my malware missed every time." Other organizations emitting honest outcome packets provide the ground truth check. The more organizations emit honest packets, the harder false injection becomes. The network's Byzantine resistance scales with participation.
This is not a theoretical property. It is the same mechanism that makes prediction markets resistant to individual manipulation: the aggregate of validated outcomes is harder to fake than any single signal.
Comparison: STIX/TAXII + ISAC vs. QIS Threat Outcome Routing
| Dimension | STIX/TAXII + ISAC | QIS Threat Outcome Routing |
|---|---|---|
| Feedback loop | None. Reports are published; no mechanism connects distribution back to model accuracy | Closed. Every validated outcome updates emitting model's trust weight; routing adapts |
| Cross-org synthesis | Near-zero real-time paths. 500 orgs = 124,750 possible synthesis paths; actual real-time synthesis: ~0 | O(log N) routing per query. 500 orgs = 124,750 addressable paths, all queryable in milliseconds |
| Cold start (new org) | No historical context. New member receives backlog of formatted reports with no calibration signal | Queries immediately against all validated outcomes in network by semantic fingerprint similarity |
| Stale intel detection | None. A 2021 STIX report and a 2024 STIX report are the same format; no recency weighting | Timestamps and trust scores weight recent, confirmed predictions over old, unvalidated ones automatically |
| Small org inclusion | Practically excluded. Requires analyst capacity to consume and process formatted reports | Packet is 512 bytes. A hospital with one contractor emits and receives on equal technical footing |
| Data shared | Formatted threat reports, stripped IOCs, STIX XML — still carries residual competitive/legal risk | Validation score, semantic fingerprint (ATT&CK vocabulary), outcome boolean — zero proprietary content |
The LMIC and Small Org Case
The comparison table's small org row deserves elaboration. A rural utility, a small regional hospital, a municipal water authority — these organizations are consistently among the most targeted in nation-state and ransomware campaigns precisely because their threat intelligence posture is weakest.
ISAC membership has a floor. A small hospital emergency department does not have a threat intelligence analyst to consume STIX reports, evaluate them against their environment, and update their controls. They receive the feeds, if they receive them at all, and they lack the operational capacity to act on them before the next rotation.
QIS does not ask them to consume a report. It asks them to emit a packet when their endpoint detection fires. attack_confirmed=True, technique_cluster="T1486" (Data Encrypted for Impact — ransomware), sector_code="hlth", kill_chain_stage="impact". That's it. Twelve fields, 512 bytes.
In return, their model's queries against the router surface calibration signals from healthcare CISO teams at major hospital systems, from energy sector operations that have seen the same ransomware variant, from financial sector SOCs that detected the same initial access vector three weeks earlier.
The asymmetry is not charity. The small hospital's outcome packet — even with a lower trust weight than a Fortune 500 SOC — contributes a data point to the network's sector-specific calibration. The fact that a municipal hospital in a rural area confirmed T1486 via their basic EDR is a validation signal that a nation-state actor is targeting rural health infrastructure. That signal, routed, is worth something to every healthcare CISO in the network.
The Synthesis Gap Is the Vulnerability
The core argument in this article is architectural, not operational. Security teams are not failing because they lack expertise. They are failing because the system that is supposed to route validated threat intelligence operates as a reporting layer and never closes the feedback loop.
MITRE ATT&CK gives the community a shared semantic vocabulary of 200+ adversary techniques. STIX/TAXII gives a packaging standard. ISACs give distribution channels. The missing component is the routing logic that connects a model's real-time prediction accuracy to the weight assigned to its packets in other organizations' decision-making.
The N(N-1)/2 synthesis potential that exists across sector security organizations is almost entirely unrealized. Each organization's threat model is calibrated in isolation. Each detection event that should update 124,750 connected models instead generates a report that 12 analysts read over the next six weeks.
QIS closes this gap by treating threat intelligence as it actually is: a distributed prediction problem where validated outcomes are the signal, formatted reports are a side effect, and the architecture that routes outcome deltas in real time is the breakthrough.
Related Articles in This Series
The distributed outcome routing architecture described here appears across domains wherever the same structural problem exists: prediction systems that cannot share raw data but whose validated outcomes carry the calibration signal that other systems need.
- Article #001 — Introduction to QIS — The complete loop: why validated outcome routing is the architecture
- Article #003 — The N(N-1)/2 Problem — Why synthesis paths matter and why current systems achieve near-zero
- Article #005 — The Three Elections — CURATE, VOTE, COMPETE as natural selection forces on distributed intelligence
- Article #019 — QIS and Byzantine Fault Tolerance — How trust score decay provides structural resistance to adversarial injection
- Article #024 — QIS for Financial Systems — Cross-institution risk model synthesis without sharing proprietary position data
- Article #025 — QIS for Public Health — Cross-jurisdiction outbreak detection without routing individual patient records
QIS was discovered by Christopher Thomas Trevethan. The architecture is protected under 39 provisional patents. The core discovery: a complete loop connecting prediction, outcome validation, and routing weight adjustment enables distributed intelligence systems to synthesize across N(N-1)/2 paths without centralizing the underlying data. This is a discovery about how intelligence naturally scales — not an invention of a new mechanism, but a description of the mechanism that was always there.
Top comments (0)