AI-Driven Threat Intelligence: OSINT, XDR Integration, and Local LLM Processing

This project at Leargas has been a six-year journey that evolved to match a rapidly shifting threat landscape. Here is an overview of our progression from standalone intelligence to local vLLM processing.

Phase 1: Standalone CIRCL AIL — Discovery at Scale

Six years ago, we deployed CIRCL AIL as a standalone engine to address a lack of visibility into external leaks. Our focus was on:

– Discovery: Identifying credentials, PII, API keys, and documents across the clear and dark web.

– Monitoring: Tracking paste sites, forums, and onion services.

– Early Warning: Alerting organizations when sensitive data surfaced.

While a significant step forward, standalone AIL remained siloed, requiring manual correlation and lacking automated actionability.

Phase 2: Full Leargas XDR Integration — Context and Correlation

We subsequently embedded AIL directly into the Leargas XDR platform. This transformed findings into high-fidelity signals that are:

– Scoped: Isolated by customer via CLI.

– Correlated: Integrated with identity, endpoint, cloud, email, and network telemetry.

– Prioritized: Tracked over time and weighted against real-time attack activity.

By shifting from simple discovery to organizational relevance, we moved beyond reporting leaked credentials to identifying active, high-risk security events.

Phase 3: Local vLLM Processing — Private Intelligence

To ensure customer data never leaves our environment, we built local vLLM inference infrastructure. This allows for:

– Local Processing: Findings are cleaned, normalized, and scored entirely offline.

– Privacy: No third-party AI or public APIs interact with customer content.

– Explainable Intelligence: Raw data is converted into actionable narratives for both executives and operators.

Conceptual Evolution

Over the last six years, our focus shifted from tools to outcomes:

– Standalone AIL: Discovery

– Integrated AIL: Relevance

– vLLM Processing: Understanding

We built a robust intelligence pipeline first, applying AI only where it provides genuine value. The result is a system that respects privacy, reduces noise, and supports informed decision-making.

Six years in, this is no longer an experiment—it is how Leargas operates.