TALOS SERVICES GROUP
Global Reach · Intelligence · Response
Guardian — Online · Build v2.1.4 · Feeds 247 · Cortex p50 217 ms · Intel Window 2026·04·22 / 14:02 UTC
04 / Technology — Guardian Platform · Cortex Decision Engine
Talos Guardian v2.1

The operations platform behind every engagement.

Guardian ingests surveillance, access control, protective intelligence, and geopolitical feeds; correlates them through the Cortex decision engine; and hands the watch floor — human or client — a ranked action in a median of 217 milliseconds. Every engagement runs through it.

guardian.talos.ops / console / theater-07
Feeds 247 · Ingest 42k/s · Cortex p50 217 ms · LIVE

Event Stream · 12 last minute

  • P0 · Perimeter Breach · 14:02:47: Unauthorized vehicle — Gate 04, Kirkuk OFA (Access control + camera fusion · 94% conf.)
  • P1 · Crowd Anomaly · 14:02:31: Dispersion pattern — Plaza, ZONE B (Video analytics · 81% conf.)
  • P2 · Geopolitical · 14:01:58: Port closure rumored — Basra (OSINT · 2 source corroboration)
  • P2 · Protective Intel · 14:01:12: Named subject sighted — social media (Geofence match · 2.4 km from principal)
  • OK · Check-in · 14:00:03: Convoy 07 — waypoint 4 clear (GPS · on route)

Theater 07 · Personnel 18 · Assets 34
P0 · KIRKUK OFA PERIMETER · 14:02:47 HQ · MIAMI DESK · LIVE DETAIL · JAKARTA EP-04 · ON-ROUTE CONVOY · 07 WP-04 · CLEAR
Cortex Decision Trace · p50 · 217 ms
INC-20260422-0047 · P0
Perimeter breach, Kirkuk OFA, Gate 04

  • 01 Ingest: Badge read + camera event + radar hit (3 sources · 42 ms)
  • 02 Correlate: Cross-source fusion · temporal + spatial align (confidence 94% · 68 ms)
  • 03 Enrich: Vehicle not on manifest · unknown plate (matched 0 / 218 expected · 54 ms)
  • 04 Score: Threat score 0.87 — exceeds P0 threshold (historical baseline 0.12 · 53 ms)

Recommended Action: Lockdown Gate 04 · Dispatch QRF-02
Auto-notify watch commander · Stand up command channel · Hold alert until human ack.
  • 01 Ingest · 42 ms
  • 02 Normalize · 8 ms
  • 03 Enrich · 54 ms
  • 04 Correlate · 68 ms
  • 05 Score · 53 ms
  • 06 Action · — ack.

  • 217ms · Cortex Median Latency
  • 247 · Feed Sources
  • 42k/s · Events Ingested · Peak
  • 94 · Countries Covered

01 / Overview — What Guardian Is

One operational picture across every discipline.

Guardian is not a dashboard bolted onto a security service. It is the spine of how we run engagements — the same platform that presents a P0 breach to a watch commander also presents a protective-intelligence daily brief to an EP detail lead, a compliance artifact to an investigator, and a theater map to a client executive. The data is shared; the views are role-specific.

02 / Decision Engine — Cortex

Six stages. Median 217 ms. One audit trail.

Cortex is the pipeline inside Guardian that turns raw feeds into a ranked action. Every stage is logged with its inputs, latency, and confidence — so a decision can be replayed, audited, or tuned against ground truth.

Stage 01 · Ingest

Every signal, one bus.

247 feed sources normalized into a single event bus — surveillance, access control, GPS, OSINT, government warnings, and client systems.

  • Streaming + batch connectors
  • 42k events/sec peak throughput
  • At-least-once with idempotent keys

Stage 02 · Normalize

One vocabulary across sources.

Events are projected onto a shared schema — time, actor, location, sensor, disposition — so downstream logic doesn't fight vendor formats.

  • Schema-on-read with versioned mappings
  • Source provenance preserved
  • Median normalize 8 ms

Stage 03 · Enrich

Context attached at the event.

Each event is joined against relevant context — manifests, watchlists, travel plans, geopolitical posture, and historical baselines.

  • Manifest + watchlist joins
  • Geopolitical overlay (country / region)
  • Per-principal baseline history

Stage 04 · Correlate

Related events fused into one incident.

Temporal and spatial fusion across sensors — so three signals describing the same event become one incident, not three alerts.

  • Time-window + geofence fusion
  • Cross-source confidence scoring
  • Median correlate 68 ms
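
A sketch of time-window plus geofence fusion as described for this stage, added here as an illustration and not Talos code. The `Event` fields, the 10 s window, the 50 m radius and the noisy-OR confidence rule are all assumptions; the sample events are constructed.

```python
import math
from dataclasses import dataclass

@dataclass
class Event:
    source: str   # sensor family: "badge", "camera", "radar"
    ts: float     # seconds since epoch
    lat: float
    lon: float
    conf: float   # per-source confidence in [0, 1]

def distance_m(a, b):
    """Haversine great-circle distance in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def correlate(events, window_s=10.0, radius_m=50.0):
    """Join each event to the first incident that is recent and nearby."""
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        for inc in incidents:
            recent = ev.ts - inc[-1].ts <= window_s
            if recent and any(distance_m(ev, o) <= radius_m for o in inc):
                inc.append(ev)
                break
        else:
            incidents.append([ev])  # nothing matched: open a new incident
    return incidents

def fused_confidence(incident):
    """Noisy-OR over the best reading per distinct source, so one chatty
    sensor repeating itself cannot inflate the fused score."""
    best = {}
    for e in incident:
        best[e.source] = max(best.get(e.source, 0.0), e.conf)
    miss = 1.0
    for c in best.values():
        miss *= 1.0 - c
    return 1.0 - miss

# Constructed sample: three sensors at one gate, plus an unrelated camera hit ~1.1 km away.
SAMPLE = [
    Event("badge", 0.0, 10.0000, 20.0000, 0.6),
    Event("camera", 2.0, 10.0001, 20.0001, 0.7),
    Event("camera", 3.0, 10.0100, 20.0000, 0.8),
    Event("radar", 4.0, 10.0002, 20.0000, 0.5),
]
```

Running `correlate(SAMPLE)` yields two incidents: the three gate signals fused into one, and the distant camera hit on its own.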

Stage 05 · Score

Threat score with published thresholds.

Each incident receives a numeric score against client-specific thresholds — P0/P1/P2/OK — with explicit reason codes and historical comparison.

  • Per-client thresholding
  • Reason codes attached
  • Baseline comparison returned

Stage 06 · Action

Ranked action, held until ack.

Cortex recommends; humans decide. The watch floor gets a ranked action with its reasoning and triggers for escalation — nothing automated without acknowledgment.

  • Human-in-the-loop by default
  • Escalation paths pre-bound
  • Full replay + audit trail

03 / Validation — Shadow Mode Results

Validated against live operations before it ships.

New Cortex logic runs in Shadow Mode — scoring the same events a human analyst is already working, producing the same decision artifacts, but never firing actions. Ground truth is collected on both sides. Logic only promotes to production when Shadow Mode clears a fixed bar.

Shadow Mode · 12-week window · 1 theater

Measured uplift, against a human-analyst baseline.

In the most recent validation window, Shadow Mode processed the same incident stream as the human watch floor in parallel. All three metrics below are ratios against that baseline — not vendor benchmarks.

Baseline · live human analyst watch · redacted theater
  • +93% Detection Uplift: Incidents caught that the human-analyst baseline missed or flagged late
  • 96% Faster MTTD: Mean time-to-detect reduced vs. the human-only baseline
  • −71% False Positives: Alert volume reduction — fewer interruptions for higher-confidence events

04 / Integration Surface — Feeds & Connectors

Built to meet client systems, not replace them.

Guardian integrates rather than displaces. Clients keep their access control vendors, camera manufacturers, and travel tools. Guardian reads the signals, writes to a shared operational picture, and pushes actions back into the system that needs to execute them.

Surveillance

Video & Analytics

Milestone · Avigilon · Genetec · Axis · ONVIF · Hanwha · custom RTSP

Access Control

Identity at the edge

Lenel S2 · Genetec Synergis · Brivo · Johnson Controls · HID · custom Wiegand

Personnel Tracking

Where your people are

Garmin inReach · Iridium Edge · Zello · Traccar · client MDM · duress devices

Travel & TRM

Movements & itineraries

Concur · Sabre feeds · International SOS · Riskline · Dataminr Travel

OSINT & Social

Open-source signal

GDELT · ACLED · Dataminr · Social42 · Telegram monitoring · regional wires

Government & Regulatory

Alerts with authority

State Dept OSAC · FBI InfraGard · DHS NTAS · EU FRONTEX · country MFAs

Identity

SSO for Guardian itself

SAML 2.0 · OIDC · SCIM · Okta · Azure AD · Google Workspace · ADFS

Outbound

Push to action

PagerDuty · Opsgenie · Slack · Teams · SMS · voice · ServiceNow · Jira

05 / Security Posture — How Guardian Protects Its Own

Built like we protect client data.

Guardian holds some of the most sensitive operational data a client trusts us with — principal movements, facility maps, investigation findings. Platform security isn't an afterthought; it is the product.

Encryption at rest and in motion

AES-256 at rest with per-tenant KMS-scoped keys; TLS 1.3 in motion with mutual auth between services. Client data never crosses a tenant boundary.

Zero-trust identity & least privilege

Every action is attributable — personnel, time, source IP, device posture. SCIM-provisioned roles; MFA required on every administrative path.

Immutable audit trail

Every event, every decision, every access — written to append-only storage with cryptographic integrity. Audit export for client compliance teams on request.
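
One way to make a per-stage decision log tamper-evident, as the audit-trail claim here and the Cortex "one audit trail" description call for; this is an added example, not Talos code. The SHA-256 hash chain, the function names and the record layout are assumptions (the page says only "append-only storage with cryptographic integrity"); the stage values are taken from the decision trace shown on this page.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, record):
    """Append a record, binding it to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return log[-1]["hash"]  # new head; store or sign this outside the log

def verify(log, expected_head=None):
    """Return -1 if intact, else the index of the first bad entry.
    A head mismatch (truncation or full rewrite) returns len(log)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        good = _digest(prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], good):
            return i
        prev = entry["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)
    return -1

def build_sample_log():
    """Stage records using the values from the decision trace on this page;
    the record layout itself is constructed for this example."""
    inc = "INC-20260422-0047"
    stages = [
        {"stage": "Ingest", "ms": 42, "sources": 3},
        {"stage": "Correlate", "ms": 68, "confidence": 0.94},
        {"stage": "Enrich", "ms": 54, "manifest_matches": 0},
        {"stage": "Score", "ms": 53, "score": 0.87, "baseline": 0.12},
    ]
    log, head = [], GENESIS
    for s in stages:
        head = append(log, {"incident": inc, **s})
    return log, head
```

A chain on its own cannot reveal tail truncation or a full rewrite by someone with write access to the store, which is why `verify` also accepts a head hash kept or signed outside the log.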

Data residency & tenancy

Single-tenant deployment option for clients with residency requirements. Multi-tenant default runs strict logical isolation with per-tenant crypto.

06 / Deployment — How Clients Consume Guardian

Three ways to run the platform.

Clients engage Guardian through one of three models depending on whether they want Talos operating the watch, their team operating with our tooling, or a fully self-hosted deployment in a regulated environment.

Tier A

Talos-Operated GSOC

Our watch floor runs Guardian on your behalf — 24·7 coverage, full analyst bench, escalation directly to client command.

  • Talos personnel on the console
  • Standard SLAs · 14-hr surge deploy
  • Monthly operational review
  • Standard integration set included

Tier B

Co-Operated

Client watch team operates Guardian with Talos on-call for escalation, tuning, and surge. Training and SOPs included.

  • Client personnel on the console
  • Talos 24·7 escalation backstop
  • Quarterly tune-up & certification
  • Annual audit & program review

Tier C

Self-Hosted / Regulated

Single-tenant deployment in client environment — government cloud, on-prem, or sovereign region. Fullest control; heaviest setup.

  • Single-tenant infrastructure
  • Client-controlled KMS
  • FedRAMP / FIPS alignment path
  • Onboarding 8–14 weeks

Walk the console. Get a scoped brief.

We'll run a live Guardian walkthrough against a scenario that looks like your environment — feeds, a theater, an incident — and return a scoped deployment brief inside one week.