The external API follows the same core model as the internal Intrace events investigation stack.

End-to-end flow

1. Assets

Each asset carries coordinates and monitoring configuration. The platform uses those inputs to decide which candidate events are relevant enough to evaluate.

2. Radius and category matching

Category-specific threat radii are applied per asset. This mirrors the internal case_threat_radius configuration and the default per-category distance model used by the EP threat engine. Example categories include:
  • armed conflict
  • crime or violence
  • transport
  • infrastructure
  • fire hazard
  • weather
  • geological
  • cyber attack

3. Threat evaluation

Candidate events are filtered, deduplicated, scored, and evaluated into canonical threats. Each resulting threat may include:
  • severity
  • status
  • risk level
  • likelihood and impact dimensions
  • source attribution
  • affected assets by proximity

4. Alerts

Alert rules evaluate new or updated threats and emit alert rows when thresholds match. Rules can filter by:
  • severity
  • asset IDs
  • threat types
  • max distance from asset
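Steps 2 and 4 can be sketched together as an added example (not Intrace code): per-category radius matching by great-circle distance, then alert-rule filtering. The field names, the severity ordering, the treatment of severity as a minimum threshold, and all radii and coordinates are assumptions constructed for illustration.

```python
import math

# Constructed default radii (km) per category; the platform's real defaults are not on the page.
DEFAULT_RADIUS_KM = {"armed conflict": 50.0, "fire hazard": 10.0, "weather": 100.0}
SEVERITIES = ["low", "medium", "high", "critical"]  # assumed ordering

# Constructed assets: coordinates plus a per-asset radius override (assumed field names).
ASSETS = [
    {"id": "hq", "lat": 52.5200, "lon": 13.4050, "radius_km": {}},
    {"id": "depot", "lat": 52.3906, "lon": 13.0645, "radius_km": {"fire hazard": 40.0}},
]
THREAT = {"category": "fire hazard", "severity": "high", "lat": 52.50, "lon": 13.45}
RULE = {"min_severity": "high", "threat_types": ["fire hazard"], "max_distance_km": 5.0}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def affected_assets(threat, assets):
    """Step 2: (asset_id, distance_km) for each asset whose category radius covers the threat."""
    hits = []
    for a in assets:
        cat = threat["category"]
        radius = a["radius_km"].get(cat, DEFAULT_RADIUS_KM.get(cat))
        if radius is None:  # no radius configured for this category: never matches
            continue
        d = haversine_km(a["lat"], a["lon"], threat["lat"], threat["lon"])
        if d <= radius:
            hits.append((a["id"], d))
    return hits

def rule_matches(rule, threat, asset_id, distance_km):
    """Step 4: apply the four filters; a filter absent from the rule does not restrict."""
    if SEVERITIES.index(threat["severity"]) < SEVERITIES.index(rule.get("min_severity", "low")):
        return False
    if "asset_ids" in rule and asset_id not in rule["asset_ids"]:
        return False
    if "threat_types" in rule and threat["category"] not in rule["threat_types"]:
        return False
    return "max_distance_km" not in rule or distance_km <= rule["max_distance_km"]

def alerts_for(threat, assets, rules):
    """Emit one alert row per (rule, asset) pair that passes every filter."""
    return [{"asset_id": aid, "distance_km": round(d, 1), "severity": threat["severity"]}
            for aid, d in affected_assets(threat, assets)
            for r in rules if rule_matches(r, threat, aid, d)]
```

Here the depot is matched only because of its 40 km override, and the rule's 5 km cap then drops it again, so a wide monitoring radius does not by itself produce an alert.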

5. Incidents

Incidents group related threats into a higher-level narrative. They are useful when multiple threats describe one evolving situation.

6. Reports

Reports are generated from:
  • a single threat
  • a single incident
  • a time-bounded landscape over all or some assets

7. Event intelligence layer

Not every client wants only asset-linked threats. The event-intelligence endpoints expose the broader event corpus for search, map layers, and aggregate analytics.