Intelligence Overview
Understand BlockSecOps's ML-powered security intelligence features.
What Is the Intelligence Layer?
The Intelligence Layer is a machine learning system that enhances scan results through:
- Deduplication - Consolidating identical findings from multiple scanners
- Risk Scoring - Prioritizing findings by actual risk
- Enrichment - Adding context and recommendations
- Pattern Matching - Linking to known vulnerability patterns
Why Intelligence Matters
The Problem
Running 17+ scanners generates a lot of findings:
- Many duplicates across scanners
- All marked as "High" by different scanners
- No guidance on what to fix first
- Raw findings need interpretation
The Solution
The Intelligence Layer:
- Reduces noise by 60-80%
- Provides actionable prioritization
- Adds expert context
- Saves hours of triage time
Key Features
Cross-Scanner Deduplication
When multiple scanners find the same issue, you see one finding with all sources listed.
Before (without deduplication):
- Finding from Slither: Reentrancy
- Finding from Aderyn: Reentrancy
- Finding from SolidityDefend: Reentrancy
After (with deduplication):
- Reentrancy vulnerability (found by Slither, Aderyn, SolidityDefend)
ML Risk Scoring
Each finding gets a 0-100 risk score based on:
- Exploitability
- Impact
- Confidence
- Context
Higher scores = higher priority.
Vulnerability Enrichment
Findings are enriched with:
- Detailed explanations
- Real-world examples
- Code fix templates
- Reference links
Pattern Database
397+ vulnerability patterns cataloged:
- Standardized classifications
- SWCR/CWE mappings
- Historical data
- Remediation guidance
Availability
| Plan | Intelligence Features |
|---|---|
| Free | None |
| Developer | Basic deduplication, basic scoring |
| Startup | Full deduplication, ML scoring, enrichment |
| Professional | All features + false positive detection |
| Enterprise | All features + custom patterns |
How It Works
Processing Flow
Scanners Complete → Collect Findings → Intelligence Engine → Deduplicate → Enrich → Score → Present Results
Processing Time
Intelligence processing adds ~5-10 seconds after scanners complete.
Behind the Scenes
The Intelligence Engine:
- Normalizes scanner outputs
- Computes fingerprints for each finding
- Matches across scanners
- Queries pattern database
- Applies ML models
- Generates scores and enrichments
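The normalize, fingerprint and match steps above can be sketched as follows. This is an added example, not BlockSecOps's implementation: the record shape, the alias table, the fingerprint fields and the sample findings are all assumptions constructed for illustration.

```python
import hashlib
import posixpath

# Hypothetical alias table: scanner-specific labels -> one canonical class.
CANONICAL_CLASS = {
    "reentrancy": "reentrancy",
    "reentrancy-eth": "reentrancy",
    "reentrancy vulnerability": "reentrancy",
    "unchecked low-level call": "unchecked-call",
}

def normalize(raw):
    """Map one scanner record onto a common shape (assumed fields)."""
    label = raw["title"].strip().lower()
    return {
        "scanner": raw["scanner"],
        "vuln_class": CANONICAL_CLASS.get(label, label),
        # "./contracts/Vault.sol" and "contracts\Vault.sol" must compare equal.
        "file": posixpath.normpath(raw["file"].replace("\\", "/")),
        # Drop the signature so "withdraw(uint256)" matches "withdraw".
        "function": raw["function"].split("(")[0].strip(),
        "line": raw["line"],
    }

def fingerprint(f):
    """Hash only the fields that identify the issue. Scanner name and line are
    left out: tools often report different lines inside the same function."""
    key = "|".join((f["vuln_class"], f["file"], f["function"]))
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def deduplicate(raw_findings):
    """Merge findings that share a fingerprint, keeping every source scanner."""
    merged = {}
    for f in map(normalize, raw_findings):
        entry = merged.setdefault(fingerprint(f), {
            "vuln_class": f["vuln_class"], "file": f["file"],
            "function": f["function"], "sources": [], "lines": []})
        if f["scanner"] not in entry["sources"]:
            entry["sources"].append(f["scanner"])
        entry["lines"].append(f["line"])
    return list(merged.values())

# Constructed sample records; these are not the tools' real output formats.
FIELDS = ("scanner", "title", "file", "function", "line")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("Slither", "reentrancy-eth", "./contracts/Vault.sol", "withdraw(uint256)", 42),
    ("Aderyn", "Reentrancy", "contracts/Vault.sol", "withdraw", 40),
    ("SolidityDefend", "Reentrancy vulnerability", "contracts\\Vault.sol", "withdraw", 42),
    ("Slither", "reentrancy-eth", "contracts/Vault.sol", "emergencyExit()", 77),
    ("Aderyn", "Unchecked low-level call", "contracts/Vault.sol", "withdraw", 44),
]]
```

Five raw records collapse to three findings: the `withdraw` reentrancy is reported once with all three sources, while the reentrancy in `emergencyExit` and the unchecked call in `withdraw` stay separate because their function or class differs.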
Model Training & Continuous Learning
The Intelligence Layer improves over time through continuous learning.
How Training Works
The false positive classifier learns from labeled findings:
- Label Findings - Mark vulnerabilities as "True Positive" or "False Positive"
- Model Learns - Patterns extracted from labeled data
- Accuracy Improves - Better predictions with more labels
Training Requirements
| Samples | Result |
|---|---|
| < 50 | Cannot train |
| 50-199 | Basic model (may have lower accuracy) |
| 200+ | Full training with cross-validation |
Continuous Improvement
The system automatically:
- Tracks new labels since last training
- Triggers retraining when threshold reached (default: 100 labels)
- Updates model version with improved accuracy
What Gets Learned
The model learns from 30 features including:
- Scanner signals - Which scanners found it, confidence levels
- Code context - Test files, access modifiers, function visibility
- Pattern history - Known false positive patterns for this vulnerability type
Enterprise Custom Training
Enterprise plans can:
- Train on organization-specific patterns
- Adjust retraining thresholds
- Access model performance metrics
Tip: The more findings you label, the more accurate the false positive detection becomes for your specific codebase patterns.
Benefits
For Developers
- Less noise to wade through
- Clear priorities
- Actionable recommendations
For Security Teams
- Faster triage
- Consistent scoring
- Pattern recognition
For Enterprises
- Reduced false positive rates
- Custom pattern integration
- Audit-ready reports
Feature Deep Dives
| Feature | Description | Guide |
|---|---|---|
| Deduplication | Consolidates duplicate findings | Deduplication |
| Risk Scoring | ML-powered prioritization | Risk Scoring |
| Prioritization | Smart fix ordering | Prioritization |
| False Positives | ML-assisted FP detection | False Positives |
FAQ
Q: Does intelligence slow down scans?
A: It adds only 5-10 seconds after scanners complete.
Q: Can I disable intelligence features?
A: Yes. Toggle in scan settings.
Q: How accurate is the risk scoring?
A: Our ML models are trained on millions of findings and reach ~85% accuracy.
Q: Are custom patterns available?
A: Yes, on Enterprise plans.
Next Steps
- Deduplication - Cross-scanner consolidation
- Risk Scoring - Understanding scores
- Prioritization - Fix ordering