Glemad

    Coordinated Defense Agents

    CDA is a multi-agent architecture that extends Autonomous Defense Transformers to operate as distributed, collaborative defensive systems. It defines formal protocols for inter-agent communication, shared state construction, collective reasoning, and consensus-based action coordination.

    Why single-model defense fails at scale

    Modern digital infrastructure spans heterogeneous domains: cloud control planes, identity systems, network fabrics, endpoint fleets, and application layers. A compromised identity may lead to cloud privilege escalation, network lateral movement, endpoint persistence, and data exfiltration, all within minutes.

    Single-model defensive systems excel at reasoning within bounded contexts but face structural limitations when operating at scale. A single model cannot maintain deep expertise across all domains simultaneously, nor can it coordinate simultaneous actions across distributed environments while maintaining causal consistency and rollback guarantees.

    Effective defense requires interpreting signals across the entire attack trajectory and coordinating containment actions that address all persistence mechanisms simultaneously. Partial containment that addresses only one domain while missing others leaves the attacker with continued access.

    Design principles

    01

    Specialization with coordination

    Each CDA agent maintains deep expertise in a specific infrastructure domain. Agents coordinate through explicit protocols that enable collective reasoning without requiring each agent to maintain full cross-domain knowledge. Specialization enables depth; coordination enables breadth.

    02

    Shared state construction

    Agents construct shared threat models through structured knowledge exchange. Rather than sharing raw signals, agents exchange interpreted hypotheses, confidence assessments, and expected evidence. Shared state represents collective understanding while preserving domain-specific detail.

    03

    Consensus-based collective reasoning

    Collective threat assessment emerges through consensus protocols. Agents propose hypotheses, evaluate evidence, aggregate confidence, and form shared conclusions. Dissent is preserved and escalated rather than overridden, maintaining safety through explicit uncertainty.

    04

    Coordinated distributed actuation

    Response actions are coordinated through delegation protocols that ensure temporal ordering, causal consistency, and rollback capability. Action plans are validated collectively before execution, with domain-specific agents responsible for local actuation.

    05

    Bounded collective autonomy

    The collective operates within bounds defined by organizational policy. Consensus requirements, quorum thresholds, and escalation protocols ensure that collective autonomy remains constrained and accountable.

    System architecture

    01

    Agent specialization layer

    Each CDA agent is an ADT instance with domain-specific training, local signal ingestion, domain hypothesis formation, and local actuation capabilities. Agent types include Identity, Cloud, Network, Endpoint, and Application agents.

    02

    Coordination infrastructure

    Provides communication primitives: an agent registry for discovery and capability advertisement, a structured message bus, protocol enforcement with message validation and sequencing guarantees, and failure detection with health monitoring and partition handling.

    03

    Shared memory layer

    Maintains collective state: an entity graph of cross-domain relationships, collective threat hypotheses with agent contributions, coordinated action plans with agent assignments, and evidence bundles linking observations to collective decisions.

    04

    Collective reasoning layer

    Implements consensus protocols for hypothesis proposal, evidence sharing, confidence aggregation, consensus formation, and dissent handling. Shared threat models emerge from agreement protocols while preserving minority assessments.

    05

    Distributed actuation layer

    Coordinates response execution through collective action planning, delegation to domain-specific agents, temporal sequencing for causal consistency, execution monitoring with progress tracking, and rollback coordination when needed.

    06

    Governance layer

    Maintains system integrity through agent lifecycle management, consistent policy distribution, accountability mapping that attributes decisions to contributing agents, and override protocols for human intervention and emergency controls.

    Agent specialization

    Identity Agent

    User and service account behavior, authentication patterns, and privilege usage.

    Cloud Agent

    IAM policies, resource configurations, and control plane activity.

    Network Agent

    Flow patterns, connection anomalies, and lateral movement indicators.

    Endpoint Agent

    Process behavior, file system activity, and execution patterns.

    Application Agent

    API usage, data access patterns, and business logic anomalies.

    Multi-agent threat model

    Agent compromise

    Attackers may compromise individual agents through supply chain attacks, runtime exploitation, credential compromise, or signal source manipulation. Compromised agents may emit false hypotheses, suppress legitimate threats, or manipulate consensus.

    Consensus manipulation

    Attackers may attempt to manipulate collective decisions by flooding false hypotheses, exploiting confidence aggregation, targeting dissent suppression mechanisms, or manipulating quorum requirements.

    Coordination interference

    Attackers may interfere with agent coordination through network partitioning, message delay or reordering, protocol exploitation, or resource exhaustion designed to degrade coordination performance.

    Cascade failures

    Attackers may trigger cascades by exploiting action dependencies to cause rollback cascades, triggering false positives that consume collective attention, creating conflicting hypotheses that prevent consensus, or exploiting recovery procedures.

    CDA mitigates these threats through agent heterogeneity with diverse implementations and failure modes, quorum requirements that prevent unilateral decisions, dissent preservation that escalates rather than overrides disagreement, and maintained human oversight with intervention and override capability.

    Consensus and safety boundaries

    Collective confidence in threat hypotheses emerges through weighted aggregation of agent assessments, with each agent contributing confidence weighted by domain relevance. Aggregate confidence includes uncertainty bounds reflecting variance in agent assessments, limited participation, and conflicting evidence.

    Valid consensus requires minimum participation through absolute quorum, domain quorum ensuring relevant agents are represented, and health quorum requiring participating agents to pass health checks. Quorum failures result in explicit uncertainty and escalation.
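
    The aggregation and quorum rules from the two paragraphs above, as an added Python sketch (not code from the CDA paper or from Glemad). The thresholds, the agent names, the use of a weighted standard deviation as the uncertainty bound, and the reading of health quorum as "unhealthy agents do not vote" are all assumptions.

```python
from dataclasses import dataclass
from math import sqrt

@dataclass
class Assessment:
    agent: str          # constructed agent name
    domain: str         # identity, cloud, network, endpoint, application
    confidence: float   # agent's confidence in the hypothesis, 0..1
    relevance: float    # domain-relevance weight for this hypothesis
    healthy: bool       # outcome of the agent's health check

# Assumed policy values: the page names the quorum types but gives no numbers.
MIN_AGENTS = 3      # absolute quorum
ACCEPT_AT = 0.7     # aggregate confidence needed to accept the hypothesis
DISSENT_GAP = 0.3   # distance from the aggregate that counts as dissent

def evaluate(assessments, required_domains):
    """Aggregate one hypothesis; escalate on quorum failure or dissent."""
    # Health quorum (assumed reading): unhealthy agents do not vote.
    voters = [a for a in assessments if a.healthy and a.relevance > 0]
    reasons = []
    if len(voters) < MIN_AGENTS:
        reasons.append("absolute quorum not met")
    missing = sorted(set(required_domains) - {a.domain for a in voters})
    if missing:
        reasons.append("domain quorum missing: " + ", ".join(missing))
    if not voters:
        return {"decision": "escalate", "confidence": None,
                "uncertainty": None, "dissent": [], "reasons": reasons}
    total = sum(a.relevance for a in voters)
    mean = sum(a.confidence * a.relevance for a in voters) / total
    # Uncertainty bound: relevance-weighted standard deviation of the votes.
    spread = sqrt(sum(a.relevance * (a.confidence - mean) ** 2 for a in voters) / total)
    dissent = [a.agent for a in voters if abs(a.confidence - mean) > DISSENT_GAP]
    if dissent:
        reasons.append("dissent: " + ", ".join(dissent))
    # Any quorum failure or dissent escalates; the majority never overrides it.
    decision = "escalate" if reasons else ("accept" if mean >= ACCEPT_AT else "reject")
    return {"decision": decision, "confidence": round(mean, 3),
            "uncertainty": round(spread, 3), "dissent": dissent, "reasons": reasons}

# Constructed sample: three healthy agents and one that failed its health check.
SAMPLE = [
    Assessment("identity-1", "identity", 0.9, 1.0, True),
    Assessment("cloud-1", "cloud", 0.8, 0.8, True),
    Assessment("network-1", "network", 0.7, 0.5, True),
    Assessment("endpoint-1", "endpoint", 0.2, 0.2, False),
]
print(evaluate(SAMPLE, {"identity", "cloud"}))
```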

    Distributed actions maintain causal consistency through dependency graphs, effect verification, and rollback coordination that respects causal dependencies. Blast radius is contained through domain limits, collective impact assessment, and emergency stop mechanisms.
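
    A sketch of dependency-ordered actuation with effect verification and rollback, added here as an example (not code from the CDA paper or from Glemad). The action names, the plan, and the `apply`/`verify`/`undo` callbacks standing in for domain agents are assumptions.

```python
from graphlib import TopologicalSorter

# Constructed plan: each action maps to the actions that must succeed first.
PLAN = {
    "identity.revoke_sessions": set(),
    "cloud.detach_role": {"identity.revoke_sessions"},
    "network.block_egress": set(),
    "endpoint.isolate_host": {"cloud.detach_role", "network.block_egress"},
}

def run_plan(plan, apply, verify, undo):
    """Apply actions in dependency order; undo in reverse if an effect check fails."""
    order = list(TopologicalSorter(plan).static_order())  # CycleError on a cyclic plan
    applied = []
    for action in order:
        apply(action)
        applied.append(action)
        if not verify(action):
            # Reverse execution order undoes every dependent before its dependency.
            undone = list(reversed(applied))
            for step in undone:
                undo(step)
            return {"status": "rolled_back", "failed": action, "undone": undone}
    return {"status": "completed", "executed": applied}

def simulate(plan, failing=()):
    """Drive run_plan with in-memory stand-ins for the domain agents."""
    state = set()   # actions whose effect is currently in place
    result = run_plan(
        plan,
        apply=lambda a: state.add(a),
        verify=lambda a: a in state and a not in failing,
        undo=lambda a: state.discard(a),
    )
    result["active"] = sorted(state)
    return result

if __name__ == "__main__":
    print(simulate(PLAN))
    print(simulate(PLAN, failing={"endpoint.isolate_host"}))
```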

    Evaluation framework

    Coordination correctness

    Detection accuracy, consensus alignment with ground truth, and effectiveness of coordinated responses.

    Consensus latency

    Duration from initial detection to collective assessment, scaling characteristics with agent count, and failure recovery time.

    Response scalability

    Action coordination latency, execution parallelism while maintaining consistency, and communication overhead.

    Adversarial resilience

    Ability to detect compromised agents, robustness against consensus manipulation, and performance under network attacks.

    Explore the research

    Read the full CDA research paper for a complete treatment of the multi-agent architecture, coordination protocols, consensus mechanisms, and safety boundaries.