As discussed in our previous blogs, NACE™ is an implementation of the Intent-Based Threat Prevention™ detection category, which was designed to address AI-generated attacks from first principles. AI-generated attacks continuously mutate evasion techniques, generate dynamic phishing pages, produce variations of exploit code, and craft endless BEC conversation variants that bypass traditional binary classifiers.
The Intent-based prevention™ detection category addresses these AI-generated attacks from first principles by not relying on exploitation-stage features to detect malware, landing pages to detect phishing, or human-behavior analytics to detect BEC.
Patented NACE™, an implementation of the Intent-Based Threat Prevention™ detection category, leverages generative and predictive AI to determine the intent behind every communication, then applies deep contextual reasoning with features from attachments, call-to-action URLs, and SMTP headers within a cognitive engine to deliver precise, explainable verdicts.
This blog provides a deep dive into the NACE™ core technology, describing how AI models derive intent and use contextual reasoning to drive threat detection.
Contextual Reasoning
To build such a system, as a first step, we designed a framework to extract semantic and thematic meaning from historical emails used by threat actors to deliver malicious attachments and URLs.
Architecture used to extract semantic and thematic meaning from emails
The text of historical emails used by threat actors was extracted, processed, and represented using a pre-trained embedding model, BGE-M3, to obtain dense vector representations of the content. To optimize clustering performance, the dimensionality of these embeddings was reduced, facilitating more efficient processing. Among several clustering algorithms tested, OPTICS (Ordering Points to Identify the Clustering Structure) was chosen to group the reduced embeddings based on their semantic similarity. Representative keywords for each cluster were derived using class-based Term Frequency-Inverse Document Frequency (c-TF-IDF), a modification of standard TF-IDF that treats each cluster as a single document. This method effectively captures the most relevant terms for each topic. Lastly, the semantic meanings of the clusters were extracted using Phi-3-Mini-4K-Instruct, a model designed for generating and refining semantic representations.
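The keyword step described above, as an added example that is not NACE™ code: it computes c-TF-IDF over emails that already carry cluster labels. The weighting tf × log(1 + A / f_t) is the BERTopic formulation and is an assumption here, since the page does not give the formula; the emails, labels and stopword list are constructed, with the labels standing in for OPTICS output.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample: (cluster label, email text). Labels stand in for OPTICS
# output on reduced embeddings; -1 is the label OPTICS gives to noise points.
EMAILS = [
    (0, "Invoice attached, please review the invoice and confirm payment today"),
    (0, "Overdue invoice: payment required, see attached invoice"),
    (1, "Your mailbox password expires today, verify your password now"),
    (1, "Action required: verify mailbox credentials to keep your password"),
    (-1, "Lunch on Friday?"),
]
STOPWORDS = {"the", "and", "your", "to", "please", "see", "now", "on", "a"}

def tokenize(text):
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]

def ctfidf(labelled_texts):
    """Return {cluster: {term: weight}}, treating each cluster as one document."""
    tf = defaultdict(Counter)
    for label, text in labelled_texts:
        if label == -1:  # noise points belong to no topic
            continue
        tf[label].update(tokenize(text))
    total = Counter()  # f_t: frequency of each term across all clusters
    for counts in tf.values():
        total.update(counts)
    avg_words = sum(total.values()) / len(tf)  # A: average words per cluster
    weights = {}
    for label, counts in tf.items():
        n = sum(counts.values())
        weights[label] = {
            t: (c / n) * math.log(1 + avg_words / total[t])
            for t, c in counts.items()
        }
    return weights

def top_terms(labelled_texts, k=3):
    """Top-k keywords per cluster; ties are broken alphabetically."""
    return {
        label: [t for t, _ in sorted(s.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]
        for label, s in ctfidf(labelled_texts).items()
    }
```

Terms that occur in both clusters ("today", "required") score below terms unique to one cluster, which is what makes the top keywords usable as topic descriptors for the labelling model.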
Once semantic and thematic meaning was extracted from historical email data, we generated knowledge from SMTP headers, inferred intent, attachment characteristics, and embedded URLs, capturing the relationships between them that indicate whether an attachment or URL is malicious or benign. This knowledge was then used to develop a contextual reasoning engine, whose inferential knowledge can be represented as a contextual graph (Figure 2.0). The graph enables the system to reason over relationships across four email dimensions rather than evaluating attachments or URLs in isolation.
By representing the engine’s inferential knowledge as a contextual graph, NACE™ can derive precise malicious or benign verdicts for attachments and URLs, with nodes capturing distinct semantic or structural entities and edges encoding their contextual and causal relationships.
An example of Contextual Reasoning Graph between Header, Intent, SVG attachment and URLs
By modeling relationships derived from SMTP headers, inferred intent, attachment characteristics, and embedded URLs as a contextual graph, a unified and explicit representation of email communication artifacts is created. In this graph, nodes capture distinct semantic or structural entities (e.g., sender identity, intent class, attachment characteristics, URL characteristics), while edges encode their contextual and causal relationships. Representing knowledge in this way decouples feature extraction from decision logic, enabling multiple inference strategies to operate over the same underlying graph structure.
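A minimal sketch of the decoupling described above, as an added example that is not NACE™ code: one graph for a single email, and two independent decision strategies reading it. Node names, attributes, edge relations, rule logic and point values are all hypothetical.

```python
# Constructed graph for one email. The schema is hypothetical, not NACE's.
NODES = {
    "header":     {"type": "header", "spf": "fail", "reply_to_mismatch": True},
    "intent":     {"type": "intent", "label": "credential_request"},
    "attachment": {"type": "attachment", "format": "svg", "has_script": True},
    "url":        {"type": "url", "has_login_form": True},
}
EDGES = [
    ("header", "sent_with", "intent"),
    ("intent", "delivered_via", "attachment"),
    ("attachment", "redirects_to", "url"),
]

def neighbours(edges, src, relation):
    return [dst for s, rel, dst in edges if s == src and rel == relation]

def policy_verdict(nodes, edges):
    """Deterministic rule: flag only when the relationships line up end to end."""
    for name, node in nodes.items():
        if node["type"] != "intent" or node["label"] != "credential_request":
            continue
        for att in neighbours(edges, name, "delivered_via"):
            if not nodes[att].get("has_script"):
                continue
            for url in neighbours(edges, att, "redirects_to"):
                if nodes[url].get("has_login_form"):
                    return "malicious", [name, att, url]  # the path is the explanation
    return "benign", []

def score_verdict(nodes, edges, threshold=7):
    """Second strategy, same graph: additive evidence points (made-up values)."""
    points = {"spf": ("fail", 2), "reply_to_mismatch": (True, 1),
              "has_script": (True, 3), "has_login_form": (True, 3)}
    linked = {n for s, _, d in edges for n in (s, d)}  # nodes tied in by an edge
    score = sum(p for n in linked for key, (val, p) in points.items()
                if nodes[n].get(key) == val)
    return ("malicious" if score >= threshold else "benign"), score
```

Passing `EDGES[:2]` drops the attachment-to-URL relationship while leaving every node attribute unchanged, and both strategies then return a benign verdict: the decision depends on the relationships, not on the URL or attachment features in isolation.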
Decision making approaches in NACE™
This design enables several complementary patented and patent-pending decision-making approaches in NACE™, which are discussed below.
By treating the contextual graph as a first-class abstraction, NACE™ supports deterministic, probabilistic, and adaptive reasoning within a single architecture—without rebuilding the detection pipeline for each analytical approach.
Overall, this approach allows NACE™ to integrate symbolic, statistical, and agent-based reasoning in a flexible and extensible manner.
Conclusion
NACE™, an implementation of the Intent-Based Threat Prevention™ detection category, illustrates how contextual reasoning can transform email security. By moving beyond isolated feature analysis of attachments and URLs, NACE™’s inference engine captures the intent behind each communication, linking it with SMTP headers, attachment structures, and URL behavior to generate precise malicious or benign verdicts, which are represented in a unified contextual graph. This representation enables multiple reasoning strategies—policy-based, GNN-driven, small language model embeddings, and agent-based decision-making—to detect AI-generated attacks, sophisticated phishing campaigns, and evolving BEC threats with both precision and explainability.
Ultimately, contextual reasoning positions NACE™ not just as a reactive defense, but as a proactive platform capable of understanding and anticipating threats from first principles. By integrating symbolic, statistical, and adaptive reasoning in a single architecture, NACE™ sets a new standard for intelligent, scalable, and resilient threat prevention in the modern email landscape.