Nonprofits serving susceptible populations sit on the uncomfortable intersection of delicate information, world publicity and restricted safety assets.
Geneva-based Defend.ngo, previously the CyberPeace Institute, helps nonprofit and nongovernmental organizations (NGOs) navigate these challenges with free cybersecurity help. To satisfy its mission, Defend.ngo, itself a nonprofit, should regularly determine and analyze the threats that focus on its almost 700 member organizations — far simpler stated than performed.
The issue: When handbook monitoring is not sufficient
When Defend.ngo began in 2018, its cybersecurity analysts relied on open supply intelligence expertise to trace publicly reported cyberattacks in opposition to the nonprofits in its community. The method concerned manually checking information retailers, darkish net boards, social media and different sources.
“Many [NGOs] have a smaller digital footprint,” stated Miles Collins, a cyberthreat analyst at Defend.ngo. “This could make it harder to detect whether or not they have been focused and to collect sufficient proof for technical attribution.”
With no unified view of the menace panorama dealing with NGOs and different civil society organizations, the work was time-consuming, inconsistent and unwieldy. The outcomes additionally failed to provide Defend.ngo analysts the real-time insights they wanted to correctly analyze and prioritize rising and ongoing safety threats. The size of Defend.ngo’s monitoring actions compounded the problem, with a whole lot of member organizations spanning completely different areas, sectors and working environments.
These challenges however, it was vital that analysts detect assaults rapidly and persistently, each for instantly affected organizations and their friends. A menace surfacing in a single nook of the Defend.ngo community might have implications for numerous different NGOs. Plus, any missed or delayed detections might create gaps within the public information upon which researchers and policymakers rely.
By March 2025, Defend.ngo analysts had manually documented greater than 295,000 threats, 760 vulnerabilities and 1,100 distinct assaults on NGOs — and the menace panorama was solely worsening.
The repair: AI joins the trigger
Across the identical time, Defend.ngo turned to AI to help the efforts of its human analysts. The group deployed Dataminr’s AI-powered menace intelligence platform, which has the next capabilities.
Aggregates info from numerous sources throughout the general public, deep and darkish net, together with authorities advisories, social media, cyber menace boards, darkish net boards, information retailers, vulnerability disclosures, breach stories and menace intelligence feeds.
Ingests and analyzes textual content, code, picture and video information.
Makes use of agentic AI and enormous language fashions to autonomously analyze, enrich and contextualize information. The AI brokers summarize incidents; correlate adversarial exercise; determine patterns; and map relationships between cyber incidents, menace actors and focused organizations.
Presents deduped, structured and contextualized intelligence alerts and briefs to human analysts in actual time. Alerts embrace detailed supply attribution, screenshots and background on menace actors concerned.
In response to Collins, he and his fellow analysts at Defend.ngo evaluate and confirm all AI-driven alert and intelligence information, guaranteeing its accuracy and reliability earlier than figuring out subsequent steps.
“Human analysts are nonetheless required with regards to judging whether or not these claims are credible or not,” Collins added. “As a part of our methodological course of, we all the time have an analyst reviewing AI output.”
Human analysts are nonetheless required with regards to judging whether or not these claims are credible or not. Miles CollinsCyber menace analyst, Defend.ngo
Along with supercharging cyberattack and menace monitoring for Defend.ngo’s consumer organizations, Dataminr’s AI menace intelligence expertise informs the nonprofit’s Cyber Tracer. The general public platform tracks vulnerabilities, threats and assaults related to civil society organizations and helps ongoing analysis on conflict-zone cyberactivity, together with the Russia-Ukraine struggle. NGOs, policymakers and researchers can use Cyber Tracer — which additionally consists of structured, domain-specific information from third-party companions Cloudflare, Bitsight and Kaduu — to higher mitigate danger and enhance cyber resilience.
The outcomes: Consolidated and contextualized menace intelligence information
At Defend.ngo, Collins stated the core operational advantage of agentic AI menace intelligence has been the consolidation of numerous and far-flung occasion, menace and danger information. A single, deduped and contextualized feed means analysts spend much less time gathering and organizing info and extra time analyzing and prioritizing it.
AI-driven monitoring additionally extends protection into channels that analysts at resource-constrained organizations hardly ever have the capability to look at persistently, reminiscent of darkish net boards the place ransomware teams publish claims in opposition to victims which may not seem in typical information sources.
The primary alert on an exfiltrated database
The agentic menace intelligence workflow was initially examined throughout an incident involving a nonprofit in Defend.ngo’s The Builders program, a matchmaking initiative that connects company cybersecurity volunteers with NGOs that want help.
On this occasion, a menace actor claimed to have exfiltrated information from the group’s surroundings and revealed a pattern of the database on-line. Dataminr surfaced the alert earlier than Defend.ngo volunteer analysts recognized it by every other channel, Collins stated, enabling them to rapidly contact the group with remediation help.
To this point, Defend.ngo has recorded greater than 878,000 threats, detected 1,084 vulnerabilities throughout NGOs, recognized greater than 2,000 assaults, quarantined greater than 560,000 phishing emails and detected greater than 315,000 uncovered credentials.
A caveat: AI will not make up for poor cybersecurity hygiene
Regardless of Defend.ngo’s optimistic expertise with the AI menace intelligence platform, Collins warned that smaller organizations with out devoted safety features typically lack the baseline controls that make such monitoring instruments helpful within the first place.
Organizations with out in-house safety workers ought to focus first on the fundamentals — MFA, VPNs, robust password administration and software program updates. “Keep away from getting any complicated instruments earlier than the foundational operational safety is in place,” he stated.
As soon as that basis exists, AI instruments turn out to be a sensible possibility. For resource-constrained groups, nevertheless, the danger then turns into treating AI as an alternative choice to human reasoning, perception and judgment, and the self-discipline that makes such instruments significant.
“It’s all the time vital to needless to say AI could make errors and once more, primary safety practices stay a very powerful to implement,” Collins stated.
Sean Michael Kerner is an IT guide, expertise fanatic and tinkerer. He has pulled Token Ring, configured NetWare and been identified to compile his personal Linux kernel. He consults with trade and media organizations on expertise points.
