How agentic AI threat intelligence aids NGO cyber defense: Case study
NGOs often lack the resources and expertise to defend against modern threat actors. Learn how one nonprofit is harnessing agentic AI threat intelligence to flip the script.
Nonprofits serving vulnerable populations sit at the uncomfortable intersection of sensitive data, global exposure and limited security resources.
Geneva-based Protect.ngo, formerly the CyberPeace Institute, helps nonprofit and nongovernmental organizations (NGOs) navigate those challenges with free cybersecurity support. To fulfill its mission, Protect.ngo, itself a nonprofit, must continually identify and analyze the threats that target its nearly 700 member organizations -- far easier said than done.
The problem: When manual monitoring isn't enough
When Protect.ngo started in 2018, its cybersecurity analysts relied on open source intelligence skills to track publicly reported cyberattacks against the nonprofits in its network. The process involved manually checking news outlets, dark web forums, social media and other sources.
"Many [NGOs] have a smaller digital footprint," said Miles Collins, a cyberthreat analyst at Protect.ngo. "This can make it more difficult to detect whether they have been targeted and to gather enough evidence for technical attribution."
With no unified view of the threat landscape facing NGOs and other civil society organizations, the work was time-consuming, inconsistent and unwieldy. The results also failed to give Protect.ngo analysts the real-time insights they needed to properly analyze and prioritize emerging and ongoing security threats. The scale of Protect.ngo's monitoring activities compounded the challenge, with hundreds of member organizations spanning different regions, sectors and operating environments.
These challenges notwithstanding, it was critical that analysts detect attacks quickly and consistently, both for immediately affected organizations and their peers. A threat surfacing in one corner of the Protect.ngo network could have implications for countless other NGOs. Plus, any missed or delayed detections could create gaps in the public records upon which researchers and policymakers depend.
By March 2025, Protect.ngo analysts had manually documented more than 295,000 threats, 760 vulnerabilities and 1,100 distinct attacks on NGOs -- and the threat landscape was only worsening.
The fix: AI joins the cause
Around the same time, Protect.ngo turned to AI to support the efforts of its human analysts. The organization deployed Dataminr's AI-powered threat intelligence platform, which has the following capabilities.
Aggregates information from diverse sources across the public, deep and dark web, including government advisories, social media, cyber threat boards, dark web forums, news outlets, vulnerability disclosures, breach reports and threat intelligence feeds.
Ingests and analyzes text, code, image and video data.
Uses agentic AI and large language models to autonomously analyze, enrich and contextualize data. The AI agents summarize incidents; correlate adversarial activity; identify patterns; and map relationships between cyber incidents, threat actors and targeted organizations.
Presents deduped, structured and contextualized intelligence alerts and briefs to human analysts in real time. Alerts include detailed source attribution, screenshots and background on threat actors involved.
According to Collins, he and his fellow analysts at Protect.ngo review and verify all AI-driven alert and intelligence data, ensuring its accuracy and reliability before determining next steps.
"Human analysts are still required when it comes to judging whether those claims are credible or not," Collins added. "As part of our methodological process, we always have an analyst reviewing AI output."
In addition to supercharging cyberattack and threat monitoring for Protect.ngo's client organizations, Dataminr's AI threat intelligence technology informs the nonprofit's Cyber Tracer. The public platform tracks vulnerabilities, threats and attacks relevant to civil society organizations and supports ongoing research on conflict-zone cyberactivity, including the Russia-Ukraine war. NGOs, policymakers and researchers can use Cyber Tracer -- which also includes structured, domain-specific data from third-party partners Cloudflare, Bitsight and Kaduu -- to better mitigate risk and boost cyber resilience.
The results: Consolidated and contextualized threat intelligence data
At Protect.ngo, Collins said the core operational benefit of agentic AI threat intelligence has been the consolidation of diverse and far-flung event, threat and risk data. A single, deduped and contextualized feed means analysts spend less time collecting and organizing information and more time analyzing and prioritizing it.
AI-driven monitoring also extends coverage into channels that analysts at resource-constrained organizations rarely have the capacity to watch consistently, such as dark web forums where ransomware groups publish claims against victims that might not appear in conventional news sources.
The first alert on an exfiltrated database
The agentic threat intelligence workflow was initially tested during an incident involving a nonprofit in Protect.ngo's The Builders program, a matchmaking initiative that connects corporate cybersecurity volunteers with NGOs that need support.
In this event, a threat actor claimed to have exfiltrated data from the organization's environment and published a sample of the database online. Dataminr surfaced the alert before Protect.ngo volunteer analysts identified it through any other channel, Collins said, enabling them to quickly contact the organization with remediation support.
To date, Protect.ngo has recorded more than 878,000 threats, detected 1,084 vulnerabilities across NGOs, identified more than 2,000 attacks, quarantined more than 560,000 phishing emails and detected more than 315,000 exposed credentials.
A caveat: AI won't make up for poor cybersecurity hygiene
Despite Protect.ngo's positive experience with the AI threat intelligence platform, Collins warned that smaller organizations without dedicated security functions often lack the baseline controls that make such monitoring tools useful in the first place.
Organizations without in-house security staff should focus first on the basics -- MFA, VPNs, strong password management and software updates. "Avoid getting any complex tools before the foundational operational security is in place," he said.
Once that foundation exists, AI tools become a practical option. For resource-constrained teams, however, the risk then becomes treating AI as a substitute for human reasoning, insight and judgment, and the discipline that makes such tools meaningful.
"It is always important to keep in mind that AI can make mistakes and again, basic security practices remain the most important to implement," Collins said.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.