Introduction
Earlier this month, the security world caught a fascinating glimpse into the future of AI-driven code vulnerability analysis. Daniel Stenberg, the creator of curl, published a detailed breakdown of how Anthropic’s Mythos and other AI code analysis tools have successfully identified hundreds of bugs, including several confirmed vulnerabilities, in curl's C codebase.
Stenberg highlighted that what made the discovery compelling wasn’t just that it was AI tools which found these bugs, but how they found them. Mythos, AISLE, OpenAI Codex Security, Zeropath, and other AI-native tools analyze code in fundamentally different ways than previous approaches: they understand and can explain – in natural language – the context, function, and intent across integrated code, libraries, and APIs.
In the enterprise security space, we face a remarkably parallel problem. Legacy tools flood security teams with alerts, because they lack context. They cannot easily spot the intent behind users’ online activities and journeys that don’t perfectly fit into rigid signature definitions, and they are unable to organically connect the dots in the abstracted relationships between clusters of online user journeys and the core business processes behind them. Thus, legacy tools aren’t good at spotting anomalies that span user journeys across multiple apps in a complex workflow, or contextualizing and explaining the associated business risk in plain language.
Loom built CINQUE on the foundation of user personas to drive its AI-native core. Instead of just analyzing security logs against a backdrop of static directories and job titles, or rigid signature definitions, CINQUE's continuously tuned, private language models map the authentic user journeys of your workforce to understand how the business truly operates.
Building From the Ground Up: A Persona-First Architecture
We considered multiple approaches to solve our target problem of improving visibility of security and risk posture through correlation and business contextualization, and we always came back to the same conclusion: a persona-first, AI-native approach was the best, if certainly not the easiest, path forward.
CINQUE works by observing real-world user activities across all five security domains first:
- Analyze Raw Log Data: The AI engine ingests data from connected identity and cross-domain Security Posture Management (xSPM) sources.
- Map and Correlate User Journeys: The engine maps out the complete set of end-to-end user interactions across systems, apps, data flows, and time to construct comprehensive "day in the life" pictures of statistically "similar" user clusters.
- Derive Personas: The continually tuned private LLM derives functional personas within an enterprise based on a natural language understanding of what work is being done by these groups of users, and how.
- Correlate with IdP Data: Only after establishing these behavioral baselines does CINQUE connect individual user identities (and static directory titles) back to their matching personas.
By refusing to take data shortcuts, the system validates its own accuracy. It learns the organic rhythms of the business rather than relying on corporate directory trees, which, let’s face it, are often at least somewhat stale, or whose job titles fail to capture the reality of what work gets done, and how, in agile, highly matrixed organizations.
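The ordering described above (behavior first, directory data last) can be sketched as follows. This is an added example, not CINQUE's code: a simple Jaccard-similarity clustering stands in for the LLM-based persona derivation, and all names, events and titles are constructed for illustration.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample events (user, app, action); not real log data.
EVENTS = [
    ("ana", "crm", "read"), ("ana", "crm", "export"), ("ana", "email", "send"),
    ("ben", "crm", "read"), ("ben", "crm", "export"), ("ben", "email", "send"),
    ("cho", "git", "push"), ("cho", "ci", "deploy"), ("cho", "cloud", "admin"),
    ("dev", "git", "push"), ("dev", "ci", "deploy"), ("dev", "cloud", "admin"),
    ("eli", "crm", "read"), ("eli", "crm", "export"), ("eli", "email", "send"),
]
# Constructed IdP directory; eli's title is stale (behaves like sales, listed as Engineer).
IDP_TITLES = {"ana": "Account Exec", "ben": "Account Exec",
              "cho": "Engineer", "dev": "Engineer", "eli": "Engineer"}

def journeys(events):
    """Steps 1-2: reduce raw events to each user's set of (app, action) pairs."""
    out = defaultdict(set)
    for user, app, action in events:
        out[user].add((app, action))
    return dict(out)

def jaccard(a, b):
    return len(a & b) / len(a | b)

def cluster(profiles, threshold=0.6):
    """Step 3 stand-in: single-linkage grouping of users with similar journeys."""
    parent = {u: u for u in profiles}
    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]  # path compression
            u = parent[u]
        return u
    for a, b in combinations(sorted(profiles), 2):
        if jaccard(profiles[a], profiles[b]) >= threshold:
            parent[find(b)] = find(a)
    groups = defaultdict(list)
    for u in sorted(profiles):
        groups[find(u)].append(u)
    return sorted(groups.values())

def title_mismatches(clusters, titles):
    """Step 4: join directory titles last; flag titles that differ from the cluster majority."""
    flagged = []
    for members in clusters:
        majority, _ = Counter(titles[u] for u in members).most_common(1)[0]
        flagged += [(u, titles[u], majority) for u in members if titles[u] != majority]
    return flagged

CLUSTERS = cluster(journeys(EVENTS))
MISMATCHES = title_mismatches(CLUSTERS, IDP_TITLES)
```

Because titles are joined only after clustering, a stale directory entry surfaces as a mismatch to review instead of silently shaping the baseline.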
Grounded in Real-World Design
This behavioral-first approach mirrors how great products—and great careers—are actually built.
In product management, one quickly learns that great apps aren’t successfully designed and engineered to fit ideal workflows. A great PM spends time discovering how people actually work in the real world to build an intuitive, frictionless tool. Similarly, think of a classic 90-day onboarding plan for a new executive. The most effective way to establish impact isn't just memorizing the org chart; it’s spending those precious first weeks orienting to how the company’s teams get things done.
CINQUE automates this exact orientation phase continuously. By deeply analyzing raw behavior to understand how the business functions, the system achieves a state of true business contextualization:
- CINQUE “knows” the actual, tactile work that comprises the daily activity of users within an enterprise persona.
- CINQUE “knows” how those workflows map to normal data activity patterns, allowing it to instantly flag true anomalies.
- CINQUE contextualizes those anomalies within the broader business framework, seamlessly separating critical risks from benign edge cases—like power users who naturally "wear multiple hats" across the organization.
And CINQUE can start delivering this visibility and value not in 90 days, or even 30 days, but in as little as 90 minutes. Yes, really.
Securing the Present, Automating the Future
While the core security benefit of this architecture is cutting through security noise to gain a complete understanding of unified security posture and risk, having a native understanding of user personas yields massive operational dividends across IT operations. Foundationally grounding your organization in these persona-based models unlocks value across everything from seamless automation of birthright access and entitlement management, to ensuring that the core tenets of Zero Trust and least privilege are maintained dynamically as roles and matrixed teams evolve and restructure to get the business's work done.
Security shouldn't be a game of guessing intent, or wading through noise to surface risks across matrixed teams and complex workflows. By using CINQUE's private, tailored AI to understand the authentic narrative of your data journeys, organizations shift the security paradigm from reactive alert triage to proactive, contextual business risk awareness.