LLM Analytical Intelligence

Intelligence analysts working through large volumes of entity data, incident timelines, and network graphs face a discovery problem: the patterns that matter most are often the ones nobody thought to query for.

Module metadata

Source reference: content/modules/llm-analytical-intelligence.md

Last Updated: Apr 14, 2026

Category: Intelligence

Content checksum: 58a2ba92e14b3646

Tags: intelligence, ai

Overview

Intelligence analysts working through large volumes of entity data, incident timelines, and network graphs face a discovery problem: the patterns that matter most are often the ones nobody thought to query for. A structured query interface requires the analyst to already know what they are looking for. Conversational analytical intelligence inverts that: the analyst describes what they want to understand, and the platform translates that intent into the appropriate analytical operation.

Argus implements this using the LLM function-calling specification and the LLM tool-use specification, both publicly published open API standards that allow a large language model to select and invoke structured functions based on natural language input. When an analyst asks which entities appeared most frequently in the past two weeks, the LLM selects the entity frequency analysis tool, populates its parameters from the query, and the platform executes the calculation against the tenant-scoped data. The analyst receives a structured result they can immediately act on. No proprietary NLP-to-analytics translation layer is involved: only standard LLM tool-use against open API specifications.

Diagram

graph LR
    A[Analyst Natural\nLanguage Query] --> B[AI Language Model\nLLM Endpoint]
    B --> C[Tool Selection\nLLM function-calling\nSpec]
    C --> D{Tool Router}
    D --> E[Entity Frequency\nAnalysis]
    D --> F[Temporal Trend\nAnalysis]
    D --> G[Network\nCentrality]
    D --> H[Correlation\nAnalysis]
    D --> I[Anomaly\nDetection]
    E & F & G & H & I --> J[Org-Scoped\nResult]
    J --> K[Analyst\nResponse]

Last Reviewed: 2026-04-14 Last Updated: 2026-04-14

Key Features

  • LLM function-calling specification: Each analytical capability is declared as an AnalyticalTool with a name, description, and JSON Schema parameter definition. This declaration is passed verbatim to the LLM's tools array in the LLM Chat Completions API or LLM Messages API format. The LLM selects the appropriate tool and populates its parameters without any custom classification model or proprietary intent-recognition layer.

  • Entity Frequency Analysis: Counts how often each entity type (person, organisation, location, object) appears within a configurable time window across the analyst's tenanted data. Returns ranked frequency tables suitable for identifying the most-mentioned subjects in a corpus of intelligence reporting.

  • Temporal Trend Analysis: Aggregates event counts over hour, day, week, or month intervals to reveal operational tempo patterns, escalation curves, and cyclical activity signatures. The analyst can specify any event type and date range; the LLM extracts these parameters from natural language.

  • Network Centrality Analysis: Calculates degree, betweenness, PageRank, and closeness centrality metrics for entity networks using the Neo4j Graph Data Science library (Apache License 2.0). Identifies key actors, information brokers, and hub nodes in the intelligence graph without requiring the analyst to write Cypher queries.

  • Correlation Analysis: Computes Pearson, Spearman, or Kendall correlation coefficients between two named time series using scipy.stats (BSD License). Allows analysts to test whether two observed trends move together.

  • Anomaly Detection: Detects statistical outliers in time series using Z-score or IQR methods via numpy (BSD License). Returns the timestamps and values of anomalous observations for analyst review.

  • Tenant-Scoped Execution: Every tool invocation is bound to the requesting analyst's organisation ID. All database queries generated by analytical tools include organization_id in their WHERE clause. Cross-tenant data access is architecturally impossible within the tool execution layer.

  • JSON Schema Parameter Validation: Tool parameters are defined as JSON Schema objects (IETF draft-bhutton-json-schema-01) and validated before execution. Invalid parameter combinations are rejected with a structured error before any database query is issued.
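
The validation and tenant-binding features above, as an added example (not Argus code): a tool declaration with a JSON Schema parameter definition, a validator for the schema subset it uses, and a dispatcher that rejects bad tool calls before building any query. The names TOOLS, validate and dispatch, the events table with its occurred_at column, and the %s placeholder style are assumptions; the organisation ID comes from the authenticated session, never from the model's arguments.

```python
from datetime import date

# Hypothetical tool declaration; organization_id is deliberately not a parameter.
TOOLS = {"temporal_trend_analysis": {
    "description": "Aggregate event counts per interval over a date range.",
    "parameters": {
        "type": "object",
        "properties": {
            "event_type": {"type": "string"},
            "interval": {"type": "string", "enum": ["hour", "day", "week", "month"]},
            "start_date": {"type": "string", "format": "date"},
            "end_date": {"type": "string", "format": "date"},
        },
        "required": ["event_type", "interval", "start_date", "end_date"],
        "additionalProperties": False,
    }}}

def validate(schema, args):
    """Check args against the JSON Schema subset used above; return error strings."""
    if not isinstance(args, dict):
        return ["arguments must be an object"]
    errors = [f"missing: {k}" for k in schema["required"] if k not in args]
    for key, value in args.items():
        prop = schema["properties"].get(key)
        if prop is None:
            errors.append(f"unexpected: {key}")
        elif not isinstance(value, str):
            errors.append(f"not a string: {key}")
        elif "enum" in prop and value not in prop["enum"]:
            errors.append(f"not allowed: {key}")
        elif prop.get("format") == "date":
            try:
                date.fromisoformat(value)
            except ValueError:
                errors.append(f"not a date: {key}")
    return errors

def dispatch(tool_call, session_org_id):
    """Validate the model's tool_call, then build a tenant-scoped, fully bound query."""
    tool = TOOLS.get(str(tool_call.get("name")))
    args = tool_call.get("arguments")
    errors = validate(tool["parameters"], args) if tool else ["unknown tool"]
    if errors:
        return {"error": "invalid_tool_call", "details": errors}
    sql = ("SELECT date_trunc(%s, occurred_at) AS bucket, count(*) FROM events "
           "WHERE organization_id = %s AND event_type = %s "
           "AND occurred_at >= %s AND occurred_at < %s GROUP BY bucket ORDER BY bucket")
    return {"sql": sql, "params": (args["interval"], session_org_id, args["event_type"],
                                   args["start_date"], args["end_date"])}
```

A tool call that carries its own organization_id is rejected as an unexpected property rather than silently ignored, which also makes such calls visible in the audit trail.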

Use Cases

LLM Analytical Intelligence is used across intelligence analysis, financial crime investigation, and national security operations.

  • Pattern of Life Analysis: Ask "which persons appeared most frequently in reports over the past month?" The LLM selects entity frequency analysis, and the platform returns a ranked entity list.
  • Incident Trend Briefing: Ask "show me incident trends by week for the past quarter". The LLM selects temporal trend analysis with the appropriate interval and date parameters.
  • Key Actor Identification: Ask "who are the most connected persons in the network?" The LLM selects network centrality analysis with the PageRank metric.
  • Correlation Investigation: Ask "does social media activity correlate with incident escalation?" The LLM selects correlation analysis and returns the coefficient and p-value.
  • Anomaly Alerting: Ask "when did incident volume spike unexpectedly?" The LLM selects anomaly detection and returns the dates of statistical outliers.

Integration

  • AI language model API: The LLM endpoint receives the analyst query and the tool definitions array, returns a tool_call response, and the platform executes the named tool.
  • Graph Intelligence: Network centrality tools query the Neo4j graph via the Graph Data Science library, scoped by organisation ID.
  • Investigation Workspace: Analytical results can be saved directly to an active investigation as evidence attachments.
  • Dashboard Widgets: Tool results are returned as structured dicts compatible with the Argus dashboard charting layer.
  • Audit Service: Every tool execution is logged to the audit trail with tool name, parameters, organisation ID, and timestamp.

Open Standards

| Standard | Description |
|---|---|
| LLM function-calling specification | Published open API for LLM tool-use. Provider documentation |
| LLM tool-use specification | Published open API for LLM tool-use. Provider documentation |
| JSON Schema (IETF draft-bhutton-json-schema-01) | Tool parameter definition and validation standard. https://json-schema.org/ |
| Neo4j Graph Data Science (Apache 2.0) | Open-source graph analytics library for centrality computations. https://neo4j.com/docs/graph-data-science/ |
| scipy.stats (BSD License) | Open-source scientific computing library for correlation and statistics. https://scipy.org/ |

Argus uses published open API specifications (LLM function-calling specification, LLM tool-use specification) and open-source analytical libraries throughout.