EdgeGuard: Where Explainable Cybersecurity Meets Edge Reality


In an era of noisy alerts, fragmented threat intelligence, and growing regulatory pressure, cybersecurity teams face a common frustration: knowing something is wrong is not the same as knowing why it matters or what to do next.

EdgeGuard is an advanced threat-intelligence capability currently under active research and development, created to address this gap by rethinking how security alerts are enriched, explained, and operationalized at the edge.

Developed jointly by IICT-BAS and Ratio1, EdgeGuard represents a new class of explainable, edge-native threat intelligence - one that aims to transform raw security signals into defensible, step-by-step incident narratives, exactly where the data is generated.

From Alerts to Evidence-Based Stories

Traditional security platforms are excellent at detection, but far less effective at explanation. Analysts are left to manually connect alerts to vulnerabilities, attack techniques, and real-world threat context - often under time pressure and with incomplete information.

EdgeGuard approaches the problem differently. Instead of producing opaque risk scores, it answers the questions analysts actually ask:

  • Why does this alert matter?

  • How does it connect to known attack techniques or exploited vulnerabilities?

  • What evidence supports this conclusion?

  • What should we check or fix next?

At its core, EdgeGuard builds verifiable incident stories, combining structured threat intelligence with plain-language explanations that can be trusted by both junior and senior analysts.

IICT-BAS: Research You Can Operationalize

A defining strength of EdgeGuard is its foundation in applied scientific research, led by IICT-BAS.

The Institute of Information and Communication Technologies at the Bulgarian Academy of Sciences (IICT-BAS) is a leading national research institute specializing in artificial intelligence, cybersecurity, knowledge engineering, and high-assurance systems. With decades of experience in EU-funded research, standards-aligned methodologies, and security-critical domains, IICT-BAS brings a level of rigor that is rarely embedded so deeply into operational cybersecurity products.

Within EdgeGuard, IICT-BAS is responsible for ensuring that the system is not only intelligent, but correct, explainable, and reproducible.

The institute leads the design of EdgeGuard’s Graph-Augmented Retrieval-Augmented Generation (GraphRAG) core - where symbolic knowledge graphs and carefully constrained language models work together to produce traceable reasoning. Every conclusion is backed by explicit evidence chains linking alerts to MITRE ATT&CK techniques, CVEs, known campaigns, and indicators of compromise.

This research-driven approach delivers something increasingly demanded by regulators and operators alike: security decisions that can be explained, justified, and audited.

Built for the Edge, Not Just the Cloud

While IICT-BAS anchors the scientific and explainability foundations, Ratio1 ensures that EdgeGuard works in the environments where security teams actually operate.

EdgeGuard is designed to run close to the data, on distributed edge infrastructure rather than relying solely on centralized cloud platforms. This matters for organizations facing bandwidth constraints, data-sovereignty requirements, or intermittent connectivity - such as healthcare networks, industrial sites, and critical infrastructure operators.

Through Ratio1’s edge orchestration, resilient synchronization, and secure distributed storage, EdgeGuard continues to enrich alerts locally, maintain provenance, and synchronize intelligence selectively - even during disruption.

A Partnership with a Clear Division of Strengths

The collaboration between IICT-BAS and Ratio1 is deliberate and complementary:

  • IICT-BAS contributes the scientific backbone: explainable AI, knowledge-graph reasoning, reproducible evaluation, and standards-aligned threat-intelligence modeling.

  • Ratio1 translates that research into a production-ready system: edge deployment, resilience, security hardening, and real-world SOC integration.

Together, they bridge the persistent gap between academic research and day-to-day cybersecurity operations.

What Success Looks Like

EdgeGuard succeeds when analysts move faster - not because they cut corners, but because the reasoning is already assembled. When teams can justify patching, containment, or escalation decisions with clear evidence. And when edge environments remain secure and operational, even under constrained conditions.

If a SIEM is a sensor and a threat intelligence platform is a library, then EdgeGuard is the investigator - reading the signals, pulling the relevant facts, and writing the case narrative, with receipts.

And through the ongoing collaboration between IICT-BAS and Ratio1, that investigator is being shaped to be both scientifically grounded and operationally ready.

Petrica Butusina

Feb 3, 2026

The Ultimate AI OS Powered by Blockchain Technology

©Ratio1 2025. All rights reserved.
