Core Platform

Operator AI

The agents and sub-agents behind Co-pilot and fully autonomous modes in Operator.

What is Operator AI?

Operator AI is the set of AI agents and sub-agents that power Operator’s Co-pilot and Full Auto modes. When you move beyond manual mode, Operator AI takes on the role of a strategic partner: it perceives changes in the Operation as they happen, contextualizes new data, decides what to do next, and acts by suggesting or inserting Tool steps into the Operation graph.

You can configure which AI model powers Operator AI by selecting any model available in the Model Registry. This gives you control over the reasoning capabilities, cost, and speed profile of the agents running your Operations.

The main agent

Every Operation in Co-pilot or Full Auto mode is driven by a main agent. This agent is the strategic orchestrator of the Operation. It maintains situational awareness across the full graph, plans the next phase of work, delegates specialized tasks to sub-agents, and produces a final report when the engagement is complete.

The main agent can view and interact with the Operation the same way you do. It sees the graph, explores discovered data, views Tool execution details, and adds (or suggests) new Tools. In Co-pilot mode, it proposes actions for your approval. In Full Auto mode, it executes within the guardrails you define.

The main agent’s identity comes from one of two sources:

  • Base Operator AI: A world-class AI security engineer trained to orchestrate operations on the Method Platform. It combines deep offensive security knowledge with the platform’s Tool execution infrastructure to systematically map, enumerate, and assess target environments. It plans aggressively, tracks progress through a running task list, and adapts as the graph grows with new discoveries.
  • Adversary Emulation: An Adversary selected from your uploaded adversary intelligence. When an Adversary is active, the main agent adopts that adversary’s tactics, techniques, and behavioral patterns, giving you a realistic emulation of how a specific threat actor would operate against your targets.

What the main agent knows

The main agent is not just a prompt and a model. It is taught how the Method Platform works end to end:

  • Planning: How to break an operation into phases, set objectives, and maintain a running task list that evolves as new data arrives
  • Method Tools: The full Tool catalog, how Tools connect through input and output Ontology types, and how to select the right Tool for the current phase
  • MCP Tools: Which MCP Tools are available (distinct from Method Tools) and how to use them for platform-level actions like reading data, managing sessions, and interacting with the graph
  • Signal interpretation: How data flows into the Operation, what discovered Objects and Issues mean, and how to prioritize findings based on security relevance
  • Sub-agent delegation: When and how to call the Quartermaster, Data Analyst, and Pathfinder for specialized work
  • Reporting: How to summarize findings, capture key evidence, and produce a structured report at the end of an engagement

The main agent operates in a continuous loop: discover data, analyze it, plan the next action, execute (or propose) that action, and repeat. As the graph grows with new Tool results, the agent discovers more data that informs future Tool runs. This iterative cycle of discovery, analysis, and action is the core of every Operation.

Sub-agents

The main agent delegates specialized work to three sub-agents. Each one is purpose-built for a specific type of reasoning and has access to the tools it needs for that job.

Data Analyst

The Data Analyst is a reconnaissance analyst that systematically triages large result sets from security tooling. After any Tool run produces data (network scans, credential dumps, Active Directory enumeration, vulnerability scanner output), the main agent calls the Data Analyst to explore it.

The Data Analyst identifies high-value targets, misconfigurations, likely attack paths, and enumeration gaps. It prioritizes findings by security relevance, cites concrete Object IDs and evidence, and explains why specific Objects matter. It returns a narrowed, prioritized Object set that the main agent uses to decide what to do next.

The Data Analyst is strictly an analytical role. It surfaces what is interesting about the data and how Objects are linked together, but it does not recommend actions or suggest Tools. That separation keeps analysis objective and leaves all action decisions with the main agent.

When the main agent calls the Data Analyst:

  • After a Tool run produces results that need triage
  • Mid-engagement, to re-examine a result set with a specific question
  • When comparing strategic subsets of the environment
  • When determining what data is still missing before choosing the next action

Quartermaster

The Quartermaster handles Tool selection and configuration. It takes the main agent’s strategic intent (what you want to accomplish next) and translates it into a concrete, validated Tool insertion ready to execute. It understands the full Method Tool catalog, reads the Operation graph to determine what data is available, and validates Tool parameterizations against real data before returning a recommendation.

The Quartermaster has dedicated tools for searching the catalog, inspecting what data is available at a given step, loading Tool definitions, and validating configurations against the platform’s compiler. This makes it significantly more reliable at Tool selection and parameterization than attempting to do it inline.

When the main agent calls the Quartermaster:

  • After the Data Analyst returns findings and the main agent has decided what to investigate next
  • When the plan calls for a specific enumeration or exploitation step
  • When a previous Tool run failed or produced no results and a different approach is needed
  • When running multiple Tools in sequence and each one needs validation before insertion

Pathfinder

The Pathfinder is the bridge between high-level strategy and tactical Tool execution. It produces a concrete, ordered chain of three to five Tools for the current phase of the Operation. To do this, it loads the plan, environment intelligence, adversary profile, graph state, and network topology, then reasons over the full Method Tool catalog’s input and output Ontology types to find viable execution sequences.

Every Tool the Pathfinder recommends is grounded in reality: its input types must be available either from existing data in the graph or as the output of a Tool earlier in the chain. The Pathfinder traces the Ontology type flow through its recommendations and verifies that the sequence is logically connected.

The Pathfinder is a planner, not an executor. It does not insert Tools, configure parameters, or validate compilations. Its output becomes the main agent’s execution roadmap, and each Tool in the chain is handed to the Quartermaster for configuration and insertion.

When the main agent calls the Pathfinder:

  • First, after initializing the Operation and loading the plan, before any Quartermaster calls
  • At every phase transition (recon to enumeration, enumeration to exploitation, and so on)
  • When the platform notifies the agent of a relevant attack path that needs a Tool chain
  • Whenever progress stalls: a Tool produced no results, the Quartermaster cannot find or configure a Tool, or the current chain is exhausted
  • After completing the current chain, to get the next three to five steps

For a step-by-step walkthrough for using Operator, see Run your first Operation.