AI Providers Look deeper. Find everything.

AI Providers

Intreys uses AI for narrative generation, anomaly summaries, and natural-language hunt queries. Local providers run on your hardware; remote providers are off by default and gated by a privacy classifier.

Default posture: force_local

force_local is the default. Out of the box, Intreys will not send any data to a remote AI provider. You must explicitly opt in to remote providers under Settings → AI.

Local providers

llama.cpp (Linux, Windows, macOS)

CPU-only inference; works on any modern x86_64 / ARM64
GGUF model format (download from Hugging Face)
Recommended models: Llama-3.1-8B-Instruct (Q4_K_M), Mistral-7B-Instruct, Qwen2.5-7B
RAM: 8 GB minimum for 7B Q4 models, 16 GB recommended

MLX (Apple Silicon only)

Metal Performance Shaders — uses GPU on M1/M2/M3/M4
Roughly 3–5x faster than llama.cpp on the same hardware
MLX-format models from huggingface.co/mlx-community
Recommended: Llama-3.1-8B-Instruct-4bit-MLX, Phi-3-mini-MLX

Installing a local model

Open Settings → AI → Local model manager.
Click Browse catalogue. The catalogue lists vetted models with size and target hardware.
Click Install. The download is verified by SHA-256.
Set the model as default for the AI tasks you want.

Remote providers (Pro+)

Anthropic Claude

Get API key at console.anthropic.com
Paste in Settings → AI → Anthropic
Recommended model: claude-opus-4-7 for narrative; claude-3-5-haiku for cheap classification

OpenAI

Get API key at platform.openai.com
Recommended: gpt-4o for narrative; gpt-4o-mini for classification
Bring-your-own-key — no Intreys proxy

xAI Grok

Get API key at x.ai
Recommended: grok-2 (default), grok-2-mini for cheap tasks

Azure OpenAI

Configure endpoint URL, deployment name, and API key
For regulated tenants — data residency and the same SLAs as the rest of your Azure subscription

The privacy classifier

Before any prompt is sent to a remote provider, Intreys runs the prompt through a small local classifier (~50 MB) that flags potential PII / secret material. Detected categories:

Email addresses (configurable: redact / allow)
Internal IP ranges (RFC1918, link-local, ULA)
Hostnames matching internal domain patterns
Known credential formats (AWS keys, Slack tokens, JWTs)
Authorisation headers in HTTP samples

Behaviour on detection (configurable):

Block — refuse the call
Redact — replace with placeholders before sending (default)
Warn — prompt the analyst with the redacted draft

Cost tracking

For each remote provider call, Intreys logs prompt tokens, completion tokens, and dollar cost (using the latest provider price list). View cumulative spend under Settings → AI → Cost tracking. Per-session and per-month buckets.

Use cases

Attack narrative — stage 29 turns the timeline into a written kill-chain story with a Mermaid diagram
Anomaly explanation — “why was this flow flagged?”
Natural-language hunts — “find DNS queries that look like exfiltration” → structured query
Report drafting — executive summary and findings section of PDF/DOCX reports

Disabling AI entirely

Settings → AI → Master switch: off. The pipeline skips stage 29 and all AI panels are hidden. Recommended for air-gapped or strict-policy environments.