DICYME

VISCA: A data-driven approach to victim profiling and attractiveness modeling

DICYME Team | October 09, 2025

Victim Insight System for Cyber Attacks (VISCA) is our multi-agent system that turns scattered breach reports into solid, structured context about who was attacked and what those organizations look like. We built it to enrich a repository of OT and critical infrastructure cyber incidents by automatically identifying the victim and attaching firmographic facts (industry, country, size, revenue, NAICS, public/private, etc.).

This connects directly to our previous work on modelling organizational Attractiveness. We defined Attractiveness as the level of interest an organization raises in potential attackers, which depends on factors such as the type of business, the kind and amount of data it manages, and its operational footprint. Within that, Basal Attractiveness refers to the inherent characteristics that make an organization a valuable target, even before adversaries have specific knowledge or intent against it.

To study Attractiveness in practice, you need clean, complete victim profiles. That’s exactly the foundation VISCA provides.

 

Multi-agent architecture proposed for extracting victim information and completing missing firmographic data

 

How the multi-agent pipeline works

At the core is a LangGraph workflow where agents pass results forward, each one adding a layer of certainty:

  1. Entity Extractor: reads the incident text and proposes the victim name(s), aliases/subsidiaries, country, and industry. This is the seed for everything else.

  2. URL Extractor: uses search to pick the official website that best matches the victim name (disambiguates look-alikes and handles naming quirks).

  3. Entity Profiler: queries several sources to fill the firmographic fields. Two types of tools are involved:

    • Structured sources (no LLM parsing): RocketReach, DBpedia & BigPicture.

    • Unstructured web (LLM parses what search returns): a Google tool and a URL content tool.

Confidence-based data fusion

Each source result comes with a confidence score that reflects three things:

  • Completeness: how many fields did it actually find.

  • Response volume/precision: fewer, more targeted hits are better.

  • Retries: how many name variants did it try to get a valid answer.

VISCA then picks the highest-confidence source as primary and fills any missing fields from others if their confidence crosses a threshold. The outcome is a single, coherent profile plus an overall integration confidence so you know how much to trust the final record.

 

Why it matters (especially for OT/CI)

  • Ground truth for Attractiveness modeling: with consistent firmographics across many victims, we can analyze what makes organizations appealing targets empirically.

  • Better incident analytics: roll-up by sector, geography, or size becomes reliable.

  • Context-rich CTI: technical IOCs are more useful when tied to organizational traits.

  • Low-friction ops: multi-agent design automates the tedious bits (name matching, website picking, cross-checking sources), so analysts focus on interpreting Attractiveness and risk.