Skip to content

Digital Twin

The digital twin is Salient's core abstraction — a living, compounding model of your organization's security posture. It knows your tools, your people, your processes, your gaps, and how your team actually behaves under pressure.

What Is the Twin?

The twin is not a static document. It is an evolving knowledge graph built from multiple data sources and enriched automatically after every interaction with the platform. It stores:

  • Organization profile — industry, size, tech stack, team structure
  • Verified facts — tools, vendors, processes, people, capabilities confirmed through exercises or connectors
  • Gaps and weaknesses — identified through scoring, cross-exercise pattern detection, and connector analysis
  • Decision patterns — how your team responds under pressure, recurring behaviors
  • Contradictions — where declared posture differs from observed reality

How the Twin Is Built

The twin grows through five data channels:

  1. Exercises — every answer is mined for organizational facts (tools mentioned, gaps revealed, processes described)
  2. Connectors — Okta, Entra ID, and other integrations provide verified telemetry (MFA coverage, privileged roles, SSO inventory)
  3. Artifact uploads — PDFs, CSVs, configs, IR plans uploaded through the UI are parsed and mined
  4. Sibling MCPs — data from Gmail, Notion, Calendar, and other MCP servers flows in via /ttx enrich
  5. Manual profile editing — direct markdown editing of the org profile

Building Your Twin

The Compounding Intelligence Loop

This is the mechanism that makes Salient's twin a moat rather than a feature:

Exercise ──► Score ──► Mine Facts ──► Enrich Twin
    ▲                                      │
    │                                      ▼
    └──── Recommend Scenario ◄──── Threat Match

Each exercise makes the twin smarter. A smarter twin produces more targeted scenarios. More targeted scenarios reveal deeper gaps. Deeper gaps produce richer facts. The loop compounds.

The twin is the real product

Exercises are the input mechanism. The twin — and the compiled intelligence it produces — is what organizations actually need. Every feature should feed back into this loop.

Twin Intelligence

Once the twin has data, it supports:

  • Natural language queries — "What EDR tools do we have?", "Are we prepared for ransomware?"
  • Pattern detection — recurring weaknesses across exercises, even when described differently
  • Event bridging — connecting real security events to training gaps
  • Scenario recommendations — what to exercise next based on the weakest areas

Twin Intelligence

Compiled Twin & SIF

The twin compiles into the Salient Intelligence Format (SIF) at three detail tiers, served via MCP resources. This is how AI agents consume your security posture.

Compiled Twin & SIF · SIF Specification