We Accidentally Built a Hyperagent

The Problem Nobody Talks About

Here's a dirty secret about running a SOC: we're drowning. Not in alerts -- though that's true too -- but in information. Threat intel feeds, compliance framework updates, vendor advisories, research papers, CVE databases, regulatory guidance that multiplies faster than anyone can read it.

Last week's CISA advisory? Still unread in someone's inbox. That emerging attack technique documented in an obscure threat report? Nobody noticed it until it hit a customer environment. It's not laziness. There are only so many hours in a day and the queue never, ever empties.

But the part that really keeps me up at night: the knowledge that DOES get absorbed lives entirely in people's heads. When a senior analyst leaves, years of accumulated context walk out the door with them. The new hire starts from scratch. Your organization's collective intelligence just reset to zero in that domain.

That's not a staffing problem. It's a structural one. We decided to fix the structure.

It Started With Alert Fatigue

We weren't trying to build anything groundbreaking. We just wanted our analysts to stop waking up at 3 AM for the same noisy false positives. Standard MSSP modernization: automated alert triage, FP detection, threat hunting assistance. We'd cobbled together a mesh of whatever hardware we had lying around -- Apple Silicon workstations, gaming laptops with GPUs, a cloud database server -- and wired AI agents to handle the grunt work.

It worked. Alerts got triaged faster. False positives got filtered before a human ever saw them. Analysts spent more time on real threats and less time on noise.

And then it got weird.

The Accident

We'd built a research tool on top of the same infrastructure. Simple concept: give it a topic, have three different LLMs research it from different angles, have a bigger model synthesize the results into one document. Multi-LLM consensus. Nothing fancy.

Then -- and I swear this wasn't the plan -- we added a small module that reads each completed research paper and asks: "What questions did this raise that we didn't answer?" It generates three to five new topics from every piece of research. Just a simple discovery loop.

That's when things got out of hand.

A research task on ransomware-as-a-service business models would finish, and the discovery module would spit out follow-up topics: affiliate payment laundering techniques, law enforcement takedown patterns, insurance claim correlation with ransom payment likelihood. Each of THOSE topics would complete and spawn their own children. The knowledge graph didn't just grow -- it branched and deepened on its own, 24 hours a day, without anyone asking it to.

We'd built a tool that was supposed to help us research faster. Instead, we accidentally built something that researches on its own, figures out what it doesn't know, and goes to learn it. We didn't plan this. I'm still not entirely sure how it happened.

Here is what the system looks like today:

The nine domains span cybersecurity threat intel, pen testing, cloud security, GRC, health research, political accountability, AI, consciousness studies, and marketing. The system doesn't care about domain boundaries. It follows the questions wherever they lead. We've caught it drawing connections between ancient Sumerian administrative records and modern compliance frameworks. We didn't ask it to do that.

And yes, that $0 cost is real. The entire inference pipeline runs on open-source LLMs through free cloud inference endpoints. The compute mesh -- six nodes, 90+ cores, 296 GB of RAM, three GPUs -- is hardware we already owned. No API bills. No token charges. No metered pricing that makes you afraid to actually use the thing.

How It Actually Works

There's no single clever algorithm here. It's a bunch of simple components that produce something unexpected when you wire them together.

The mesh isn't a fancy cluster. It's a MacBook Pro, two gaming laptops, a Mac Studio, a cloud VPS, and an AMD workstation -- all wired together through SSH and a topology file. We route GPU work to the RTX machines, heavy synthesis to the high-RAM nodes, and database writes to the cloud box. It's held together with Node.js scripts and PM2. Not elegant, but it's been running for months without babysitting.

The multi-LLM teams are probably the most interesting part. Each research task goes to three parallel workers running different models. They disagree with each other. They emphasize different things. They catch nuances the others miss. Then a bigger "captain" model reads all three outputs and synthesizes them into one coherent paper, keeping the best insights from each and flagging contradictions. It's like having three analysts with different backgrounds research the same topic and then having a senior synthesize their work.

Topic discovery is what makes it self-improving. After every paper, a discovery module reads the output and generates three to five new questions. Those go into the queue. The daemon picks them up. Rinse and repeat, forever. We started with a few hundred seed topics. The system has now discovered over 19,000 on its own. We couldn't stop it if we wanted to.

Semantic search means every finding gets vector-embedded and searchable by meaning, not just keywords. An analyst investigating a novel attack technique can ask "what do we know about stuff like this?" and get results ranked by conceptual similarity across all nine domains. Last week it surfaced a connection between a GRC compliance pattern and a pen testing evasion technique that no human would have thought to link.

The knowledge bus connects the daemon to everything else we run. Findings don't sit in a database waiting for someone to query them. They propagate to SOC agents, threat intel report generators, and analyst workbenches. When our threat hunter asks about a new TTP, the answer draws from nearly six thousand synthesized research papers -- not a Google search.

We Weren't the Only Ones

On March 6, 2026 -- three weeks ago -- Andrej Karpathy released autoresearch.py. It got 56,000 GitHub stars in days. His system runs autonomous ML experiments in a self-improving loop: edit code, train, measure, keep or discard, repeat. Different problem than ours (he's optimizing neural networks, we're generating knowledge), but the same DNA: an autonomous agent that learns from its own output.

What caught our attention was his follow-up tweet calling for "SETI@home style collaborative agents" -- distributed systems that contribute compute and intelligence toward shared goals. We'd already been running exactly that for months. Six nodes, nine workers, shared knowledge base. We didn't know it had a name. Turns out multiple teams are arriving at the same architecture from completely different starting points. That's usually a sign the architecture is right.

What "Hyperagent" Actually Means

There's a term gaining traction for systems like this. The characteristics are specific:

Self-improvement through output

The system's own research generates new research questions. Each cycle makes it more knowledgeable, which makes the next cycle more productive.

Autonomous multi-domain operation

No human tells it what to research next. It identifies gaps in its own knowledge and fills them.

Distributed compute orchestration

Work is parallelized across available hardware, with intelligent routing based on task requirements.

Persistent knowledge with semantic search

Everything the system learns is stored, embedded, and searchable by meaning. Institutional knowledge compounds instead of evaporating.

Self-directed discovery

The system does not just answer questions. It discovers what it does not know and goes to learn it.

This is not a chatbot with tools. It is a research institution that runs on electricity.

A chatbot waits for a prompt. A tool runs a predefined workflow. This thing operates continuously, improves from its own output, and expands its own knowledge without anyone telling it to. We set the direction. It handles everything else.

So What? Why Should You Care?

Fair question. A cool research project doesn't matter unless it solves a real problem. Here's where it gets practical:

Our SOC playbooks update themselves. When a new attack technique emerges, the daemon researches it from multiple angles within hours. By the time an analyst encounters it in the wild, the playbook already reflects the latest understanding. No waiting for a vendor to update their docs. No hoping someone read the right blog post.

Our threat intel reports aren't recycled news headlines. We send weekly threat intelligence reports to customers. They draw directly from the daemon's findings -- synthesized analysis informed by thousands of cross-referenced sources, filtered for each customer's specific tech stack and threat profile. That's not something a human team of our size could produce manually. The daemon makes it possible.

Compliance guidance stays current without anyone chasing it. The GRC domain tracks framework updates, regulatory changes, and enforcement actions. When a new CMMC requirement drops or NIST publishes an update, the daemon processes it and the implications flow through to our compliance recommendations. Automatically. We don't find out about regulatory changes from a newsletter anymore.

New analysts hit the ground running. Someone joins the team on Monday. By Tuesday they're querying a knowledge base with nearly six thousand synthesized research papers. They don't need six months to build institutional knowledge because the institution's knowledge is already searchable.

It gets smarter while we sleep. Not because someone's feeding it data, but because it feeds itself. Every paper spawns new questions. Those questions produce new research. That research spawns more questions. Right now there are over 19,000 topics in the queue that the system discovered on its own. The knowledge compounds at machine speed with zero marginal human effort.

What We Actually Learned

Our tagline is "Don't replace your people. UPGRADE them." This system is the most literal version of that we've ever built.

Every finding it produces makes every human analyst more effective. Every paper it writes is institutional knowledge that can't walk out the door when someone quits. Every auto-discovered topic is a question nobody had time to ask, answered before anyone knew it needed asking.

We didn't set out to build a hyperagent. We set out to make our SOC less painful. The self-improving research platform was an accident -- a happy one, but an accident nonetheless. We're still figuring out its limits.

But here's what I know for sure: the question isn't whether AI will transform security operations. That's settled. The question is whether your institutional knowledge compounds automatically -- getting smarter every hour without anyone lifting a finger -- or whether it leaks out the door every time someone updates their LinkedIn.

We built the compounding machine. By accident. And it hasn't stopped running since.