Google Gemini AI Agents Deploy to Dark Web for Threat Intelligence

Google has deployed its Gemini AI agents to scour the dark web, processing over 10 million posts daily to identify genuine security threats with 98% accuracy, according to the company's threat intelligence team.

How the System Works

The new dark web intelligence service, now in public preview within Google Threat Intelligence, uses Gemini's models to build detailed organizational profiles before monitoring underground forums and marketplaces. When a customer like Acme Bank activates the service, Gemini creates a comprehensive profile using publicly available information about the organization's operations, technology stack, VIPs, and brands.

"Within a couple of minutes, we return a profile with a deep understanding of the customer, their environment, their business operations," said Brandon Wood, Google Threat Intelligence product manager. The system provides citations for all sourced information to maintain transparency.

Reducing the Noise

Traditional dark web monitoring tools rely on keyword scraping and regex matching, generating 80-90% false positives that overwhelm security teams. Google's approach fundamentally changes this dynamic by using AI to understand context rather than just matching terms.

"We are now processing every post from the dark web using Gemini, and from there distilling down what threats actually matter," Wood explained. The system analyzes initial access broker activity, data leaks, insider threats, and other intelligence, then prioritizes alerts based on relevance to the organization's profile.

For example, if a threat actor claims to sell access to a large North American bank with specific characteristics, Gemini can determine whether those characteristics match the customer's profile and assess the severity accordingly.

Integration with Human Analysis

The system incorporates knowledge from Google Threat Intelligence Group's human analysts who track 627 active threat groups. This hybrid approach combines AI's processing power with expert human context to generate actionable alerts.

Security Concerns

While the tool promises to reduce false positives, it also creates potential new attack vectors. Wood acknowledged this concern, noting that Google focuses on publicly available information and gives customers control over what data they share with the platform.

"Google deeply cares about protecting user information," Wood said. "We're looking carefully at how we integrate more and more insights and capabilities into it, but we really do work with our users and customers to make sure there's a ton of transparency on how they want to exchange information."

Additional AI Agent Capabilities

Beyond dark web monitoring, Google has expanded its AI agent ecosystem within Google Security Operations. The company introduced triage and investigation agents that can autonomously investigate alerts, gather evidence, and provide verdicts with reasoning explanations.

Customers can now build custom enterprise security agents using remote Model Context Protocol (MCP) server support, which is now generally available. This eliminates the need to host separate MCP server clients while maintaining unified governance within Google Security Operations.

Industry Context

Google's move comes amid increasing competition in AI-powered security tools. Amazon Web Services recently joined Microsoft and Google in the security AI agent race, while concerns about "rogue AI agents" working together to hack systems continue to grow. The company has also revealed that Chinese APT31 used Gemini to plan cyberattacks against US organizations, highlighting both the defensive and potentially offensive applications of these technologies.

The dark web intelligence tool represents Google's latest effort to apply AI to cybersecurity challenges, promising to transform how organizations monitor underground threats while raising important questions about data privacy and the role of AI in security operations.