Go to PolySwarm

Roles in the Marketplace

PolySwarm is a threat intelligence marketplace with Engines supplying intelligence, Ambassadors brokering access to the intelligence and Arbiters determining ground truth, mediating the marketplace.

How it works (refer to this diagram):

  1. An Ambassador "bounties" a suspect artifact (a file, URL, IP address or domain) on behalf of its customer.
  2. Engines are alerted to the bounty and decide whether the artifact is within their area of expertise.
  3. If the Engine feels that it is able to correctly categorize the artifact as malicious or benign, it produces an assertion and places a stake of money in the form of a token, Nectar (NCT), on that assertion.
  4. The Ambassador considers all the Engines' assertions and returns a verdict to their customer.
  5. Some time passes.
  6. Arbiters offer ground truth regarding the malintent of the artifact.
  7. Engines whose assertions match ground truth are rewarded with the escrowed funds of Engines that disagreed.

For full details, please refer to the PolySwarm whitepaper.


Engines offer threat intelligence in exchange for NCT.

Engines are developed by individuals or organizations who have a knack for identifying malware. If you have unique insight into a particular malware family, class, file type, etc and want to access samples, boost your engine reputation, and earn money/tokens (NCT), then you want to develop an Engine!

What Makes an Engine

Engines encapsulate security expertise in an autonomous process that earns Nectar (NCT) rewards for accurately identifying new strands of malware.

Specifically, Engines:

  1. Listen for bounties on the Ethereum blockchain (via polyswarmd)
  2. Download artifacts (via polyswarmd)
  3. Scan/analyze the artifacts
  4. Determine a Nectar (NCT) staking amount
  5. Deliver an assertion (their verdict + stake) back to the marketplace

Developing an Engine

Ready to develop your first Engine and start earning NCT?

Linux-based Engines are far easier to test and come with more deployment options than Windows-based Engines. If possible, we highly recommend building Linux-based Engines.


Ambassadors place bounties (artifacts + NCT) and receive timely crowdsourced threat intelligence in response.

Enterprises seeking to query PolySwarm for threat intelligence may:

  1. purchase a subscription directly from Swarm Technologies
  2. work with a third party that runs an Ambassador on their behalf
  3. act as their own Ambassador

Developing an Ambassador

If your organization requires finer grained control over marketplace interactions or you wish to build value-added services on top of PolySwarm (e.g. as an MSSP), you may want to build an ambassador.

Ambassadors are only supported under Linux.


Arbiters are paid (via marketplace transaction fees) to determine ground truth.

Arbiters marshall the marketplace by way of determining "ground truth". Arbiter serve a critical role: Arbiter-derived ground truth is used to determine which Engines are correct and thus rewarded. Crucially, Arbiters must expand their internal threat detection capabilities, taking into consideration the assertions of Engines to push the boundaries of what the PolySwarm marketplace can detect.

With the exception of staking sufficient NCT to qualify for Arbitership, Arbiters perform the same action as Engines. When a bounty is placed, Arbiters vote on the ground truth of that artifact.

Developing an Arbiter

Developing Engines and Arbiters is a virtually identical process. As a first step, we'll need to set up a Linux development environment.

Arbiters are only supported under Linux.

2020 © PolySwarm Pte. Ltd.