Go to PolySwarm

Roles in the Marketplace

PolySwarm is a threat intelligence marketplace with Microengines supplying intelligence, Ambassadors brokering access to the intelligence and Arbiters determining ground truth, mediating the marketplace.

How it works (refer to this illustration):

  1. An Ambassador "bounties" a suspect artifact (a file, URL, IP address or domain) on behalf of its customer.
  2. Microenginess are alerted to the bounty and decide whether the artifact is within their area of expertise.
  3. If the Microengines feels that it is able to correctly categorize the artifact as malicious or benign, it produces an assertion and places a stake of money in the form of a token, Nectar (NCT), on that assertion.
  4. The Ambassador considers all the Microengines' assertions and returns a verdict to their customer.
  5. Some time passes.
  6. Arbiters offer ground truth regarding the malintent of the artifact.
  7. Microenginess whose assertions match ground truth are rewarded with the escrowed funds of Microenginess that disagreed.

For full details, please refer to the PolySwarm whitepaper.

Engines and Webhooks

Going forward, Engines is a blanket term for both Microengines and Arbiters.

Engines have gone through a major revision at PolySwarm. Webhooks have replaced websockets as the means to receive new Bounties. This means Engines only receive Bounties containing artifacts that the Engine is configured to process. Engines no longer have to filter the bounties themselves, reducing the complexity and total time to scan.

The webhook bounty flow is summarized in the following list.

  1. PolySwarm sends a relevant bounty webhook to the Engine's HTTP server.
  2. Engine validates that PolySwarm is the sender by checking the signed HMAC against the body using a shared secret.
  3. The scan is started, using some concurrency tool to keep the server from being blocked.
  4. Engine responds with 202 Accepted
  5. During the scan, the Engine fetches the artifact according to the given artifact uri.
  6. After the scan, the Engine sends a response to the given response uri.


Microengines offer threat intelligence in exchange for NCT.

Microengines are developed by individuals or organizations who have a knack for identifying malware. If you have unique insight into a particular malware family, class, file type, etc and want to access samples, boost your engine reputation, and earn money/tokens (NCT), then you want to develop a Microengine!

What Makes a Microengine

Microengines encapsulate security expertise in an autonomous process that earns Nectar (NCT) rewards for accurately identifying new strands of malware.

Specifically, Microengines:

  1. Are notified of bounties by a webhook call
  2. Download artifacts from PolySwarm
  3. Scan/analyze the artifacts
  4. Determine a Nectar (NCT) bid value
  5. Deliver an assertion (their verdict + bid) back to the marketplace

Developing an Engine

Ready to develop your first Engine and start earning NCT?


Arbiters are paid (via marketplace transaction fees) to determine ground truth.

Arbiters marshall the marketplace by way of determining "ground truth". The Arbiter-derived ground truth is used to determine which Microengines are correct and thus rewarded.

PolySwarm is manually selecting Arbiters at this time, but we plan to develop a process where a Microengine can be promoted to an Arbiter, based on performance.

Developing an Arbiter

Developing Microengines and Arbiters is a virtually identical process. As a first step, we'll need to set up a development environment.


Ambassadors place bounties (artifacts + NCT) and receive timely crowdsourced threat intelligence in response.

Swarm Technologies is the only Ambassador currently supported by the PolySwarm Marketplace. Enterprises seeking to query PolySwarm for threat intelligence may purchase a subscription directly from Swarm Technologies

2024 © PolySwarm Pte. Ltd.