Roles in the Marketplace

PolySwarm is a threat intelligence marketplace with Microengines supplying intelligence, Ambassadors brokering access to the intelligence and Arbiters determining ground truth, mediating the marketplace.

How it works (refer to this diagram):

  1. An Ambassador "bounties" a suspect artifact (a file, URL, IP address or domain) on behalf of its customer.
  2. Microengines are alerted to the bounty and decide whether the artifact is within their area of expertise.
  3. If the Microengine feels that it is able to correctly categorize the artifact as malicious or benign, it produces an assertion and places a stake of NCT on that assertion.
  4. The Ambassador considers all the Microengines' assertions and returns a verdict to their customer.
  5. 過了一段時間。
  6. 仲裁者 提供關於此惡意樣本的 真正事實
  7. Microengines whose assertions match ground truth are rewarded with the escrowed funds of Microengines that disagreed.

For full details, please refer to the PolySwarm whitepaper.


Microengines offer threat intelligence in exchange for NCT.

Microengines are developed by individuals or organizations who have a knack for identifying malware. If you have unique insight into a particular malware family, class, file type, etc and want to earn tokens (NCT) along with a reputation for that insight, then you want to develop a Microengine!

What Makes a Microengine

Microengines encapsulate security expertise in an autonomous process that earns Nectar (NCT) rewards for accurately identifying new strands of malware.


  1. 1 frontend (producer): responsible for communicating with the PolySwarm marketplace: ingesting bounties, triaging artifacts, producing pub/sub scan events for backends, implementing a staking strategy and posting assertions. The frontend translates marketplace bounties into events on a pub/sub queue for backends to consume and distills responses from backends into marketplace actions.
  2. N backends (consumers): the actual scanners that process artifacts and produce assertions (malicious / benign) coupled with confidence ratings. These backends are tasked by the frontend. The pub/sub architecture between the two components allows for trivial horizontal scaling of heavier backends.


  1. Listen for bounties on the Ethereum blockchain (via polyswarmd)
  2. Download artifacts (via polyswarmd)
  3. Scan/analyze the artifacts
  4. Determine a Nectar (NCT) staking amount
  5. Deliver an assertion (their verdict + stake) back to the marketplace


準備好開始開發您的第一個微引擎並開始賺取 NCT 了嗎?

Set up a Linux development environment (Recommended) →

Linux-based Microengines are far easier to test and come with more deployment options than Windows-based Microengines. If possible, we highly recommend building Linux-based Microengines.

My scan engine only supports Windows; set up a Windows developement environment →


Ambassadors place bounties (artifacts + NCT) and receive timely crowdsourced threat intelligence in response.

Enterprises seeking to query PolySwarm for threat intelligence may:

  1. purchase a subscription directly from Swarm Technologies
  2. work with a third party that runs an Ambassador on their behalf
  3. act as their own Ambassador

If your organization requires finer grained control over marketplace interactions or you wish to build value-added services on top of PolySwarm (e.g. as an MSSP), you may want to build an ambassador.

Set up a Linux development environment →

Ambassadors are only supported under Linux.


Arbiters are paid (via marketplace transaction fees) to determine ground truth.

Arbiters marshall the marketplace by way of determining "ground truth". Arbiter serve a critical role: Arbiter-derived ground truth is used to determine which Microengines are correct and thus rewarded. Crucially, Arbiters must expand their internal threat detection capabilities, taking into consideration the assertions of Microengines to push the boundaries of what the PolySwarm marketplace can detect.

Learn more about creating an Arbiter → (coming soon)