How CACI's DarkBlue Uses Elasticsearch and Claude to Accelerate Dark Web Criminal Investigations
CACI's DarkBlue Intelligence Suite is a cloud-based platform that enables national security agencies, law enforcement, and intelligence teams to search and analyze dark web and open-source intelligence (OSINT) data to identify and deanonymize criminals. Built on Elasticsearch and Elastic Observability, DarkBlue's newest feature, CluesAI, harnesses Anthropic Claude LLMs via AWS Bedrock to generate automated intelligence reports that connect criminal personas across the dark web in seconds.
Impact
Criminal investigation acceleration: Seconds per query regardless of data age or volume
Analyst time saved on lead investigation: Countless hours saved
New data source integration time: Rapid (no new software stack needed)
Client safety: Full dark web search without browser exposure
Challenge
CACI needed a search and analytics foundation capable of ingesting massive, unstructured dark web and OSINT datasets from constantly evolving sources, delivering search results in seconds regardless of data volume or age, and enabling law enforcement clients to investigate criminal activity without the security risks of accessing the dark web directly.
Solution
Elasticsearch and Elastic Observability power DarkBlue's core search and analytics platform, using Elastic Agents, Fleet, Kibana, and persistent data archiving to enable OSINT investigation across dark and open web sources. CluesAI, built on Anthropic Claude LLMs via AWS Bedrock, adds automated intelligence report generation to deanonymize threat actors.
What Leaders Say
“Elastic's search and pivot capabilities allow us to connect the dots. We can often link anonymous personas to a single actor with just one query.”
“Elastic helps us move quickly. It simplifies the process of integrating new data sources and removes the need for complex setup across multiple applications.”
“Our clients trust us, and we trust Elastic. We count on Elastic to help us track criminal activity across hidden spaces online.”
Full Story
The dark web hosts illegal activities—drug trafficking, arms trading, ransomware sharing, human trafficking—worth over $4 billion. CACI is an international leader in dark web analysis. Its DarkBlue Intelligence Suite enables national security and intelligence teams to search open-source intelligence (OSINT) and unmask criminals operating on the dark web, with additional expansion to other open web sources hosting illicit activity.
Building a platform to search and analyze this volume of unstructured, constantly shifting data required infrastructure capable of ingesting diverse data sources at scale, delivering search results in seconds regardless of data age, and enabling clients to analyze data without exposing themselves to the dark web's inherent risks.
DarkBlue chose Elasticsearch and Elastic Observability as the core of its platform from the beginning. Running on AWS cloud with Elastic Agents and Fleet for data collection, DarkBlue can ingest structured and unstructured data from almost any source using schemas and templates set up once—without needing to build new software and connections for each. Kibana makes it easy to visualize and query large volumes of ingested data in real time. Filter functionality and keyword fields enable exact matching on targeted selectors, while Boolean operations, fuzzy matching, and full-text search allow investigators to explore data in the ways investigations demand. Elasticsearch also archives data indefinitely, enabling investigators to trace criminal personas that change identities over time.
The platform's newest capability, CluesAI, adds generative AI to the workflow. Harnessing Anthropic Claude LLMs via AWS Bedrock, CluesAI cross-references potentially identifying information across the dark web dataset maintained in Elasticsearch and generates automated intelligence reports—saving analysts and investigators countless hours of manually running down leads to deanonymize threat actors.
With DarkBlue, law enforcement clients can search for information without downloading a dark web browser or exposing themselves to malware or disturbing content. Searches complete in seconds regardless of the data's age or source. Seamless integration of new data sources—including leading crypto analyst firms added for cryptocurrency investigation—means the platform evolves alongside the dark web itself.
"Elastic's search and pivot capabilities allow us to connect the dots. We can often link anonymous personas to a single actor with just one query," said Cory Everington, Head of the DarkBlue Intelligence Suite.