GRAPHCTI
graphcti // an ai-native knowledge graph for threat intelligence

Threat intel platforms store intelligence.
This one analyzes it with you.

the graph is the product · conversation is the interface

Traditional Threat Intelligence Platforms (TIPs) are enriched repositories: everything hangs off siloed report objects, and the analysis is still on you. GraphCTI extracts what reports actually assert, the claims about actors, TTPs, intent, and indicators, into nodes an interpretation layer can traverse. The result: threat profiles in seconds, a fast-moving landscape you can interrogate at scale, and a clear view of what your collection knows and doesn't. Those gaps feed straight back into your PIRs. It does the labor; you own the judgment. Watch one claim become structure.

ingest // multi-source → knowledge graph
[diagram] edge types: RUNS · USES · DEPLOYS · EXPLOITS · TARGETS · IN_SECTOR · DESCRIBES
[diagram] nodes: Actor (qilin) · Campaign (spring 26) · TTP (T1486) · Malware (payload) · CVE (exploited) · Org (victims) · Sector (Health) · Report (cited)
the model

The intelligence cycle, automated end to end

These five steps are how every intelligence function on earth works. The order below is the order they run: each stage feeds the next. Watch where a traditional platform stops, and where this one doesn't.

PHASE 1

Requirements

A lightweight profile (sector, geography, stack) defines what matters to you.

PHASE 2

Collection

Connectors pull leak sites, ATT&CK, KEV, and the premium feeds you already license.

PHASE 3

Processing

Extraction, entity resolution, and dedup turn raw records into provenance-tagged claims.

PHASE 4

Analysis

A reasoning model traverses the graph: trends, divergences, actor profiles.

PHASE 5

Dissemination

Written briefings, on schedule, in intelligence-community language: fact, then assessment.

Legacy platforms cover phases two and three, then hand you a search box. The other half of the cycle, the half that was your job, is the product here.


Phase 1 · Requirements — GraphCTI

PIRs are nodes, not paperwork
[diagram] Acme profile -HAS_PIR-> PIR-01 (ransom · health) · PIR-02 (edge exploit) · PIR-03 (supply chain); linked nodes: Sector (Health) · TTP (T1190) · Org (vendor)
requirements live in the graph, queryable like everything else

Phase 2 · Collection — GraphCTI

every source, one graph
[diagram] sources: leak sites · vendor reports · ATT&CK · KEV · your licensed feeds
every record lands with source and timestamp; provenance is not optional

Phase 3 · Processing — GraphCTI

claims, resolved and deduplicated
[diagram] raw record: "victim": "ACME HEALTH LLC" · "group": "qilin" · "desc": "…zoominfo.com/acme…"
aggregator domain → denylisted
acme-health.com + ACME HEALTH LLC → Org (acme-health.com) · deduplicated · one node
two names, one entity: entity resolution at ingest

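The resolution step sketched in the Phase 3 panel, as an added Python example over constructed leak-site records (not GraphCTI's code); the aggregator denylist, the legal-suffix list and the function names extract_domains, name_key and resolve are assumptions:

```python
import re

# Constructed sample leak-site records (not real victims), modelled on the Phase 3 panel:
# the same organization is posted once by company name and once by domain, and one
# description links only an aggregator profile, which must not become the victim domain.
RAW_RECORDS = [
    {"group": "qilin", "victim": "ACME HEALTH LLC", "posted": "2026-06-07",
     "desc": "see https://www.zoominfo.com/c/acme-health-llc/1"},
    {"group": "qilin", "victim": "acme-health.com", "posted": "2026-06-08",
     "desc": "regional provider, acme-health.com"},
    {"group": "INC Ransom", "victim": "Acme Fabrication, Inc.", "posted": "2026-06-07",
     "desc": "https://acme-fabrication.com/about"},
]
# Assumed denylist: aggregator hosts that describe a company but never identify the victim.
AGGREGATOR_DENYLIST = {"zoominfo.com", "linkedin.com", "crunchbase.com"}
LEGAL_SUFFIXES = {"llc", "inc", "ltd", "corp", "co", "plc", "gmbh"}
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def extract_domains(text):
    """Registrable domains (last two labels) found in text, minus denylisted aggregators."""
    found = {".".join(m.group(1).lower().split(".")[-2:]) for m in DOMAIN_RE.finditer(text)}
    return {d for d in found if d not in AGGREGATOR_DENYLIST}

def name_key(victim):
    """Resolution key: 'ACME HEALTH LLC' and 'acme-health.com' both become 'acme health'."""
    domains = extract_domains(victim)
    if domains:                      # a bare domain: key on its second-level label
        victim = next(iter(domains)).split(".")[0]
    words = re.split(r"[^a-z0-9]+", victim.lower())
    return " ".join(w for w in words if w and w not in LEGAL_SUFFIXES)

def resolve(records=RAW_RECORDS):
    """Entity resolution at ingest: one Org node per organization, carrying every
    alias, every non-aggregator domain, and each raw record as a provenance-tagged claim."""
    orgs = {}
    for i, rec in enumerate(records):
        org = orgs.setdefault(name_key(rec["victim"]),
                              {"names": set(), "domains": set(), "claims": []})
        victim_domains = extract_domains(rec["victim"])
        if not victim_domains:       # a company name is an alias, a domain is not
            org["names"].add(rec["victim"])
        org["domains"] |= victim_domains | extract_domains(rec["desc"])
        org["claims"].append({"group": rec["group"], "posted": rec["posted"],
                              "source": f"leak-site record {i}"})
    return orgs
```

Two raw records collapse into one Org node while each keeps its own provenance entry; the zoominfo link never becomes a victim domain.
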
Phase 4 · Analysis — GraphCTI

relevance is a traversal
[diagram] Rpt (2h ago) · Rpt (9h ago) · Rpt (26h ago) -MENTIONS-> Qilin · ShinyHunters -ANSWERS-> PIR-01 (ransom · health) · PIR-03 (supply chain) <-HAS_PIR- Acme (you)
the report answers PIR-01 → PIR-01 belongs to you → relevance is structural · stale reporting falls out of the window

Phase 5 · Dissemination — GraphCTI

augmented report writing: drafted by the graph, owned by the analyst · not built yet
WEEKLY INTELLIGENCE BRIEFING · MON 06:00 · DRAFT FOR ANALYST REVIEW
FACT

qilin disclosed 17 healthcare victims this week. graph: 3 sources · PIR-01

FACT

New edge-device exploitation reporting links T1190 to two actors active in your sector. PIR-02

ASSESS

Elevated risk to regional providers over the next quarter; prioritize edge appliance patching. moderate confidence

NOT BUILT YET: dissemination here is augmentation, not replacement. The graph drafts grounded facts and surfaces insights; the analyst writes the assessment and owns the product. Teams that prefer fully analyst-written reports keep them; the graph just does the gathering.

Phase 1 · Requirements — traditional TIP

a document, not data
[mockup] PIR_2026_FINAL_v3.docx · 1. Which ransomware groups target healthcare? · 2. Which vulns are exploited against our stack? · 3. Are our suppliers being targeted? · last modified: 9 months ago · SharePoint
a static document the platform never reads, so requirements can't drive queries

Phase 2 · Collection — traditional TIP

feeds in, rows out
[mockup] MISP connector · TAXII feed · RSS / vendor blogs → INDICATORS & OBSERVABLES
  10.4.x.x · ip-src · qilin · 2026-06-08
  a3f9…c41 · sha256 · unattributed · 2026-06-08
  acme-health[.]com · domain · — · 2026-06-07
  ‹ prev · page 1 of 4,217 · next ›
rows accumulate; context doesn't

Phase 3 · Processing — traditional TIP

DIY playbooks · paywalled rules
[mockup] trigger: new report object → enrich IOC (you build this) → tag & file (you maintain this) → auto-extraction of TTPs & intent · ENTERPRISE TIER 🔒
processing is build-it-yourself, or behind a subscription wall

Phase 4 · Analysis — traditional TIP

you are the traversal engine
[mockup] REPORT #4412 · actor: Qilin · TTPs: see PDF (p. 7–11) · related: Qilin → ACTOR: QILIN · aliases: Agenda · sectors: (per report) · related reports (38) → REPORT #3007 · actor: Qilin · open PDF · read 18 pages · extract relevance by hand
…12 clicks later, the hypothesis lives in your head, not in the data

Phase 5 · Dissemination — traditional TIP

manual drafting, every week
[mockup] Weekly_Threat_Report_DRAFT_v3.docx · Executive summary — TODO · copy stats from TIP · reformat · cite · screenshot · due Friday COB
dissemination is an analyst-hour tax; most TIPs don't even try

the landscape

The same intelligence, two ways

Below is one dataset rendered twice. A traditional TIP stores victimology as records and makes you page through them; relationships exist only if you think to ask. A knowledge graph stores the relationships as the data, so the pattern is the first thing you see, not the last thing you find.

TRADITIONAL TIP · TABLE VIEW

disclosed    group         victim                 sector         country
2026-06-08   qilin         acme-imaging.com       Healthcare     US
2026-06-07   INC Ransom    acme-fabrication.com   Manufacturing  US
2026-06-06   qilin         acme-clinics.org       Healthcare     US
2026-06-05   ShinyHunters  acme-metallwerk.de     Manufacturing  DE
2026-06-04   INC Ransom    acme-health.net        Healthcare     US
2026-06-03   qilin         acme-medical.ca        Healthcare     CA
2026-06-02   INC Ransom    acme-machining.com     Manufacturing  US
2026-06-01   qilin         acme-surgical.com      Healthcare     US
‹ prev · page 1 of 4,217 · next ›

RECORD DETAIL · siloed view
group: · victim: · meta:
related entities: none linked · shared TTPs: unknown · PIR relevance: unknown
extraction: manual: open the report, read it, copy TTPs / intent / IOCs by hand
context requires three more searches, each one another silo

Every fact is in here. The connections between facts (shared techniques, sector concentration, actor overlap) are not. Click a row: the detail view is a dead end.

GRAPHCTI · KNOWLEDGE GRAPH VIEW
[diagram] PIR-01 (ransom · health) → Health sector → victims → qilin · INC Ransom · ShinyHunters → T1486 (encrypt); also Mfg sector, US
two actors · one technique: a shared detection priority, visible as a path · sector concentration at a glance, not on page 47 · row 1: same record, connected · maps to PIR-01 · 6 victims → briefing item
legend: actor · victim org · sector · technique · country · PIR (requirement)

Same eight records, restructured as a knowledge graph: every entity is a node and every relationship can be traversed. An answer is a path. Start at PIR-01, walk to the sector it covers, to the victims inside the window, to the actors behind them, to the technique those actors share. The conclusion emerges from the hops, not from rereading reports.

lookup → traversal

A TIP answers "show me records matching X." A graph answers "what connects X to Y": paths, not pages.

dashboard → question

Dashboards pre-compute the questions someone anticipated. The graph takes the question you have today.

record → relationship

In a repository the value is in the rows. In intelligence the value was always in the edges between them.

long-form reporting

Reports become claims, not stored prose

A twenty-page vendor report is mostly narrative. Its intelligence payload is a handful of atomic assertions. Extraction keeps the assertions, each grounded to a verbatim source span, and lets the prose go.

VENDOR REPORT // 18 PP · JUN 2026

…Initial access in the observed intrusions followed exploitation of CVE-2024-3400 on internet-facing PAN-OS appliances, with web shells staged within minutes of first contact. After credential harvesting and lateral movement over SMB, the operators deployed a Rust-based locker consistent with T1486 across both ESXi and Windows estates. Victimology over the period clusters in US healthcare delivery organizations, mirroring leak-site cadence we track separately. Overlap in negotiation portal infrastructure and payload code-signing supports attribution to Qilin with moderate confidence.

extracting claims…
[diagram] edges: EXPLOITS · USES · TARGETS · CITES; nodes: Qilin · CVE-2024-3400 · T1486 (encrypt) · Health (sector) · Report (new)
existing nodes converge · only the Report node is new
accuracy

Grounded by architecture, not by promise

This is retrieval-augmented generation (RAG) in its strictest form: retrieval returns structured assertions and deterministic query results, not loose text snippets. Facts in an answer come only from the graph; the model's own knowledge is fenced off as labeled assessment; and what the graph doesn't contain is reported as a gap, never papered over. Every fact carries a receipt:

ANSWER
  Qilin leads Healthcare this month: 6 victims in the 30-day window.
produced by QUERY · deterministic, inspectable
  MATCH (g)-[:POSTED]->(p)-[:NAMES]->(o)-[:IN_SECTOR]->(:Sector {name:'Healthcare'}) …
which matched CLAIM · provenance-tagged
  (Qilin)-[:TARGETS {confidence:'high', source:'rpt-4412'}]->(Healthcare)
extracted from SOURCE SPAN · verbatim, or the claim is rejected
  "Victimology over the period clusters in US healthcare delivery organizations"
  vendor report #4412 · June 2026 · p. 7
no receipt, no fact: anything ungrounded ships as labeled assessment or as a gap
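The receipt chain above, reproduced as an added Python example (not GraphCTI's code) over constructed demo data drawn from this page's victim table; POSTS, SOURCES, CLAIMS and the functions grounded_claims, victims_by_group and answer are assumptions standing in for the graph and its Cypher query, and the demo "today" is fixed at 2026-06-10:

```python
from datetime import date, timedelta

# Constructed demo data modelled on this page's victim table and receipt (not a real tenant).
# Posts as a leak-site connector records them: (group, victim, sector, disclosed).
POSTS = [("qilin", "acme-imaging.com", "Healthcare", date(2026, 6, 8)),
         ("INC Ransom", "acme-fabrication.com", "Manufacturing", date(2026, 6, 7)),
         ("qilin", "acme-clinics.org", "Healthcare", date(2026, 6, 6)),
         ("INC Ransom", "acme-health.net", "Healthcare", date(2026, 6, 4)),
         ("qilin", "acme-medical.ca", "Healthcare", date(2026, 6, 3)),
         ("qilin", "acme-surgical.com", "Healthcare", date(2026, 4, 1))]  # outside the window
# Source text the extractor cited (constructed stand-in for vendor report #4412, p. 7).
SOURCES = {"rpt-4412": "Victimology over the period clusters in US healthcare delivery "
                       "organizations, mirroring leak-site cadence we track separately."}
# Extracted claims: each quotes the span it came from; a span not found verbatim is rejected.
CLAIMS = [{"subject": "qilin", "rel": "TARGETS", "object": "Healthcare", "confidence": "high",
           "source": "rpt-4412", "span": "clusters in US healthcare delivery organizations"},
          {"subject": "qilin", "rel": "USES", "object": "T1190", "confidence": "medium",
           "source": "rpt-4412", "span": "exploits PAN-OS appliances"}]  # paraphrase, not verbatim

def grounded_claims(claims=CLAIMS, sources=SOURCES):
    """Keep a claim only if its span occurs verbatim in the cited source."""
    accepted, rejected = [], []
    for c in claims:
        (accepted if c["span"] in sources.get(c["source"], "") else rejected).append(c)
    return accepted, rejected

def victims_by_group(sector, today, window_days=30, posts=POSTS):
    """Deterministic, inspectable query: victim posts per group in the sector and window."""
    start = today - timedelta(days=window_days)
    counts = {}
    for group, _victim, sec, disclosed in posts:
        if sec == sector and start <= disclosed <= today:
            counts[group] = counts.get(group, 0) + 1
    return counts

def answer(sector, today=date(2026, 6, 10)):
    """A fact ships with its receipt chain (query rows -> claim -> source span);
    an empty result is reported as a gap rather than filled from model knowledge."""
    rows = victims_by_group(sector, today)
    if not rows:
        return {"gap": f"the graph holds no {sector} victim posts in the 30-day window"}
    group, n = max(rows.items(), key=lambda kv: kv[1])
    receipts = [{"claim": f"({c['subject']})-[:{c['rel']} {{confidence:'{c['confidence']}', "
                          f"source:'{c['source']}'}}]->({c['object']})",
                 "span": c["span"], "source": c["source"]}
                for c in grounded_claims()[0] if c["subject"] == group and c["object"] == sector]
    return {"fact": f"{group} leads {sector}: {n} victims in the 30-day window",
            "query": {"sector": sector, "window_days": 30, "rows": rows}, "receipts": receipts}
```

Asking about a sector the demo graph has no posts for returns a gap object instead of a fact, which is the "known unknowns are a deliverable" behaviour described on this page.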
the interface

Ask the graph a question

No query language, no dashboard builder. A question in plain English becomes validated Cypher (deduplicated, date-bounded, auditable) and comes back as an answer you can put in front of leadership. Including what the graph doesn't know: known unknowns are a deliverable here, not an embarrassment.

sample exchange · demo data · live platform queries your tenant graph
[diagram] Question (plain English) → Cypher (validated · bounded) → graph (PIR · Posts · Actors) → RESULTS (raw rows) → frontier model → ANSWER (grounded facts · labeled assessment · flagged gaps)