ThreatGraph Lab

Adversary knowledge graphs for cyber, crypto and machine-speed threat intelligence.

ThreatGraph Lab models threat intelligence as relationships, not lists: actors, tools, infrastructure, malware, vulnerabilities, wallets, bridges, protocols, campaigns and controls.

Knowledge Graphs · OSINT · Graph-RAG · DeFi Threat Intel
Graph Intelligence Layer

Relationships carry more value than isolated indicators.

The entity mesh shows how actors, tools, infrastructure, TTPs, exploit primitives, sources and controls can be represented as a living intelligence graph.

Confidence, provenance and time decay become first-class properties rather than analyst footnotes.

Current Landscape

What matters now.

Flat IOC feeds decay quickly. Relationships decay more slowly. The strategic value is in the graph: who used which tool, which infrastructure supported it, which exploit primitive enabled it, and which control breaks the chain.

AI can accelerate analysis, but only when grounded in provenance-scored evidence. A credible analyst assistant must cite graph facts, expose uncertainty and refuse unsupported attribution.

The future of threat intelligence is graph-native, temporal and scenario-generating: the same dataset can support investigation, detection engineering and cyber-range mission creation.

Research Programme

Operational focus.

  • Entity model for actor, campaign, infrastructure, malware, wallet, exploit, protocol, bridge, vulnerability, control and source.
  • Temporal edges with confidence, source class, corroboration count, freshness and contradiction handling.
  • Graph-RAG analyst interface restricted to curated evidence rather than open-ended speculation.
  • Scenario generator that converts observed chains into safe defensive training missions.
research programme · prototype track · dashboard track · security-first

Prototype Entity Schema (graph model)
{
  "entity": "campaign",
  "id": "camp.synthetic-id-ops.2026",
  "relations": [
    {"type":"uses", "target":"tool.llm-voice-clone", "confidence":0.74},
    {"type":"targets", "target":"sector.financial-kyc", "confidence":0.68},
    {"type":"observed_with", "target":"wallet.cluster.bridge-drain", "confidence":0.41}
  ],
  "provenance": ["osint.report", "chain.telemetry", "incident.note"],
  "decay_model": "confidence *= freshness * corroboration"
}
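The research programme's temporal edges (confidence, source class, corroboration count, freshness, contradiction handling) and the schema's decay rule above are easier to reason about as running code. The following is an added example written for this page, not ThreatGraph Lab's own code: it loads the campaign from the prototype schema into a small in-memory graph, applies the page's rule `confidence *= freshness * corroboration` at query time, and answers Graph-RAG style questions with citations or an explicit refusal when the evidence is too weak. The per-source weights, per-relation half-lives, observation dates and the attribution threshold are assumptions chosen for illustration.

```python
"""Added example, not ThreatGraph Lab's own code: a minimal temporal entity
graph whose edges carry confidence, source classes, corroboration and
freshness, with the page's decay rule applied when the graph is queried.
Source weights, half-lives, dates and the threshold below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Assumed trust weight per source class (the page names the classes, not the weights).
SOURCE_WEIGHT = {"incident.note": 1.0, "chain.telemetry": 0.9, "osint.report": 0.6}
# Assumed half-life in days per relation type: wallet co-observation goes stale
# faster than sector targeting.
HALF_LIFE_DAYS = {"uses": 180.0, "targets": 365.0, "observed_with": 60.0}
ATTRIBUTION_THRESHOLD = 0.5  # assumed cut-off below which the assistant declines to assert
SAMPLE_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


@dataclass
class Edge:
    subject: str                 # e.g. "camp.synthetic-id-ops.2026"
    relation: str                # "uses", "targets", "observed_with"
    target: str
    base_confidence: float       # analyst-assigned confidence at recording time
    sources: List[str]           # provenance labels, as in the page's schema
    observed: datetime           # last time the relation was observed
    contradicted_by: List[str] = field(default_factory=list)  # sources disputing it


def freshness(edge: Edge, now: datetime) -> float:
    """Exponential time decay: 1.0 when just observed, 0.5 after one half-life."""
    age_days = max(0.0, (now - edge.observed).total_seconds() / 86400.0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS.get(edge.relation, 90.0))


def corroboration(edge: Edge) -> float:
    """Noisy-OR over distinct supporting source classes, halved per contradiction."""
    miss = 1.0
    for cls in set(edge.sources):
        miss *= 1.0 - SOURCE_WEIGHT.get(cls, 0.3)  # unknown classes get a low assumed weight
    return (1.0 - miss) * 0.5 ** len(edge.contradicted_by)


def effective_confidence(edge: Edge, now: datetime) -> float:
    """The page's decay model: confidence *= freshness * corroboration."""
    return edge.base_confidence * freshness(edge, now) * corroboration(edge)


class ThreatGraph:
    def __init__(self) -> None:
        self.edges: List[Edge] = []

    def add(self, edge: Edge) -> None:
        self.edges.append(edge)

    def relations(self, subject: str, relation: str,
                  now: datetime) -> List[Tuple[str, float, List[str]]]:
        """(target, effective confidence, citations) for a subject/relation, strongest first."""
        out = [(e.target, effective_confidence(e, now), sorted(set(e.sources)))
               for e in self.edges if e.subject == subject and e.relation == relation]
        return sorted(out, key=lambda t: -t[1])

    def answer(self, subject: str, relation: str, now: datetime) -> str:
        """Cited answer for an analyst assistant; refuses rather than guessing."""
        supported = [(t, c, s) for t, c, s in self.relations(subject, relation, now)
                     if c >= ATTRIBUTION_THRESHOLD]
        if not supported:
            return (f"insufficient evidence to assert '{subject} {relation} ?' "
                    f"(threshold {ATTRIBUTION_THRESHOLD})")
        return "; ".join(f"{subject} {relation} {t} (confidence {c:.2f}, sources: {', '.join(s)})"
                         for t, c, s in supported)


def build_sample_graph(now: datetime) -> ThreatGraph:
    """Constructed sample: the campaign from the page's prototype schema, with assumed dates."""
    g = ThreatGraph()
    camp = "camp.synthetic-id-ops.2026"
    g.add(Edge(camp, "uses", "tool.llm-voice-clone", 0.74,
               ["osint.report", "chain.telemetry", "incident.note"], now))
    g.add(Edge(camp, "targets", "sector.financial-kyc", 0.68,
               ["osint.report"], now - timedelta(days=365)))
    g.add(Edge(camp, "observed_with", "wallet.cluster.bridge-drain", 0.41,
               ["chain.telemetry"], now, contradicted_by=["incident.note"]))
    return g


if __name__ == "__main__":
    graph = build_sample_graph(SAMPLE_NOW)
    for rel in ("uses", "targets", "observed_with"):
        print(graph.answer("camp.synthetic-id-ops.2026", rel, SAMPLE_NOW))
```

With these assumptions the `uses` edge keeps its full 0.74 (fresh, three corroborating classes), the year-old single-source `targets` edge decays to about 0.20, and the contradicted wallet observation drops to about 0.18, so the assistant cites only the first and declines the other two instead of attributing on weak evidence.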
2026–2030 Prognosis

Likely trajectories for the next cycle.

Forward-looking forecasts grounded in present standards, tooling direction and adversary incentives.

2026

Graph intelligence normalises

Security teams increasingly move from indicator lists to entity graphs with explicit provenance and confidence scoring.

2027–2028

Graph-RAG enters analyst workflows

Natural-language interfaces become useful only where graph evidence is inspectable, cited and uncertainty-aware.

2029–2030

Threat graphs generate training environments

Knowledge graphs feed cyber ranges, control testing and adversary-emulation scenario generation.

Research Outputs

What the programme produces.

The output layer converts research into visible artefacts: models, diagrams, simulators, dashboards, datasets, playbooks and defensible architectures.

  • Graph Explorer: interactive entity, relationship and confidence view.
  • DeFi Exploit Map: cross-chain exploit primitives and dependency chains.
  • Actor Dossiers: evidence-backed profiles with confidence levels.
  • Scenario Generator: defensive missions derived from graph patterns.