Threat Graph

Visualize the blast radius — which users, hosts, IPs and domains are connected to a case.

Last updated 3/8/2026

The Threat Graph turns the entity-relationship table into a visual map of an incident's reach.

What you see

  • Nodes for users, hosts, IPs, domains, services and access keys
  • Edges for observed relationships (authenticated_to, connected_to, queried, used_against, etc.) with confidence and evidence count
  • Risk-coloring driven by per-entity risk scores

Where the data comes from

The graph is built from the workspace's own entity and entity_relationships tables. It is not synthetic. Where data is missing, the graph shows fewer edges, not invented ones.
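
The following sketch shows how a graph and its blast radius can be derived from relationship rows. It is an added example, not the product's own code; the column names, the sample rows and the min_confidence parameter are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample rows; column names are assumptions, not the product's schema.
ENTITIES = [
    {"id": "u1", "type": "user", "name": "alice", "risk": 82},
    {"id": "h1", "type": "host", "name": "ws-014", "risk": 64},
    {"id": "ip1", "type": "ip", "name": "203.0.113.7", "risk": 91},
    {"id": "d1", "type": "domain", "name": "files.example.net", "risk": 40},
    {"id": "k1", "type": "access_key", "name": "key-ci", "risk": 55},
]
RELATIONSHIPS = [
    {"src": "u1", "dst": "h1", "relation": "authenticated_to", "confidence": 0.95, "evidence_count": 12},
    {"src": "h1", "dst": "ip1", "relation": "connected_to", "confidence": 0.80, "evidence_count": 3},
    {"src": "h1", "dst": "d1", "relation": "queried", "confidence": 0.30, "evidence_count": 1},
    # "s9" has no row in ENTITIES, so this edge must not appear in the graph.
    {"src": "k1", "dst": "s9", "relation": "used_against", "confidence": 0.90, "evidence_count": 4},
]

def build_graph(entities, relationships, min_confidence=0.0):
    """Return (nodes, adjacency), keeping only observed edges between known entities."""
    nodes = {e["id"]: e for e in entities}
    adj = defaultdict(list)
    for r in relationships:
        if r["src"] not in nodes or r["dst"] not in nodes:
            continue  # missing data means fewer edges, never an invented node
        if r["confidence"] < min_confidence:
            continue  # analyst-chosen cut-off for weak relationships
        adj[r["src"]].append((r["dst"], r))
        adj[r["dst"]].append((r["src"], r))  # reach is followed in both directions
    return nodes, adj

def blast_radius(seed_ids, entities, relationships, min_confidence=0.0):
    """Breadth-first walk from a case's seed entities; returns {entity_id: hops}."""
    nodes, adj = build_graph(entities, relationships, min_confidence)
    hops = {s: 0 for s in seed_ids if s in nodes}
    queue = deque(hops)
    while queue:
        cur = queue.popleft()
        for nxt, _edge in adj[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

if __name__ == "__main__":
    for eid, dist in blast_radius(["u1"], ENTITIES, RELATIONSHIPS, 0.5).items():
        print(dist, eid)
```

Raising min_confidence shrinks the reported reach, so the hop counts should be read together with the confidence and evidence count on each edge.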

Pivoting

Click any node to see the underlying entity record, related alerts and the investigations it appears in.
