Executive Narrative — March 2026

Why This Exists

The honest version. No buzzwords, no quadrants, no "paradigm shifts." Just the story of why seventeen intelligence platforms exist, what they actually do, and why the industry's current approach to security tooling is an expensive joke.

17 Platforms | 1M+ Graph Nodes | 104 Ingesters | 332 API Endpoints | 47 Core Modules | 1 Engineer

The Problem Nobody Talks About

Here's what happens at every enterprise I've ever worked in. A threat actor compromises an identity. The SIEM fires an alert. The SOC analyst opens Splunk in one tab, CrowdStrike in another, ServiceNow in a third, maybe Recorded Future if they're lucky, and starts manually correlating information across systems that were never designed to talk to each other.

They might find the IOC in their threat intel platform. They might notice the compromised identity has excessive privileges in Active Directory. They might connect it to a geopolitical event if they read the news that morning. But they probably won't — because all of that information lives in separate databases, separate UIs, separate mental models.

The average enterprise SOC runs 45+ security tools. The median time to detect a breach is still measured in months. Not because the data isn't there, but because nobody connected it.

That's the problem. Not detection. Not data volume. Fragmentation.

The Thought That Started Everything

What if all of it — the IOCs, the threat actors, the techniques, the identities, the geopolitical context, the financial signals, the OSINT trails — lived in one graph? Not one dashboard stitched together with APIs. One actual graph database where a threat actor node connects to the technique node connects to the detection rule connects to the compromised identity connects to the financial entity that funded the campaign.

That's not a theoretical architecture diagram. That's what I built.

Raw Feeds (NVD, MITRE, CISA, OTX, GDELT…) → 104 Ingesters (normalise & decompose) → Claims (atomic triples) → Neo4j (1M+ nodes, MERGE) → ML & AI (32 modules, GAT, GDS) → Analyst (83 windows)

You can start at a Raz0r SIEM detection, traverse to the threat actor in Signal, pivot to the OSINT entity in Nexus, check the identity exposure in 1D, and see the economic correlation in V01d — in a single Cypher query. Nobody else does this. Not because it's impossible. Because it requires building all 17 platforms yourself.

Why Graphs Beat Tables

Most security tools store data in rows and columns. Relational databases. Elasticsearch indices. Flat files. That works fine until you need to ask questions like "show me everything within 3 hops of this threat actor" or "which identities are reachable from this compromised endpoint through these specific attack techniques?"

In a relational database, that's a nightmare of JOINs. In a graph, it's one traversal. The relationships are first-class citizens, not afterthoughts.

Risk Propagation

High-risk actor → connected techniques → connected software → connected CVEs. Risk flows through the graph automatically with temporal decay (2-year-old edge = 48% weight).

Multi-hop Traversal

Start at any node, traverse N hops. Find lateral connections no analyst would manually correlate across 1M+ nodes and 14 entity types.

Cross-Domain Edges

A geopolitical event connects to a cyber campaign connects to a financial entity connects to a sanctioned org. One graph. One query.

The Graph at Scale

This isn't a proof-of-concept with a few hundred nodes. It's a production intelligence graph with real data:

89K+ Indicators (IOCs) | 48K+ Software | 21K+ Infrastructure | 1,900+ CVEs | 1,200+ ATT&CK Techniques | 245+ Threat Actors

14 node labels in Signal alone — Vulnerability, ThreatActor, Software, Technique, Indicator, Campaign, Infrastructure, Mitigation, Source, Event, EventSummary, Alert, DetectionRule, TelemetrySource. Fusion extends this with 20+ labels for cross-domain entities: SocialPost, EconomicIndicator, GeopoliticalEvent, Country, SanctionedEntity, and more.

Every node got there through the Claims engine — a frozen, immutable dataclass that decomposes any intelligence source into atomic subject/predicate/object triples. 500-claim batches, UNWIND MERGE into Neo4j, deadlock retry with exponential backoff. Provenance travels with every assertion.
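The Claims pipeline described above, as an added example rather than the project's own claims.py: a frozen dataclass per assertion, 500-row batches fed to a single UNWIND MERGE statement, and a deadlock retry loop with exponential backoff. The node label, Cypher text, sample keys and the TransientError stand-in are assumptions for this illustration.

```python
import random
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator

@dataclass(frozen=True)  # frozen: immutable and hashable, so a claim can be deduplicated
class Claim:
    subject: str      # e.g. "Indicator:198.51.100.7" (constructed sample key)
    predicate: str    # e.g. "SEEN_IN"
    obj: str          # e.g. "Campaign:Sample"
    source: str       # provenance travels with every assertion
    observed_at: str  # ISO-8601 date from the feed

BATCH_SIZE = 500  # the page's batch size

def batches(claims: Iterable[Claim], size: int = BATCH_SIZE) -> Iterator[list]:
    """Yield UNWIND-ready parameter rows, at most `size` claims per batch."""
    bucket = []
    for c in claims:
        bucket.append({"s": c.subject, "p": c.predicate, "o": c.obj,
                       "src": c.source, "t": c.observed_at})
        if len(bucket) == size:
            yield bucket
            bucket = []
    if bucket:
        yield bucket

# MERGE on every node and edge makes a batch idempotent: replaying it never duplicates data.
# Cypher cannot parameterise a relationship type, so the predicate is stored as a property.
MERGE_CYPHER = """
UNWIND $rows AS row
MERGE (s:Entity {key: row.s})
MERGE (o:Entity {key: row.o})
MERGE (s)-[r:CLAIM {predicate: row.p, source: row.src}]->(o)
ON CREATE SET r.observed_at = row.t
"""

class TransientError(Exception):
    """Stand-in for neo4j.exceptions.TransientError, which Neo4j raises on deadlock."""

def write_with_retry(run: Callable[[str, list], int], rows: list,
                     max_attempts: int = 5, base_delay: float = 0.01) -> int:
    """Run one batch via `run` (e.g. a session.execute_write wrapper); back off and retry on deadlock."""
    for attempt in range(max_attempts):
        try:
            return run(MERGE_CYPHER, rows)
        except TransientError:
            if attempt == max_attempts - 1:
                raise
            time.sleep(base_delay * (2 ** attempt) * (1 + 0.1 * random.random()))
```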


What Seventeen Platforms Actually Means

# | Platform | Domain | What It Does | Key Numbers
1 | Signal | CTI | Threat graph, ML risk scoring, adversary profiling, attribution, semantic search, causal inference, KQL generation, CISO briefings | 225 endpoints, 32 modules, 20 ingesters, 83 windows
2 | Fusion | Cross-domain | 84 ingesters across 8 domains (cyber, geopolitical, economic, social, environmental, military, health, tech), narrative clustering, scanner, forecasting | 107 endpoints, 15 modules, 84 ingesters
3 | Raz0r | SIEM | Rust EDR agent (ETW hooks, AMSI, memory scanning), ransomware predictor (phase 2 of 5 kill chain), cross-node correlator, auto-rule generation | 33 detection rules, 5-phase kill chain
4 | Nexus | OSINT | Suspicion propagation, money flow analysis, shell company tracing, vessel tracking, sanctions screening, UBO resolution | Graph-native investigations
5 | Kin0bi | Financial | Real-time crypto/stocks/forex, ML anomaly detection, cross-asset correlation, portfolio risk modelling | Log returns, not raw prices
6 | 1D | Identity | BloodHound-style AD/Azure AD graph, LDAP integration, attack path analysis, kerberoastable account detection | Identity exposure scoring
7 | V01d | Sentiment | GDELT/RSS/Reddit/FRED pipeline, Oracle composite score, Cyber Barometer, ninjaTONE dashboard, Galaxy 3D visualisation | Granger causality, 3D point cloud
8 | V0id | Agents | 3 autonomous LLM-driven agents: Sentinel (triage), Warden (containment), Spectre (hunting); IR playbooks, detection engineering, forensic packaging | 8 IR playbooks, chain-of-custody
9 | Los Alamos | Wargaming | Red vs Blue agentic range; LLM-driven red team trinity (Kage, Oni, Yurei) vs V0id blue agents; tick engine, ELO scoring, chimera TTP randomiser | 5 environment templates, ELO rating
10 | Knox | Secrets | Encrypted vault, crypto toolkit (AES-GCM, ChaCha20, SHA-3, Ed25519, ML-KEM), privacy engine (13 PII types), TOTP authenticator, password generator | No Neo4j: lightest app, PWA
11 | Social | Collaboration | Real-time TI messaging, WebSocket channels, DMs, IOC auto-detection in messages, NATS live feed, E2E encryption | 6 default channels, PWA
12 | War Room | Incident Response | LiveKit video conferencing, shared incident timelines, IOC enrichment panel, NATS alert feed, 4 IR playbooks, 8-phase breach containment tracker | Commander/analyst/observer roles
13 | ANTOS | UX | Embedded unified analyst desktop at /antos | UI-only, sub-app
14 | NinjaClaw | CLI | Hardened CLI security agent, 10 scanners, CIS benchmark rules, Claude AI assessment, Signal intel integration, zero attack surface | PyPI package
15 | Sabaki | Vulnerability | Vuln triage & remediation, multi-scanner ingest (Nessus/Qualys/Tenable/Inspector), 8-factor priority scoring, auto-FP detection, ServiceNow integration | Top 10 generator, auto-ticket routing
16 | Depth | Supply Chain | Recursive dependency auditor, SBOM generation, licence compliance, vulnerability cross-reference with Signal graph | Recursive tree analysis
17 | GITAIR | DevSecOps | Git security scanning, air-gapped repository management |

Every single one shares SSO authentication (JWT token exchange), NATS JetStream event bus (9 subject hierarchies, at-least-once delivery), and the Neo4j graph mindset. When Raz0r detects a suspicious process, it publishes to the bus. V0id agents auto-triage. Signal enriches the IOC. Fusion correlates with geopolitical context. All without any app knowing about the others.

Signal: The Cyber Core

225 API endpoints. 32 core modules. 83 floating windows. 20 ingesters. Signal is the hub — the cyber threat intelligence platform that everything else connects to.

Intelligence Sources (20 Ingesters)

NVD (CVEs), MITRE ATT&CK (TAXII + D3FEND), CISA KEV, OTX (AlienVault), Abuse.ch suite (MalwareBazaar, ThreatFox, Feodo, URLhaus), GitHub Advisories, CIRCL MISP, OpenCTI, phishing feeds, ransomware trackers, AML sanctions.

Analytical Modules (32)

ml.py: Risk propagation, Louvain communities, link prediction, centrality, GDS projections
gat.py: Graph Attention Networks for node classification
graphsage.py: GraphSAGE inductive node embeddings
semantic.py: LanceDB + TF-IDF hybrid vector search
geo.py: H3 hexagonal heatmaps, 99 country centroids
causal.py: DoWhy causal inference, 4 CTI scenarios
extraction.py: LLM (Claude) CTI entity extraction
attribution.py: ORIGAMI multi-source actor attribution
adversary_dna.py: 18-dim behavioral fingerprinting
twins.py: Adversary digital twins, Monte Carlo sim
cascade.py: Cascade failure prediction
neuromorphic.py: Neuromorphic graph processing
federated.py: Federated TI sharing
causal_rl.py: Reinforcement learning for causal response
org_twin.py: Organisational digital twin
bus.py: NATS JetStream event bus (9 subjects)
kql.py: KQL rule gen for Microsoft Sentinel
process_mining.py: Attack flow discovery & conformance
briefing.py: Automated CISO briefing generation
threat_diff.py: Temporal threat landscape diffing

Plus forecast.py, emergent.py, traffic.py, datalab.py, mesh.py, predictions.py, normalize.py, cache.py, settings.py, graph.py, claims.py, access_intel.py.

Fusion: The Cross-Domain Layer

107 API endpoints. 15 core modules. 84 ingesters across 8 domains. Fusion is why the graph has depth. Cyber threat intelligence without context is like reading a police report without knowing about the war next door.

Cyber & Vuln (14): NVD, CISA KEV, OTX, EPSS, Abuse.ch, CrowdSec, Exploit-DB, CIRCL

Geopolitical (18): GDELT, ACLED, GTD, SIPRI, OpenSanctions, OFAC SDN, ReliefWeb, UNHCR

Economic (9): FRED, IMF WEO, World Bank, WTO, commodities, ILOSTAT, UN Comtrade

Social Intel (8): Twitter/X, Reddit, Mastodon, Telegram, Bluesky, Google Trends, RSS

Environment & Health (7): NASA FIRMS, GDACS, EM-DAT, Safecast, WHO outbreaks, WHO GHO

Military & Specialty (6+): Shodan, AIS maritime, OpenSky flights, NPM, PyPI, GitHub repos

The signature capability: narrative clustering. TF-IDF vectorisation of social posts from all platforms, DBSCAN clustering, coordination scoring to detect information operations, LLM labelling per cluster, and a reality divergence score — how far is the online narrative drifting from what's actually happening (GDELT ground truth)?

Plus the Emergent Behaviour Engine — 7 detectors that compare the current graph state against historical snapshots: TTP convergence, infrastructure overlap, community drift, velocity anomalies, cascade emergence, cross-domain bridges, and prediction materialisation.


The ML That Actually Works

I'm going to be direct about this. Most security ML is marketing. "AI-powered threat detection" usually means someone trained a Random Forest on labelled data and called it a day.

Here's what this ecosystem actually does — and why each choice was made:

Technique | What | Why Not The Obvious Alternative
Temporal decay risk | Risk propagation with time-weighted edges | Static weights treat 2015 IOCs the same as yesterday's. A 2-year-old edge carries 48% weight — because threat intel ages.
Louvain communities | Find clusters in 1M+ nodes | K-means needs you to guess K. Louvain finds the natural community structure of the graph without hyperparameter tuning.
MAD anomaly detection | Median Absolute Deviation | Z-scores assume Gaussian distributions. Real-world security data has fat tails. MAD is robust to outliers.
GraphSAGE embeddings | Inductive node embeddings | Transductive methods (DeepWalk) can't embed new nodes without retraining. GraphSAGE generalises to unseen nodes at inference time.
GAT classification | Graph Attention Networks | GCN treats all neighbours equally. GAT learns attention weights — a Cobalt Strike beacon connecting to APT29 matters more than a generic IP.
Weighted Jaccard (ORIGAMI) | TTP fingerprint similarity | Cosine similarity on sparse TTP vectors is noisy. Weighted Jaccard with technique-class weights gives stable attribution signals.
DoWhy causal inference | Actual causal estimation, not correlation | "Does mitigation X reduce technique Y?" requires causal reasoning. Correlation alone can't answer interventional questions.
Granger causality (V01d) | Do economic indicators predict sentiment? | Correlation says they move together. Granger tests whether one precedes and predicts the other. Temporal precedence matters.
Log returns (Kin0bi) | Financial correlation | Raw price correlation is spurious (everything goes up together in a bull market). Log returns isolate actual co-movement.
DBSCAN clustering (Fusion) | Narrative clustering | K-means forces every post into a cluster. DBSCAN allows noise — not every social post is part of a coordinated narrative.
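The temporal-decay risk propagation from the Risk Propagation section and the first row of this table, as an added example that is not the project's ml.py: risk flows actor → technique → software → CVE, each hop attenuated by the edge's age. The exponential decay curve (calibrated so a 2-year-old edge weighs 0.48, the page's figure), the 0.8 hop damping, the noisy-OR combination and the sample graph are all assumptions for this illustration.

```python
import math
from datetime import date

# Decay rate chosen so that a 2-year-old edge weighs 0.48, the page's figure:
# lambda = -ln(0.48) / 2  (half-life of about 1.9 years). Exponential form is an assumption.
DECAY_LAMBDA = -math.log(0.48) / 2.0
HOP_DAMPING = 0.8  # assumption: each hop keeps 80% of the risk it receives

def edge_weight(observed: date, today: date) -> float:
    """Temporal decay weight: observed today -> 1.0, observed two years ago -> ~0.48."""
    years = max((today - observed).days, 0) / 365.25
    return math.exp(-DECAY_LAMBDA * years)

# Constructed sample graph: (source, target, date the edge was last observed).
EDGES = [
    ("ThreatActor:APT-Sample", "Technique:T1059", date(2026, 1, 15)),
    ("ThreatActor:APT-Sample", "Technique:T1566", date(2024, 3, 1)),   # stale link
    ("Technique:T1059", "Software:LoaderX", date(2025, 11, 1)),
    ("Technique:T1566", "Software:LoaderX", date(2023, 3, 1)),
    ("Software:LoaderX", "CVE:CVE-0000-0000", date(2026, 2, 1)),      # placeholder CVE id
]

def combine(a: float, b: float) -> float:
    """Noisy-OR: merge risk arriving over independent paths without ever exceeding 1."""
    return 1 - (1 - a) * (1 - b)

def propagate(seed_risk: dict, edges, today: date, max_hops: int = 3) -> dict:
    """Push risk actor -> technique -> software -> CVE, attenuating by hop count and edge age."""
    risk = dict(seed_risk)
    frontier = dict(seed_risk)
    for _ in range(max_hops):
        nxt: dict = {}
        for src, dst, seen in edges:
            if src in frontier:
                contrib = frontier[src] * HOP_DAMPING * edge_weight(seen, today)
                nxt[dst] = combine(nxt.get(dst, 0.0), contrib)
        for node, r in nxt.items():
            risk[node] = combine(risk.get(node, 0.0), r)
        frontier = nxt
    return risk

if __name__ == "__main__":
    scores = propagate({"ThreatActor:APT-Sample": 1.0}, EDGES, date(2026, 3, 1))
    for node, r in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{r:.3f}  {node}")
```

The stale T1566 path contributes far less to LoaderX than the fresh T1059 path, which is the whole point of decaying edges rather than counting them.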

The point isn't that we use fancy algorithms. The point is that we use the right ones, for the right reasons, and we fix them when they're wrong.

What $300M Buys You vs. What One Engineer Built

Capability | CrowdStrike / Palo Alto / Splunk | ninja.ing
Cross-domain graph | No — siloed products, separate DBs | Yes — one Neo4j, 1M+ nodes
CTI + OSINT + Identity in one query | No — requires 3+ tools | Yes — one Cypher traversal
Geopolitical context | No — external TIP required | Yes — 18 geopolitical ingesters
Economic correlation | No | Yes — FRED, IMF, World Bank
Social narrative clustering | No | Yes — TF-IDF + DBSCAN + LLM
Causal inference (not correlation) | No | Yes — DoWhy
Graph Attention Networks | Partial — some ML, mostly rules | Yes — GAT + GraphSAGE + GDS
Adversary digital twins | No | Yes — Monte Carlo sim, wargaming
Autonomous IR agents | Partial — SOAR playbooks | Yes — 3 LLM agents, 8 playbooks
Red vs Blue wargaming range | No | Yes — Los Alamos, ELO scoring
24/7 MDR staffing | Yes — thousands of employees | No — one engineer
Petabyte-scale log retention | Yes | No — graph-first, not log-first

CrowdStrike has 8,000 employees. Palo Alto Networks has 15,000. Splunk (now Cisco) has 8,000. Between them, they've raised or generated tens of billions of dollars. And their products still don't talk to each other.

The architecture is the moat. Not the code — code can be replicated. The fact that someone thought about all 15 domains simultaneously and built them to share a graph from day one. That's what makes it different. Bolting Nexus onto Splunk after the fact would be a multi-year integration project. Here, it was a Tuesday afternoon.

Infrastructure: The Stealth Stack

Two Servers

Two Hetzner dedicated servers — a Ryzen 9 7950X3D with 128GB DDR5 running Signal + Fusion, and a Ryzen 5 3600 with 64GB running everything else. Connected via WireGuard tunnel. Caddy reverse proxy handles HTTPS for 17 domains. No Kubernetes. No AWS bill.

Security Hardening

Caddy security_shield snippet blocks .git probes, PHP scanners, WordPress bots, empty UAs. fail2ban with 3 jails (scanner/auth/aggressive). CSP + Permissions-Policy headers.

SSO Everywhere

JWT token exchange across all apps. Each app has its own cookie name. No shared session store — just cryptographic trust. One login, 17 platforms.

NATS Event Bus

JetStream pub/sub with 9 subject hierarchies. Durable, at-least-once delivery. When Raz0r detects, V0id triages, Signal enriches, Fusion correlates — no direct coupling.

11 Production Domains | 11 Neo4j Instances | 443: Only Public Port | 0 AWS Services

Where This Goes

The intelligence mesh is the architecture. The platforms are the proof. What comes next is scale.

The autonomous agents in V0id are the beginning of a world where the SOC analyst isn't the bottleneck. Where the graph itself — with 1M+ nodes of cross-domain context — becomes the reasoning engine for LLM-powered incident response. Where detection engineering generates itself from threat intelligence, and forensic evidence packages itself for legal.

Los Alamos runs simulated campaigns where LLM-driven red teams attack generated enterprise environments and V0id's blue agents defend — scored by ELO. Every run makes both sides smarter. The War Room puts analysts in a LiveKit video call with shared timelines, real-time IOC enrichment, and NATS alert feeds — the operational counterpart to the analytical graph.

The mesh gets denser with every ingester, every detection rule, every new relationship. The graph compounds. The intelligence compounds. That's why it's a mesh and not a dashboard.

You don't actually want seventeen platforms. Nobody wakes up wanting more dashboards. What you want is to ask a question and get one answer, from one graph, that connects things no human would have time to connect.

The silos were always the vulnerability.
