The Role of Graph Analytics in Cybersecurity

Revealing Hidden Paths in an Always-On, Connected World

The Changing Nature of Cyber Threats

Attackers today don’t follow linear paths. Advanced Persistent Threats (APTs), insider threats, and lateral movement campaigns are often designed to evade detection by avoiding known signatures and behaving in a piecemeal, distributed fashion. Reconnaissance might occur weeks before privilege escalation. Exfiltration may come later, through an entirely different vector. Yet these actions are connected.

Traditional detection tools often look at events in isolation or in narrow time windows. They’re tuned for precision on known bad behavior, which makes them brittle in the face of novel attacks. Even SIEMs and XDR platforms, despite their scale, struggle to correlate behavior that spans multiple domains, devices, and users unless the threat precisely matches a pre-defined rule or signature.

This is not a failure of engineering — it’s a failure of structure. To understand a threat actor’s behavior, defenders must understand connections, not just components.

Why Graph? Why Now?

Graph-based thinking flips the model. Rather than treating events as rows in a table, it treats them as nodes connected by relationships. This allows for the modeling of behavior, not just facts.

A logon event isn’t just a timestamp — it’s a connection between a user and a machine. A DNS request links a device to a domain. A privilege escalation is a transition from one set of permissions to another.

When modeled as a graph, these relationships form a web of interactions that can be explored using traversal-based logic. Suddenly, it’s possible to ask not just “what happened?” but “how did it unfold?” and “where might it go next?”

Temporal Triangles: A Behavioral Pattern Worth Watching

One such structure is the temporal triangle. At its core, this is a simple motif: three entities (nodes) connected in a closed loop, where each interaction (edge) is timestamped and the entire cycle unfolds within a bounded time window.

Why is this important? Because this pattern surfaces in many real-world attack behaviors:
– Lateral movement
– Data exfiltration
– Botnet activity

These patterns aren’t anomalies — they’re behavioral signatures. What makes them hard to detect in traditional systems is not their complexity, but the fact that they unfold across multiple entities, systems, and time intervals.

Scaling the Analysis: From Hypothesis to Reality

Detecting temporal triangles at enterprise scale — across tens or hundreds of billions of events — is computationally expensive. Many graph platforms struggle with the necessary traversal depth and timestamp ordering constraints.

Rocketgraph, designed around scale-up, in-memory processing with multi-threaded parallelism, has demonstrated significant speed advantages. Benchmarking shows that temporal triangle queries that might take hours or days in legacy systems can be resolved in minutes or seconds when optimized for temporal filtering and structural pattern matching.

Cybersecurity Use Case: Lateral Movement Detection

Using data from system logs, authentication events, and message flows, Rocketgraph models how attackers often crawl sideways through networks over long periods — escalating privileges, mapping internal architecture, and preparing for data extraction.

This behavior is subtle. An attacker might use legitimate credentials. They may never trigger an alert. But they leave a trail of relationships that, when modeled temporally and structurally, form patterns of concern.

Whole-Graph Search: Why Parallelism Changes the Game

When most people think of graph search, they imagine a query crawling from one node to the next. Most graph databases execute traversals starting from a few entry points, expanding outward. But in cybersecurity, you often don’t know where the threat starts.

Whole-graph search means a query is evaluated not from a single anchor, but across the entire dataset, in parallel. Every node is treated as a potential starting point. Rocketgraph’s in-memory, multi-threaded architecture evaluates these combinations simultaneously using optimized C++ code across all CPU cores.

Rocketgraph’s architecture — rooted in high-performance computing (HPC) and designed for multi-core machines — allows whole-graph search to operate at scale. The platform doesn’t just store data; it activates it with a purpose-built execution layer that can scan for patterns like temporal triangles or lateral movement motifs in real time. This makes it practical to ask, “Where are all the suspicious three-hop sequences occurring across my global infrastructure within a 10-minute window?” and get answers in seconds.

This approach:
– Eliminates reliance on predefined starting points
– Enables detection of rare, anomalous behaviors
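The two ideas above, the temporal triangle motif from the "Temporal Triangles" section and whole-graph search from this section, can be made concrete in a few dozen lines. The block below is an added example, not Rocketgraph code and not based on its execution engine. It assumes a constructed logon-log format (one "src -> dst" edge per line, in the sample lines embedded at the top), and it interprets the motif strictly: the three edges a -> b -> c -> a must be in increasing time order, and the whole cycle must fit inside the window. With no anchors given, every node is used as a starting point and the start points are evaluated in parallel, which is the whole-graph behaviour described above; passing explicit anchors shows how an anchored search silently misses a triangle that does not touch the anchor.

```python
import re
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Each line is one
# directed, timestamped edge src -> dst. The first three form a closed
# loop inside 10 minutes; the next three form a loop that takes 105
# minutes; the last line is a dangling edge that can never close.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 logon src=ws-01 dst=srv-db user=alice",
    "2024-05-01T09:04:00 logon src=srv-db dst=srv-file user=alice",
    "2024-05-01T09:07:00 logon src=srv-file dst=ws-01 user=alice",
    "2024-05-01T10:00:00 logon src=ws-02 dst=srv-mail user=bob",
    "2024-05-01T10:30:00 logon src=srv-mail dst=srv-dc user=bob",
    "2024-05-01T11:45:00 logon src=srv-dc dst=ws-02 user=bob",
    "2024-05-01T12:00:00 logon src=ws-03 dst=srv-app user=carol",
]

# Hypothetical log layout chosen for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+)$"
)


def parse_events(lines):
    """Build a timestamped adjacency list: src -> [(timestamp, dst), ...]."""
    edges = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        edges[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    for out in edges.values():
        out.sort()  # per-node edges in time order, so output is deterministic
    return edges


def _triangles_from(start, edges, window):
    """Closed walks start -> b -> c -> start with strictly increasing edge
    times (t1 < t2 < t3) and t3 - t1 <= window. Because the order is
    strict, each temporal cycle is reported exactly once: from the source
    of its earliest edge."""
    found = []
    for t1, b in edges.get(start, ()):
        if b == start:
            continue
        for t2, c in edges.get(b, ()):
            if t2 <= t1 or t2 - t1 > window or c in (start, b):
                continue  # prune: wrong order, already outside window, or not 3 distinct nodes
            for t3, d in edges.get(c, ()):
                if d == start and t3 > t2 and t3 - t1 <= window:
                    found.append((start, b, c, t1, t2, t3))
    return found


def find_temporal_triangles(edges, window_minutes, anchors=None, workers=4):
    """Whole-graph search when anchors is None: every node is a start point
    and start points are evaluated in parallel. Pass anchors to emulate a
    traversal that only expands from chosen entry points."""
    window = timedelta(minutes=window_minutes)
    starts = list(edges) if anchors is None else list(anchors)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        batches = pool.map(lambda s: _triangles_from(s, edges, window), starts)
    return sorted(t for batch in batches for t in batch)


if __name__ == "__main__":
    g = parse_events(SAMPLE_LOG)
    for a, b, c, t1, _, t3 in find_temporal_triangles(g, window_minutes=10):
        print(f"temporal triangle {a} -> {b} -> {c} -> {a} closed in {t3 - t1}")
```

Widening the window to 180 minutes surfaces the second loop as well, and restricting the search to the anchor `ws-03` returns nothing even though both loops exist, which is the blind spot whole-graph evaluation removes. In a real deployment the per-start work would be distributed across cores or machines; the thread pool here only illustrates that each start point is an independent unit of work.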
