Nexus is not five products. It is one investigation state projected as five graphs: Evidence, Asset, Attack, Hypothesis, Remediation — layered views over the same underlying structure.
Layer rules
- Evidence — lowest truth layer; LLM may create hypotheses, never evidence
- Asset — inventory and relationships between hosts, services, identities, code
- Attack — edges carry traversal scores: exploitability, required auth, lateral potential, evidence confidence
- Hypothesis — lifecycle: GENERATED → ACTIVE → TESTING → CONFIRMED | REFUTED | BRANCHED | RETIRED (
HypothesisArena) - Remediation — FP history and outcomes in
nexus_memory.dbviaContextLoader
Runtime projection
tcsf/graph/projector.py materialises nodes (target, assets, findings, hypotheses, chains) and edges (attack_path, …) for the 3D graph and API. Optional Bolt export exists for Neo4j/Memgraph — the system of record stays SQLite.
Why this is the moat
Model weights are rented. Customer-specific evidence structure, rejected FPs, and confirmed chains compound across runs. Scan 3 should be smarter than scan 1 for the same estate — that is a graph property, not a prompt.
Why this matters
Autonomous security research only earns trust when the runtime can refuse to overclaim. This note documents a shipped invariant in Nexus / TCSF — the kind of detail practitioners and search engines both need to evaluate the system honestly.
FAQ
Can the LLM create evidence nodes?
No. The LLM may create hypotheses. Evidence is the lowest truth layer and must come from tools, experiments, or humans.
Where does FP learning live?
Remediation / memory layer: nexus_memory.db via ContextLoader — rejected false positives stay down-ranked across runs.