← Research

Five graphs, one intelligence representation

2026-05-28 · architecture · Ryan Editraj

Nexus is not five products. It is one investigation state projected as five graphs: Evidence, Asset, Attack, Hypothesis, Remediation — layered views over the same underlying structure.

Layer rules

  • Evidence — lowest truth layer; LLM may create hypotheses, never evidence
  • Asset — inventory and relationships between hosts, services, identities, code
  • Attack — edges carry traversal scores: exploitability, required auth, lateral potential, evidence confidence
  • Hypothesis — lifecycle: GENERATED → ACTIVE → TESTING → CONFIRMED | REFUTED | BRANCHED | RETIRED (HypothesisArena)
  • Remediation — FP history and outcomes in nexus_memory.db via ContextLoader

Runtime projection

tcsf/graph/projector.py materialises nodes (target, assets, findings, hypotheses, chains) and edges (attack_path, …) for the 3D graph and API. Optional Bolt export exists for Neo4j/Memgraph — the system of record stays SQLite.

Why this is the moat

Model weights are rented. Customer-specific evidence structure, rejected FPs, and confirmed chains compound across runs. Scan 3 should be smarter than scan 1 for the same estate — that is a graph property, not a prompt.