Five graphs, one intelligence representation
Nexus is not five products. It is one investigation state projected as five graphs: Evidence, Asset, Attack, Hypothesis, Remediation — layered views over the same underlying structure.
Layer rules
- Evidence — lowest truth layer; LLM may create hypotheses, never evidence
- Asset — inventory and relationships between hosts, services, identities, code
- Attack — edges carry traversal scores: exploitability, required auth, lateral potential, evidence confidence
- Hypothesis — lifecycle: GENERATED → ACTIVE → TESTING → CONFIRMED | REFUTED | BRANCHED | RETIRED (
HypothesisArena) - Remediation — FP history and outcomes in
nexus_memory.dbviaContextLoader
Runtime projection
tcsf/graph/projector.py materialises nodes (target, assets, findings, hypotheses, chains) and edges (attack_path, …) for the 3D graph and API. Optional Bolt export exists for Neo4j/Memgraph — the system of record stays SQLite.
Why this is the moat
Model weights are rented. Customer-specific evidence structure, rejected FPs, and confirmed chains compound across runs. Scan 3 should be smarter than scan 1 for the same estate — that is a graph property, not a prompt.