The Flaw In Our Thinking about ASM

In cybersecurity, the real threat isn’t the vulnerabilities you see, it’s the hidden connections that you don’t. Attackers look beyond isolated vulnerabilities, chaining together unseen pathways to reach your most valuable assets. Most security tools still treat vulnerabilities as standalone issues, but attackers seek out connected routes. I would assert that perhaps our entire mental model for cyber risk is flawed.

The October 2025 F5 breach proved the point. A nation-state actor used a known vulnerability to steal source code and erased $1.3 billion in shareholder value. Both the flaw and the malware were public knowledge. The real question: why didn’t they see the path to disaster?

I had the opportunity to attend a Rocketgraph and Threatworx’s webinar entitled “ASM++: How To Find (and Fix) Hidden High Value Vulnerabilities.” It introduced a new approach: stop managing risk as a checklist, start understanding it as a graph. The difference isn’t academic. It is the key to seeing the attack paths your tools miss.

Forrester defines attack surface management (ASM) as “… the process of continuously discovering, identifying, inventorying, and assessing the exposure of an entity’s IT asset estate.”

The ++ in ASM++ is the Rocketgraph+Threatworx’s dramatic take on the ASM definition implying an enhanced, more comprehensive, “next-generation” form of standard ASM that emphasizes advanced capabilities such as the use of AI, business context, and graph technology to extend the ASM definition to include discovery and remediation of the said IT asset estate.

The webinar was emceed by Walt Maguire, VP of Product for Rocketgraph, and featured David Haglin, Ph.D., Co-founder and CTO of Rocketgraph, and Ketan Nilangekar, Co-founder and CEO of Threatworx.

The following are my 5 key takeaways from the webinar.

1. The True Blast Radius Of A Single Breach Can Be Terrifyingly Large

The ‘blast radius’ is the total damage an attacker can inflict after breaking in. Breaches don’t stop at the entry point. They spread in hops, from L0 to L1, L2, and beyond, touching every connected system.

The centerpiece of the session was a live demo that illustrated this and several related concepts.

The scenario started from just two compromised VPN servers. At the first hop (L1), the impact looked contained, impacting 2 of 181 assets. At the second hop (L2), it had spread to 82 assets, or 45% of the total. But by the third hop (L3), the blast radius had exploded to encompass 173 out of 181 assets. That is over 95% of the company’s entire infrastructure.

Let’s net that out. A single breach of a single VPN server and exploits of two known vulnerabilities could give bad actors access to virtually the entire business.

Hardening the perimeter alone isn’t a strategy. The real damage happens in the unseen hops where risk multiplies. Treating vulnerabilities as isolated points is a relic of the past.

The Takeaway: If you don’t think in terms of attack paths, you’re implicitly assuming attackers stop after initial access. On the contrary, they are just getting started.

2. Security Tools See Dots. Attackers See Lines.

Most detection tools are still operating with blinders on, scanning for isolated issues while missing the bigger picture. That is exactly the gap attackers exploit. They aren’t looking for a high vulnerability count; they are looking for the path of least resistance to your assets.

The “dandelion” visual in the demo drove home this point. You have a cluster of high-value assets (such as source code) that appears safe in a standard scan. But when you apply graph analysis, you suddenly see a hidden three-hop path, connecting that “safe” cluster straight to a compromised VPN.

This new insight changes the strategy entirely, from trying to patch everything to finding “choke points”. Sever those, and the entire attack path collapses.

The Takeaway: Your high-value assets may look safe, but attackers will find the indirect routes your current tools can’t see.

3. Context Beats Severity Every Time

Relying solely on the National Vulnerability Database (NVD) may leave you, well, vulnerable! We saw a perfect example of this: a critical vulnerability had been known for months, yet the NVD still hadn’t updated the CVSS score. That lag isn’t just a delay; it’s an open invitation for attackers.

You cannot wait for an official score to tell you something is dangerous. You need to know if it’s dangerous to you now. Real-time context will always outperform a static score.

As Ketan commented, “They’re a government organization … doing this analysis for each and every CVE that pops up. It’s slow… they’re always in catch-up mode.”

To solve this, Threatworx’s AI-driven curation engine continuously scours not just official databases but also vendor advisories, security bulletins, and GitHub repositories. This intelligence feed is piped into the graph daily. By applying real-world exploitability and environmental context, ASM++ can auto-close up to 90% of “High” severity tickets that pose no practical risk, freeing teams to focus on threats with a viable path to impact.

The Takeaway: Severity is a property of a CVE. Risk is a property of your environment.

4. AI Needs To Drive Remediation, Not Just Discovery

Finding vulnerabilities has never been the bottleneck. It is fixing the critical ones before an attacker does.

We need to stop viewing AI as just a scanner. It should serve as scaffolding for your engineers, generating patch scripts, remediation steps, and deployment-ready code fixes.

This is about agility. You eliminate the handoffs and the “translation layers” between security findings and engineering action. Zero lag. Instant remediation.

The Takeaway: Detection is cheap. Operationalizing the fix is what reduces breach probability.

5. You No Longer Need to Be a Graph Expert to Find Hidden Threats

Graph analysis, which is superpowerful, has historically been inaccessible to most security leaders because it requires specialized knowledge of query languages such as Cypher.

The demo showed how Rocketgraph’s “AI-first user experience” eliminates this barrier. Using Claude Opus 4.5, the platform allows a user to ask complex, strategic questions in plain English, such as, “Find vulnerabilities that affect multiple high-value assets but aren’t widely exploited yet.” The AI translates this into the necessary query to search the graph.

To quote David, “CISOs are not going to want to learn how to write Cypher queries. But they want to know how to ask questions about their graph.”

The Takeaway: AI is making advanced threat hunting accessible to those who need it.

Conclusion

The core message: cybersecurity isn’t about listing vulnerabilities anymore. The future is mapping the web of relationships between assets, vulnerabilities, and threats, zeroing in on what matters, and fixing it. Why did the F5 breach happen? They only saw the dots, not the invisible lines that led attackers straight to their crown jewels.

You know the vulnerabilities in your environment. But do you know the paths they open to your crown jewels?

Want to Learn More?

You may replay the webinar using this link. For more information, contact Walt Maguire at Rocketgraph by emailing wa**@*********ph.com.

The post Your “Secure” Assets Are More Exposed Than You Think appeared first on Rocketgraph.

One Year at Rocketgraph: A Year of Building, Learning, and Momentum

This week marks my first year at Rocketgraph. Stepping into a company with extraordinary technical depth and a strong heritage, my focus over the past twelve months has been simple: build the connective tissue that turns powerful technology into customer value, repeatable wins, and a durable commercial motion.

It’s been a year of sharpening our identity, evolving the product, expanding our reach, and proving—through real-world use cases—that graph-powered security analytics can materially shorten the time it takes teams to detect, investigate, and understand threats.

Most of all, it has been a year defined by the team. I’m incredibly proud of what the people at Rocketgraph accomplished—often with limited resources, always with tremendous resolve, and consistently with a level of creativity and commitment that makes this company special.

Here’s a look back at what changed, what we strengthened, and what we learned.

Clarifying Who We Serve and Why

Turning Deep Technology Into Repeatable Workflows

Growing Revenue and Expanding Our Customer Base

Strengthening Partnerships and Increasing Access

Creating a Community Around the Product

What We Learned — and Where We’re Heading

The Road Ahead

The post 2025 Reflections appeared first on Rocketgraph.

As graphs grow to billions and even trillions of nodes and edges, traditional methods struggle to keep up. Enter graph-wide scanning, a breakthrough technology that enables analysts to process entire graphs in real time. But computation alone is not enough. To truly understand large-scale networks, we also need intelligent visualization and interactive interfaces that help humans interpret what machines compute.

1. From Sampling to Summarization: How It All Began

When computers had limited memory and processing power, researchers faced a fundamental question: how can we study enormous graphs with minimal hardware? The solution was to reduce complexity through clever algorithmic shortcuts.

Early methods such as sampling, sparsification, coarsening, and compression became essential. Random sampling helped estimate global metrics without analyzing every connection. Sparsification removed less important edges while keeping the overall structure intact.

Later, multilevel coarsening algorithms such as the METIS framework grouped related nodes into clusters, enabling faster computation and easier visualization. Compression techniques, including the WebGraph framework developed by Boldi and Vigna in 2004, took advantage of repetitive structures in web data to reduce storage requirements.

By the 2000s, graph summarization had emerged, grouping similar nodes and frequent patterns into smaller “supergraphs.” This made visualization tools like Gephi and SNAP practical for real-world use. These early innovations laid the foundation for scalable graph analytics.

2. The Turning Point: The Rise of Graph-Wide Scanning

The past decade has brought a major shift in capability. Graph-wide scanning, which allows analysis of an entire network without relying on sampling or approximation, has now become both possible and affordable.

Modern frameworks such as Apache Spark GraphX, NVIDIA cuGraph, and TigerGraph use parallel processing, GPU acceleration, and distributed in-memory computing to handle billions of edges simultaneously. The massive parallelism of GPUs allows entire graphs to be traversed in real time, producing insights with complete fidelity.

At the same time, the rise of cloud computing has democratized access. What once required supercomputers can now be performed on scalable cloud clusters. High-speed interconnects such as NVLink and InfiniBand make it possible to move data across processors efficiently, transforming full-graph analysis from an academic dream into an everyday reality.

3. Why Graph-Wide Scanning Matters

Unlike reduction-based approaches, graph-wide scanning preserves every node and connection. This is critical when rare or subtle relationships carry the most value.

In cybersecurity, analysts can map the Internet as a live network of hosts, domains, and IP connections. Full-graph scanning reveals coordinated attacks and botnet behavior that sampling might miss.

In finance, regulators can track money laundering or fraud by following every transaction through the network.

In biomedical research, scientists can analyze complete gene and protein interaction networks to uncover previously hidden regulatory pathways.

Full fidelity leads to full understanding. Graph-wide scanning allows data scientists to capture both global structure and local detail at the same time, something that reduction algorithms cannot achieve.

4. Why It Was Not Possible Before

For decades, full-graph analysis was impossible due to hardware constraints. Memory was too small, processors were too slow, and disk access was a major bottleneck. Even supercomputers in the early 2000s needed days or weeks to process a few million edges.

Reduction algorithms such as sampling, summarization, and compression were not only efficient but also essential. They enabled researchers to study patterns at a time when scanning entire networks was not yet possible.

5. Why It Is Affordable and Available Now

Today’s computing landscape has completely changed.

• GPUs and TPUs now offer thousands of cores capable of executing parallel graph algorithms.
• Cloud scalability allows organizations to rent high-performance computing by the hour.
• Open-source frameworks enable teams to analyze massive graphs using commodity clusters instead of specialized hardware.
• Machine learning integration has driven further innovation, as Graph Neural Networks (GNNs) rely on full-graph traversals to train efficiently.

These advancements have eliminated the historical trade-offs between speed, cost, and completeness.

6. The Human Side of Graph Analytics

As technology removes computational barriers, new challenges emerge on the human side. Visualization and user interaction remain the most significant bottlenecks in big graph analytics.

A graph with billions of edges cannot be meaningfully displayed on a screen. Even with advanced rendering and zoom techniques, visualization is limited by the number of pixels available. Moreover, human cognition has strict limits. Research on working memory shows that people can actively hold only about seven items at once.

This gap between machine scalability and human comprehension highlights a critical truth: more data does not automatically mean more understanding. Without visual and interactive tools, even the best algorithms remain black boxes.

7. The Emergence of Hybrid Platforms

To bridge this divide, developers are now building hybrid platforms that combine computational power with cognitive usability. These systems integrate graph-wide scanning, multiscale visualization, and interactive exploration.

Such platforms allow users to zoom seamlessly between global and local levels of a graph, dynamically adjust the level of abstraction, and query patterns in real time. This approach is transforming how analysts and scientists work with large-scale networks.

For example, in cyber analytics, a hybrid platform can scan the entire Internet graph for suspicious activity, then let analysts zoom into a specific IP subnet for forensic detail. In scientific research, biologists can start with an organism’s full genetic network and drill down into individual regulatory pathways.

Hybrid systems make complex data both scalable and interpretable. They combine computational completeness with human-centered design.

8. Why Visualization and Interaction Still Matter

As artificial intelligence continues to automate data analysis, some might question the need for visualization. But human insight remains essential. Decision-making, explanation, and trust in analytics all rely on the ability to see and interact with data directly.

Visualization turns computation into comprehension. Interaction turns observation into discovery. Together, they transform raw data into actionable understanding.

Without visual and interactive layers, even the most powerful analytics risk becoming opaque and inaccessible. Graph-wide scanning reveals every connection, but visualization and interaction reveal meaning.

9. From Big Data to Deep Understanding

Graph-wide scanning has changed what is possible in data analysis. It enables complete, real-time exploration of massive networks that once required approximations and guesswork. Yet the ultimate goal is not just to compute faster but to understand more deeply.

The future of big graph analytics will depend on the combination of three capabilities:

1. Graph-wide computation for accuracy and completeness.
2. Adaptive visualization for clarity and accessibility.
3. Interactive design for exploration and understanding.

Systems that integrate all three will transform how we interpret complex relationships across many domains, including cybersecurity, finance, healthcare, and others.

As our world becomes increasingly interconnected, the ability to analyze and understand large-scale graphs will define the next generation of insight. Graph-wide scanning has given us the power to see everything. Now we must learn how to make sense of what we see.

By Author: Pak Chung Wong, PhD
Vice President, User Experience
linkedin.com/in/pakchungwong

The post The Cutting Edge of Big Graph Analytics: From Compression to Comprehension appeared first on Rocketgraph.

So let’s keep it simple, shall we?

What Is a Graph? What Can It Be Used For?

At the heart of every graph are two fundamental building blocks: nodes and edges. Nodes (sometimes called vertices) are the individual entities in your network—they could represent people, places, computers, or any distinct object. Edges are the connections between these nodes, representing relationships like “is friends with,” “is connected professionally,” or “is a road segment.” What makes graphs particularly powerful is that both nodes and edges can have attributes—additional pieces of information that provide context.

For instance, in a downtown street graph, an intersection node might have attributes like number of lanes, whether there is a light or stop sign, or lane restrictions, while a street edge might have an attribute indicating speed limit or the number of available lanes. Attributes enrich the graph such that we can start asking some very useful questions.

Let’s take a tangible example. Below you can see a simplified street map of a small town. We’ve got a Main Street, a few Avenues, and four cross-streets.

Now let’s turn this into a graph. This is an area where folks can often go astray. What would a node be? This is where graph thinking starts to become important. What we care about here is understanding connections (aka edges). Clearly we have streets doing the connecting. So what are they connecting to? Intersections. Ahh! So our nodes would be intersections, and our edges are the streets connecting them. With this in mind, we can now create a graph representation of our small downtown.

Now we can bring the power of graph to bear on our questions. Once I’ve added attributes such as street capacity, speed limit, lights, stop signs, merges, commute lanes and hours, etc. I’m ready for analysis. Here are a few simple things I could ask of this graph:

– What is the shortest path from the intersection of 1st Street & 1st Avenue to 4th Street & 3rd Avenue?

– How many different routes exist between 1st Street & Main Street and 3rd Street & 2nd Avenue that don’t backtrack?

– If the street segment between 2nd Street & 2nd Avenue and 2nd Street & Main Street is closed for construction, what’s the detour distance for vehicles traveling along 2nd Street?

While these are interesting questions, we haven’t really used the power of graph yet because they don’t take the reality of the roads into account. Given that the graph now reflects stop lights, stop signs, speed limits, number of lanes, etc., what more useful questions can I ask? Here are a few:

– What is the fastest route from 1st Street & 1st Avenue to 4th Street & 3rd Avenue, considering speed limits on each street segment and stoplight or stop sign delays at intersections?

– If I want to minimize total travel time from 3rd Street & 3rd Avenue to 1st Street & 1st Avenue, where some streets have school zones (15 mph) during certain hours and four-way stops always add 10 seconds each, what’s my optimal route?

Now we’re getting somewhere! But so far, we’ve been asking very specific questions of our graph by starting from a particular spot. There are often unknown patterns that we need to search for in a graph to uncover new insights. To find these requires a graph-wide search. Here are just a few questions we can ask to find the unknowns:

– If we close Main Street entirely for a parade, does the street network remain connected, or are some intersections completely cut off from others?

– Which intersection is the most “central” to the downtown network – meaning it has the minimum average drive time to all other intersections?

Now we see the real power of graph. It allows us to quickly identify the simple stuff (e.g. the shortest path from one spot to another), the more interesting stuff (e.g. the fastest path from one spot to another), and the very interesting stuff (do we break the town if we close Main street for a parade?). In this last example, I lived through what happens when you don’t do this analysis–in Boston, Massachusetts, during the notoriously messy “Big Dig”. Entire streets in Boston were accidentally rendered inaccessible by closures, which drove locals to do things like drive through construction parking lots to get where they were going. I did it myself more than once. While it sometimes worked, it was no bueno for the cab driver who was trying to find his way across the North End one evening and drove into a 30-foot deep hole!

So whether you’re a driver, first responder, urban planner, or business owner, this graph can help you be more effective at what you do. And creating the graph definitely was not rocket science!

Stay tuned for the next installment in this series: “A Node by Any Other Name” in which I will discuss and clarify common graph terms.

The post Demystification Series Part One: What is Graph? appeared first on Rocketgraph.

In modern cybersecurity, the biggest threat isn’t the single, noisy intrusion—it’s the Advanced Persistent Threat (APT) that sits and waits for six months, slowly executing a multi-stage lateral movement attack. These threats hide in the noise, representing just a tiny fraction of all your data.

Traditional graph tools, which rely on index lookups or a “seed set,” simply can’t find them. They only search a small predefined set of data, leaving 99% of the data unexplored. (And frankly, if we knew what we were looking for, finding bad actors would be easy.) 

This challenge is why a company like Rocketgraph exists, and it’s the core concept I explored with CTO and Co-founder David Haglin and graph and AI expert David Hughes on a recent episode of the GraphGeeks podcast. The consensus is clear: to detect the most sophisticated threats, you must move beyond pattern matching to Graph-Wide Scanning.

From Graph Lookup to Complete Context

In a discussion about the limitations of current approaches, David Haglin noted that you must “look over six months worth of cyber data to see if this advanced persistent threat is there and how it’s progressed.”

Traditional graph tools, which rely on index lookups or a “seed set,” simply can’t find them. They only search a tiny fraction of a graph, leaving 99% of the data—and the APT—unexplored. As David Hughes points out, “The challenge… is you have to have a strong belief in the starting points that you choose in your graph.” This fundamental flaw is why Rocketgraph pioneered the concept of Graph-Wide Scanning.

Graph-wide scanning is an approach that analyzes the entire data universe to find a pattern, regardless of where it’s hiding or how long it took to emerge. It’s the difference between checking a few known doors and surveilling the entire warehouse for anomalies.

For organizations dealing with extreme-scale data, this shift requires a complete re-evaluation of performance metrics. Throw out “queries per second.” Instead, the focus is on completeness and traversed edges.

In one incredible internal example, David Haglin shared a query executed on a 150 billion-edge graph that scanned a mind-boggling 123 trillion edges. It took three days to run, but the result was fewer than 4,000 answers. That is the power of finding the critical few from the overwhelming many, a capability made possible only by Rocketgraph’s underlying architecture built for High-Performance Computing (HPC) and extreme scale.

Democratizing Discovery 

The need for graph-wide completeness is paired with an equally critical need for democratization. Even with the fastest, most scalable engine, analysts shouldn’t be burdened with complex query languages like Cypher.

This is why Rocketgraph baked GenAI into their Mission Control user experience from day one. Instead of requiring a data scientist, they empower the security analyst with domain expertise.

“GenAI insertion allowed this democratization of who can ask these 20 questions of the large data.” – David Haglin.

Critically, empowering the analyst means moving beyond just looking for known attack signatures. Analysts must be able to explore the entire connected dataset to discover anomalies they weren’t explicitly looking for. The state-of-the-art tooling is about embedding semantics and heuristics directly into the graph to assist this intuitive, investigative work. As David Hughes noted, the goal is to fully explore the data to:

“…look for anomalies in patterns that I don’t know about, but that still may represent crime or something that I should dig into a little bit more and see if there’s a connection. This is a connected data set, after all.”

With Mission Control, analysts can:

1. Use Natural Language: Ask a question in plain English, and the system generates the complex query needed to traverse the graph.
2. Iterate on Results: Rocketgraph’s unique edge frame approach allows analysts to save a result set and use it as the starting point for a subsequent query, enabling an investigative, “play 20 questions” approach to quickly peel back layers of complex threats.

The Future: Intelligence First

Both Davids agreed that the ultimate goal is to remove the current, high cognitive burden from the intelligence analyst.

The future Rocketgraph is actively building is one where the system does the heavy lifting, providing analysts with a summarized report of the most important events that occurred since their last shift. This vision frees the analyst to focus on what they do best: intelligence and investigation.

David Hughes perfectly summarized this evolution: “The systems that are being developed today are going to allow them to focus on intelligence.” With Rocketgraph, they are no longer data engineers or query composers—they are strategic cyber defenders.

If you’re ready to move past the limitations of sampling and index lookups and achieve true Graph-Wide Scanning on your most challenging datasets, you’re ready for Rocketgraph.

Ready to see the power of Graph-Wide Scanning? 

See it in action or take Rocketgraph for a Test Flight today!

The post Stop Looking for the Needle: Why Graph-Wide Scanning on Billions of Edges is the Future of Cybersecurity appeared first on Rocketgraph.

In an era where data breaches make headlines daily and regulatory compliance grows ever stricter, enterprise customers face a fundamental dilemma: how to leverage the power of modern AI while maintaining absolute control over sensitive data. Today, Rocketgraph, IBM, and Distil Labs announce a breakthrough solution using Small Language Models (SLMs) that delivers performance on par with Large Language Models (LLMs) for graph analytics without a single byte of customer data ever leaving the enterprise perimeter all whilst running 10x faster and using 100x less energy than cloud-based LLMs.

The Privacy Paradox in Enterprise AI

Many Rocketgraph customers running graph analytics on IBM Power hardware have been asking for AI-powered natural language querying capabilities. They’ve seen the impressive demonstrations of ChatGPT and Claude translating plain English into complex database queries. But there’s a catch that’s been a blocker for regulated industries, government agencies, and security-conscious enterprises. Using these cloud-based LLMs means sending potentially sensitive query patterns, schema information, and business logic to external servers.

Add to this are both financial and environmental hidden costs of cloud-based LLMs. Each query costs money, takes seconds to process, and consumes significant energy in remote data centers. For organizations running thousands of queries daily, these costs compound quickly.

For organizations handling financial transactions, healthcare records, defense contracts, or intellectual property, the privacy issue alone is often legally insurmountable. When you factor in the performance and sustainability concerns, the need for a different approach becomes clear.

Enter SLMs: The Enterprise AI Revolution

Small Language Models (SLMs) represent a fundamental shift in how enterprises can deploy AI. Unlike their massive LLM cousins that require entire data centers to run, SLMs are compact, specialized models typically ranging from 1-10 billion parameters (compared to popular closed-source LLMs that are rumored to be north of 1 trillion parameters).

The key insight: SLMs can match or exceed LLM performance on specific tasks while being many orders of magnitude smaller, faster, and more efficient. Think of it as the difference between using a Swiss Army knife versus a specialized surgical instrument, when you know exactly what you need to accomplish, the specialized tool is superior.

A Fundamentally Different Approach: Specialized SLMs for Enterprise Security

Instead of trying to work around the privacy limitations of cloud-based LLMs, we’ve taken a completely different approach. By partnering with Distil Labs, we’ve developed a specialized SLM that:

• Runs entirely within your infrastructure – The SLM operates on your IBM Power hardware, behind your firewall, under your security policies
• Never phones home – No telemetry, no cloud connectivity required, no data leakage risk
• Achieves 85% of Claude 4 performance – Despite being many orders of magnitude smaller
• Executes 10x faster – Sub-second query translation vs several seconds for cloud LLMs
• Uses 100x less energy – A few watts vs kilowatts for large model inference
• Specializes in one thing – Translating natural language to Rocketgraph-compliant OpenCypher queries

How We Built Enterprise-Grade Privacy Into SLMs

The Training Data Challenge

The key insight was that we could train an SLM with 8B parameters using publicly available information and synthetic data, meaning the SLM itself contains no customer-specific information. This dramatic size reduction is what enables the 10x speed improvement and 100x energy savings. Here’s how we did it:

1. Started with Rocketgraph documentation – Public information about our OpenCypher variant
2. Created synthetic schemas – Translated 900+ schemas from public Neo4j datasets into Rocketgraph-compatible formats
3. Generated 15,000+ training examples – All validated against the Rocketgraph platform
4. Fine-tuned IBM Granite 3.3 8B – An SLM small enough to run efficiently on-premise

The Technical Innovation

The challenge wasn’t just about privacy but also accuracy. Rocketgraph uses a specific variant of OpenCypher that differs from standard Cypher. For example, where standard Cypher might use:

MATCH (d)-[r:EdgeType]->() RETURN d, count(r) AS count

Rocketgraph’s idiomatic approach is:

MATCH (d) RETURN d, outdegree(d, EdgeType) AS count

Our SLM had to learn these Rocketgraph-specific patterns without ever seeing actual customer queries or schemas during training.‍

What SLMs Mean for Your Enterprise

Complete Data Sovereignty

• Your queries never leave your data center
• Your schema remains confidential
• Your business logic stays proprietary
• Compliance teams can sleep soundly

Deployment Simplicity

The SLM integrates directly with your existing Rocketgraph installation on IBM Power hardware. No complex networking, no firewall exceptions, no data governance reviews for external services. It’s your SLM, running on your hardware, analyzing your data, under your complete control.

The Performance and Sustainability Revolution of SLMs

Speed That Changes How Teams Work

When SLMs run locally on optimized hardware, the difference is dramatic:

• Query translation in milliseconds, not seconds – No network latency, no API queuing
• Instant feedback loops – Analysts can iterate and refine queries in real-time
• Batch processing becomes viable – Process thousands of natural language queries without API throttling
• Consistent sub-second response times – No variability from cloud service congestion

Our benchmarks show the SLM translating complex natural language queries to Cypher in under 200ms on IBM Power hardware, compared to 2-5 seconds for cloud-based LLMs (including network overhead).‍

Real-World Impact: SLMs in Banking

Consider a financial institution analyzing transaction patterns for fraud detection. Their analysts need to query complex relationship graphs containing:

• Customer personal information
• Transaction histories
• Account relationships
• Suspicious pattern indicators‍

With our SLM solution, an analyst can simply ask: “Show me all transactions over $10,000 involving accounts opened in the last 30 days that have connections to flagged entities.”

The SLM translates this to precise Rocketgraph Cypher in under 200 milliseconds, executes it locally, and returns results without any data exposure risk. This speed is critical for fraud detection where every second counts. Compare this to cloud-based LLMs where:

• Network round-trip alone adds 50-100ms
• Query processing takes 2-5 seconds
• API rate limits might delay batch analysis

For a fraud team running hundreds of investigative queries per hour, SLMs mean faster investigations, lower costs, and complete data privacy.

The Technical Deep Dive: How Distil Labs Makes SLMs Possible

The breakthrough came from Distil Labs’ expertise in knowledge distillation, which involves teaching SLMs to replicate the capabilities of larger models for specific tasks. This process doesn’t just make models smaller; it makes them dramatically more efficient. Instead of requiring 10,000+ hand-labeled examples (which would likely contain sensitive information), their platform enabled us to:‍

1. Generate high-quality synthetic training data from documentation and public schemas
2. Validate all examples programmatically against Rocketgraph
3. Fine-tune the SLM to understand query variations (“List all,” “Find all,” “Show me all”)
4. Optimize specifically for Rocketgraph’s OpenCypher variant
5. Compress the SLM to run efficiently on CPUs without GPU acceleration

Getting Started: Your Data, Your Control, Your SLM

For Rocketgraph customers on IBM Power hardware, deploying your own SLM is straightforward:

1. The SLM runs directly on your existing infrastructure
2. No external dependencies or API keys required
3. Integration with your current Rocketgraph installation
4. Full support from the combined Rocketgraph, IBM, and Distil Labs team‍

The Future of Enterprise AI: Specialized SLMs Leading the Way

This collaboration between Rocketgraph, IBM, and Distil Labs represents more than just a product release, it’s a blueprint for how enterprises can adopt AI without compromising on security, speed, or sustainability. By embracing SLMs over LLMs for specialized tasks, and by keeping computation local, we’ve proven that organizations don’t have to choose between innovation and responsibility.

In a world where data is the most valuable asset and environmental responsibility is paramount, SLMs represent the future of enterprise AI. Your graph analytics can be intelligent, secure, fast, and sustainable.

This article was originally published on DistilLabs.ai, where Distil Labs detailed its collaboration with Rocketgraph and IBM to bring secure, on-premise Small Language Models (SLMs) to enterprise AI.

The post Distil Labs Enables Rocketgraph’s Private AI on IBM Power with Small Language Models appeared first on Rocketgraph.

According to LexisNexis Risk Solutions, financial institutions worldwide spent approximately $206.1 billion on financial crime compliance in 2023. U.S. institutions with assets exceeding $10 billion averaged $27.8 million in annual compliance costs in 2021, and 70% of EMEA institutions reported rising technology/KYC software costs. Yet, the security tools we have been relying on amount to bringing a knife to a gunfight. These older methods, typically built on relational databases and models that rely on historical data, usually lack the speed, flexibility, and comprehensive view needed to uncover the intricate, multi-layered patterns that modern attackers employ.

Here’s where things get interesting: graphs are revolutionizing the game. Instead of looking at data in contextless, siloed table structures, graph models view everything as one big, connected asset. They can instantly identify how users, accounts, devices, and transactions are all interconnected because complex relationships are inherent to the graph. Case studies report that graph-based features helped Intuit detect nearly 50% more risk events with 50% better precision, and a separate deployment at Danske Bank cut false positives by nearly 60% while boosting true-fraud detection by as much as 50%. What used to take hours, or even days, to uncover — such as complex money laundering schemes or fraud networks — now occurs in milliseconds.

It is no surprise, then, that the graph market has experienced explosive growth, with widespread enterprise adoption and continuous innovation, in recent years.  According to Fortune Business Insights, the global graph database market is projected to grow from $2.85 billion in 2025 to $15.32 billion by 2032, at a CAGR of 27.13%. 

The true power of graphs is further amplified when integrated with advanced artificial intelligence. In their paper “Improving Network Threat Detection by Knowledge Graph, Large Language Model, and Imbalanced Learning“, Zhang et al propose a multi-agent AI framework that combines a Knowledge Graph (KG), an Imbalanced Learning Model (ILM), and a Large Language Model (LLM). The KG analyzes user activity patterns and identifies the risks associated with unknown threats. The ILM detects rare malicious events through a specialized AI technique that handles datasets where one class (such as fraud) is rare compared to another (such as everyday transactions). Standard models naturally show bias toward the majority class, which causes them to miss rare but important cases. The ILM technique intentionally creates a counter-bias toward the minority class to catch those critical, rare events, like fraud. The LLM then acts as a query-and-reasoning engine, translating user questions into graph queries, retrieving and interpreting these risks from the KG and ILM, and providing human-readable explanations of anomalies. It can even generate multi-step attack templates to predict complex Advanced Persistent Threat (APT) behaviors. This approach has been shown to improve threat capture rates by 3%-4% (worth nearly $500 million in 2023 alone) and adds crucial natural language interpretations to risk predictions, thereby increasing human response times.

At Rocketgraph, we are already making this a reality. Our system delves deep into connections without requiring any starting points (seedless traversal). Our GenAI interface enables security analysts to ask questions in natural language with a minimal learning curve. For Zero-Day attacks, for example, Rocketgraph unifies endpoint, identity, and network telemetry into a live attack graph, surfacing abnormal privilege chains and lateral movement at first touch, which helps deliver time‑to‑detect zero‑day exploitation in minutes, not hours.  

The bottom line? Instead of treating every piece of data like it exists in a vacuum, we’re finally looking at the big picture. This approach is helping security teams catch the bad guys in real-time and stay one step ahead of an increasingly clever and pesky group of cybercriminals.

The post Agile Network Threat Detection with Graph and Multi-Agent AI appeared first on Rocketgraph.

Implementing Rocketgraph’s capabilities is not just an IT decision but a strategic financial choice—one that can prevent catastrophic data leaks, protect brand value, and deliver a measurable return on every dollar spent.

Data breaches are expensive not just because of stolen records but because attackers often remain in networks for months, quietly exploring and exfiltrating sensitive data.

• In 2024, the average cost of a data breach was US$4.88 million, and organizations took about 194 days to detect an intrusion and 292 days to identify and contain it (varonis.com).

• When a breach’s lifecycle exceeds 200 days, the total cost increases by roughly US$1.02 million compared with breaches contained more quickly (centraleyes.com).

This long “dwell time” amplifies damages because attackers can quietly copy databases, move laterally to privileged systems, and plant persistence mechanisms.

Real-World Examples of Prolonged Breaches

• Marriott/Starwood (2014–2018) – Attackers gained access to Starwood’s reservation system years before the 2016 acquisition by Marriott. Suspicious activity was detected only in September 2018; investigations showed that hackers had unfettered access for roughly four years, during which they extracted names, passport numbers, and payment card data (strongdm.com). The protracted intrusion compromised up to 500 million guest records and triggered lawsuits, regulatory fines, and reputational damage.

• Equifax (2017) – A missed patch allowed attackers to infiltrate Equifax’s systems in March 2017 and remain hidden for several months. They accessed the personal data of 147 million individuals—including Social Security numbers and driver’s license information. The company eventually spent US$1.4 billion on remediation plus US$1.38 billion in legal settlements (strongdm.com).

• Yahoo (2013–2016) – By forging cookies, attackers gained persistent access to user accounts and remained undetected for roughly three years (strongdm.com). The breach ultimately affected three billion accounts and resulted in a US$117.5 million class-action settlement plus a US$35 million SEC fine; Verizon reduced its purchase price for Yahoo by US$350 million.

• SolarWinds (2019–2020) – Attackers inserted malicious code into SolarWinds’ Orion updates in February 2020 and removed it in June 2020; the breach was uncovered only in December 2020 (bitlyft.com). Over the course of nearly a year, they infiltrated government and enterprise networks, exposing national-security data and leading to significant remediation costs.

Key takeaway: Long-term intrusions lead to legal settlements, incident-response expenses, reputational harm, lost customers, and even reduced acquisition valuations. Organizations that detect breaches sooner save millions in direct and indirect costs.

ROI of Rocketgraph’s Graph-Based Detection

Rocketgraph is a high-speed graph analytics platform designed to shorten dwell time and amplify the return on cybersecurity investments. Its ROI comes from three main factors:

1. Early Detection Saves Millions

• According to IBM’s Cost of a Data Breach report, breaches discovered in under 200 days cost about US$3.93 million, whereas those with longer lifecycles cost US$4.95 million—an extra US$1.02 million (centraleyes.com).

• Rocketgraph accelerates detection by correlating disparate data sources (NetLog, authentication logs, threat-intel feeds) in near real time, enabling security teams to spot lateral movement and privilege escalation quickly.

By reducing dwell time, the platform can save over US$1 million per breach in direct costs alone, not including intangible benefits like avoiding reputational damage and regulatory fines.

2. Enhanced Productivity and Automation

• IBM’s 2025 report shows that organizations using extensive AI and automation cut breach costs by US$1.9 million compared with those lacking such capabilities (cinchops.com).

• Rocketgraph’s AI-driven query interface and automated graph traversals empower less-technical analysts to query complex relationships (e.g., “Which users accessed high-value assets before privilege escalation?”) without writing code.

This reduces labor costs and response times.

3. Prevention Pays for Itself

• Research indicates that every US$1 spent on breach prevention saves US$2.90 in breach costs, and organizations with mature security programs incur 63% lower costs when breaches occur (teramind.co).

• By integrating Rocketgraph as an additive layer to existing tools (SIEM, EDR, fraud platforms), enterprises can enhance their security posture without replacing current investments.

The savings from avoiding a single major breach can more than justify the platform’s subscription cost.

Conclusion: A Compelling Return on Investment

Real-world breaches demonstrate that undetected attackers can lurk for years, resulting in multimillion-dollar losses, regulatory fines, and reputational damage.

• On average, catching a breach early saves more than US$1 million.

• Using AI-driven automation yields an additional US$1.9 million in savings (centraleyes.com, cinchops.com).

• Proactive investments return nearly 3× savings in breach costs (teramind.co).

Rocketgraph’s graph-based detection, AI-powered querying, and scalable, secure architecture provide a unique advantage in reducing dwell time and exposing hidden attack paths.

Every dollar spent on Rocketgraph works like insurance that pays for itself: reducing breach costs, shielding revenue streams, and ensuring that cybersecurity investments translate directly into measurable financial outcomes.

The post Rocketgraph Cybersecurity ROI in the Real World appeared first on Rocketgraph.

In today’s data-driven world, the most valuable insights often hide in the connections between entities.  But when graphs contain billions of connections, traditional analytics tools hit a wall: they simply can’t scan fast enough to find complex patterns before the insights become stale.

What if you could:

• Analyze your entire graph—not just samples or neighborhoods—to find patterns that span dozens of relationships in seconds instead of hours?

• Eliminate millions of unnecessary calculations with smart mathematical reasoning?

Today, I’m excited to share some innovations behind our Graph Search Optimization System (GSOS), protected by three patents that work together to enable true graph-wide scanning at scale. I’m talking about analyzing entire datasets—all of the graph—for complex patterns that span dozens of relationships, and getting results in seconds instead of hours.

Why This Matters (And Why It’s Been So Hard)

Think about how cybersecurity analysts work today. When they’re tracking an advanced persistent threat, they need to trace communications that might flow from person A to B to C, with specific timing requirements and maybe geographic constraints. Or consider fraud investigators hunting for money laundering schemes that bounce between multiple banks, countries, and timeframes.

Today’s tools force analysts into an impossible choice:

• Get fast results by looking at small chunks of data (and probably miss the big picture)

• Try to analyze everything comprehensively (and wait so long that the insights become useless)

This isn’t a minor limitation—it’s the difference between finding 10% of the threats in an Enterprise network and finding all of them.

Rocketgraph’s Three Patents

We developed three innovations that solve different pieces of this puzzle. Individually, each one makes graph analysis faster. Together, they make comprehensive graph-wide scanning possible.

Always Take the Smart Path

Patent: US-10885116-B2

This one’s conceptually simple but mathematically powerful.

Think of it like this: you need to find both your uncle and your aunt at a party where the men are in one room (10 people) and the women are in another (100 people). If you search the men’s room first and don’t find your uncle, you’re done after checking just 10 people. But if you start with the women’s room and don’t find your aunt, you’ve wasted effort checking 100 people to reach the same conclusion. That’s why our Edge-Count Directed system always explores the path with fewer possibilities first. When this compounds across every step of a multi-hop graph search, the time savings become exponential.

What this means in practice:

• Complex relationship searches that used to take hours now finish in minutes

• You can analyze an entire dataset instead of settling for samples

• The bigger a graph gets, the better this technique works

Predict Dead Ends Before You Hit Them

Patent: US-10885117-B2

This is where things get really interesting. Our Derived Constraint system uses logical reasoning to eliminate search paths before wasting computational cycles on them.

Here’s a real example from financial fraud detection: if transaction A must happen before transaction B, and B must happen before time X, then obviously A must happen before time X too. Seems obvious, right? But most systems don’t make these logical connections automatically. They’ll still check thousands of transaction chains that violate this basic constraint.

Our system figures this stuff out ahead of time and eliminates millions to billions of unnecessary calculations. It’s like having a mathematical crystal ball that tells you which paths are worth exploring.

Work With Your Data, Not Against It

Patent: US-11727061-B2

The third piece is about smart data organization. Our Sorted Property system arranges information so that finding complex relationships becomes dramatically more efficient.

In our patent documentation, we show a simple example that reduces 63 evaluations to just 12. But scale that up to enterprise data: when you have millions of incident edges that need checking against property constraints, you’re talking about transforming trillions of potential evaluations into thousands.

The bigger a dataset, the more dramatic the improvement. Analysis that would take weeks becomes feasible in minutes. It’s not just faster—it makes previously impossible analyses routine.

What Graph-Wide Scanning Actually Gives You

Here’s where these three innovations become transformational. Working together, they enable something that was genuinely impossible before: real-time, comprehensive analysis of your entire graph.

Instead of sampling 10% of data and hoping to catch important stuff, you analyze 100% of your relationships. Instead of waiting hours for results, you get insights in seconds—while threats are still developing and opportunities are still available.

Questions you can finally ask:

• What sophisticated schemes span my entire network?

• What attack patterns are unfolding right now across my infrastructure?

• What supply chain vulnerabilities could cascade through my entire operation?

From Defense Research to Real-World Impact

These techniques emerged from national security work where “good enough” analysis simply wasn’t an option. We needed to find sophisticated threat patterns across massive datasets in real-time, every time.

But the applications go way beyond government work:

• Cybersecurity teams can now identify advanced persistent threats by tracing complete attack paths across entire network infrastructures, not just individual system logs.

• Banks can detect complex money laundering schemes that span multiple institutions and countries—patterns that sampling-based approaches would never catch.

• Manufacturers can spot cascading risk patterns across global supplier networks, identifying vulnerabilities weeks before they cause operational disruptions.

• Researchers can analyze complete biological networks to understand disease mechanisms at unprecedented scale and detail.

The common thread? These organizations stopped asking “What can we find in our data samples?” and started asking “What insights exist across our complete dataset?”

The Technical Foundation

These techniques covered by our patents are designed for modern parallel processing architectures. They scale efficiently across multiple cores and processors. They’re built to handle billion-edge graphs entirely in memory, enabling response times that give data owners their insight long before the information is stale.

Each optimization is grounded in formal mathematical principles, so performance improvements are predictable and reliable across different data types and query patterns. Whether you’re analyzing financial transactions, network communications, geospatial data, supply chains, or scientific datasets, these optimizations adapt to your specific requirements.

The result is counterintuitive: the system actually performs better as your datasets become larger and more interconnected.

What’s Next

The future belongs to organizations that can ask bigger questions of their data—and get complete answers while they still matter.

These patents represent a fundamental shift from “sample and hope” to complete data comprehension. As organizations generate increasingly complex, interconnected data, graph-wide scanning becomes essential for understanding how threats propagate, where opportunities emerge, and how to optimize across complete systems.

We’re continuing to build on these foundations at Rocketgraph, recently adding generative AI interfaces that make this level of analytical power accessible to those that need it most, decision makers and domain experts, not just data scientists.

Patents & Credits

These innovations are protected under U.S. Patents 11,727,061, 10,885,117, and 10,885,116, with David Haglin, Daniel Chavarria-Miranda, Robert Adolf, and Patrice Loos as co-inventors.

Learn more about graph-wide scanning capabilities.

The post How We Solved The Graph Analytics Problem Everyone Said Was Impossible appeared first on Rocketgraph.

The Power of Breadth-First Search in Graph Analytics

Breadth-First Search (BFS) is one of the fundamental graph traversal algorithms, but its utility extends far beyond simple pathfinding. BFS explores a graph level by level, visiting all vertices at distance 1 from the source, then all vertices at distance 2, and so on. This systematic approach makes it particularly valuable for analyzing relationships and discovering patterns within specific neighborhoods of a graph.

What makes BFS especially compelling for modern graph analytics is its inherent parallelism. Unlike depth-first approaches that must follow a single path, BFS can process multiple vertices simultaneously at each level. This natural parallelism aligns perfectly with modern multi-core processors and distributed computing environments, making it an ideal candidate for high-performance implementations.

Rocketgraph’s Parallel BFS: Built for Scale

Rocketgraph’s implementation of BFS takes full advantage of this algorithmic parallelism through sophisticated engineering that maximizes throughput while maintaining the correctness guarantees that analysts depend on. Our parallel BFS implementation distributes the workload across multiple threads, processing vertices at each level concurrently while carefully managing synchronization to ensure accurate results.

The benefits of this parallel approach become immediately apparent when working with large-scale graphs. Where traditional sequential implementations might struggle with graphs containing millions of vertices and edges, Rocketgraph’s parallel BFS maintains responsive performance for graphs containing billions of vertices and edges, enabling real-time exploration and analysis. This performance advantage isn’t just about speed—it’s about enabling new types of analysis that would be impractical with slower implementations.

Neighborhood Extraction: Focusing Analysis Where It Matters

One of the most powerful applications of BFS in Rocketgraph is neighborhood extraction—the ability to identify and extract all vertices within a specified distance from a set of source vertices. This capability transforms how analysts approach complex graph problems by allowing them to focus on relevant subgraphs rather than wrestling with entire datasets.

Consider a fraud detection scenario in a financial network. Instead of analyzing millions of transactions across the entire system, an analyst can use BFS to extract the 2-hop or 3-hop neighborhood around suspicious accounts. This focused approach reveals the immediate network of related entities—the accounts, transactions, and patterns that are most likely to contain evidence of fraudulent activity.

The Analyst’s Advantage: Why Neighborhood Analysis Matters

For data analysts and researchers, the ability to extract meaningful neighborhoods provides several critical advantages:

Reduced Complexity: By focusing on neighborhoods rather than entire graphs, analysts can work with datasets that are orders of magnitude smaller, making visualization, pattern recognition, and statistical analysis more manageable and meaningful.

Faster Iteration: Smaller subgraphs mean faster query execution, enabling analysts to iterate quickly through different hypotheses and analytical approaches. This speed is crucial during investigative work where time-to-insight directly impacts outcomes.

Enhanced Visualization: Modern graph visualization tools can effectively display hundreds or thousands of vertices, but struggle with millions. Neighborhood extraction ensures that visualizations remain interpretable and actionable rather than becoming overwhelming hairballs of connectivity.

Targeted Feature Engineering: Machine learning workflows often require feature extraction from graph structures. Working with focused neighborhoods allows for more sophisticated feature engineering without the computational overhead of processing entire graphs.

Contextual Understanding: Neighborhoods preserve the local structure around points of interest, maintaining the relational context that makes graph analysis valuable while eliminating distant, irrelevant connections.

Parallel Processing: The User Experience Advantage

The performance benefits of Rocketgraph’s parallel BFS implementation translate directly into improved user experiences. When analysts can execute neighborhood queries in seconds rather than minutes or hours, they can maintain their analytical flow and explore multiple hypotheses without interruption.

This responsiveness is particularly valuable in interactive analytical workflows. Whether building dashboards, conducting ad-hoc investigations, or developing machine learning models, the ability to quickly extract and analyze neighborhoods enables a more exploratory and iterative approach to graph analytics.

Furthermore, the parallel implementation ensures that performance scales naturally with hardware capabilities. As organizations invest in more powerful servers or migrate to cloud environments with greater parallelism, Rocketgraph’s BFS implementation automatically takes advantage of additional resources without requiring changes to queries or analytical workflows.

Cypher Integration: Making BFS Accessible

Rocketgraph’s BFS capabilities are seamlessly integrated into our Cypher query language support, making powerful graph algorithms accessible through familiar, declarative syntax. Analysts can specify neighborhood extraction queries using intuitive patterns, while the underlying parallel BFS implementation handles the computational complexity.

This integration means that the sophisticated parallel processing capabilities operate transparently, allowing analysts to focus on their analytical objectives rather than algorithmic implementation details. The result is a platform that combines the power of advanced graph algorithms with the accessibility that modern analytical workflows demand.

Conclusion: The Future of Graph Analytics

As graph datasets continue to grow in size and complexity, the ability to efficiently extract and analyze meaningful subsets becomes increasingly critical. Rocketgraph’s parallel BFS implementation represents a significant step forward in making large-scale graph analytics both practical and performant.

By combining algorithmic sophistication with user-focused design, we’re enabling analysts to tackle complex problems with confidence, knowing that the underlying platform can deliver the performance and accuracy their work demands. Whether investigating fraud networks, analyzing social connections, or exploring biological pathways, Rocketgraph’s BFS capabilities provide the foundation for insights that drive real-world impact.

The future of graph analytics lies not just in handling larger datasets, but in enabling analysts to work more effectively with the data that matters most. Through intelligent neighborhood extraction and parallel processing, Rocketgraph is helping to unlock that future today.

The post Unlocking Graph Intelligence: How Rocketgraph’s Parallel BFS Implementation Transforms Neighborhood Analysis appeared first on Rocketgraph.