From Chatbots to Trusted AI Agents: Graphs as the Backbone of AI Cybersecurity Use Cases
Cybersecurity vendors often claim that artificial intelligence will revolutionize threat detection, yet many of these AI-driven tools deliver only surface-level answers. They produce confident-sounding text, but they fail to see the deeper relationships between users, systems, and evolving threats. At Mandiant, I saw a startling contrast firsthand: a talented intel team used hypergraphs to map out indicators across multiple incidents, revealing patterns that simplistic “chat” tools overlooked. In that moment, it became clear that true intelligence requires relational insight and contextual awareness.
In this post, I want to show why graphs are so critical in cybersecurity. I won’t bury you in data-science jargon; instead, I’ll take a practitioner’s approach and share real experiences. You’ll see how graphs unify all those disparate data points — malware signatures, compromised hosts, adversary TTPs — and illuminate hidden attack paths that traditional AI might miss.
By the end, you’ll understand how graph technology doesn’t just collect data; it explains the “why” behind each decision, making your security operation more efficient and trustworthy. We’ll also explore the power of combining two key graph types — knowledge graphs and event graphs — to deliver both in-depth historical context and real-time insights. Let’s get started on a journey that proves AI can do much more than spit out scripted responses.
Early Foundations
For decades, organizations have struggled to make sense of massive, ever-growing volumes of data. Early on, standards like RDF (Resource Description Framework) and OWL (Web Ontology Language) showed how structured relationships could bring data to life, but these concepts stayed mostly within academic and specialized research circles. Then, Neo4j and other “property graph” databases made it simpler to store and query data as nodes and relationships — no more forcing everything into rows and columns.
The real turning point arrived in 2012, when Google’s Knowledge Graph launched and demonstrated to the broader public how interconnected data could transform search. Suddenly, the term “knowledge graph” began appearing in mainstream conversations, and businesses outside of academia took a fresh look at how graphs could bridge isolated data silos.
Why Graphs Matter in Security
Traditional security logs often sit in separate systems, each capturing only a fragment of the overall picture. You have SIEMs logging events, threat intelligence feeds flagging indicators, and asset inventories listing systems that matter. Without a unifying framework, these pieces remain scattered.
Graphs tackle this problem by creating a single map of who, what, when, and how. Nodes represent entities like users, IP addresses, and malware families. Edges capture the relationships: “User logged into Host,” “Malware targets Vulnerability,” or “Threat Actor uses TTP.” As more data flows in, the graph grows richer, exposing intricate patterns and previously unseen connections.
In cybersecurity, this context is everything. A single alert might look benign until you spot its relationship to a known adversary or a compromised user account on a critical server. Graph technology adds depth and intelligence to security operations, helping teams spot subtle attack chains that slip past siloed analysis. Whether you call it a knowledge graph or an event graph, the same principle applies: context is the key to unlocking genuine insight rather than generating surface-level alerts.
Graph Use Cases in Cybersecurity
Threat Intelligence
Threat intelligence involves mapping adversaries, their tactics, and associated indicators into a coherent picture. Graph modeling is a perfect fit here, especially when using STIX (Structured Threat Information eXpression), an open standard that defines how threat actors, campaigns, malware, and indicators all interrelate. By treating each entity as a node and each relationship (e.g., “Threat Actor uses Malware”) as an edge, security teams gain an at-a-glance understanding of who is attacking, how they operate, and which vulnerabilities they might exploit next.
My experience at Mandiant drove home the power of this approach. Our intel team relied on hypergraphs to track where we had seen an indicator across both closed investigations and publicly available intelligence. Later, many from that same team built Vertex Synapse, which continues to serve as the “connective tissue” for threat research at various organizations. When AI agents tap into such a graph, they can quickly identify linked threat actors, correlate TTPs across different campaigns, and deliver richer context than a standalone chatbot could ever manage.
Lateral Movement Tracking
Attackers don’t stay put once they breach an entry point; they move laterally, hopping between hosts to escalate privileges and exfiltrate data. Traditional tools struggle to visualize these pivots in real time because logs are often siloed, slow to update, or difficult to correlate. A graph-based approach solves this by building an event graph that captures the continuous flow of logins, connections, and file accesses as edges between nodes.
A few years ago, I experimented with a Virtual Reality (VR) prototype to visualize large network flows, user sessions, and system events in a spatial environment. While VR might not become a standard part of the cybersecurity toolkit, it underscored how a graph’s interlinked structure makes large-scale movement patterns more visible. By recognizing where a single compromised account pops up in multiple hosts, or how unusual paths form across network segments, analysts can follow the threat actor’s trail more quickly.
Grapl: A Short-Lived SIEM Attempt
The open-source project Grapl (created by Christopher Maier) set out to build a graph-based SIEM, unifying diverse logs and events in a single model. It correlated information from multiple sources, then highlighted suspicious links, all in near real-time. Despite showing strong potential, Grapl had a short run. Scaling a real-time graph for enterprise data — and ensuring the right engineering and data-science skills — proved challenging.
Even so, Grapl’s brief journey illustrated the power of a unified data model for continuous threat monitoring. It also showed that while graph technology holds enormous promise, teams must be prepared to manage complex pipelines, handle high-velocity data, and maintain specialized infrastructure. When done right, this effort pays off with faster detection and clearer context for each security event.
…but what about AI?
LLMs and AI Agents Powered by Graphs
Challenges of LLMs Alone
Large Language Models (LLMs) like GPT can produce eloquent responses, but they often struggle with accuracy if they rely solely on text-based training data. When you ask an LLM to analyze a new piece of malware or identify a specific threat actor, it might “hallucinate” details that sound convincing yet lack grounding in real-world evidence. This shortfall becomes critical in cybersecurity, where false positives and overlooked threats carry major consequences.
One promising solution is Graph-Assisted RAG (Retrieval Augmented Generation), which couples an LLM’s language capabilities with a knowledge graph or event graph. In this model, the LLM pulls verified facts from graph-based data structures. That external reference keeps the AI from guessing, ensuring it returns factual, context-rich insights instead of fluent fiction.
Augmenting LLMs With a Knowledge Graph
A knowledge graph anchors the AI in concrete relationships among threats, vulnerabilities, and historical incident data. By modeling malicious indicators in frameworks like STIX, you preserve connections between threat actors, exploited CVEs, and observed TTPs. When an LLM references this graph, it taps into a curated pool of established truths rather than relying on guesswork.
Tools like Elemendar streamlined this process by parsing indicators and attacker attributions from unstructured threat reports, then converting them into structured data. Neo4j Knowledge Graph Builder shows how graph-based retrieval ties into AI-driven text generation by grounding LLM responses in accurate information. Instead of offering a best guess, the AI references known relationships, enabling more trustworthy outputs.
Interfaces and Maintenance
Building a knowledge graph is only half the challenge. You also need the right interface to help both humans and AI agents consume and update the graph in real time. New solutions like WhyHow, Trustgraph, and Microsoft GraphRAG address the ongoing maintenance and data security aspects of graph management. They provide user-friendly dashboards, policy enforcement layers, and automated workflows that integrate with existing security stacks.
When security teams can seamlessly add new indicators, pivot to live event data, and control access at a granular level, they reduce the chance of human error and free up time for higher-level analyses. With robust interfaces and maintenance processes, the knowledge graph evolves alongside the threat landscape, keeping LLMs — and by extension, your security operations — rooted in verifiable context at every turn.
Combining Graphs, AI Agents, and Security Events
Bringing Knowledge and Event Graphs Together
Knowledge graphs capture the persistent, interconnected facts — threat actors, vulnerabilities, attack techniques — while event graphs track the dynamic, real-time stream of security logs and alerts. By merging both views, you empower security teams and AI agents to see a far bigger picture. An LLM that references a knowledge graph understands who your adversaries are and how they usually operate. At the same time, it can watch an event graph to spot signs of active lateral movement, suspicious logins, or malware execution. This integrated approach delivers historical context and on-the-spot insight all in one place.
Real-Time Correlation and Insight
When new alerts, network flows, or endpoint logs pour in, a graph-based system can quickly map them to existing knowledge. If an account suddenly logs into a system that a known adversary group typically targets, the AI can warn you right away. As data volume scales, streaming graph platforms like Quine.io keep the graph updated in near real time without overwhelming your infrastructure. Because the knowledge graph already stores relationships among malware families, CVEs, and known threat actors, your AI won’t waste cycles on guesswork — it matches each event to a relevant piece of the larger puzzle.
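As an added example (not the post's code, and not from any tool named above) of the correlation just described, and of the STIX-style knowledge graph and login event graph from the Threat Intelligence and Lateral Movement sections: the knowledge graph is built from constructed STIX-style triples with placeholder names, the event graph from constructed login log lines, and a user's hop-by-hop path is matched against hosts the knowledge graph links to an intrusion set, with each finding carrying the edges that explain it.

```python
import re
from collections import defaultdict
# Constructed STIX-style triples; placeholder names, not real intel (actor-targets-host is a modelling choice here).
KNOWLEDGE_TRIPLES = [
    ("intrusion-set:EXAMPLE-GROUP", "uses", "malware:EXAMPLE-LOADER"),
    ("malware:EXAMPLE-LOADER", "targets", "vulnerability:CVE-PLACEHOLDER"),
    ("intrusion-set:EXAMPLE-GROUP", "targets", "host:fileserver01"),
]
# Constructed authentication log lines that feed the event graph.
LOGIN_LOGS = """\
2024-05-01T09:00:00Z LOGIN user=alice src=ws-07 dst=jump01 result=success
2024-05-01T09:04:00Z LOGIN user=alice src=jump01 dst=db02 result=success
2024-05-01T09:09:00Z LOGIN user=alice src=db02 dst=fileserver01 result=success
2024-05-01T09:10:00Z LOGIN user=bob src=ws-12 dst=mail01 result=success
2024-05-01T09:11:00Z LOGIN user=alice src=ws-07 dst=printsrv result=failure
""".splitlines()
LOG_RE = re.compile(r"^(\S+) LOGIN user=(\S+) src=(\S+) dst=(\S+) result=(\S+)$")

def build_graph(triples):
    """Knowledge graph as an adjacency map: subject -> [(relationship, object)]."""
    graph = defaultdict(list)
    for subj, rel, obj in triples:
        graph[subj].append((rel, obj))
    return graph

def parse_logins(lines):
    """Event-graph edges (user, src_host, dst_host, time), built from successful logins only."""
    edges = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(5) == "success":
            edges.append((m.group(2), "host:" + m.group(3), "host:" + m.group(4), m.group(1)))
    return edges

def movement_paths(edges, user, start, after=""):
    """Follow one user's logins hop by hop: each hop leaves the host the previous one reached, later in time."""
    hops = [(d, t) for u, s, d, t in edges if u == user and s == start and t > after]
    if not hops:
        return [[start]]
    return [[start] + tail for d, t in hops for tail in movement_paths(edges, user, d, t)]

def correlate(paths, kg):
    """Flag paths reaching a host an intrusion set targets; each finding carries the edges that explain it."""
    findings = []
    for path in paths:
        for actor, rels in kg.items():
            for rel, obj in rels:
                if actor.startswith("intrusion-set:") and rel == "targets" and obj in path:
                    findings.append((actor, obj, f"{actor} -targets-> {obj}, reached via {' -> '.join(path)}"))
    return findings
```

The failed login is dropped at parse time, so a noisy failure never extends a path; the explanation string in each finding is what an analyst (or an agent) would cite when tracing the alert back to specific nodes and edges.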
Why AI Agents Need Both
By uniting knowledge and event graphs, you give your AI a “3D” perspective on security incidents instead of a flat, one-dimensional view. It can reference a known vulnerability (from the knowledge graph) while tracking new exploit attempts (in the event graph), connecting the dots to recognize a coordinated attack. This synergy fosters:
Deeper Reasoning: The AI combines historical data with real-time alerts to detect patterns that purely text-based systems miss.
Quick Adaptation: Events update the graph continuously, so the AI always works from the latest intelligence.
True Explainability: Tracing a recommendation back to specific nodes and edges shows how the AI reached its conclusion, building trust with security analysts.
When you integrate both graph types, your security operations transform from reactive monitoring to proactive defense. AI agents can spot anomalies faster, prioritize alerts more accurately, and explain their decisions based on actual relationships. That’s the true power of graphs in a modern cyber landscape: they connect the dots, enabling both humans and machines to act with greater confidence.
Conclusion
Graphs are the missing link that elevates AI in cybersecurity from shallow text generation to rich, context-aware analysis. By fusing knowledge and event graphs, teams gain a holistic view of their threat landscape, bridging historical data with real-time activity. Instead of guesswork, AI agents track relationships, spot subtle attack patterns, and explain every move through actual evidence.
What’s Next in the Graph Space
Graph technology continues to evolve at a rapid pace. We already see innovations in streaming graph systems, which reduce latency for real-time correlation at scale. Advanced ontologies, like extended versions of STIX or domain-specific schemas, will refine how we model threat actors and TTPs. Visualization breakthroughs — ranging from immersive VR environments to intuitive web interfaces — will help security teams and others grasp complex networks in seconds instead of hours. These developments point to a future where graphs and AI jointly deliver truly trustworthy, actionable experiences.
If you want to explore or share experiences with graph-based security, let us know. At Huntbase, we’re leveraging these methods to ensure our AI agent, Scout, isn’t just a chatbot but a reasoned partner for security teams. As threats continue to evolve, graph technology will remain a critical force for transforming flat data into multi-dimensional insight that analysts can rely on when it matters most.