Why a Graph
Attack paths are graphs by nature. A pivot is a relationship; a credential is an edge between an account and a host; a defense brief connects a vulnerability to a detection. Modeling this as a graph means:- The orchestrator can query “which hosts can I reach from this credential?” in one Cypher query, not by re-reading conversation history.
- The defender’s deliverable is a structured graph, not a PDF — easy to overlay on existing detection coverage.
- Cross-engagement queries become possible: “did this CVE show up in any prior engagement against this customer?”
Node Types
Edge Types
Tools the Agents Use
The graph is exposed to agents throughKGMiddleware, which builds two tools per attaching role and dispatches them through a shared KGStore (packages/decepticon/decepticon/middleware/kg_internal/):
Agents never write raw Cypher in their prompts. Read paths go through the middleware’s typed summary projections (and through Skillogy for ATT&CK lookups); write paths go through
kg_record / kg_ingest. This keeps the engagement scope, schema validation, and migration-runner contract centralized so a buggy specialist can’t corrupt the graph.
The pre-middleware standalone @tool functions (kg_add_node, kg_add_edge, kg_query, kg_neighbors) are still importable from decepticon.tools.research.tools for transitional callers and emit a DeprecationWarning. New code should attach KGMiddleware and use the middleware-built surface.
Operator Access
The graph is also exposed to the operator:- Browser: Neo4j browser at
http://localhost:7474with credentials from the onboarding wizard. - CLI:
decepticon kg-healthruns diagnostics and surfaces orphan nodes or missing relationships. - Web Dashboard: The attack graph canvas in the Next.js dashboard renders the live engagement graph.
The Graph as Deliverable
At engagement out-brief, the graph becomes part of the deliverable. The blue team gets:- A JSON export of all nodes and edges.
- An ATT&CK Navigator layer derived from the graph.
- A “blue spots” overlay — vulnerabilities the engagement found that the customer’s existing detections do not cover.
- A “red spots” overlay — detections that fired against Decepticon’s actions, proving the SOC works.
Privacy and OPSEC
The graph is engagement-scoped. Customer data captured during the engagement (credential strings, service banners, sensitive paths) is encrypted at rest in Neo4j and purged when the engagement is closed unless explicitly retained for the deliverable.Offensive Vaccine Pipeline
How DefenseAction nodes are produced by the Detector and Patcher agents.
