The 32 built-in invariants
Every rule Kefal ships with, grouped by category. Severity is the baseline — it can be tuned per tenant later.
Core (kept across versions)
A transition between two graph nodes is observed for the first time. Catches new attack steps that don't match any historical baseline.
A service runs with root privilege and listens on a non-localhost port. Classic privilege-escalation exposure SMBs routinely miss.
An identity is logged in on 2+ hosts within 5 minutes. Signature of lateral movement — one credential touching many machines.
Category 1 — Privilege escalation (5)
A root-owned process runs from /tmp, /dev/shm, /var/tmp, or /home. Common malware execution pattern.
A non-root identity transitions to root activity with no observed sudo or su, suggesting credential compromise or exploit.
A binary with SUID permissions appears for the first time. Potential privilege-escalation vector.
A known service process spawns sh, bash, zsh, dash, fish, or csh. Typical of reverse shell or command injection.
Five or more auth failures within 5 minutes followed by a successful login from the same source. Classic brute-force signature.
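Two of the invariants above share the same sliding-window shape: an identity logged in on 2+ hosts within 5 minutes (Core) and five or more failures followed by a success from the same source within 5 minutes (Category 1). The following is an added example, not Kefal's own code, that evaluates both rules over a constructed stream of auth events; the event tuple layout, the rule names and the detect() function are assumptions.

```python
# Added example (not Kefal's own code): two of the 5-minute-window invariants,
# evaluated over a constructed stream of auth events.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

# Constructed sample events: (ISO timestamp, host, identity, source IP, outcome).
EVENTS = [
    ("2024-01-01T10:00:00", "web1", "alice", "10.0.0.5", "ok"),
    ("2024-01-01T10:01:00", "db1", "alice", "10.0.0.5", "ok"),  # 2nd host in 5 min
    ("2024-01-01T10:02:00", "web1", "bob", "203.0.113.9", "fail"),
    ("2024-01-01T10:02:10", "web1", "bob", "203.0.113.9", "fail"),
    ("2024-01-01T10:02:20", "web1", "bob", "203.0.113.9", "fail"),
    ("2024-01-01T10:02:30", "web1", "bob", "203.0.113.9", "fail"),
    ("2024-01-01T10:02:40", "web1", "bob", "203.0.113.9", "fail"),
    ("2024-01-01T10:03:00", "web1", "bob", "203.0.113.9", "ok"),  # success after 5 fails
    ("2024-01-01T11:00:00", "app1", "alice", "10.0.0.5", "ok"),  # >5 min gap: no alert
]


def _expire(q, now):
    """Drop entries whose timestamp (first tuple element) is older than WINDOW."""
    while q and now - q[0][0] > WINDOW:
        q.popleft()


def detect(events):
    """Return alerts as (rule, subject, timestamp) tuples in time order."""
    alerts = []
    hosts_by_identity = defaultdict(deque)  # identity -> deque of (ts, host)
    fails_by_source = defaultdict(deque)    # source IP -> deque of (ts,)
    for ts, host, identity, src, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        fails = fails_by_source[src]
        _expire(fails, now)
        if outcome == "fail":
            fails.append((now,))
            continue
        # Successful login: brute-force rule fires on 5+ recent failures from this source.
        if len(fails) >= 5:
            alerts.append(("brute_force_then_success", src, now))
            fails.clear()  # one alert per burst
        # Lateral-movement rule: same identity on 2+ distinct hosts inside the window.
        seen = hosts_by_identity[identity]
        _expire(seen, now)
        seen.append((now, host))
        if len({h for _, h in seen}) >= 2:
            alerts.append(("identity_on_multiple_hosts", identity, now))
    return alerts
```

Running detect(EVENTS) yields one lateral-movement alert for alice at 10:01 and one brute-force alert for 203.0.113.9 at 10:03; the 11:00 login falls outside the window and raises nothing.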
Category 2 — Lateral movement (4)
An SSH connection is detected between two internal hosts in the same organization. Potential lateral movement if unexpected.
Two hosts that have never communicated before are now linked via a shared identity or service. New lateral path.
An administrative tool (psexec, wmic, winrm, ansible, puppet, chef-client, salt-minion) runs on a host not classified as an admin or management server.
The same credential appears on hosts in different network segments. Suggests credential theft and lateral movement across trust boundaries.
Category 3 — Persistence (4)
A process consistently appears at boot that was not in previous boot sequences. Potential persistence mechanism.
A change is made to cron, at, systemd-timer, or schtasks entries. Common persistence technique.
A previously unseen binary appears in /usr/bin, /usr/sbin, /usr/local/bin, or /usr/local/sbin. Potential backdoor installation.
A process runs from a hidden (dot-prefixed) directory or with a dot-prefixed name. Common malware concealment.
Category 4 — Data exfiltration signals (4)
A host initiates an outbound connection to an IP never observed before in your graph. Flags novel egress paths.
A service process launches dig, nslookup, host, or drill. Potential DNS tunneling or C2 prep.
tar, zip, 7z, rar, gzip, or bzip2 runs outside known backup windows or from an unexpected user. Classic pre-exfiltration pattern.
nc, ncat, socat, or nmap is listening on a port outside 22/80/443/8080/8443. Strong indicator of a backdoor or reverse shell.
Category 5 — AI-specific threats (4)
A running process exposes what looks like an API key or secret token (sk-, api_key=, token=, OPENAI_API_KEY, etc.) in its command-line arguments — visible to any user on the host via ps.
A process not on the authorized list contacts api.openai.com, api.anthropic.com, api.cohere.ai, or generativelanguage.googleapis.com. Potential data exfiltration via AI.
An ML model file (.bin, .pt, .safetensors, .onnx, .gguf, .pkl) has been modified or replaced. Potential model poisoning or supply-chain attack.
A process identified as an AI agent (langchain, autogpt, crewai, generic agent/copilot) has access to sensitive resources (sudo, /etc/shadow, /etc/passwd) beyond its expected scope.
Category 6 — Misconfigurations (4)
The SSH daemon is configured to allow direct root login. Expands the attack surface for brute force and credential theft.
A sensitive file (/etc/shadow, /etc/gshadow, .env, SSH private keys) has world-readable permissions.
postgres, mysql, mongod, redis-server, or memcached is listening on a non-localhost interface. Network-level exposure.
No firewall rules detected or default policy is ACCEPT. Host is network-unprotected.
Category 7 — System health indicators (4)
A host that has been consistently reporting stops sending snapshots for 5+ minutes. Potential compromise, crash, or network isolation.
Running process count jumps to 3× historical baseline. Suggests fork bomb, resource exhaustion, or malware spawning.
The Kefal agent binary on the host does not match the expected hash. Potential tampering or supply-chain compromise.
Host clock differs from server clock by more than 60 seconds. Breaks TLS, log correlation, and certificate validation.
Contributing your own invariant
You can submit a new invariant via POST /api/v1/invariants/contribute. Submissions go through adversarial verification (two LLM prompts — constructive and red-team) before being activated for all tenants. If it passes, every Kefal customer gains the detection. See the API reference for the contribution schema.