use casesintermediate
Huntbase: Knowledge Cores for SecOps Intelligence
Learn how Huntbase uses TrustGraph's knowledge cores to power their security operations platform with multi-tenant threat intelligence and incident response
15 min read
Updated 12/24/2025
TrustGraph Team
#use-case#security#secops#knowledge-cores#huntbase
Huntbase: Knowledge Cores for SecOps Intelligence
Huntbase is a modern security operations platform that leverages TrustGraph's Knowledge Cores to deliver intelligent, multi-tenant threat intelligence and incident response capabilities. By using modular knowledge cores, Huntbase isolates customer data, manages threat intelligence feeds, and maintains historical security context with agentic AI-powered investigation assistance.
About Huntbase
Huntbase is an AI-powered SecOps intelligence platform that helps security teams:
- Investigate security incidents with AI-assisted context and historical analysis
- Correlate threat indicators across multiple data sources
- Conduct proactive threat hunting powered by knowledge graphs
- Maintain comprehensive investigation histories and timelines
- Enrich alerts with contextual threat intelligence
The platform is built on the principle that context is king in security operations—understanding the relationships between events, assets, threat actors, and attack patterns separates effective incident response from noise-driven alert fatigue.
The Challenge: Context-Aware Security Intelligence
Traditional security operations platforms fail to provide meaningful context when it matters most:
1. Alert Isolation Without Context
Security teams receive thousands of alerts daily, but most lack the contextual information needed for rapid triage:
- Which assets were truly targeted?
- What was the attacker's objective based on historical patterns?
- Is this part of a known attack campaign?
- How does this incident relate to past incidents?
2. Fragmented Intelligence
Security data lives in disconnected silos:
- SIEM logs (raw events, no interpretation)
- Threat intelligence feeds (isolated indicators without context)
- Incident reports (historical but disconnected)
- Internal asset inventories (static snapshots)
- Attack frameworks like MITRE ATT&CK (abstract patterns)
3. Human-Intensive Investigation
Without automation, security analysts must manually:
- Correlate events across multiple systems
- Search historical incidents for similar patterns
- Enrich alerts with threat actor context
- Build investigation timelines
- Document findings and create reports
4. Time-to-Insight Lag
Investigations that should take minutes take hours because context requires:
- Multiple database queries
- Manual graph traversal of relationships
- Threshold-based alerting that misses nuance
- Textual analysis of unstructured reports
How Huntbase Uses Knowledge Cores
Huntbase uses TrustGraph's Knowledge Cores as modular, isolated graph instances to build contextual intelligence for SecOps. Rather than a traditional multi-tenant isolation pattern, Huntbase leverages knowledge cores as specialized memory structures for different types of security context.
Architecture: Context Cores for Investigation
// Huntbase organizes investigation context across specialized cores
class HuntbaseSecurityArchitecture {
// Customer investigation core: Incident-specific context
async createCustomerInvestigationCore(customerId: string) {
// Each customer gets an isolated core for their investigations
const core = await tg.getKgCore(`huntbase-customer-${customerId}`);
// Load customer-specific context:
// - Internal asset inventory (IPs, hostnames, users)
// - Customer-specific incidents and investigations
// - Customer threat model and risk profile
// - Custom IOC lists and allowlists
return core;
}
// Shared threat intelligence core: Global context
async createThreatIntelCore() {
// Read-only core shared across all customers
const threatCore = await tg.getKgCore("huntbase-threat-intel-shared");
// Contains pre-loaded threat context:
// - MITRE ATT&CK framework (techniques, tactics, procedures)
// - Known threat actor profiles and their TTPs
// - Known malware families and their characteristics
// - CVE database with exploit chains
// - Attack campaign timelines and attribution
return threatCore;
}
// Investigation memory core: AI agent reasoning
async createInvestigationMemoryCore(incidentId: string) {
// Per-investigation core for AI agent reasoning state
const memoryCore = await tg.getKgCore(`huntbase-investigation-${incidentId}`);
// Stores the investigation state:
// - Discovered relationships and conclusions
// - Intermediate analysis results
// - Agent reasoning trail
// - Investigation timeline
return memoryCore;
}
}
Multi-Core Architecture
Huntbase uses multiple specialized knowledge cores working together:
┌─────────────────────────────────────────────────────────┐
│ Huntbase Investigation Engine │
├─────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ AI Investigation Agent │ │
│ │ (Agentic reasoning across multiple cores) │ │
│ └──────────────────────────────────────────────────┘ │
│ ▲ │
│ ┌─────────────────┼─────────────────┐ │
│ │ │ │ │
│ ┌────▼───┐ ┌────▼────┐ ┌─────▼────┐ │
│ │Customer │ │Threat │ │Investigation│ │
│ │Core │ │Intel │ │Memory Core │ │
│ │(Isolated│ │Core │ │(Per-incident)│ │
│ │per-cust)│ │(Shared) │ │ │ │
│ └────────┘ └────────┘ └─────────────┘ │
│ │
│ Each core contains RDF triples representing │
│ entities, relationships, and attack patterns │
│ │
└─────────────────────────────────────────────────────────┘
Core Type 1: Customer Investigation Core
Each customer gets an isolated core for their security investigations and asset inventory:
// Loading customer-specific investigation context
async function initializeCustomerInvestigationCore(
customerId: string,
customerAssets: AssetInventory
) {
// Load the customer's isolated core
await tg.loadKgCore(`huntbase-customer-${customerId}`);
// Add customer assets and context as RDF triples
const assetTriples = [];
for (const asset of customerAssets.servers) {
assetTriples.push({
s: { v: `http://huntbase.io/assets/${asset.id}`, e: true },
p: { v: "http://huntbase.io/hasHostname", e: true },
o: { v: asset.hostname, e: false }
});
assetTriples.push({
s: { v: `http://huntbase.io/assets/${asset.id}`, e: true },
p: { v: "http://huntbase.io/hasIPAddress", e: true },
o: { v: asset.ipAddress, e: false }
});
assetTriples.push({
s: { v: `http://huntbase.io/assets/${asset.id}`, e: true },
p: { v: "http://purl.org/dc/terms/type", e: true },
o: { v: asset.type, e: false }
});
}
// Ingest asset inventory into customer core
await tg.addDocument({
"kg-core-id": `huntbase-customer-${customerId}`,
"content": assetTriples,
"document-type": "rdf-triples"
});
}
// Investigate an incident within customer context
async function investigateIncident(
customerId: string,
incidentId: string,
rawAlertData: SecurityAlert
) {
// Query customer core + threat intel core together
const investigation = await tg.invokeGraphRag({
"flow-id": "incident-investigation-flow",
"query": `Given this security alert: ${rawAlertData.description}
Analyze using customer context:
- Which assets were targeted?
- What historical incidents match this pattern?
- Which threat actors typically use these techniques?
From the security investigation knowledge:
- What MITRE ATT&CK techniques are present?
- What is the likely attack objective?
- What should we investigate next?`
});
return investigation;
}
Core Type 2: Shared Threat Intelligence Core
A global threat intelligence core shared across all customers provides attack context:
// Create and manage shared threat intelligence core
async function initializeThreatIntelligenceCore() {
// Load the shared, read-only threat intelligence core
const threatCore = await tg.getKgCore("huntbase-threat-intel-shared");
// Threat intel includes:
// - MITRE ATT&CK techniques (T1234 = Lateral Movement)
// - Threat actor profiles (APT28, Lazarus Group, etc.)
// - Attack campaign information
// - Malware family signatures and behaviors
// - CVE exploitation chains
return threatCore;
}
// Load external threat feeds into shared core
async function updateThreatIntelligenceFeed(
feedSource: string,
threatIndicators: ThreatIndicator[]
) {
// External threat feeds: OSINT, commercial feeds, etc.
const feedTriples = [];
for (const indicator of threatIndicators) {
feedTriples.push({
s: { v: `http://huntbase.io/indicators/${indicator.hash}`, e: true },
p: { v: "http://huntbase.io/hasIndicatorType", e: true },
o: { v: indicator.type, e: false } // IP, domain, file hash, etc.
});
feedTriples.push({
s: { v: `http://huntbase.io/indicators/${indicator.hash}`, e: true },
p: { v: "http://huntbase.io/attributedToThreatActor", e: true },
o: { v: `http://huntbase.io/threat-actors/${indicator.actorId}`, e: true }
});
feedTriples.push({
s: { v: `http://huntbase.io/indicators/${indicator.hash}`, e: true },
p: { v: "http://purl.org/dc/terms/source", e: true },
o: { v: feedSource, e: false }
});
}
// Ingest into shared threat intel core
await tg.addDocument({
"kg-core-id": "huntbase-threat-intel-shared",
"content": feedTriples,
"document-type": "rdf-triples"
});
}
Core Type 3: Investigation Memory Core
Each investigation gets its own temporary core for the AI agent to reason through the incident:
// Create per-incident investigation memory for AI reasoning
async function createInvestigationMemory(incidentId: string) {
const memoryCore = await tg.getKgCore(`huntbase-investigation-${incidentId}`);
// This core holds the agent's working memory:
// - Discovered entities (hosts, users, processes)
// - Relationships found during investigation
// - Attack chain hypotheses
// - Analysis state and conclusions
return memoryCore;
}
// AI agent updates investigation memory with findings
async function recordInvestigationFinding(
incidentId: string,
finding: InvestigationFinding
) {
// Agent discoveries get added as RDF triples
const findings = [];
findings.push({
s: { v: `http://huntbase.io/incidents/${incidentId}`, e: true },
p: { v: "http://huntbase.io/discoveredRelationship", e: true },
o: { v: `http://huntbase.io/findings/${finding.id}`, e: true }
});
findings.push({
s: { v: `http://huntbase.io/findings/${finding.id}`, e: true },
p: { v: "http://purl.org/dc/terms/description", e: true },
o: { v: finding.description, e: false }
});
findings.push({
s: { v: `http://huntbase.io/findings/${finding.id}`, e: true },
p: { v: "http://huntbase.io/confidence", e: true },
o: { v: finding.confidence.toString(), e: false }
});
// Store in investigation memory core for agent context
await tg.addDocument({
"kg-core-id": `huntbase-investigation-${incidentId}`,
"content": findings,
"document-type": "rdf-triples"
});
}
Real-World Use Cases
Use Case 1: AI-Assisted Incident Investigation
An analyst is investigating a suspicious alert. The AI agent uses knowledge cores to provide rich context:
async function aiAssistedInvestigation(
customerId: string,
incidentId: string,
initialAlert: SecurityAlert
) {
// Agent queries across cores for investigation context
// Step 1: Understand what happened
const incidentContext = await tg.invokeGraphRag({
"flow-id": "investigation-flow",
"query": `
Alert: ${initialAlert.description}
Target: ${initialAlert.targetHost}
From customer assets (customer core):
- What is the business context of this asset?
- Who has access to this system?
- What systems communicate with it?
From threat intelligence (shared threat core):
- What known attacks target this asset type?
- Which threat actors use these techniques?
- What is the likely attacker objective?`
});
// Step 2: Correlate with historical incidents
const historicalContext = await tg.invokeGraphRag({
"flow-id": "investigation-flow",
"query": `
Similar past incidents in customer core:
- Have we seen this attack pattern before?
- What was the outcome of similar incidents?
- What assets were compromised?
From threat intelligence:
- Attack campaign patterns
- Attribution confidence for similar attacks`
});
// Step 3: Generate investigation recommendations
const recommendations = await tg.invokeGraphRag({
"flow-id": "investigation-flow",
"query": `
Based on the incident context and historical patterns:
- What should we investigate next?
- Which systems need immediate isolation?
- What indicators should we hunt for?
- What information should we collect for forensics?`
});
return {
incidentContext,
historicalContext,
recommendations
};
}
Use Case 2: Threat Hunting via Pattern Similarity
Security analysts hunt for similar incidents using knowledge cores:
async function threatHuntBySimilarity(
customerId: string,
threatQuery: ThreatHuntQuery
) {
// Query customer core for matching patterns
const customerIncidents = await tg.invokeGraphRag({
"flow-id": "threat-hunt-flow",
"query": `
Search customer incident history for:
- Incidents with similar attack techniques
- Incidents targeting similar asset types
- Incidents with matching IOC patterns
Return timeline and relationships between incidents`
});
// Cross-reference with threat intelligence
const threatContext = await tg.invokeGraphRag({
"flow-id": "threat-hunt-flow",
"query": `
From threat intelligence core:
- Which threat actors use these techniques?
- Known campaign infrastructure and IOCs
- Attribution confidence levels
- Historical target patterns`
});
return {
customerMatches: customerIncidents,
threatContext: threatContext,
huntingRecommendations: generateHuntingLeads(customerIncidents, threatContext)
};
}
Use Case 3: Investigation Timeline and Context Report
Generate comprehensive investigation reports with full context:
async function generateInvestigationReport(
customerId: string,
incidentId: string
) {
// Query investigation memory core for discovered findings
const investigationMemory = await tg.getKgCore(`huntbase-investigation-${incidentId}`);
// Build timeline from investigation memory
const timeline = await tg.invokeGraphRag({
"flow-id": "reporting-flow",
"query": `
From investigation memory core:
- Chronological timeline of discovered events
- Attack stages and progression
- IOCs discovered in sequence
- Critical decision points in investigation`
});
// Get attacker context from threat intel core
const attackerContext = await tg.invokeGraphRag({
"flow-id": "reporting-flow",
"query": `
From threat intelligence core:
- Identified threat actor(s)
- Typical attack patterns and objectives
- Known infrastructure
- Attribution confidence`
});
// Get customer impact from customer core
const customerImpact = await tg.invokeGraphRag({
"flow-id": "reporting-flow",
"query": `
From customer core:
- Assets compromised or accessed
- Data exposed or exfiltrated
- Business impact
- Affected users and services`
});
return generateReport({
timeline,
attackerContext,
customerImpact,
recommendations: generateRecommendations(timeline, attackerContext)
});
}
Benefits of Knowledge Cores for Huntbase
1. Complete Data Isolation
// Customers cannot access each other's cores
// Customer A's core is completely isolated
await tg.loadKgCore("huntbase-customer-A");
// All queries are isolated to Customer A's investigation data
// Customer B's core is completely separate
await tg.loadKgCore("huntbase-customer-B");
// No cross-contamination possible
Each customer's investigation context remains completely isolated, meeting strict data residency and compliance requirements.
2. Flexible Schema Management
Different customer security infrastructures have different characteristics:
// Customer can customize their threat model
// - Industry-specific threat patterns (finance, healthcare, government)
// - Custom asset classification schemes
// - Customer-specific IOC formats
// - Custom threat actor profiles relevant to their sector
// Without being constrained by a shared schema
3. Modular Memory for Agentic AI
Knowledge cores act as persistent memory structures for AI agents:
// Investigation memory allows agent to:
// 1. Store reasoning state across multiple queries
// 2. Build up context incrementally
// 3. Avoid re-computing relationships
// 4. Maintain coherent narrative of investigation
const agentMemory = await tg.getKgCore(`huntbase-investigation-${incidentId}`);
// Agent can reason about relationships discovered across multiple steps
// And build a coherent investigation timeline
4. Historical Investigation Archive
Completed investigations are preserved as cores for future reference:
// Investigation cores can be:
// - Archived and compressed for long-term storage
// - Queried for similar patterns in new incidents
// - Used for compliance reporting and audit trails
// - Analyzed for attacker TTPs and patterns
// No expensive re-extraction needed - the graph is already built
5. Cross-Core Federation for Threat Hunting
Query across customer cores to identify global threat patterns:
async function globalThreatHunt(threatIndicator: string) {
// Admin view: Hunt for indicators across all customer cores
const customerCores = await tg.listKgCores({
"filter": "huntbase-customer-*"
});
// Federated query across all customer environments
// (respecting isolation - only admin can do this)
const results = await tg.invokeGraphRag({
"flow-id": "global-hunt-flow",
"query": `
Search all customer cores for indicator: ${threatIndicator}
Return:
- Which customers have been affected
- Timeline of compromise
- Related incidents and correlations`
});
return results;
}
Technical Implementation
Core Provisioning Pipeline
class HuntbaseProvisioning {
async onboardNewCustomer(customer: Customer) {
// 1. Create customer's isolated investigation core
const customerCore = await this.createCustomerCore(customer.id);
// 2. Load customer asset inventory
await this.loadCustomerAssets(customerCore, customer.assetInventory);
// 3. Create investigation memory template
await this.createInvestigationCoreTemplate(customer.id);
// 4. Link to shared threat intelligence
// (customer can query threat intel, but cannot modify it)
await this.configureSharedThreatIntelAccess(customer.id);
// 5. Initialize monitoring and audit trail
await this.initializeAuditLogging(customer.id);
return customerCore;
}
async createCustomerCore(customerId: string) {
// Each customer core contains:
// - Asset inventory (servers, networks, users)
// - Incident history (archived investigations)
// - Custom threat actor profiles
// - Customer-specific IOC lists
return await tg.getKgCore(`huntbase-customer-${customerId}`);
}
async loadCustomerAssets(
coreId: string,
assets: AssetInventory
) {
// Convert asset inventory to RDF triples
const assetTriples = this.assetInventoryToTriples(assets);
// Load into customer core
await tg.addDocument({
"kg-core-id": coreId,
"content": assetTriples,
"document-type": "rdf-triples"
});
}
}
Loading and Using Knowledge Cores
// Huntbase investigator workflow
// 1. Load the customer's core for investigation
await tg.loadKgCore("huntbase-customer-acme-corp");
// 2. Create investigation-specific memory core
const incidentId = "incident-2025-12-24-001";
const memoryCore = await tg.getKgCore(`huntbase-investigation-${incidentId}`);
// 3. AI agent performs investigation using both cores
const investigation = await tg.invokeGraphRag({
"flow-id": "investigation-flow",
"query": "Investigate this alert with full context"
});
// 4. Investigation findings are stored in memory core
// 5. Completed investigation core can be archived for future reference
Results and Impact
Operational Benefits
- Context-Driven Triage: Security analysts get immediate context rather than isolated alerts
- Accelerated Investigations: Graph traversal provides investigation paths in seconds vs. hours
- Historical Pattern Matching: Automatically correlate new incidents with past patterns
- Agentic Assistance: AI agents can reason across domains and provide recommendations
- Audit-Ready: Complete investigation trails captured in knowledge cores
Technical Advantages
- Zero-Trust Isolation: Customer data never mixes (no shared schema or tables)
- Flexible Schemas: Each customer can model their threat domain differently
- Persistent Agent Memory: Cores provide long-term memory for agentic AI systems
- Modular and Reusable: Investigation cores can be archived, queried, and re-analyzed
Best Practices from Huntbase
- Core-per-Customer for Isolation: Each customer gets a dedicated investigation core
- Shared Threat Intelligence: Single read-only threat intel core used by all customers
- Per-Investigation Memory: Temporary cores for investigation reasoning and state
- Archival Strategy: Move completed investigations to archive cores for compliance and historical analysis
- Agent Tool Configuration: Provide agents with knowledge-query tools to access cores during reasoning
- Federated Queries for Threat Hunting: Platform admins can query across customer cores to identify global patterns (with proper authorization)
Conclusion
Huntbase's use of TrustGraph Knowledge Cores demonstrates how modular, isolated graph instances power intelligent security operations:
✅ Complete data isolation for regulatory compliance
✅ Contextual intelligence that accelerates investigation and triage
✅ Agentic AI reasoning with persistent memory across investigations
✅ Flexible schema management for diverse security contexts
✅ Historical analysis preserved in searchable investigation cores
✅ Multi-tenant scalability without compromising data security
By leveraging knowledge cores, Huntbase delivers enterprise-grade security operations with the isolation, context, and intelligence required for modern SecOps platforms.
Related Concepts
- Knowledge Cores as Modular Memory - Deep dive into knowledge cores
- GraphRAG - Graph-enhanced retrieval and generation
- Collections - Logical data groupings within cores
- Agent Tool Configuration - Setting up agents with knowledge query tools
- RDF and Semantic Web - Understanding RDF triples and semantic representation