Graphistry · Visual Investigation Platform · 01 / 17
Detection Engineering · Threat Investigation
Visual Investigation at Graph Scale
Turn every analyst into a hunter. A first-meeting walkthrough of the platform I bought twice — once for a crypto-native fintech, once for a global systemically important bank.
Presenter: Anthony G. Tellez
Meeting: First-meeting discovery
Audience: CISO · Detection Eng Lead · Hunter
Platform: Graphistry · Visual Graph Intelligence
Agenda · 02 / 17
18-minute first meeting. Three audiences. One platform.
Core narrative runs 18 minutes — deep-dive appendix slides available on request.
Time | Topic | Primarily for
0–2 min | Three drains on detection-engineering capacity | All attendees
2–4 min | Why visual investigation — tabular can't show relationships | All attendees
4–7 min | Why Graphistry — five capabilities that matter | Detection Eng Lead
7–13 min | Two deployments — crypto fintech + global bank | All attendees
13–16 min | Louie.ai — agentic investigation on top of the graph | Senior Hunter
16–18 min | Stakeholder outcomes · Q&A · closing | CISO · Director

CISO: False-negative risk, board-ready narrative, defensible audit trail
Detection Eng Lead: Rule-library health, coverage visibility, integrations with existing stack
Senior Hunter: Investigation velocity, pivot-on-the-fly across data sources, share sessions
Q&A held throughout · 15–30 min after
The Problem · 03 / 17
Three drains on detection engineering
Every mature SOC — fintech or G-SIFI bank — hits the same wall once the data grows past a few tools and a few billion events.
Investigation Blindness
Hunts are only as good as the mental model of the data. Tabular views can't show relationships. Multi-hop traversal collapses in SQL.

Hours per pivot before the real work begins.
Coverage Blindspots
Thousands of rules. No way to see redundancy. No way to see gaps.

The false negatives you don't know about hide in sparse regions of rule-space.
Tool Sprawl
Data in Splunk, Databricks, Neo4j, Elastic, S3. Every investigation is a pivot-and-join exercise before the hunt even starts.
"We spent more time joining data across tools than we spent actually hunting. By the time an analyst had the picture, the attacker was already two hops past them."
Why Visual Investigation · 04 / 17
Tabular views can't show you relationships
SQL and spreadsheets scale in rows. Investigations scale in edges. Something has to change when you're past a few billion events.
Tabular investigation versus visual graph investigation
TABULAR: Investigation request → Query Splunk for first-hop entities → Copy IDs · query Databricks → Export to spreadsheet → Manual join — guess at edges. Time to first insight: hours — days.
VISUAL GRAPH: Investigation request → splunk · databricks · neo4j · elastic → click · 12 edges. Time to first insight: minutes.
✓ Pivot on the fly ✓ Relationships in one view ✓ Coverage gaps visible ✓ Saved sessions shared
Why Graphistry · 05 / 17
Purpose-built for detection engineering
Five capabilities that separate Graphistry from every other graph-viz tool on the market.
Graphistry capability spoke diagram (hub: Graphistry for investigation; five spokes):
GPU Scale: 100× more data in a commodity browser
Louie.ai: agentic co-investigator, natural-language queries
Any Data Source: Splunk · Databricks · Neo4j, anything with an API
Pivot on the Fly: click any node to drop, follow edges live
Save & Share Sessions: reusable investigations across the whole team
Appendix · Solution Overview · 11 / 17
One platform. Two enterprise deployments. One pattern.
Graphistry is a GPU-accelerated visual investigation platform layered on whatever data stores you already run — the numbers below are from the two deployments I personally bought and stood up.
100× · More data in a single interactive view
5+ · Native data-source integrations shipped
1B · Vectors tested at global-bank scale
$252M · Suspicious fund flows traced at a crypto fintech
2 · Enterprise deployments I personally owned
0 · Thick clients — runs in any browser
20× · Team-hours compressed by Louie.ai
minutes · Investigation time vs. hours of SQL
Appendix · Platform Architecture · 12 / 17
Graphistry is a lens you place over your data.
Not a pipeline. Your existing stores feed directly into a GPU engine — the engine renders an interactive graph in the analyst's browser. Data in, exploration out.
Graphistry hub-and-spoke architecture: data sources orbit a central GPU engine, outputs surface on the analyst side.
DATA IN: Splunk · Splunk ES (native pivot templates); Databricks (lakehouse ref arch); Neo4j (Cypher · direct import); Elastic · OpenSearch (KQL · DSL · REST); S3 · CSV · Parquet (ad-hoc file import); Any REST API (universal connector)
ENGINE: Graphistry GPU, client / cloud; 100× scale · <100 ms round-trip
ANALYST OUT: Analyst Canvas (click · pivot · drop deeper); Louie.ai agent (natural-language queries); Saved Session (shareable · replayable link); Audit Trail (every pivot logged)
No pipeline · no thick client · no re-ingest — Graphistry queries your data in place
Louie.ai · The Outcome · 07 / 17
Agentic Co-Pilot · Benchmarked in the Open
20+ team-hours of SOC work → 1 hour of AI.
Louie.ai is Graphistry's agentic layer. Analysts ask in plain English; Louie fires the queries, builds the graph, and hands back a session. This isn't a demo of a feature — it's the benchmarked result from public, adversarial competitions.
US Cyber Command: Alert-reduction competition — won
Splunk analyst challenge: 100% tier-200 · 50%+ tier-300
Round-trip: <100 ms browser to GPU cloud
The Differentiator · 08 / 17
You can see the false negatives.
The Problem
Unknown unknowns are invisible
A rule library has thousands of rules. Some are redundant. Some are malformed. Some entire categories of threat have no coverage at all.

A spreadsheet can tell you what rules exist. It cannot tell you what rules should exist but don't.

Every detection team in the world is carrying coverage debt they can't measure.
What Graphistry Does
UMAP the whole library
Embed every rule semantically. Project into two dimensions via UMAP. Render in Graphistry at full library scale.

Tight clusters surface duplicates. Outliers flag malformed rules.

Sparse regions are the coverage gaps — the false negatives, visible at last.
Why This Matters
Rules engines can't do this
A rules engine matches patterns that exist. It cannot reason about the absence of a pattern.

Graph visualization of embedding-space can — in a single screen, every time, for every category of threat you care about.

This is the SuriCon talk in one slide. It's the thing that made detection engineers at BNY lean forward.
Two Deployments · 06 / 17
I bought this platform twice.
crypto fintech · global bank
01 · Pain · A crypto-native fintech
Compliance team drowning in blockchain transaction data. SQL queries choking on multi-hop traversal — OFAC sanctions and FinCEN pressure were measured in hops, not rows. Investigations took days because analysts couldn't see wallet clusters, just addresses.
Regulatory stakes. Scale outpacing tooling. No visual layer.
02 · Outcome · Rapids + Databricks + Graphistry + Neo4j
Graphistry sat on top of the existing Databricks lakehouse. Non-engineer compliance analysts could trace fund flows visually for the first time. Investigations dropped from hours of SQL iteration to minutes of visual pivoting. OFAC screening shifted from binary SDN match to graph-proximity by hop count.
$252M in suspicious transactions traced · SAR evidence auto-generated from graph
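The shift from a binary SDN match to graph proximity by hop count, as an added example that is not Graphistry's or the deployment's own code: a multi-source breadth-first search over constructed wallet transfers, returning each address's distance to the nearest SDN-listed wallet alongside the yes/no answer a plain list lookup gives. The transfer edges, the sanctioned address and the three-hop cutoff are all constructed for illustration; direction is ignored so that exposure on either side of a flow is surfaced.

```python
from collections import deque

# Constructed wallet-to-wallet transfers (sender, receiver). Addresses are placeholder
# labels, not real blockchain addresses.
TRANSFERS = [
    ("wallet_sdn_1", "mixer_a"),
    ("mixer_a", "wallet_b"),
    ("wallet_b", "exchange_deposit_1"),
    ("wallet_d", "wallet_c"),
    ("wallet_c", "exchange_deposit_2"),
    ("wallet_e", "wallet_f"),
]

# Constructed stand-in for the SDN list; a real screen would load the published list.
SDN_ADDRESSES = {"wallet_sdn_1"}


def build_adjacency(transfers):
    """Undirected adjacency: exposure counts whether funds flowed to or from a wallet."""
    adj = {}
    for sender, receiver in transfers:
        adj.setdefault(sender, set()).add(receiver)
        adj.setdefault(receiver, set()).add(sender)
    return adj


def hop_distance_to_sdn(transfers, sdn_addresses, max_hops=3):
    """Multi-source BFS from every sanctioned wallet.

    Returns {address: hops} for every wallet within max_hops of a sanctioned one
    (sanctioned wallets themselves sit at 0 hops). Wallets further away are omitted.
    """
    adj = build_adjacency(transfers)
    distance = {addr: 0 for addr in sdn_addresses}
    queue = deque(distance)
    while queue:
        node = queue.popleft()
        if distance[node] == max_hops:
            continue  # cutoff: do not expand beyond the configured hop budget
        for neighbour in adj.get(node, ()):
            if neighbour not in distance:
                distance[neighbour] = distance[node] + 1
                queue.append(neighbour)
    return distance


def binary_sdn_match(address, sdn_addresses):
    """The list-lookup screen the slide contrasts against: exact match only."""
    return address in sdn_addresses


def screen(addresses, transfers, sdn_addresses, max_hops=3):
    """Per address: (binary SDN match, hops to the nearest SDN wallet or None)."""
    hops = hop_distance_to_sdn(transfers, sdn_addresses, max_hops)
    return {
        addr: (binary_sdn_match(addr, sdn_addresses), hops.get(addr))
        for addr in addresses
    }


if __name__ == "__main__":
    wallets = sorted({w for edge in TRANSFERS for w in edge})
    for addr, (exact, hop) in screen(wallets, TRANSFERS, SDN_ADDRESSES).items():
        proximity = "no exposure within 3 hops" if hop is None else f"{hop} hop(s) from SDN funds"
        print(f"{addr:20s} exact-match={exact!s:5s} {proximity}")
```

The deposit address three hops downstream of the sanctioned wallet never matches the list, which is exactly the case a binary screen misses and a hop-count screen surfaces. A production screen would add amount and time weighting on the edges, which this example leaves out.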
03 · Pain · A global systemically important bank ★
Detection engineering team maintaining thousands of Suricata rules across the Splunk stack. Nobody could see redundancy. Nobody could see coverage gaps. The false negatives — the unknown unknowns — were invisible by definition because no one had a map of the rule library.
Rule sprawl outpacing audit. Coverage gaps invisible. Junior analysts adrift.
04 · Outcome · Graphistry + Louie.ai + graph-based RAG
Embedded every rule semantically. Built graph-based RAG on top via Graphistry + Louie.ai. UMAP-clustered the full library. Tight clusters surfaced duplicates. Outliers flagged malformed rules. Sparse regions of the embedding space lit up the coverage gaps — the unknown unknowns, visible at last.
1B vectors · 100× memory reduction · co-presented at SuriCon Madrid 2024
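The rule-library audit described in slide 08 (UMAP the whole library) and in this outcome, as an added example that is not Graphistry's, Louie.ai's or the bank's code. Two simplifications keep it runnable offline: the semantic embedding is replaced by a bag-of-words token set compared with Jaccard overlap, and the UMAP projection, which exists to draw the picture, is skipped in favour of measuring density directly in that space. Duplicates are found as clusters of rules above a similarity threshold, outliers as rules with no close neighbour, and coverage gaps by placing constructed probe phrases for the threat categories the team cares about into the same space and reporting those with no rule nearby. The sample Suricata-style rules, the probes and both thresholds are constructed.

```python
import re

# Syntax keywords stripped before comparing rules, so similarity reflects what a rule
# detects rather than how every Suricata rule is spelled.
SYNTAX_TOKENS = {
    "alert", "any", "msg", "sid", "rev", "content", "flow", "established",
    "to_server", "home_net", "external_net", "nocase", "pcre", "classtype",
}

# Constructed toy rule library (not from any real deployment). sid 1000001 and 1000002
# are near-duplicates; sid 1000006 is deliberately malformed.
RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Beacon to known malware domain"; flow:established,to_server; http.host; content:"evil-c2.example"; sid:1000001; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Beacon to known malware domain (copy)"; flow:established,to_server; http.host; content:"evil-c2.example"; sid:1000002; rev:3;)',
    'alert dns $HOME_NET any -> any 53 (msg:"DNS query to suspicious TLD"; dns.query; content:".xyz"; nocase; sid:1000003; rev:1;)',
    'alert dns $HOME_NET any -> any 53 (msg:"DNS query with long label possible tunneling"; dns.query; pcre:"/^[a-z0-9]{40,}/"; sid:1000004; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force login attempt"; flow:to_server; sid:1000005; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login attempt from external source"; flow:to_server; sid:1000007; rev:1;)',
    'alert tcp any any -> any any (msg:"Broken rule missing closing paren; sid:1000006',
]

# Constructed probes: threat categories the team wants covered, phrased as plain text.
COVERAGE_PROBES = {
    "c2-beacon": "c2 beacon to malware domain",
    "dns-tunneling": "dns tunneling exfiltration",
    "ssh-bruteforce": "ssh brute force login",
    "smb-lateral-movement": "smb lateral movement psexec",
    "powershell-encoded": "powershell encoded command execution",
}


def tokens(text):
    """Toy stand-in for a semantic embedding: the set of content words in the text."""
    words = re.findall(r"[a-z][a-z0-9_]*", text.lower())
    return {w for w in words if len(w) > 2 and w not in SYNTAX_TOKENS}


def similarity(a, b):
    """Jaccard overlap of two token sets, playing the role of cosine similarity."""
    return len(a & b) / len(a | b) if a and b else 0.0


def rule_id(rule, index):
    match = re.search(r"\bsid:\s*(\d+)", rule)
    return match.group(1) if match else f"index-{index}"


def is_well_formed(rule):
    """Cheap structural check: balanced parens, paired quotes, a sid present."""
    return (rule.count("(") == rule.count(")")
            and rule.count('"') % 2 == 0
            and re.search(r"\bsid:\s*\d+", rule) is not None)


def duplicate_groups(vectors, ids, threshold):
    """Union-find over pairs above the similarity threshold (the 'tight clusters')."""
    parent = list(range(len(vectors)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(vectors)):
        for j in range(i + 1, len(vectors)):
            if similarity(vectors[i], vectors[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(len(vectors)):
        groups.setdefault(find(i), []).append(ids[i])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def audit_rule_library(rules, probes, dup_threshold=0.8, sparse_threshold=0.15):
    vectors = [tokens(r) for r in rules]
    ids = [rule_id(r, i) for i, r in enumerate(rules)]
    # Outliers: rules with no neighbour anywhere near them in the embedding.
    nearest = [
        max((similarity(vectors[i], vectors[j]) for j in range(len(rules)) if j != i), default=0.0)
        for i in range(len(rules))
    ]
    outliers = [ids[i] for i, s in enumerate(nearest) if s < sparse_threshold]
    malformed = [ids[i] for i, r in enumerate(rules) if not is_well_formed(r)]
    # Coverage gaps: probe categories whose nearest rule is below the sparse threshold.
    gaps = [
        name for name, text in probes.items()
        if max(similarity(tokens(text), v) for v in vectors) < sparse_threshold
    ]
    return {
        "duplicates": duplicate_groups(vectors, ids, dup_threshold),
        "outliers": outliers,
        "malformed": malformed,
        "coverage_gaps": gaps,
    }


if __name__ == "__main__":
    for key, value in audit_rule_library(RULES, COVERAGE_PROBES).items():
        print(f"{key:14s} {value}")
```

On this toy library the two beacon rules collapse into one duplicate group, the unparseable rule is both the structural failure and the lone embedding outlier, and the two probe categories with no rule near them are the coverage gaps a rules engine cannot report because nothing ever fires for them. Swapping the token sets for real sentence embeddings and the probes for a full threat taxonomy is the only change needed to run the same logic at library scale.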
Kicker · Same platform. Different vertical. Same pattern.
Two buyers. Two domains. Same fundamental insight — detection engineering is a graph problem, and tabular tooling runs out of runway around a few billion events. I know this platform because I paid for it twice and watched it land.
This isn't a sales rep's pitch. It's a customer's.
Appendix · Investigation Scenarios · 13 / 17
Four investigation patterns. One platform.
Every row is pulled from a deployment I either ran or co-presented. The bottom row is the differentiator — the one nobody else can do.
Four scenario demonstration matrix
Scenario | Sev | Key signal | Outcome
Wallet Cluster Hunt (Crypto fintech · AML; billions of ledger rows) | 9/10 | SQL chokes past 3 hops; mixing obscures chains; OFAC edges unclear | ✓ Graph traversal ✓ Fund flow traced ✓ SAR evidence ready
Network Threat Hunt (Zeek · VPC flow logs; 100× more packets) | 7/10 | Spreadsheet-scale wall; patterns span tools; hypotheses stall | ✓ Interactive pivot ✓ Databricks masterclass; analyst-driven flow
Rule Library Audit (Suricata · Splunk ES; 1B-vector embedding) | 9/10 | Duplicate rules hidden; malformed outliers | ✓ UMAP clustered ✓ 100× memory cut
Unknown Unknowns, DIFFERENTIATOR (False negatives · detection gaps hidden in rule-space, invisible to rule engines) | 10/10 | Sparse embedding zones; visible as empty space; graph highlights voids | ✓ Coverage gaps seen ✓ SuriCon insight; no rule engine does this
Stakeholder Value · 09 / 17
Different roles. Different outcomes.
CISO
False-negative risk becomes measurable — sparse regions of rule-space light up
Board-ready narrative: "we can see what we're not covering" is a new executive line
Analyst retention improves when senior hunters stop reading spreadsheets
Defensible audit trail — every investigation session is saved and shareable
Integrates with existing Splunk, Databricks, Elastic — no rip-and-replace
Detection Eng Lead
Rule library stops being a write-only medium — duplicates and gaps become visible
Junior analysts learn the library visually instead of by tribal knowledge
Investigation MTTR collapses from hours to minutes of visual pivoting
GPU-client architecture — no thick installs, runs in the browser
Louie.ai handles the query-and-join plumbing so engineers focus on detections
Senior Hunter
Pivot across every data source from a single interactive canvas
Click any node, drop deeper, follow edges — no query rewriting per pivot
Save the entire investigation session — share with a teammate in one link
100× more data in view than any BI tool or SIEM dashboard can render
Natural-language questions via Louie.ai — the hunt agent you've been asking for
Appendix · Return on Investment · 14 / 17
Per-investigation time comparison
Task | Tabular / SQL | Graphistry | Saved
Hop-1 entity enumeration from source data | 10–20 min | ~10 sec | ~15 min
Multi-hop traversal across 3+ data stores | 30–90 min | ~30 sec | ~60 min
Join and reconcile (spreadsheet hell) | 30–60 min | | ~45 min
Relationship discovery + cluster analysis | 60–120 min | ~2 min | ~90 min
Investigation documentation for handoff | 30–60 min | 1 click | ~45 min
Rule-library coverage audit (BNY scale) | weeks | hours | 100× faster
Typical investigation | 3–6 hrs | < 5 min | ~4 hrs

~400 hrs · returned per hunter per year · at 2 investigations / week
50–80× · investigation velocity gain · hours of SQL → minutes of pivoting
$252M · traced at a crypto fintech · real number from a real deployment
Appendix · Roadmap · 15 / 17
From first session to hunt-team adoption
Phase 1 · Connect & First Hunt · Weeks 1–2
Wire Graphistry to existing data: Splunk · Databricks · Elastic · Neo4j
Pick one high-pain investigation — trace the first real case on the canvas
Share the saved session with stakeholders — proof the platform works on your data
Phase 2 · Playbook Library · Weeks 3–6
Capture 5 recurring investigation patterns as reusable templates
Train 2–3 senior hunters on pivot, save, and share workflows
Turn on Louie.ai for natural-language investigation queries
Phase 3 · Detection Engineering · Quarter 1
Embed the rule library — cluster, find duplicates, surface gaps
Graph-based RAG over threat intel + historical incidents
Quarterly coverage review — board-ready map of what you detect and what you don't
Phase 4 · Hunt-Team Force Multiplier · Ongoing
Louie.ai as default co-investigator — hunters start from plain English, not SPL
Graphistry sessions become the canonical record of every investigation
Appendix · Integration Matrix · 16 / 17
Data source / stack | How Graphistry plugs in | Status
Splunk · Splunk ES | Native pivot templates + official partner blog (Graphistry hub docs) | ✓ Native
Databricks · Lakehouse | Databricks Industry Solution Accelerator — "Incident Investigation Using Graphistry" | ✓ Ref arch
Neo4j | Cypher queries, direct graph import, native node/edge binding | ✓ Native
Elastic · OpenSearch | KQL + DSL via REST, index pattern binding | ✓ Native
Azure Data Explorer / Kusto | Kusto graph integration — published blog & reference | ✓ Native
Apache Spark · Arrow | Arrow bridge — zero-copy for columnar data interchange | ✓ Native
Snowflake · BigQuery · Postgres | SQL-based pivot configs, any standard JDBC/ODBC source | ✓ Native
Amazon S3 · CSV · Parquet | Direct file import for ad-hoc investigations | ✓ Native
Any REST API | Universal connector — if it has an API, Graphistry can ingest from it | ✓ Universal
PyGraphistry (Python SDK) | Build graph sessions programmatically, embed in notebooks, Jupyter/Colab | ✓ SDK
Louie.ai | Agentic co-investigator — natural-language query → Graphistry session | ✓ Differentiator
GPU client/cloud runtime | Browser-side GPU rendering — no thick client, no server install per analyst | ✓ Architecture
Saved & shared sessions | Every investigation becomes a replayable, shareable artifact | ✓ Native
Audit trail & compliance | Session history, user attribution, defensible narrative for exams | ✓ Native
On-prem · air-gapped | Deployment options for regulated environments (G-SIFI, public sector) | ✓ Available
Closing · 10 / 17
Thank You
Let's talk about your graph.
Three concrete next steps. Pick whichever helps your team this quarter — we can book any of them in the next two weeks.
Option A · Deep Dive
90-minute technical walkthrough on your actual stack — Splunk, Databricks, Elastic, whichever you run. Before you formalize any vendor shortlist.
Option B · 2-Week POC
One real investigation on two of your data stores. End-to-end on your canvas. Zero migration, zero re-ingest.
Option C · Reference Call
30 minutes with a current customer at your scale — fintech or global bank — without me in the room. Hear the story straight.
LinkedIn: /in/anthonygtellez
GitHub: @anthonygtellez
Website: anthonygtellez.com
Appendix · Why Visual (reference) · 17 / 17
Tabular views can't show you relationships
Earlier framing, with the "after" panel drawn as a rectangular "Graphistry view" box. Kept here so a reviewer can flip between this and slide 04 to compare the two visual treatments.
Reference — earlier rectangular-box framing of the visual investigation comparison
TABULAR: Investigation request → Query Splunk for first-hop entities → Copy IDs · query Databricks → Export to spreadsheet → Manual join — guess at edges. Time to first insight: hours — days.
VISUAL GRAPH: Investigation request → Graphistry view (pivot across every data source; 100× more data · commodity browser; Splunk · Databricks · Neo4j · Elastic · S3; GPU-accelerated client/cloud). Time to first insight: minutes.
✓ Pivot on the fly ✓ Relationships in one view ✓ Coverage gaps visible ✓ Saved sessions shared