Traditional security looks for "what happened." We ask "is the system becoming structurally unsafe?"
Every network topology can be described using five fundamental measurements. Attacks necessarily alter these metrics in predictable ways.
Rate of increase in edges per node over time.
Detects: Lateral movement, ransomware spread, correlation spikes
Disproportionate outbound connectivity from a single node.
Detects: OAuth app abuse, identity compromise, power concentration
Maximum path length of trust or control inheritance.
Detects: Privilege escalation, role chaining, supply chain attacks
Change in diversity of nodes or edges accessed by an actor.
Detects: Reconnaissance, scope expansion, unusual system access
Rate of removal or degradation of redundancy edges.
Detects: Backup deletion, logging disabled, destructive attacks
90% of enterprise networks exhibit three fundamental structural patterns. Understanding these patterns enables zero-configuration deployment.
High-centrality hub connecting to spokes. Normal user accessing standard applications.
✓ SAFE
Sequential flow from root to leaf. Supply chains, deployment pipelines, admin hierarchies.
✓ SAFE
Peer-to-peer saturation. Lateral movement, worm propagation, collusion networks.
⚠ HIGH ALERT
Raw data never leaves your environment. Docker container. Single deployment.
Stateless detection. No historical storage. Herd immunity without individual exposure.
To evade structural detection, an attacker must move at human velocity. This creates an impossible trade-off:
Be Fast (Effective)
Be Slow (Invisible)
The topology of an attack is inextricably linked to its intent. You cannot traverse a network without creating a path.