Cyber Threat Analytics With Graph Analysis and Visualization

Sa Wang | Software Engineer | March 24, 2025

Cyber threats continue to rise, becoming more sophisticated and harder to predict. As these threats evolve, staying ahead of attacks requires more than just traditional security measures.

In this article, we explore how cyber threat analytics can help you detect, predict, and prevent security risks by uncovering hidden patterns and connections. We’ll discuss the core components of cyber threat analytics, how graph analysis enhances these efforts, and examine real-world applications. Additionally, we’ll look at how integrating Open Threat Exchange (OTX) can provide valuable threat intelligence, helping organizations stay proactive. Finally, we’ll guide you step by step in using PuppyGraph to visualize your threat landscape.

By the end, you’ll understand how combining graph-based analysis and threat intelligence can strengthen your organization’s ability to identify and respond to cyber threats in real time.

Figure: Recently Modified Pulses on OTX, which are collections of indicators of compromise (IOCs) describing specific cyber threats.

What is Cyber Threat Analytics?

Cyber threat analytics is the discipline of interpreting and transforming raw security data into actionable insights. Organizations generate massive amounts of logs, events, and alerts from firewalls, intrusion detection systems, and endpoint devices. Instead of treating each alert in isolation, cyber threat analytics looks for hidden connections that may indicate a coordinated threat. By evaluating how different pieces of data relate to each other, security teams can detect malicious activity that traditional signature-based tools might miss.

What sets cyber threat analytics apart from older approaches is its focus on real-time analysis, relationship mapping, and external threat intelligence. A single suspicious login attempt might go unnoticed, but combined with unusual network access and data exfiltration patterns, it may reveal a larger attack in progress. External feeds such as Open Threat Exchange (OTX) enrich the data with global indicators of compromise (IOCs). This helps teams cross-reference local findings with known threat actors, malicious IP addresses, or domains, providing a more complete picture of the threat landscape.

By synthesizing data from multiple sources, cyber threat analytics goes beyond reactive defenses. It not only flags potential threats but also shows how they spread through networks, which assets are at risk, and what level of impact to expect. This broader perspective enables security teams to respond faster, allocate resources more effectively, and stay ahead of evolving attacks.

How Cyber Threat Analytics Works

Cyber threat analytics follows a structured process to detect, investigate, and respond to potential threats. By analyzing data from multiple sources, security teams can uncover patterns and connections that indicate malicious activity. 

Data Ingestion

Security data is collected from logs, network traffic, endpoints, cloud services, and external intelligence feeds. Common sources include firewalls, security information and event management (SIEM) platforms, intrusion detection systems (IDS), and malware analysis reports. These raw data points form the foundation of threat detection.

Normalization and Correlation

Raw security data comes in different formats from various sources. To make it useful, the data is structured and standardized. Correlation engines analyze events across different systems to identify relationships between suspicious activities. A login attempt from an unusual location might seem harmless alone, but when combined with other indicators like failed authentication attempts and unusual network access, it could reveal an ongoing attack.

Threat Detection and Anomaly Identification

The system continuously monitors activity, looking for deviations from normal behavior. Unusual authentication patterns, unexpected spikes in network traffic, lateral movement within a network, or unauthorized access attempts can signal a threat. By linking related activities, cyber threat analytics helps security teams identify attacks that would otherwise go unnoticed.

Threat Intelligence Enrichment

Open Threat Exchange (OTX) and other external intelligence sources provide real-time context for suspicious activity. Indicators of compromise (IOCs) such as known malicious IP addresses, domains, or file hashes can be cross-checked against internal data to confirm potential threats. This external context helps security teams distinguish between false alarms and real risks.

Risk Prioritization

Not all threats carry the same level of risk. Cyber threat analytics assigns risk scores based on factors like severity, potential impact, and correlation with known attack patterns. This prioritization allows security teams to focus on high-risk incidents instead of being overwhelmed by minor anomalies.

Incident Response and Mitigation

Once a threat is confirmed, security teams take action. This may involve blocking an IP address, isolating a compromised system, disabling an affected account, or launching a deeper investigation into the attack path. In some cases, automated response mechanisms trigger immediate defenses to prevent further damage.

Cyber threat analytics is a continuous process that adapts to evolving threats. By analyzing relationships between different activities, security teams can detect attacks earlier and respond faster, reducing the risk of serious security incidents. These capabilities make cyber threat analytics essential across various security functions. From incident response to fraud detection, organizations use it in different ways to strengthen their defenses.

Figure: Information and visualization of malware clusters in OTX.

Applications and Use Cases

Cyber threat analytics plays a critical role in cybersecurity operations. By analyzing relationships between data points, security teams can uncover hidden threats, track attack paths, and prevent security breaches. Here are some key applications.

Incident Detection and Response

Quickly identifying and responding to security incidents reduces damage and recovery time. Cyber threat analytics helps detect unauthorized access, malware infections, and suspicious activity in real time. By analyzing connections between network events, security teams can pinpoint the origin of an attack and take immediate action to contain it.

Threat Hunting

Rather than waiting for alerts, security teams can proactively search for threats. Cyber threat analytics helps identify suspicious patterns that might not trigger traditional security tools. Analysts can map attacker behaviors, uncover stealthy movements, and stop intrusions before they escalate.

Fraud Detection

Financial institutions and online services rely on cyber threat analytics to identify fraudulent activity. By tracking transactions, user behaviors, and account activity, security teams can detect account takeovers, payment fraud, and identity theft. Analytics helps spot unusual behavior, such as a sudden change in spending patterns or access from an unexpected location.

Insider Threat Monitoring

Not all threats come from external attackers. Employees or contractors with access to sensitive systems can pose security risks. Cyber threat analytics helps detect unauthorized data access, privilege abuse, and unusual login patterns that may indicate an insider threat.

Supply Chain Security

Organizations rely on third-party vendors, cloud providers, and supply chain partners, which expands the attack surface. Cyber threat analytics helps monitor external relationships, detect vulnerabilities in partner networks, and assess risks from compromised third-party systems.

Threat Intelligence Correlation

Integrating cyber threat analytics with external intelligence sources like Open Threat Exchange (OTX) improves detection capabilities. Security teams can cross-check internal security events against known threat indicators, identifying active threats faster and preventing attacks linked to global adversaries.

Network and Endpoint Security

By analyzing traffic patterns and endpoint activity, security teams can detect malware infections, command-and-control (C2) communications, and lateral movement within networks. Cyber threat analytics helps uncover coordinated attacks that involve multiple devices, making it easier to stop threats before they spread.

Cyber threat analytics enhances security operations by improving visibility, reducing investigation time, and enabling proactive defense strategies. Organizations that apply analytics effectively can detect threats earlier and prevent security incidents with greater accuracy. However, implementing and maintaining a robust cyber threat analytics program comes with its own set of challenges. Managing large volumes of security data, reducing false positives, and integrating intelligence sources are just a few obstacles security teams must overcome.

Challenges in Cyber Threat Analytics

Cyber threat analytics improves threat detection and response, but implementing it effectively comes with challenges. Security teams must deal with large volumes of data, false positives, integration complexities, and evolving threats. Addressing these issues requires the right tools, expertise, and processes.

Data Overload

Organizations generate massive amounts of security data from logs, network traffic, endpoints, and cloud services. Sorting through this data to identify real threats can be overwhelming. Without efficient filtering and correlation, security teams may struggle to focus on high-risk events.

False Positives and Alert Fatigue

Analytics tools can generate alerts for activities that appear suspicious but are not actual threats. Too many false positives lead to alert fatigue, causing security teams to overlook critical warnings. Fine-tuning detection rules and improving correlation methods help reduce unnecessary alerts.

Lack of Skilled Professionals

Cyber threat analytics requires expertise in threat intelligence, security operations, and data analysis. The cybersecurity skills gap makes it difficult for organizations to find and retain professionals capable of interpreting and acting on analytics-driven insights.

Integration Complexity

Many organizations use multiple security tools, each generating its own set of logs and alerts. Integrating cyber threat analytics with existing systems, including SIEM platforms, endpoint detection and response (EDR), and threat intelligence feeds, can be complex and time-consuming. Poor integration leads to fragmented data and blind spots in security monitoring.

Evolving Threat Landscape

Attackers constantly refine their techniques, making it harder to rely on static detection methods. Cyber threat analytics must adapt to new attack patterns, malware variants, and tactics used by advanced persistent threats (APTs). Keeping up with evolving threats requires continuous monitoring and intelligence updates.

Privacy and Compliance Concerns

Security analytics often involves processing sensitive data, which raises privacy and regulatory challenges. Organizations must balance effective threat detection with compliance requirements related to data protection laws such as GDPR and CCPA. Ensuring proper data handling while maintaining strong security can be difficult.

Cost and Resource Constraints

Building and maintaining an effective cyber threat analytics program requires investment in infrastructure, tools, and personnel. Smaller organizations may struggle with budget limitations, making it harder to deploy advanced analytics solutions.

Overcoming these challenges requires a well-structured approach. Organizations must optimize data processing, refine detection techniques, integrate intelligence sources, and invest in skilled personnel to maximize the effectiveness of cyber threat analytics.

Enhance cyber threat analytics with graph analytics

As we have seen, cyber threats rarely occur as isolated events. Attackers establish connections between compromised accounts, infected devices, and external command-and-control (C2) infrastructure. Analyzing these threats requires more than just looking at logs and alerts in isolation. Graph analytics provides a way to map these relationships, helping security teams uncover attack paths, identify hidden connections, and track evolving threats more effectively.

Why Use Graph Analytics?

Graph analytics shifts the focus from individual events to relationships between entities, making it easier to:

  • Expose attack chains by mapping how threats spread across systems.
  • Detect hidden links between compromised assets that may not appear suspicious on their own.
  • Identify anomalies that deviate from normal patterns of interaction.
  • Accelerate investigations by providing a visual and structured representation of threat activity.

How It Works

Security data is transformed into a graph where nodes represent entities like IP addresses, users, and domains, while edges define their interactions. This structure allows security teams to:

  1. Build a network of relationships from security logs and external intelligence sources like Open Threat Exchange (OTX).
  2. Detect patterns that match known attack behaviors or reveal suspicious anomalies.
  3. Investigate threats visually to track an attacker’s movements and determine the full scope of an incident.

By shifting from log-based analysis to a graph-driven approach, security teams gain a clearer picture of complex threats.
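As an added example (not code from the original article or from PuppyGraph) that covers both the pipeline described under How Cyber Threat Analytics Works and the graph model just described: a few constructed, already-normalised events become a directed graph, are enriched against a constructed IOC list standing in for an OTX feed, and are walked to recover the attack chain, the assets it touched, and a simple risk score. Every user, host, IP address and domain below is made up.

```python
"""Added example: security events -> graph -> IOC enrichment -> attack chain.
All users, hosts, addresses and domains are constructed for illustration."""
from collections import defaultdict, deque

# Constructed, already-normalised events: (source, relation, target).
EVENTS = [
    ("203.0.113.7", "LOGIN_FAILED", "alice"),
    ("203.0.113.7", "LOGIN_FAILED", "alice"),
    ("203.0.113.7", "LOGIN_OK", "alice"),
    ("alice", "SESSION_ON", "ws-42"),
    ("ws-42", "RESOLVED", "update-cdn.example"),
    ("ws-42", "SMB_TO", "fileserver-01"),
    ("fileserver-01", "UPLOAD_TO", "198.51.100.9"),
    ("bob", "SESSION_ON", "ws-17"),                 # benign activity
    ("ws-17", "RESOLVED", "intranet.example"),      # benign activity
]

# Constructed indicators standing in for IOCs pulled from a threat feed.
IOCS = {"203.0.113.7": "scanner", "198.51.100.9": "exfil-drop",
        "update-cdn.example": "c2-domain"}

def build_graph(events):
    """Directed adjacency list: node -> [(neighbour, relation), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in events:
        graph[src].append((dst, rel))
        graph.setdefault(dst, [])   # sinks must exist as nodes too
    return graph

def enrich(graph, iocs):
    """Threat-intelligence enrichment: which graph nodes are known IOCs."""
    return {node: iocs[node] for node in graph if node in iocs}

def blast_radius(graph, start):
    """All nodes reachable from start: the assets an intrusion touched."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt, _ in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def attack_chain(graph, start, goal):
    """Shortest directed path start -> goal (BFS), or None if unconnected."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt, _ in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def risk_score(path, events, iocs):
    """Prioritisation: 10 per IOC on the chain, 1 per failed login on it."""
    hits = sum(10 for n in path if n in iocs)
    fails = sum(1 for s, r, _ in events if r == "LOGIN_FAILED" and s in path)
    return hits + fails
```

The benign activity of bob never joins the chain, which is the point: the graph separates the coordinated sequence from unrelated noise that shares the same log sources.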

Next, we introduce PuppyGraph, a tool designed to simplify cyber threat investigations using graph analytics.

Graph analytics using PuppyGraph

PuppyGraph is the first and only real-time, zero-ETL graph query engine on the market, empowering data teams to query existing relational data stores as a unified graph model in under 10 minutes, bypassing the cost, latency, and maintenance hurdles of traditional graph databases.

Figure: Before and After architecture of adopting PuppyGraph

With PuppyGraph, security analysts can model cybersecurity data as a graph, revealing relationships between threats, attack paths, and malicious entities. This approach enhances threat investigations by making it easier to detect patterns, uncover hidden connections, and analyze threats visually.

Next, we’ll walk through a hands-on demo using PuppyGraph to analyze real-world threat intelligence data from Open Threat Exchange (OTX).

Open Threat Exchange (OTX) Demo

This demo showcases real-time threat analysis using data from Open Threat Exchange (OTX), a global threat intelligence-sharing platform. The goal is to transform raw OTX threat intelligence into a graph model and analyze relationships between pulses and indicators of compromise (IOCs). According to the OTX FAQ, pulses provide a summary of the threat, related IOCs, details about targeted software, and other valuable insights that help detect and analyze potential threats.

The demo covers:

  • Downloading threat intelligence data from OTX.
  • Storing the data in PostgreSQL.
  • Modeling the data as a graph in PuppyGraph.
  • Querying relationships using Gremlin and Cypher.

Prerequisites

To follow along, you’ll need:

  • Docker and Docker Compose (for setting up PostgreSQL and PuppyGraph).
  • Python 3 and a virtual environment (for managing dependencies).
  • An OTX API key (free to sign up).

Setting Up the Environment

Start the Services

Run the following command to start PostgreSQL and PuppyGraph:

docker compose up -d 

This launches the required services, including the PostgreSQL database and the PuppyGraph graph engine.

Set Up a Python Virtual Environment

Create and activate a virtual environment, then install the psycopg2-binary package to interact with PostgreSQL:

python3 -m venv myvenv
source myvenv/bin/activate
pip install psycopg2-binary

Install the OTX DirectConnect SDK

Install the OTXv2 Python SDK from the customized repository:

cd ../OTX-Python-SDK  
pip install .  

After installation, navigate back to the demo directory.

Creating Data Tables in PostgreSQL

  • Access the PostgreSQL client:

docker exec -it postgres psql -h postgres -U postgres

    Enter the password postgres123 when prompted.

  • Run the SQL commands in create_tables.sql to define the necessary table structure.
  • Verify table creation:

\d

Downloading and Importing OTX Data

  • Download pulse data:

    Edit data.py to include your API_KEY, then run:

python data.py download

  • Import data into PostgreSQL:

python data.py import

  • Verify the import with:

SELECT * FROM pulse LIMIT 5;

Modeling the Data as a Graph

  • Log into the PuppyGraph Web UI at http://localhost:8081 using:
    • Username: puppygraph
    • Password: puppygraph123
  • Upload the graph schema:
    • Navigate to Upload Graph Schema JSON.
    • Select schema.json and click Upload.

Figure: Visualization of the schema graph.

Querying Data with PuppyGraph

Navigate to the Query section in the PuppyGraph Web UI to run Gremlin or Cypher queries. 

  • Use Gremlin Query for Gremlin queries with visualization (Cypher visualization is coming soon).
  • Use Graph Notebook for Gremlin/Cypher queries.

Example Queries

Here are some example queries; more are available in the repo.

Gremlin

Number of pulses:

g.V().hasLabel("pulse").count()

Max indicators linked to a pulse:

g.V().hasLabel("pulse").local(__.out("pulse_indicator").count()).max()

Top 10 pulses by indicator count:

g.V().hasLabel('pulse').as('p')
    .project('name', 'description', 'indicatorCount')
        .by('name')
        .by('description')
        .by(__.out('pulse_indicator').count())
    .order().by(select('indicatorCount'), desc)
    .limit(10)

Find all indicator nodes with at least two incoming pulse_indicator edges (indicators shared by two or more pulses) and return the corresponding paths as a subgraph:

g.V().hasLabel("indicator")
  .where(__.in("pulse_indicator").count().is(gte(2)))
  .in("pulse_indicator").path()

Figure: Gremlin queries with visualization.

Cypher

Number of pulses:

MATCH (n:pulse) RETURN COUNT(n)

Max indicators linked to a pulse:

MATCH (p:pulse)
OPTIONAL MATCH (p)-[:pulse_indicator]->(i)
WITH p, COUNT(i) AS indicatorCount
RETURN max(indicatorCount) AS maxIndicatorCount

Top 10 pulses by indicator count:

MATCH (p:pulse)
OPTIONAL MATCH (p)-[:pulse_indicator]->(i)
WITH p, COUNT(i) AS indicatorCount
RETURN p.name, p.description, indicatorCount
ORDER BY indicatorCount DESC
LIMIT 10

Find all indicator nodes with at least two incoming pulse_indicator edges (indicators shared by two or more pulses) and return the corresponding paths as a subgraph:

MATCH (i:indicator)<-[:pulse_indicator]-(p:pulse)
WITH i, COUNT(p) AS pulseCount
WHERE pulseCount >= 2
MATCH path = (p)-[:pulse_indicator]->(i)
RETURN path

Figure: Cypher queries in Graph Notebook.
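To check what the Gremlin and Cypher queries above should return, here is an added Python example (not code from the original article or from the demo repository) that flattens constructed, OTX-shaped pulse records into the pulse, indicator and pulse_indicator tables and answers the same four questions in plain Python. The table and column names, and every pulse and indicator value, are assumptions made for this example.

```python
"""Added example: OTX-shaped pulse JSON -> relational tables -> the four
queries from the demo, computed in Python so query results can be checked.
Pulse and indicator values are constructed; only the JSON field names
(id, name, description, indicators[].indicator/.type) follow OTX's shape."""
from collections import defaultdict

PULSES = [  # constructed sample pulses
    {"id": "p1", "name": "Campaign A", "description": "Credential phishing",
     "indicators": [{"indicator": "203.0.113.7", "type": "IPv4"},
                    {"indicator": "bad.example", "type": "domain"},
                    {"indicator": "evil.example", "type": "domain"}]},
    {"id": "p2", "name": "Campaign B", "description": "Data theft",
     "indicators": [{"indicator": "203.0.113.7", "type": "IPv4"},
                    {"indicator": "198.51.100.9", "type": "IPv4"}]},
    {"id": "p3", "name": "Campaign C", "description": "",
     "indicators": [{"indicator": "bad.example", "type": "domain"}]},
    {"id": "p4", "name": "Campaign D", "description": "No IOCs yet",
     "indicators": []},
]

def to_tables(pulses):
    """Flatten into pulse (vertex), indicator (vertex, deduplicated by
    value) and pulse_indicator (edge) rows; names are assumed here."""
    pulse_rows, indicator_rows, edges = [], {}, []
    for p in pulses:
        pulse_rows.append({"id": p["id"], "name": p["name"],
                           "description": p.get("description", "")})
        for ind in p.get("indicators", []):
            val = ind["indicator"]
            indicator_rows.setdefault(val, {"id": val, "type": ind["type"]})
            edges.append({"pulse_id": p["id"], "indicator_id": val})
    return pulse_rows, list(indicator_rows.values()), edges

def indicator_counts(pulse_rows, edges):
    """Per-pulse out-degree over pulse_indicator; pulses with none count 0,
    matching the OPTIONAL MATCH in the Cypher version."""
    counts = {p["id"]: 0 for p in pulse_rows}
    for e in edges:
        counts[e["pulse_id"]] += 1
    return counts

def top_pulses(pulse_rows, edges, n=10):
    """Top n pulses by indicator count, ties broken by name for determinism."""
    counts = indicator_counts(pulse_rows, edges)
    names = {p["id"]: p["name"] for p in pulse_rows}
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], names[kv[0]]))
    return [(names[pid], c) for pid, c in ranked[:n]]

def shared_indicators(edges, min_pulses=2):
    """Indicators with at least min_pulses incoming pulse_indicator edges,
    mapped to the pulses that reference them (the subgraph query)."""
    by_ind = defaultdict(list)
    for e in edges:
        by_ind[e["indicator_id"]].append(e["pulse_id"])
    return {i: sorted(ps) for i, ps in by_ind.items() if len(ps) >= min_pulses}

def run_queries(pulses):
    """Answer the four demo queries over the flattened tables."""
    pulse_rows, _, edges = to_tables(pulses)
    return {"pulse_count": len(pulse_rows),
            "max_indicators": max(indicator_counts(pulse_rows, edges).values()),
            "top_pulses": top_pulses(pulse_rows, edges),
            "shared": shared_indicators(edges)}
```

Indicators shared across pulses (here 203.0.113.7 and bad.example) are the ones worth prioritising, since independent reporters tying the same IOC to separate campaigns is stronger evidence than a single pulse.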

Cleanup and Teardown

To stop and remove the containers and networks, run:

docker compose down -v

Conclusion

Cyber threat analytics helps security teams detect and investigate threats by analyzing relationships between indicators of compromise, attack patterns, and threat actors. Graph analytics enhances this process by mapping connections, revealing hidden threats, and accelerating response times.

Using PuppyGraph, security teams can model OTX threat intelligence as a graph, run queries, and uncover key relationships. This approach provides deeper insights than traditional log-based analysis, improving threat detection and response.

As cyber threats evolve, organizations that adopt graph-based analytics will gain better visibility, detect threats faster, and strengthen their defenses.

To see how PuppyGraph can enhance your cyber threat investigations, download the forever free PuppyGraph Developer Edition, or book a free demo today with our graph expert team.

Sa Wang is a Software Engineer with exceptional math abilities and strong coding skills. He earned his Bachelor's degree in Computer Science from Fudan University and has been studying Mathematical Logic in the Philosophy Department at Fudan University, expecting to receive his Master's degree in Philosophy in June this year. He and his team won a gold medal in the Jilin regional competition of the China Collegiate Programming Contest and received a first-class award in the Shanghai regional competition of the National Student Math Competition.
