Hunters maintains a Graph Database which holds all the security-related data that is extracted in earlier stages of the pipeline, i.e. Leads and their related Entities, extracted in the Detection and Investigation stages. Leads are connected on the graph when they have the same entity, allowing:

  1. Several-step non-trivial correlations between different attack signals.

  2. Research of security-related high friction entities that take part in a high number of signals.


A story is a collection of signals (Leads), both from common security products and from Hunters-dedicated detections, that are strongly related and likely to be a part of the same attack flow. Each story is a sub-graph of the Graph, which is restricted in time and other correlation considerations.

There are several viewing options for a Story:

  1. The default Story view presents all leads in a chronological order, including the main and important details per a group of leads.

  2. The Network view shows distinct leads and entities in a nodes & edges graph, allowing getting further information on the correlations.

  3. The Raw Network view shows the raw Graph (with duplicate entities), allowing an in-depth analysis of the raw data for the story.

Each story has its own score, which depends on the associated leads’ scores and the number of distinct detections. A Hot Story is a story that passes a certain threshold, and is considered

A story has versions, which represent changes in related Leads and Entities over time, allowing to view a timeline for the story. Each version can be assigned a Tag (e.g. True-Positive, Pentest) and a Status (WIP, Done).