Grounding Agents with Graphs
Despite all the use cases and examples of great LLM stuff I come across, I’ve always regressed back to the only two use cases I’m confident in for these models:
Natural language input
Generating likely interpretations from large amounts of text
LLMs by themselves are not great at analyzing your environment. They drift and make shit up despite all the evals, RAG, and RAG evals.
I’m thrilled to see more products now implementing graphs as a way for agents to work with easy-to-query/traverse/parse data that’s specific to your environment.
With graphs, agents don’t need to infer the relationships between entities (which is where failures happen) if they are stated explicitly. So let’s look at some implementations today.
1. Topology Graph
What can reach what?
A Topology Graph maps the structural and logical boundaries of an environment. It outlines direct and transitive dependencies like code call chains, cloud infrastructure hierarchies, or application tool paths. By charting these links, it allows systems to run deterministic reachability analyses. They can chain together multiple low-severity, isolated flaws across a graph traversal to identify end-to-end vulnerabilities.
Wiz’s Attack path database (which I believe was released pre-agent mania) detects toxic combinations like a misconfiguration + a permissive IAM role + network exposure + sensitive data.
Pillar Security’s Attack graph maps the exploitable surface of an AI agent system, then deploys adversarial agents to traverse it.
Trailmark is an open source project that converts code into graphs, so you get a queryable static representation of code structure.
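To make the reachability idea concrete, here is an added example (my own sketch, not code from Wiz, Pillar Security, or Trailmark) that walks a small constructed graph from an internet entry point to a sensitive data store and collects the low-severity findings sitting on that path. The node names, edge labels, and findings are all made up for illustration.

```python
from collections import deque

# Constructed sample environment: every relationship is an explicit edge.
EDGES = {
    "internet": [("exposes", "lb-public")],
    "lb-public": [("routes_to", "vm-web")],
    "vm-web": [("assumes", "role-app")],
    "role-app": [("can_read", "bucket-customer-data")],
    "vm-batch": [("assumes", "role-app")],          # not reachable from internet
    "role-ci": [("can_read", "bucket-build-cache")],
}
# Constructed findings, each low severity when viewed in isolation.
FINDINGS = {
    "lb-public": "security group allows 0.0.0.0/0",
    "vm-web": "unpatched web framework",
    "role-app": "wildcard s3:GetObject",
}
SENSITIVE = {"bucket-customer-data"}

def attack_paths(edges, start, targets):
    """Return the shortest edge path from start to each reachable target (BFS)."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in edges.get(node, []):
            if nxt not in parent:           # first visit is the shortest route
                parent[nxt] = (node, rel)
                queue.append(nxt)
    paths = {}
    for target in targets:
        if target in parent:                # unreachable targets are omitted
            hops, cur = [], target
            while parent[cur] is not None:
                prev, rel = parent[cur]
                hops.append((prev, rel, cur))
                cur = prev
            paths[target] = hops[::-1]
    return paths

def toxic_combinations(edges, findings, start, targets):
    """For each reachable sensitive target, list the findings along its path."""
    combos = {}
    for target, hops in attack_paths(edges, start, targets).items():
        on_path = [dst for _, _, dst in hops]
        combos[target] = [(n, findings[n]) for n in on_path if n in findings]
    return combos

if __name__ == "__main__":
    for tgt, chain in toxic_combinations(EDGES, FINDINGS, "internet", SENSITIVE).items():
        print(tgt, "<-", chain)
```

The traversal is deterministic: the same graph always yields the same path and the same chained findings, and an unreachable target simply produces no result instead of a guess.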
Context Graph (Live State)
What is true right now?
A Context Graph serves as a real-time organizational map of an enterprise’s current state. It links active identity registries, operational runtime privileges, and live asset configurations.
Torq's recent acquisition of JIT will make alerts go from "user X" to "user X who's a finance admin with access to customer DBs".
Check Point Software’s Network Knowledge Graph can help agents interpret "block all lateral movement from the guest network to the data center," into hard policies. This is so that the agent is reasoning about a generic network, not the production one. No flat rule database or CMDB can answer "what is the blast radius of changing this rule?" in a multi-vendor, hybrid-cloud environment.
Temporal / Memory Graph
What happened, and when?
A Temporal Graph keeps track of all states, not just the live one. It tracks historical system behaviors, human overrides, and past operational context over time. It records the crucial “why” behind historical risk acceptances, triage decisions, and incident resolutions.
Cycode offers a temporal, semantic reasoning substrate for AI agents. Decision traces preserve why a vulnerability was prioritized or accepted, not just that it was.
BigPanda’s Unified IT knowledge layer encodes the knowledge that would leave with a senior engineer (why a rule was written, what a pattern historically meant, which runbook applies) and stores the operational meaning attached to those assets by humans over time.
Mate Security’s graph dynamically rebuilds and optimizes with each investigation, ownership change, and policy change, so that decisions are made according to what’s relevant right now.
Federation Graph
What is this entity across systems?
A Federation Graph operates as a decentralized cross-domain ontology to establish semantic entity equivalence. An AI agent can then traverse from an asset flagged under one naming scheme in an infrastructure tool to the equivalent asset named differently in an application logging tool.
Fabrix’s cross-tool semantic federation layer traces a causal chain across tool boundaries (APM → infra → storage) in a single traversal. Without the ontology graph encoding cross-tool entity equivalences, an agent querying Splunk has no idea the VM it found is the same entity flagged in Dynatrace.


