Graph-Powered OSINT: Why Knowledge Graphs Are the Missing Layer in Open Source Intelligence
Palantir Gotham is valued at over $60 billion. Its core product — an intelligence platform that fuses hundreds of data sources into a single knowledge graph — has become the de facto standard for Western intelligence agencies. The architecture works. Yet for the open-source intelligence (OSINT) community, the graph-driven approach remains vastly underutilised. Most OSINT practitioners still work in document silos: spreadsheets, PDFs, chat logs, and browser tabs.
This article makes the case that graphs are the natural data model for intelligence analysis, surveys the graph algorithms that directly map to analytical tradecraft, and profiles the open-source tooling now emerging to bring Palantir-grade graph intelligence to anyone.
The OSINT Data Problem
OSINT analysts face a structural challenge that no amount of spreadsheet discipline can solve. A single investigation produces data from dozens of sources:
- WHOIS records, DNS lookups, SSL certificates
- Social media profiles and relationships
- News articles and press releases
- Satellite imagery and geospatial metadata
- Financial disclosures and corporate registries
- Leaked databases and breach data
- Telegram channels, RSS feeds, and forums
Each source contributes entities — people, organisations, domains, IP addresses, locations, events — and the relationships between them. The total number of entities grows roughly linearly with sources, but the number of potential relationships grows quadratically. An investigation tracking 500 entities across 20 sources generates over 120,000 possible pairwise connections.
A flat file or relational database cannot surface these connections efficiently. Every new relationship requires either a JOIN across disparate tables or a manual cross-reference that an analyst must remember to make. This is why Palantir, i2 Analyst's Notebook, and Maltego all converged on the same architectural answer: the knowledge graph.
Graphs as the Natural Data Model for Intelligence
Intelligence data is inherently graph-structured. Entities are nodes. Relationships are edges. Attributes are node and edge properties. This is not an analogy — it is a direct mapping:
| Intelligence Concept | Graph Representation |
|---|---|
| A person of interest | Node with label Person |
| A company they own | Node with label Organization |
| The ownership relationship | Directed edge OWNS |
| A phone call between two people | Edge with property timestamp |
| A meeting location | Node with label Location |
| Temporal confidence | Edge property confidence: 0.85 |
This model supports exactly the operations that intelligence analysts need:
- Traversal: "Find everyone within 2 hops of entity X"
- Filtering: "Show only events after 2026-01-01 with confidence > 0.7"
- Aggregation: "Who has the most connections in this cluster?"
- Temporal slicing: "What did the network look like in March?"
A property graph database like Neo4j models this directly. The Cypher query for a two-hop intelligence trace is succinct:
MATCH (p:Person {name: "Target"})-[r:KNOWS|OWNS|CONTACTS*1..2]-(connected)
RETURN p, connected, r
Compare this to the equivalent SQL, which would require six JOINs across three junction tables and still fail to capture varying path lengths.
Graph Algorithms for Intelligence Analysis
The real power of graph-powered OSINT lies not in storage but in computation. A knowledge graph is queryable by hand, but graph algorithms automate the analytical patterns that intelligence analysts apply manually.
Community Detection: Uncovering Hidden Cells
The most fundamental intelligence question is: who is working with whom? Community detection algorithms partition a graph into clusters where internal connections are dense and external connections sparse. This directly maps to identifying operational cells within a larger network.
The Louvain algorithm — ubiquitous in graph analytics — optimises modularity to find community structure. A landmark study of the Brazilian Federal Police's criminal intelligence network (BFP2013) applied Louvain to a network of 9,887 individuals and found a modularity of Q = 0.96, meaning the network is extraordinarily well-structured into communities. Critically, the study found that Module-Based Attacks (MBA) — removing nodes that bridge communities — fragmented the network after removing only 2% of vertices. Bridge figures (lawyers, accountants, money launderers) were topologically more consequential than hierarchical leaders.
// Louvain community detection in Neo4j GDS
CALL gds.louvain.stream('intel-graph')
YIELD nodeId, communityId, intermediateCommunityIds
RETURN gds.util.asNode(nodeId).name AS entity, communityId
ORDER BY communityId
For OSINT practitioners, this is actionable: community detection can reveal operational boundaries that no document explicitly describes.
Centrality: Finding Key Actors
Once communities are identified, the next question is who matters most? Centrality measures provide a ranked answer:
| Algorithm | What It Measures | Intelligence Application |
|---|---|---|
| Degree Centrality | Number of direct connections | Hub identification — money mules, coordinators |
| Betweenness Centrality | Frequency of lying on shortest paths | Bridge figures — intermediaries connecting otherwise separate groups |
| Eigenvector Centrality | Quality of connections (connected to well-connected nodes) | Leadership identification — core network members |
| PageRank | Influence propagation through the graph | Ultimate beneficiaries in money laundering networks |
The 'Ndrangheta study analysed 254 mafia members and found that betweenness centrality was the single best predictor of "boss" status — 15 times higher for bosses than for non-bosses. The zP-score (a combined measure of within-community connectivity and inter-community bridging) matched betweenness in predictive power, confirming that criminal leaders are simultaneously central to their own group and bridges to others.
Path Finding: Link Analysis
How is entity A connected to entity B? This is the canonical OSINT question. Shortest-path algorithms automate what analysts do manually with whiteboards and string.
// Find shortest path between two entities
MATCH (a:Person {name: "SuspectA"}), (b:Organization {name: "ShellCorp"})
CALL gds.shortestPath.dijkstra.stream('intel-graph', {
sourceNode: id(a),
targetNode: id(b),
relationshipWeightProperty: 'communication_frequency'
})
YIELD nodeIds, costs
RETURN [nodeId IN nodeIds | gds.util.asNode(nodeId).name] AS path, costs
In intelligence contexts, all-paths analysis is often more useful than a single shortest path, because criminals deliberately create multiple redundant communication channels. The K-shortest paths variant reveals these alternative routes, each representing a potential investigative lead.
Temporal Analysis: Tracking Entity Evolution
Intelligence is never static. Organisations restructure. Personnel change. Communication patterns shift. Temporal graph analysis captures this:
- Entity mention frequency over time reveals when an actor becomes active (or goes silent)
- Community membership change over time indicates organisational restructuring
- Anomaly detection on edge creation rates flags unusual activity spikes
The OSINT-NEXUS system uses a 30-day exponential decay on edge weights in its Neo4j temporal knowledge graph. Edges that are not reinforced by new evidence weaken over time, ensuring the graph reflects current operational reality rather than historical noise.
Risk Propagation: Blast Radius Analysis
When a threat actor or compromised entity is identified, the immediate question is who else is affected? Risk propagation treats the graph as a diffusion network:
// BFS risk propagation with decay
MATCH (start:Entity {name: "CompromisedAsset"})
CALL gds.bfs.stream('intel-graph', {
sourceNode: id(start),
maxDepth: 4
})
YIELD path
RETURN path
The AEGIS system implements this with exponential decay across 18 weighted relationship types. A compromised endpoint connected to a server, which is administered by a person, who also manages other servers, produces a ranked blast radius list — directly actionable for incident response.
The Open Source OSINT Graph Ecosystem
A remarkable shift has occurred in 2025–2026: multiple open-source projects now implement production-grade graph-based OSINT, directly inspired by Palantir Gotham's architecture.
OGI (Open Graph Intelligence)
OGI is a self-hosted visual link analysis framework combining a Python/FastAPI backend with a React frontend using Sigma.js for graph visualisation. It ships with 20+ built-in OSINT transforms (DNS, WHOIS, SSL, geolocation, email, hash lookups) and a transform hub for community extensions.
What sets OGI apart is its graph analysis engine: centrality, community detection, and shortest-path algorithms run directly on the investigation graph. An "AI Investigator" mode uses LLMs to autonomously plan transform runs, stream results, and summarise findings. OGI stores data locally via SQLite (zero-config) or PostgreSQL for team deployments, making it the most accessible entry point for graph-based OSINT.
OSINT-NEXUS
OSINT-NEXUS is an autonomous all-source fusion system that ingests RSS news, Telegram channels, ADS-B flight tracking, AIS maritime signals, and civil defence alerts into a Neo4j temporal knowledge graph. At time of writing, its production deployment contains 760+ nodes with 6 relationship types.
The system applies ICD 203 confidence levels (HIGH / MODERATE / LOW / VERY LOW) to every analytic product and NATO 2×6 source reliability scoring (A–F source reliability × 1–6 claim credibility) to each event. Its LLM reasoning chain produces structured SITREPs with causal chain analysis, contradiction detection, and ranked priority actions. The architecture — PostgreSQL for raw events, Neo4j for graph fusion, and an LLM for reasoning — defines a replicable pattern for production OSINT.
Estorides
Estorides is a pure open-source re-imagining of the Palantir toolchain, supporting 99+ free OSINT sources with an async fanout architecture. It stores its knowledge graph in Kùzu, an embedded columnar graph DBMS that supports Cypher queries, and exports to GraphML for analysis in Gephi.
Its ontology engine cross-references observations against the OFAC SDN sanctions list and auto-tags MITRE ATT&CK techniques. A fuzzy entity clustering layer (using Python's difflib.SequenceMatcher at a 0.85 threshold) merges aliases across sources. Estorides is the most architecturally ambitious of the open-source tools, implementing a five-surface plugin system for parsers, LLM backends, relationship inferers, real-time feeds, and encrypted exporters.
Basset Hound
Inspired by BloodHound's Active Directory graph analysis but adapted for general OSINT, Basset Hound is an API-first Neo4j entity relationship engine. It supports 26 relationship types, path finding, cluster detection, centrality analysis, and an MCP (Model Context Protocol) server exposing 119 tools for AI agent integration.
Basset Hound introduces a novel concept: orphan data. Unlinked identifiers (emails, phone numbers, addresses) are stored in a holding pool until the system finds connections, at which point it suggests linking with a confidence score (50–100%). This reflects the reality that OSINT investigations often accumulate fragments before the full picture emerges.
NEXUS (Multi-INT Fusion Platform)
NEXUS is a desktop OSINT application (Electron + React) backed by Neo4j with the GDS (Graph Data Science) library, giving it access to Louvain community detection, betweenness and PageRank centrality, and shortest-path analysis. It defines 24 entity types and 20+ relationship types in its POLE schema (Person, Organization, Location, Event).
NEXUS implements a two-tier data model: streaming data stays in Redis (with TTL), while high-value intelligence (risk score ≥ 6, tracked aircraft, significant earthquakes) is selectively persisted to Neo4j. This hot/warm/cold data architecture is directly relevant to any OSINT system dealing with high-velocity public data.
The Palantir Pattern: Ontology-Driven Intelligence
All these tools converge on an architectural pattern that Palantir formalised: the ontology-driven knowledge graph. The ontology defines:
- Object types: Actor, Event, Location, Asset, Organization, Document
- Link types: CONTROLS, LOCATED_IN, OCCURRED_AT, SANCTIONED_BY, LINKED_TO, USED_IN
- Property constraints: temporal ranges, confidence scores, classification levels
- Validation rules: mandatory properties, permitted relationship targets
A Palantir-inspired OSINT platform (open-source, Neo4j-based) defines this ontology:
Object Types:
Actor: state, non-state, individual
Event: conflict, sanction, strike, movement
Location: country, region, coordinates, facility
Asset: weapon system, vessel, aircraft, facility
Organization: military unit, NGO, company, network
Document: report, cable, intercept, publication
Link Types:
Actor ──[CONTROLS]──► Asset
Actor ──[LOCATED_IN]──► Location
Event ──[OCCURRED_AT]── Location
Actor ──[SANCTIONED_BY]─ Organization
Actor ──[LINKED_TO]──── Actor
Asset ──[USED_IN]────── Event
The ontology is not merely a schema — it is an analytical constraint that prevents meaningless connections and guides analysts toward productive lines of inquiry. Without an ontology, a knowledge graph becomes a dense, noisy web where everything connects to everything and nothing is actionable.
GraphRAG for OSINT
The convergence of knowledge graphs and large language models has produced GraphRAG, which is particularly well-suited to OSINT. A 2025 paper introduced a multi-agent OSINT architecture with GraphRAG that replaces separate graph and vector stores with a unified hybrid retrieval layer. The system achieved 82% accuracy on people profiling and 95% accuracy on event summarisation across OSINT tasks.
The GraphRAG pattern for OSINT works as follows:
- Ingest — crawl public sources, extract entities via NER
- Graph — store entities and relationships in Neo4j
- Embed — vector-encode entity descriptions for semantic retrieval
- Retrieve — on query, perform hybrid search (lexical + semantic + graph traversal)
- Generate — LLM synthesises findings with graph-derived context
This architecture eliminates the fundamental limitation of document-based RAG for OSINT: vector similarity finds text that means the same thing, but it cannot traverse entities that are connected. A knowledge graph does both.
Building Your Own OSINT Knowledge Graph
For practitioners who want to deploy graph-powered OSINT today, the architecture pattern that emerges from these projects is consistent:
flowchart LR
subgraph Sources["Data Sources"]
RSS["RSS/News"]
TG["Telegram"]
WEB["Web Scraping"]
API["Public APIs"]
CERT["SSL/Certificates"]
end
subgraph Ingest["Ingestion Layer"]
COLL["Collectors"]
PARSE["Parsers"]
NER["Entity Extraction<br/>(GLiNER/LLM)"]
end
subgraph Graph["Graph Layer"]
NEO["Neo4j / Kùzu<br/>Knowledge Graph"]
RES["Entity Resolution<br/>Fuzzy Matching"]
TEMP["Temporal Index<br/>Edge Decay"]
end
subgraph Analysis["Analysis Layer"]
COM["Community Detection<br/>(Louvain)"]
CENT["Centrality<br/>(PageRank/Betweenness)"]
PATH["Path Finding<br/>(Shortest Path)"]
end
subgraph Output["Presentation"]
VIS["Visualisation<br/>(Sigma.js/D3)"]
RAG["GraphRAG<br/>LLM Analysis"]
EXP["Export<br/>(GraphML/STIX)"]
end
Sources --> Ingest
Ingest --> Graph
Graph --> Analysis
Analysis --> Output
Graph --> Output
Technology Stack Recommendations
| Layer | Production Choice | Lightweight Alternative |
|---|---|---|
| Graph DB | Neo4j 5 + GDS | Kùzu (embedded, columnar) |
| Entity Resolution | GLiNER + difflib | Dedupe (Python) |
| Graph Algorithms | Neo4j GDS | NetworkX (in-memory) |
| Visualisation | Sigma.js (graphology) | D3.js force layout |
| LLM Integration | Graphiti + Neo4j | LangChain + NetworkX |
| Source Connectors | Custom async collectors | Estorides registry (99+ sources) |
Critical Design Decisions
Confidence scoring every assertion. An intelligence graph without confidence metadata is not analysis — it is gossip. Implement the ICD 203 four-level scale (HIGH / MODERATE / LOW / VERY LOW) or the NATO 2×6 system on every edge.
Temporal awareness as a first-class property. Every relationship needs valid_from and valid_to timestamps. Edges that expire should decay or be pruned. Without temporal metadata, the graph represents a timeless fiction that intelligence analysis cannot rely on.
Entity resolution before graph construction. The same person appears as "John Smith", "J. Smith", and "Johnny Smith" across different sources. Fuzzy matching (sequence matching at 0.85 threshold, as Estorides implements) and cross-referencing against Wikidata/OFAC prevent duplicate nodes that fragment the analytical picture.
Bidirectional source attribution. Every edge must be traceable to its originating source document. A graph without provenance is useless for intelligence: analysts must be able to verify and challenge any connection.
Conclusion
The OSINT community is undergoing a structural shift comparable to the move from paper files to digital databases in the 1990s. Knowledge graphs are not a nice-to-have enhancement to existing OSINT tooling — they are the architectural foundation that makes intelligence analysis tractable at scale.
The open-source ecosystem has matured past the proof-of-concept stage. OGI, OSINT-NEXUS, Estorides, Basset Hound, and NEXUS are production-grade systems that implement the same architectural patterns as Palantir Gotham, but at a fraction of the cost and with full source code transparency. The knowledge graph — with its native support for traversal, community detection, centrality analysis, and temporal reasoning — is the analytical engine that transforms OSINT from a document retrieval task into a true intelligence discipline.
The tools are ready. The algorithms are proven. The question is no longer whether to use graphs for OSINT, but how quickly the community can adopt them.