Security Researchers & Academics

Bulk infrastructure surveys, dataset extraction, longitudinal studies, and reproducible research queries.

Updated May 2026recipes Integration

Security Researchers & Academics Documentation

You're studying internet topology, deployment trends, and ecosystem characteristics at scale.

Schema Exploration

Explore the Graph Schema

Understand what node types and relationship types exist in the graph.

-- All node labels with counts
CALL db.labels()

Sample output (first 5 of 18):

[
  {"label": "HOSTNAME", "count": 2631997144},
  {"label": "IPV4", "count": 618914961},
  {"label": "EMAIL", "count": 237065663},
  {"label": "ORGANIZATION", "count": 119189847},
  {"label": "PHONE", "count": 60194142}
]

-- All edge types with counts
CALL db.relationshipTypes()

Sample output (first 5 of 20):

[
  {"type": "LINKS_TO", "count": 10851011448},
  {"type": "NAMESERVER_FOR", "count": 8881831888},
  {"type": "RESOLVES_TO", "count": 2919321504},
  {"type": "CHILD_OF", "count": 2338085185},
  {"type": "REGISTERED_BY", "count": 916255242}
]

Tip: These procedures return O(1) histogram lookups — they're instantaneous even on billion-scale data. Use them to plan query strategies before diving into traversals.

Threat Feed Catalog

List all 40 threat intelligence feeds indexed in the graph.

-- Complete threat feed catalog
MATCH (f:FEED_SOURCE) RETURN f.name ORDER BY f.name

Sample output (first 10 of 40):

[
  {"f.name": "AlienVault Reputation"},
  {"f.name": "Binary Defense Banlist"},
  {"f.name": "Blocklist.de All"},
  {"f.name": "Blocklist.de Mail"},
  {"f.name": "Blocklist.de SSH"},
  {"f.name": "Botvrij Domains"},
  {"f.name": "Botvrij Dst IPs"},
  {"f.name": "Brute Force Blocker"},
  {"f.name": "C2 Intel 30d"},
  {"f.name": "C2 Tracker"}
]

The full feed list also includes: Cert.pl Domains, CINS Score, Cloudflare Radar Top 1M, DNS RD Abuse, Dan Tor Exit, ET Compromised IPs, Feodo Tracker, FireHOL Abusers 1d, FireHOL Anonymous, FireHOL Level 1-3, FireHOL WebClient, GreenSnow Blacklist, Hagezi Light, Hagezi Pro, IPsum, InterServer RBL, MalwareBazaar Recent, OpenPhish Feed, SSH Client Attacks, SSH Password Auth, SSL IP Blacklist, Spamhaus DROP, Spamhaus EDROP, StevenBlack Hosts, ThreatFox IOCs, Tor Exit Nodes, Tranco Top 1M, URLhaus Recent.

Threat Category Taxonomy

Explore the 18-category threat taxonomy used across feeds.

-- All threat categories
MATCH (c:CATEGORY) RETURN c.name ORDER BY c.name

Sample output:

[
  {"c.name": "Ad/Tracking Blocklists"},
  {"c.name": "Anonymization Infrastructure"},
  {"c.name": "Attack Sources"},
  {"c.name": "Brute Force"},
  {"c.name": "C2 Servers"},
  {"c.name": "General Blacklists"},
  {"c.name": "Malicious Domains"},
  {"c.name": "Malicious Infrastructure"},
  {"c.name": "Malware Distribution"},
  {"c.name": "Phishing"},
  {"c.name": "Popularity/Trust"},
  {"c.name": "Proxies"},
  {"c.name": "Reference Data"},
  {"c.name": "Reputation"},
  {"c.name": "Spam"},
  {"c.name": "TOR Network"},
  {"c.name": "Threat Intelligence"},
  {"c.name": "VPNs"}
]

Research Queries

DNSSEC Algorithm Reference

List all DNSSEC signing algorithm types indexed in the graph schema.

-- All DNSSEC signing algorithm types in the schema
MATCH (algo:DNSSEC_ALGORITHM) RETURN collect(algo.name) AS algorithms

Sample output:

[{"algorithms": ["ECDSAP256SHA256", "ECDSAP384SHA384", "ED25519", "ED448", "RSASHA1", "RSASHA1-NSEC3-SHA1", "RSASHA256", "RSASHA512"]}]

Tip: The graph recognizes 8 DNSSEC algorithm types. To check whether a specific domain has DNSSEC signing data, query OPTIONAL MATCH (h:HOSTNAME {name: "example.com"})-[:SIGNED_WITH]->(algo:DNSSEC_ALGORITHM) RETURN collect(algo.name). An empty list indicates no DNSSEC data is currently available for that domain.

ASN Peering Degree Analysis

Study the degree distribution of ASN peering relationships.

-- Peering degree for a set of well-known networks
UNWIND ["AS13335", "AS3356", "AS15169"] AS asn_name
MATCH (a:ASN {name: asn_name})-[:PEERS_WITH]->(peer:ASN)
RETURN asn_name, count(peer) AS peer_count

Sample output:

[
  {"asn_name": "AS13335", "peer_count": 1304},
  {"asn_name": "AS3356", "peer_count": 6525},
  {"asn_name": "AS15169", "peer_count": 137}
]

Tip: AS3356 (Lumen) is a Tier-1 carrier and has far more peers than AS15169 (Google), which is primarily a content network. This illustrates the structural difference between transit and content ASNs.

Web Graph Analysis: Outbound Link Degree

Measure the number of outbound hyperlinks from a known domain.

-- Outbound link count from a domain
MATCH (h:HOSTNAME {name: "github.com"})-[:LINKS_TO]->(target:HOSTNAME)
RETURN count(target) AS outbound_links

Tip: The LINKS_TO graph contains over 10 billion edges, making it one of the largest datasets in the graph. Queries without an anchored starting node will time out.

Shortest Path Between Two Domains

Find the minimum number of hops between two domains in the graph.

-- Shortest path between two domains
MATCH p = shortestPath(
  (h:HOSTNAME {name: "cloudflare.com"})-[*1..6]-(target:HOSTNAME {name: "google.com"})
)
RETURN [n IN nodes(p) | n.name] AS path

Sample output:

[{"path": ["cloudflare.com", "google.com"]}]

Tip: These two domains link directly to each other. For less directly connected domains, paths of 3-5 hops are typical through the web link graph.

PreviousLaw Enforcement & CybercrimeNextCross-Cutting Recipes