Pivoting Examples
Worked cross-layer traversals — from a domain to the network that routes it, an IP to its jurisdiction, an actor to its techniques. Examples, not an exhaustive list.
Pivoting Examples Documentation
The point of a pre-joined graph is the chain — walking from one layer to the next in a single query. This page collects the pivots you will reach for most, each with the traversal it encodes and a runnable query. These are examples, not the complete set: any two connected labels can be joined, and the Connection Types page is the full menu of edges you can compose your own chains from.
Every pivot below starts from an anchored {name: "..."} lookup. That is what turns a chain into an instant traversal instead of a scan — see Best Practices for why.
Domain → network owner
Who hosts this domain, and on whose network? Resolve the host to an IP, follow the IP to its announced prefix, and follow the prefix to the AS that routes it.
This six-hop chain — HOSTNAME → RESOLVES_TO → IPV4 → ANNOUNCED_BY → ANNOUNCED_PREFIX → ROUTES → ASN — is the single most-run query on the graph. It needs a free key (it crosses more than 2 hops).
IP → jurisdiction
Geolocate an address by chaining its GeoIP city to the city's country.
Anycast and large-CDN IPs often lack a city. When LOCATED_IN returns nothing, read the owning ASN's country instead: (:ASN)-[:HAS_COUNTRY]->(:COUNTRY).
ASN → physical footprint
Where does a network actually sit? A network is present in facilities directly, and reaches more facilities through the exchanges it joins.
The direct form is (:ASN)-[:AS_PRESENT_AT]->(:FACILITY). Both are virtual edges, so anchor the ASN.
Submarine cable → landing → facility
Trace a subsea cable from the sea to the building it terminates in.
Domain → mail servers
NAMESERVER_FOR and MAIL_FOR point server → domain, so traverse them backwards to answer "what serves this domain".
IP → threat feeds → categories
Enrich an indicator: which feeds flagged it, and what categories those feeds belong to.
Bound the feed list with WITH f LIMIT 10 before expanding to categories. The full catalog and taxonomy are on the Threat Feeds & Categories page. For a scored verdict with per-feed evidence in one call, prefer explain() over walking these edges by hand.
Actor → technique → tactic
Map a threat actor to the MITRE ATT&CK techniques it uses, and roll each technique up to its tactic.
ACTOR names are case-sensitive. Group a technique under its tactic with (:ATTACK_PATTERN)-[:USES_TACTIC]->(:ATTACK_PATTERN).
RPKI authorization
Check what a route-origin authorization covers — which AS it authorizes, and for which prefix.
Prefix → cloud region
Place a prefix inside the cloud region that operates it.
Prefix → MOAS conflict
A prefix announced by more than one origin AS is the fingerprint of a hijack or route leak.
Multi-origin state shifts as routes change, so any specific example prefix may settle. The query shape is what stays useful.
Compose your own
These chains are building blocks. Because the layers are pre-joined, you can splice them — resolve a domain to an IP, geolocate the IP, and pull its threat feeds in one query; or pivot from a WHOIS email to every domain it registered to their shared ASNs. Reach past 3 hops and you will need a key; keep each virtual edge as an explicit single hop and anchor the start. The Connection Types reference lists every edge you can chain, and Best Practices covers the rules that keep a deep traversal fast.