The Infrastructure Intelligence Graph: From Scattered IOCs to Complete Adversary Operations

The problem every security team knows too well: You start with one suspicious IP. Hours later, you're still pivoting across five tools, reconstructing what turns out to be a coordinated campaign. By the time you connect the dots, the adversary has rotated to fresh infrastructure.

March 6, 2026

Today, we're excited to introduce the Infrastructure Intelligence Graph—the core intelligence layer that powers VisionHeight's ability to map complete adversary operations in minutes, not days.

The Analyst's Nightmare: Manual Infrastructure Correlation

Security teams don't lack data. They drown in it.

A single phishing campaign might involve:

  • 47 domains across 8 different registrars
  • 23 IP addresses spanning 3 ASNs
  • 5 TLS certificates with subtle variations
  • 2 bulletproof hosting providers
  • Multiple proxy layers masking origin

Traditional threat intelligence gives you fragments:

  • Your SIEM flags one suspicious domain
  • Your threat feed scores an IP as "medium risk" with no explanation
  • Passive DNS shows some related domains—but which ones matter?
  • Certificate transparency logs reveal cert patterns—but what's the significance?
  • Your EDR detects a connection—but to what, exactly?

The result? Analysts spend 60-80% of their time not stopping threats, but assembling context. Pivoting between tools. Validating IOCs. Reconstructing campaigns manually. Building spreadsheets to track relationships.

And adversaries? They operate 2-8 weeks ahead, rotating infrastructure faster than teams can correlate it.

What if infrastructure told its own story?

The Infrastructure Intelligence Graph answers a simple question: What if you could see the complete adversary operation from any starting point—instantly?

Not "here's an IP address and a risk score."

But "here's the entire campaign: 47 domains, 23 IPs, 5 certificates, hosting patterns, temporal relationships, infrastructure churn timeline, and how it correlates with YOUR environment's SIEM alerts and EDR detections."

How it works: Multi-Source Fusion Into One Living Map

The Infrastructure Intelligence Graph fuses external infrastructure intelligence with your internal signals into a unified, continuously updated map of adversarial operations.

External Intelligence Layer:

  • Pulse Sensors™ across 600M+ datacenter IPs capturing proprietary telemetry
  • Global domain intelligence and DNS patterns
  • TLS/PKI certificate monitoring and fingerprinting
  • Honeypot and decoy infrastructure signals
  • Anonymization detection (VPN, proxy, Tor identification)
  • C2 infrastructure and malware delivery patterns

Internal Intelligence Layer:

  • SIEM logs and alert patterns
  • EDR/XDR detections and endpoint signals
  • Network traffic analysis
  • Attack surface exposure data
  • Historical incident patterns

The Result: A living graph that connects:

  • IPs
  • Domains
  • Certificates
  • ASNs
  • Services
  • Hosting Providers

Updated in real-time as infrastructure changes, campaigns evolve, and new relationships emerge.

From One IOC to Full Campaign in Minutes

Here's what the Infrastructure Intelligence Graph reveals that traditional tools can't:

1. Adversary Infrastructure Mapping

See how infrastructure connects across every dimension. One suspicious IP instantly expands to show:

  • All domains hosted on that IP (past and present)
  • All certificates used across those domains
  • All IPs sharing those certificates
  • ASN and hosting provider patterns
  • Service fingerprints and port configurations
  • Proxy and anonymization layers

Example: Single phishing domain → 47 related domains → 23 IPs → 5 certificates → 2 hosting providers → complete campaign footprint. In 60 seconds.

2. Infrastructure Pivoting

Navigate relationships instantly. Ask questions like:

  • "Show me all infrastructure using this certificate pattern"
  • "What else is hosted on this ASN?"
  • "Which domains share DNS patterns with this one?"
  • "What infrastructure changed in the last 48 hours?"

The graph answers in milliseconds, not hours of manual correlation.

3. Campaign Clustering

The graph automatically connects related infrastructure into unified campaigns based on:

  • Shared certificates and TLS fingerprints
  • Temporal patterns (registered together, changed together)
  • Hosting relationships and provider ecosystems
  • DNS patterns and domain families
  • Behavioral signatures

No manual clustering required. The graph does the heavy lifting.

4. Temporal Intelligence: Infrastructure Over Time

See how campaigns evolve:

  • When was infrastructure registered?
  • When did certificates change?
  • When did hosting shift?
  • What's the build-out timeline?
  • What changed in the last 24/48/72 hours?

Critical insight: Adversaries don't launch on day one. They build over 2-8 weeks. The graph shows you that build-out phase—when blocking costs nothing.
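To make the mapping, pivoting, clustering and temporal ideas above concrete, here is a small infrastructure graph written as an added illustration (it is not VisionHeight's code and does not reflect how their product is implemented). Nodes are typed ids such as "ip:…", "domain:…", "cert:…" and "asn:…"; every edge carries a reason code, a confidence and a first-seen date. Pivoting is a breadth-first expansion from one IOC, campaign clustering is connected components over edges above a confidence threshold, the build-out window is the first-to-last observation inside a footprint, and an evidence trail is the shortest chain of relations between two entities. All indicators, reason codes and dates are constructed (RFC 5737 address ranges, the .test TLD, a placeholder cert hash); the confidence values are assumptions chosen to show why a shared hosting ASN should not, on its own, merge unrelated tenants into one campaign.

```python
"""Toy infrastructure intelligence graph, added as an illustration (not VisionHeight code).
Node ids are typed ("ip:…", "domain:…", "cert:…", "asn:…"); every edge carries a reason
code, a confidence and a first-seen date, so pivots and clusters stay explainable."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Relation:
    src: str           # e.g. "domain:sso-verify-example.test"
    dst: str           # e.g. "ip:203.0.113.10"
    reason: str        # reason code: why the two entities are related
    confidence: float  # 0.0 .. 1.0
    first_seen: date   # when the relationship was first observed

class InfraGraph:
    def __init__(self):
        self.adj = defaultdict(list)  # node id -> relations touching it

    def relate(self, src, dst, reason, confidence, first_seen):
        rel = Relation(src, dst, reason, confidence, first_seen)
        self.adj[src].append(rel)
        self.adj[dst].append(rel)

    def neighbors(self, node, min_confidence=0.0):
        for rel in self.adj[node]:
            if rel.confidence >= min_confidence:  # drop weak evidence when asked
                yield (rel.dst if rel.src == node else rel.src), rel

    def pivot(self, start, min_confidence=0.0):
        """Expand one IOC into its footprint: breadth-first over strong-enough edges."""
        seen, queue = {start}, deque([start])
        while queue:
            for nxt, _ in self.neighbors(queue.popleft(), min_confidence):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def campaigns(self, min_confidence=0.0):
        """Campaign clustering: connected components over edges >= min_confidence."""
        assigned, clusters = set(), []
        for node in list(self.adj):
            if node not in assigned:
                comp = self.pivot(node, min_confidence)
                assigned |= comp
                clusters.append(comp)
        return clusters

    def explain(self, start, target, min_confidence=0.0):
        """Evidence trail: shortest chain of relations linking start to target, or None."""
        prev, queue = {start: None}, deque([start])
        while queue and target not in prev:
            cur = queue.popleft()
            for nxt, rel in self.neighbors(cur, min_confidence):
                if nxt not in prev:
                    prev[nxt] = (cur, rel)
                    queue.append(nxt)
        if target not in prev:
            return None
        trail, node = [], target
        while prev[node] is not None:
            node, rel = prev[node]
            trail.append(rel)
        return trail[::-1]

def footprint_summary(nodes):
    """Count footprint entities by type, e.g. {'domain': 3, 'ip': 2, 'cert': 1}."""
    return dict(Counter(n.split(":", 1)[0] for n in nodes))

def buildout_timeline(graph, nodes):
    """(first, last, days) over relationships inside a footprint: the build-out window."""
    dates = [rel.first_seen for n in nodes for _, rel in graph.neighbors(n)
             if rel.src in nodes and rel.dst in nodes]
    return min(dates), max(dates), (max(dates) - min(dates)).days

def build_sample_graph():
    """Constructed data (RFC 5737 ranges, .test TLD): three lookalike domains tied by a
    shared TLS cert and two IPs, plus an unrelated domain on the same hosting ASN."""
    g, d = InfraGraph(), date
    cert = "cert:sha256:0123abcd-constructed"
    g.relate("domain:login-secure-example.test", "ip:203.0.113.10", "A_RECORD", 0.95, d(2026, 2, 3))
    g.relate("domain:sso-verify-example.test", "ip:203.0.113.10", "A_RECORD", 0.95, d(2026, 2, 5))
    g.relate("domain:sso-verify-example.test", cert, "TLS_CERT_SERVED", 0.90, d(2026, 2, 6))
    g.relate("domain:portal-update-example.test", cert, "TLS_CERT_SERVED", 0.90, d(2026, 2, 12))
    g.relate("domain:portal-update-example.test", "ip:203.0.113.44", "A_RECORD", 0.95, d(2026, 2, 12))
    # A shared ASN is weak evidence: big hosters link thousands of unrelated tenants.
    g.relate("ip:203.0.113.10", "asn:AS64500", "BGP_ORIGIN", 0.30, d(2026, 2, 3))
    g.relate("ip:203.0.113.44", "asn:AS64500", "BGP_ORIGIN", 0.30, d(2026, 2, 12))
    g.relate("domain:unrelated-shop.test", "ip:198.51.100.7", "A_RECORD", 0.95, d(2025, 11, 1))
    g.relate("ip:198.51.100.7", "asn:AS64500", "BGP_ORIGIN", 0.30, d(2025, 11, 1))
    return g

if __name__ == "__main__":
    g = build_sample_graph()
    hits = g.pivot("ip:203.0.113.10", min_confidence=0.5)
    print(footprint_summary(hits), buildout_timeline(g, hits))
    for rel in g.explain("ip:203.0.113.10", "ip:203.0.113.44", min_confidence=0.5):
        print(f"{rel.src} -[{rel.reason} {rel.confidence:.2f} {rel.first_seen}]-> {rel.dst}")
```

Run as a script, it pivots from one IP to a footprint of three domains, two IPs and one certificate with a nine-day build-out window, and prints the evidence trail between the two IPs. The threshold matters: with the ASN edges admitted, the two IPs are "related" through AS64500 in two hops and the unrelated shop joins the same cluster, which is exactly the kind of hub-node collapse (shared ASN, CDN, shared hosting) that an analyst has to guard against; with weak edges excluded, the trail runs through the shared certificate and the clusters separate.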

5. Behind-Anonymization Visibility

Traditional tools see VPN/proxy and stop. The graph sees through:

  • VPN exit nodes
  • Residential proxy networks
  • Tor endpoints
  • CDN and shared hosting layers

We don't just detect anonymization—we fingerprint what's behind it. See the origin infrastructure competitors call "unknown."

6. Internal Correlation: What Targets YOU

The graph doesn't just map global threat landscape. It correlates with YOUR environment:

  • Which IPs from this campaign hit your SIEM?
  • Which domains appeared in your DNS logs?
  • Which certificates triggered EDR detections?
  • Which infrastructure probed your attack surface?

Outcome: Distinguish campaigns targeting the broader internet from campaigns targeting YOU specifically.
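The internal-correlation step can be shown as a plain matching job: take the typed entities of an external campaign footprint and check which of them appear in your own DNS, firewall and EDR records. The code below is an added illustration, not VisionHeight's code; the three log formats are assumed for the example and are not any vendor's real format, and every log line, host name and indicator is constructed. The verdict function reports whether any campaign entity touched the environment and how much of the footprint was seen, which is the "targets the internet" versus "targets you" distinction the section describes.

```python
"""Internal correlation, added as an illustration (not VisionHeight code): check which
entities of an external campaign footprint appear in your own telemetry. Log lines and
indicators are constructed; the log formats are assumed, not any vendor's real format."""
import re
from collections import defaultdict

# External campaign footprint (constructed, typed ids as a graph pivot would return).
CAMPAIGN = {
    "ip:203.0.113.10", "ip:203.0.113.44",
    "domain:login-secure-example.test", "domain:sso-verify-example.test",
    "cert:sha256:0123abcd-constructed",
}

# Constructed internal telemetry in three assumed formats (DNS, firewall, EDR).
INTERNAL_LOGS = """\
dns 2026-03-01T09:12:03Z client=10.0.4.21 query=sso-verify-example.test action=blocked
dns 2026-03-01T09:12:09Z client=10.0.4.21 query=intranet.corp.test action=allowed
fw 2026-03-02T22:41:55Z src=203.0.113.44 dst=10.0.1.5 dport=443 action=deny
fw 2026-03-02T22:42:01Z src=198.51.100.99 dst=10.0.1.5 dport=443 action=deny
edr 2026-03-03T11:05:40Z host=WS-0117 remote=203.0.113.10:443 cert=sha256:0123abcd-constructed
"""

PATTERNS = {
    "dns": re.compile(r"^dns (\S+) client=(\S+) query=(\S+) action=(\S+)$"),
    "fw": re.compile(r"^fw (\S+) src=(\S+) dst=\S+ dport=\d+ action=(\S+)$"),
    "edr": re.compile(r"^edr (\S+) host=(\S+) remote=([^:\s]+):\d+ cert=(\S+)$"),
}

def indicators_in_line(line):
    """Normalise one log line into (source, timestamp, asset, [typed indicators])."""
    source = line.split(" ", 1)[0]
    pattern = PATTERNS.get(source)
    m = pattern.match(line) if pattern else None
    if not m:
        return None  # unknown or malformed line: skip rather than guess
    if source == "dns":
        ts, client, query, _ = m.groups()
        return source, ts, client, [f"domain:{query}"]
    if source == "fw":
        ts, ip, _ = m.groups()
        return source, ts, "perimeter", [f"ip:{ip}"]
    ts, host, ip, cert = m.groups()
    return source, ts, host, [f"ip:{ip}", f"cert:{cert}"]

def correlate(campaign, logs):
    """Map each campaign entity seen internally to the sightings that prove it."""
    hits = defaultdict(list)
    for line in logs.splitlines():
        parsed = indicators_in_line(line)
        if parsed is None:
            continue
        source, ts, asset, iocs = parsed
        for ioc in iocs:
            if ioc in campaign:
                hits[ioc].append({"source": source, "time": ts, "asset": asset})
    return dict(hits)

def verdict(campaign, hits):
    """Targeted if any campaign entity touched the environment; report the coverage."""
    return {"targeted": bool(hits), "seen": len(hits), "total": len(campaign),
            "sources": sorted({h["source"] for sightings in hits.values() for h in sightings})}

if __name__ == "__main__":
    hits = correlate(CAMPAIGN, INTERNAL_LOGS)
    for ioc, sightings in hits.items():
        print(ioc, "->", sightings)
    print(verdict(CAMPAIGN, hits))
```

On the constructed data four of the five campaign entities show up across all three sources, so the campaign is marked as targeting this environment; the one domain that was never observed is still part of the footprint and is the natural candidate for a pre-emptive block. Hits are keyed by the campaign entity rather than by log line so each sighting keeps the source, time and asset an analyst needs as evidence.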

Real Investigation, Real Speed

Scenario: Credential Harvesting Campaign

WITHOUT Infrastructure Intelligence Graph:

  • Hour 1-3: Analyst starts with suspicious domain, manually queries passive DNS, finds 12 related domains
  • Hour 4-6: Pivots to certificate transparency logs, discovers shared cert pattern
  • Day 2: Network team checks firewall logs for related IPs manually
  • Day 3: SIEM analyst correlates alerts across tools, builds spreadsheet tracking relationships
  • Day 4-5: Security team debates scope, decides to block known infrastructure
  • Week 2: Adversary rotates to fresh infrastructure using same patterns. Repeat.

Cost: 5+ days to map partial campaign. Adversary already rotated. Lateral movement established.

WITH Infrastructure Intelligence Graph:

  • Minute 1: Alert fires on suspicious domain
  • Minute 2: Graph instantly reveals:
    • 47 related domains
    • 23 IPs across 3 ASNs
    • 5 certificates with matching patterns
    • 2 bulletproof hosting providers
    • 12-day infrastructure build-out timeline
  • Minute 5: Internal correlation shows:
    • 3 IPs attempted SSO logins to your environment last week
    • 1 domain appeared in DNS logs (blocked by existing policy)
    • Similar cert pattern seen in EDR connection attempts
  • Minute 10: Full campaign narrative complete (internal + external context)
  • Minute 15: Decision Sync enforces blocks across entire stack
  • Minute 20: Graph flags new infrastructure rotation via shared cert patterns
  • Day 1-30: Continuous monitoring of campaign evolution with automated alerts on infrastructure changes

Cost: 20 minutes to complete campaign disruption. Proactive blocking of rotation attempts. Zero lateral movement.

Evidence-Backed, Explainable, Audit-Ready

Every relationship in the graph comes with:

  • Reason codes: Why are these entities related?
  • Confidence scores: How certain are we?
  • Temporal context: When did this relationship form?
  • Evidence trails: What signals support this connection?

Not black-box correlations. Defensible intelligence that teams can trust, automate, and defend to leadership.

AI-Guided Investigation

Ask questions in natural language:

  • "Show me all infrastructure registered in the last 7 days using bulletproof hosting"
  • "Which campaigns are targeting financial services this month?"
  • "What infrastructure is building around our key vendor domains?"
  • "Generate a hunt query for this certificate pattern"

The graph generates pivots, hunt paths, and briefings anchored to evidence—in seconds.

Built for Speed, Scale, and Action

Real-Time Updates

Infrastructure changes constantly. The graph updates as adversaries rotate, domains resolve, certificates change, hosting shifts.

Global Coverage

600M+ datacenter IPs, millions of domains, certificate ecosystems, ASN relationships. Internet-scale visibility with local correlation.

Enforcement-Ready

The graph doesn't just map campaigns—it powers enforcement. Decision Sync propagates blocks from any graph entity (IP, domain, cert, ASN) across your entire stack in seconds.

What This Means for Your Security Operations

For SOC Analysts: Stop pivoting between tools. Start with complete campaign context. Triage in minutes, not hours.

For Threat Intel Teams: Stop chasing isolated IOCs. Hunt at campaign level. Discover relationships competitors miss.

For Incident Response: Stop reconstructing timelines manually. See complete attack infrastructure, lateral movement paths, and infrastructure rotation instantly.

For Security Leadership: Stop explaining breaches in hindsight. Demonstrate proactive disruption of campaigns weeks before they launch.

The Vision: Autonomous Infrastructure Intelligence

The Infrastructure Intelligence Graph is the foundation for everything VisionHeight does:

  • Pre-Attack Intelligence™ uses the graph to detect infrastructure during build-out, 2-8 weeks before weaponization
  • Explainable Risk Engine™ uses graph relationships to generate evidence-backed risk scores with reason codes
  • Autonomous Defense Enforcement™ uses the graph to propagate policies from single IOCs to complete campaign clusters

One intelligence layer. Complete visibility. Instant action.

What's Next

The Infrastructure Intelligence Graph is available now to all VisionHeight customers and is continuously evolving with:

  • Expanded coverage of infrastructure types and anonymization layers
  • Deeper temporal analysis and predictive campaign modeling
  • Enhanced AI-guided investigation and automated hunt generation
  • Broader integration with SIEM, SOAR, and threat intelligence platforms

Want to see the graph in action?

We'll show you infrastructure building toward your organization right now—threats your current tools report "no data" for.

Book a Demo and watch us map a live campaign targeting your industry in minutes.

Stop reconstructing campaigns manually. Start seeing complete adversary operations instantly.

The Infrastructure Intelligence Graph: From scattered indicators to unified intelligence.
