Overview
An investigator has built a working hypothesis: the suspect is the sole orchestrator of a fraud network. Before taking that theory to a supervisor, she wants to stress-test it. The Analysis module's counterfactual engine generates three alternative scenarios that could explain the same evidence without the suspect's involvement. Two fall apart under scrutiny. The third reveals a gap in the evidence, a gap the team had not noticed. The investigation becomes sharper.
That is analysis working as it should: not just confirming what analysts already believe, but actively challenging their assumptions and finding paths through complex evidence that human review alone would miss. The Analysis module orchestrates the full spectrum of analytical methods (clustering, correlation, anomaly detection, network pathfinding, and counterfactual reasoning) as a coordinated, asynchronous analytical framework.
Key Features
- Multi-Method Analysis: Support for diverse analytical methodologies including summarisation, pattern detection, clustering, correlation, anomaly detection, sentiment analysis, threat modelling, and graph analysis.
- Asynchronous Job Processing: Long-running analysis tasks execute asynchronously with real-time progress tracking (0-100%), enabling analysts to monitor complex operations without blocking.
- Granular Result Management: Each analysis job can produce multiple typed results (clusters, insights, anomalies, summaries, predictions, recommendations) with confidence scores for drill-down investigation.
- Counterfactual Analysis: AI-powered "Devil's Advocate" hypothesis testing generates alternative scenarios that could invalidate investigative hypotheses, preventing confirmation bias and strengthening analytical rigour.
- Risk-Aware Pathfinding: Discover investigation paths through entity relationship graphs with integrated risk and opportunity scoring, prioritising paths that balance operational safety with evidence collection potential.
- AI-Powered Narratives: Automatically generate human-readable narratives explaining the significance of discovered paths, highlighting risks, opportunities, and recommended approaches.
- Organisation-Scoped Security: All analysis operations enforce multi-tenant isolation, ensuring organisations can only access their own jobs and results.
- Programmable API Access: Full API support for creating analysis jobs, updating progress, storing results, discovering investigation paths, and generating counterfactual scenarios.
Analysis Types
- Summarisation: AI-powered evidence and investigation summarisation for rapid situational awareness.
- Pattern Detection: Behavioural pattern identification across transactions, communications, and entity interactions using algorithms such as HDBSCAN.
- Clustering: Entity and event grouping to identify related items and network structures.
- Correlation: Multi-source data correlation to uncover connected events across different data streams.
- Anomaly Detection: Statistical outlier detection for fraud investigation, insider threat identification, and quality assurance.
- Sentiment Analysis: Natural language processing for extracting sentiment from text evidence.
- Threat Modelling: Threat actor behaviour prediction and vulnerability assessment.
- Graph Analysis: Network analysis and community detection across entity relationship graphs.
Use Cases
Intelligence analysts run multi-method analysis jobs on collected evidence to identify patterns, anomalies, and connections that manual review would miss, with AI-generated insights and recommendations accelerating the analytical process.
Law enforcement investigators use counterfactual analysis to stress-test hypotheses before committing resources to a specific line of inquiry, surfacing contradictory evidence before it becomes a court problem.
Financial crime units apply risk-aware pathfinding to discover the most promising routes through complex shell company networks, with risk and opportunity scores helping analysts prioritise leads that offer the best evidence collection potential.
Threat intelligence teams combine anomaly detection, correlation analysis, and threat modelling to build comprehensive threat assessments against critical infrastructure, with confidence-scored predictions and actionable recommendations.
Integration
The Analysis module integrates deeply with other Argus modules:
- Analysis Jobs: The analysis jobs tracking system monitors and reports on all running analysis operations.
- Entity Management: Graph-based pathfinding and network analysis operate on the entity knowledge graph.
- Evidence Management: Analysis jobs reference evidence items and produce results that become part of the investigative record.
- Case Management: Analysis results and counterfactual scenarios feed into case assessments and investigation planning.
- AI Partners: AI-powered summarisation, hypothesis testing, and narrative generation use the platform's AI provider infrastructure.
- Audit Trail: All analysis operations are logged with user attribution for compliance and chain of custody.
Open Standards
- GraphQL (June 2018 specification): All analysis jobs, results, counterfactual scenarios, and pathfinding operations are exposed through a typed GraphQL API with queries, mutations, and subscriptions for real-time progress tracking.
- W3C PROV-DM / PROV-JSON: Analysis operations generate provenance records that map directly to the W3C PROV-DM core concepts (prov:Entity, prov:Activity, prov:Agent), with PROV-JSON serialisation available for export and chain-of-custody audit.
- ISO 8601 / RFC 3339: All job creation, update, and result timestamps are serialised in ISO 8601 format, ensuring consistent chronological ordering across asynchronous analysis pipelines.
- JSON (RFC 8259): Analysis job parameters, result content, AI-generated narratives, and counterfactual scenario data are all stored and exchanged as JSON, using PostgreSQL JSONB columns for indexed, schema-flexible payloads.
- JSON Web Token (RFC 7519): Every analysis API operation is gated behind RS256 JWT verification via a JWKS endpoint; the JWT subject and organisation claim enforce per-tenant data isolation across all jobs and results.
- RFC 4122 (UUID): Analysis jobs, results, counterfactual scenarios, and assumption monitors are each identified by version-4 UUIDs, providing collision-resistant, globally unique identifiers across distributed components.
- HDBSCAN (Hierarchical Density-Based Spatial Clustering of Applications with Noise): The pattern detection method named in the module is HDBSCAN, a published density-based clustering algorithm used to group entity and event data into variable-density clusters without requiring a preset number of clusters.
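The JSON Web Token item above combines two checks, RS256 signature verification against a JWKS key and tenant scoping from the organisation claim. The following sketch shows both working together; it is an added example, not Argus code. Assumptions: the claim name `org_id`, the key id `demo-key-1`, the in-memory `JWKS` and `JOBS` tables and the `issue` helper are all hypothetical, and the RSA check is written with the standard library and a constructed toy key so it runs offline.

```python
import base64, hashlib, json, time

# Constructed toy RSA key built from two Mersenne primes: trivially factorable, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                        # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
JWKS = {"demo-key-1": (N, E)}                        # hypothetical kid -> public key
JOBS = {"job-a": {"org_id": "org-1"}, "job-b": {"org_id": "org-2"}}  # constructed rows

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input):
    """EMSA-PKCS1-v1_5 block for SHA-256(signing_input); verify() compares it whole."""
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def issue(claims, alg="RS256"):
    """Stand-in for the identity provider; used only to build sample tokens."""
    head = b64u(json.dumps({"alg": alg, "kid": "demo-key-1"}).encode())
    signing_input = head + "." + b64u(json.dumps(claims).encode())
    sig = pow(encoded_message(signing_input.encode()), D, N).to_bytes(K, "big")
    return signing_input + "." + (b64u(sig) if alg == "RS256" else "")

def verify(token, now=None):
    """Return the claims, or None unless alg, kid, signature, exp and org all check out."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(unb64u(head))
        if header.get("alg") != "RS256" or header.get("kid") not in JWKS:
            return None                              # pin the algorithm: no "none", no HS256
        n, e = JWKS[header["kid"]]
        if pow(int.from_bytes(unb64u(sig), "big"), e, n) != encoded_message(f"{head}.{body}".encode()):
            return None
        claims = json.loads(unb64u(body))
        expired = claims.get("exp", 0) <= (time.time() if now is None else now)
        return None if expired or not claims.get("org_id") else claims
    except (ValueError, AttributeError, TypeError):
        return None

def get_job(token, job_id):
    """Tenant-scoped read: a job is visible only to the organisation in the verified token."""
    claims, job = verify(token), JOBS.get(job_id)
    visible = claims is not None and job is not None and job["org_id"] == claims["org_id"]
    return job if visible else None                  # same answer for "missing" and "not yours"
```

The tenant identifier is taken only from the verified token, never from a request parameter, and a cross-tenant lookup returns the same result as a missing job so job identifiers cannot be probed across organisations.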
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14