Overview
An investigation may touch dozens of entity types: persons, organisations, IP addresses, domains, vehicles, and threat actors. Running a separate query for each type wastes time. The Profile domain provides a single abstraction layer over 20+ specialised profile types, enabling cross-entity search, bulk creation from unstructured text, AI-powered enrichment, and graph-based relationship queries without requiring investigators to know which type they are looking for in advance.
Key Features
- Universal profile access across 20+ types including person, organisation, IP address, domain, email, and threat entities
- Advanced search with full-text matching, profile type filtering, and fuzzy relevance scoring
- Pagination and sorting with configurable limits and multiple sort options
- AI-powered profile enrichment from multiple external data providers
- Bulk profile creation from unstructured text using large language models
- Profile timeline and activity tracking with event history
- Relationship management integrated with graph-based entity connections
- Faceted search with dynamic filter options for profile types, threat levels, countries, and tags
- Partial profile updates with property-level mutation support
- Enrichment scoring (0-100) with provider metadata tracking
Use Cases
Relevant sectors include law enforcement, intelligence agencies, and financial crime investigation.
- Searching across all profile types to find entities matching investigation criteria
- Enriching profiles with external intelligence from multiple data providers simultaneously
- Bulk-creating entity profiles from investigation notes or intelligence reports using AI extraction
- Visualising entity relationships through graph-based connection queries
Integration
The Profile domain connects with specialised profile domains (person, organisation, IP address), investigation management, graph visualisation, and intelligence analysis. It integrates with external enrichment providers for data enhancement.
Open Standards
- GraphQL (June 2018 specification): The entire profile API is exposed as a GraphQL schema, using typed queries, mutations, union types, faceted filtering, and batch retrieval via the GraphQL query language.
- MITRE ATT&CK: Attack-pattern profiles carry a `mitre_attack_id` field (e.g. T1003) that maps directly to MITRE ATT&CK technique identifiers, enabling TTP-based threat-actor profiling.
- CAPEC (Common Attack Pattern Enumeration and Classification): Attack-pattern profiles document their relationship to CAPEC, as noted in the profile model's description of associated attack patterns.
- CVE / CVSS: Vulnerability profiles store the CVE identifier (e.g. CVE-2021-44228) and a CVSS score (0.0 to 10.0), allowing severity-ranked vulnerability tracking within the unified profile abstraction.
- STIX 2.1 / TAXII 2.1 (OASIS): Threat-intelligence profile types (threat actor, malware, indicator, attack pattern, campaign, report) align with STIX 2.1 Structured Threat Information Expression domain objects, and the platform provides a dedicated STIX/TAXII service for ingest and export of those entities.
- OAuth 2.0 / JWT (RFC 7519, RS256): Every profile query and mutation is gated behind an `IsAuthenticated` permission that verifies an RS256-signed JSON Web Token against the signing key retrieved from a JWKS endpoint, conforming to the JWT and OAuth 2.0 Bearer Token standards.
- Wikidata linked-data identifiers: Entity and person profiles expose a `linked_wikidata_qid` canonical field for cross-referencing subjects against the Wikidata knowledge graph, a Wikimedia Foundation open-data standard.
- IMO / MMSI (International Maritime Organization): Vessel profiles store the IMO ship identification number and the MMSI radio-call identifier, the two principal open standards for maritime vessel identity.
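The bearer-token gate described under OAuth 2.0 / JWT, as an added example rather than the platform's own `IsAuthenticated` code: it verifies an RS256 token against a JWKS document using only the Python standard library, pins the algorithm so a client-supplied `alg` cannot change how the signature is checked, selects the key by `kid`, and then checks `exp`, `nbf` and `aud`. The JWKS, the 1024-bit key pair, the `kid` value `demo-key-1`, the audience `profile-api` and the claims are all constructed inline for the demonstration; the RSA arithmetic is written out so the check runs offline. A production service would use a maintained JOSE library, a key size of at least 2048 bits, and a JWKS fetched over TLS and cached with key rotation in mind.

```python
import base64
import hashlib
import hmac
import json
import secrets

# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    # 00 01 FF..FF 00 || DigestInfo || SHA-256(message), exactly k bytes long
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk: dict, signing_input: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 / SHA-256 verification with a public RSA JWK (RFC 7518, 6.3)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def verify_jwt(token: str, jwks: dict, audience: str, now: float) -> dict:
    """Return the claims of a valid RS256 bearer token, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm server-side; a client-chosen "none" or "HS256" must not
    # change how the signature is checked.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid", "")), None)
    if key is None:
        raise ValueError("no RSA key with that kid in the JWKS")
    if not rs256_verify(key, f"{h}.{p}".encode("ascii"), b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("audience mismatch")
    return claims

# --- constructed demo material (hypothetical identity provider side) ---------
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n % 2 == 0 or any(n % q == 0 for q in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_demo_keypair(bits: int = 1024, kid: str = "demo-key-1"):
    """Return (public JWK, private exponent d); throwaway key generation for the demo."""
    def prime(nbits):
        while True:
            c = secrets.randbits(nbits) | (1 << (nbits - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537  # prime, so gcd(e, phi) == 1 iff e does not divide phi
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "alg": "RS256", "kid": kid, "n": enc(p * q), "e": enc(e)}, pow(e, -1, phi)

def sign_demo_token(claims: dict, jwk: dict, d: int) -> str:
    """Issue an RS256 token with the demo private key (what the identity provider does)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    k = (n.bit_length() + 7) // 8
    h = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": jwk["kid"]}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    m = int.from_bytes(_emsa_pkcs1_v15(f"{h}.{p}".encode("ascii"), k), "big")
    return f"{h}.{p}.{b64url_encode(pow(m, d, n).to_bytes(k, 'big'))}"

if __name__ == "__main__":
    jwk, d = make_demo_keypair()
    token = sign_demo_token({"sub": "analyst-1", "aud": "profile-api", "exp": 1_900_003_600}, jwk, d)
    print(verify_jwt(token, {"keys": [jwk]}, "profile-api", now=1_900_000_000))
```

The design point is that every decision is made from the server's own configuration: the accepted algorithm is fixed, the key comes from the JWKS by `kid` and must be an RSA key, and a token whose signature does not verify is rejected before any claim is read. The same `verify_jwt` rejects an `alg: none` header, a token signed with a different key that reuses the `kid`, an empty or truncated signature, an expired token and an audience mismatch.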
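Because profile mutations accept property-level updates, the standard identifiers listed above (ATT&CK technique IDs, CVE IDs, CVSS scores, Wikidata QIDs, IMO and MMSI numbers) are worth normalising and validating before they are stored. The following is an added example, not the platform's own validation code: it checks each format, including the IMO check digit, and splits an update into accepted values and per-field errors. It goes slightly beyond the page's examples by also accepting ATT&CK sub-technique IDs (T1003.001). The property names `mitre_attack_id` and `linked_wikidata_qid` appear on the page; `cve_id`, `cvss_score`, `imo_number` and `mmsi` are assumed names for this example, and all sample values are constructed.

```python
import math
import re
from typing import Optional

# Identifier formats carried by the profile types (added example).
_ATTACK_ID = re.compile(r"T\d{4}(?:\.\d{3})?")  # technique or sub-technique: T1003, T1003.001
_CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")       # e.g. CVE-2021-44228
_WIKIDATA_QID = re.compile(r"Q[1-9]\d*")        # e.g. Q42 (no leading zeros)
_MMSI = re.compile(r"\d{9}")                    # nine-digit Maritime Mobile Service Identity

def normalize_attack_id(value) -> Optional[str]:
    v = str(value).strip().upper()
    return v if _ATTACK_ID.fullmatch(v) else None

def normalize_cve(value) -> Optional[str]:
    v = str(value).strip().upper()
    return v if _CVE_ID.fullmatch(v) else None

def normalize_cvss(value) -> Optional[float]:
    """CVSS score: finite, 0.0 to 10.0, stored with one decimal place."""
    try:
        x = float(value)
    except (TypeError, ValueError):
        return None
    return round(x, 1) if math.isfinite(x) and 0.0 <= x <= 10.0 else None

def normalize_wikidata_qid(value) -> Optional[str]:
    v = str(value).strip().upper()
    return v if _WIKIDATA_QID.fullmatch(v) else None

def normalize_imo(value) -> Optional[str]:
    """IMO ship number: 7 digits (optional 'IMO ' prefix) whose 7th digit is a check
    digit: the first six digits weighted 7,6,5,4,3,2, summed, modulo 10."""
    digits = re.sub(r"^IMO\s*", "", str(value).strip(), flags=re.IGNORECASE)
    if not re.fullmatch(r"\d{7}", digits):
        return None
    check = sum(int(c) * w for c, w in zip(digits[:6], range(7, 1, -1))) % 10
    return digits if check == int(digits[6]) else None

def normalize_mmsi(value) -> Optional[str]:
    v = str(value).strip()
    return v if _MMSI.fullmatch(v) else None

# Property name -> normaliser. mitre_attack_id and linked_wikidata_qid are the page's
# field names; cve_id, cvss_score, imo_number and mmsi are assumed for this example.
FIELD_NORMALIZERS = {
    "mitre_attack_id": normalize_attack_id,
    "cve_id": normalize_cve,
    "cvss_score": normalize_cvss,
    "linked_wikidata_qid": normalize_wikidata_qid,
    "imo_number": normalize_imo,
    "mmsi": normalize_mmsi,
}

def validate_profile_properties(props: dict):
    """Split a property-level update into (normalised values, per-field errors).
    Properties without a registered normaliser pass through unchanged."""
    clean, errors = {}, {}
    for name, raw in props.items():
        check = FIELD_NORMALIZERS.get(name)
        if check is None:
            clean[name] = raw
            continue
        norm = check(raw)
        if norm is None:
            errors[name] = f"{raw!r} is not a well-formed value for {name}"
        else:
            clean[name] = norm
    return clean, errors

if __name__ == "__main__":
    # Constructed sample update mixing valid and malformed identifiers.
    print(validate_profile_properties({
        "mitre_attack_id": "t1003.001", "cve_id": "CVE-2021-44228", "cvss_score": "10.0",
        "linked_wikidata_qid": "Q42", "imo_number": "IMO 9074729", "mmsi": "21123456",
    }))
```

Normalising to canonical form (upper-case IDs, a numeric CVSS score, IMO digits without the prefix) keeps cross-entity search and faceting consistent, and rejecting malformed values at the mutation boundary is cheaper than cleaning them out of the graph later.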
Last Reviewed: 2026-02-05
Last Updated: 2026-04-14