What Is the Cybersecurity Triage Reasoning Graph?
A standalone glossary definition, part of the D3 Security Operations Glossary.
Definition
D3 Security’s domain-specific reasoning architecture for SOC investigation. Developed over 24 months by 60 specialists in red teaming, data science, AI engineering, and SOC operations. The graph is independent of any specific LLM: the graph is the moat, the LLM is interchangeable.
What the Reasoning Graph Is
Morpheus runs on a domain-specific reasoning architecture for SOC investigation: the Cybersecurity Triage Reasoning Graph. The graph encodes how attacks propagate, how telemetry should be interpreted, and how SOC decisions should be made. An LLM enters the graph at bounded moments and reasons within the graph’s constraints — not free-running, not emergent.
This distinction matters. A foundation model is a depreciating asset. New models ship every six to twelve months; the previous generation depreciates against them. A domain-specific reasoning architecture is an appreciating asset. Every customer engagement, every red-team exercise, every new attack technique deepens the architecture. When someone asks whether Morpheus is behind GPT-5 or Claude Opus, they are asking the wrong question. The reasoning architecture is the moat. The underlying LLM is a swappable component.
How the Graph Works
The Cybersecurity Triage Reasoning Graph defines what the LLM sees and how it reasons. The LLM does the inference. The graph does the governing.
In practice, when Morpheus processes an alert, the graph wraps each LLM reasoning step: it defines what the model is allowed to see, what context it receives, and what kind of answer it can return. Classify this alert. Extract this field. Summarize this incident. Generate this parameter. One question in, one structured answer out. The graph makes the answer correct. The LLM is interchangeable; the graph is the moat.
This architecture sits inside D3’s deterministic governance layer. The reasoning layer operates only within bounds the architecture defines. The governance layer ensures every action is predictable, ordered, and recordable. Bounded agentic reasoning inside deterministic governance. One audit trail per incident.
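The pattern described above (a bounded input view, one structured answer, one audit trail per incident) can be sketched as follows. This is an added illustration, not D3's code or API: every name here (`BoundedStep`, `run_step`, the stub models, the sample alert) is hypothetical, and falling back to analyst escalation when an answer is out of bounds is an assumption.

```python
import json
from dataclasses import dataclass, field

@dataclass(frozen=True)
class BoundedStep:                      # hypothetical: one node-level question
    question: str
    visible_fields: frozenset           # what the model is allowed to see
    allowed_answers: frozenset          # what kind of answer it can return

@dataclass
class Incident:
    alert: dict
    audit: list = field(default_factory=list)   # one audit trail per incident

def run_step(step, incident, model):
    """Run one bounded reasoning step; `model` is any callable (swappable)."""
    # Only allow-listed fields reach the model; free text stays out.
    context = {k: v for k, v in incident.alert.items() if k in step.visible_fields}
    raw = model(step.question, context)
    try:
        parsed = json.loads(raw)
        # Strict shape: exactly one key, "answer". Extra keys are rejected.
        answer = parsed["answer"] if set(parsed) == {"answer"} else None
    except (ValueError, KeyError, TypeError):
        answer = None
    accepted = isinstance(answer, str) and answer in step.allowed_answers
    # Assumption: fail closed by handing the decision to a human.
    result = answer if accepted else "escalate_to_analyst"
    incident.audit.append({"question": step.question, "seen": sorted(context),
                           "raw": raw, "accepted": accepted, "result": result})
    return result

CLASSIFY = BoundedStep("Classify this alert.",
                       frozenset({"rule", "sender_domain", "url_count"}),
                       frozenset({"phishing", "malware", "benign"}))

# Constructed sample alert; "body" stands in for untrusted free text.
SAMPLE_ALERT = {"rule": "Suspicious email link", "sender_domain": "example.test",
                "url_count": 3, "body": "constructed untrusted email text",
                "recipient": "user@example.test"}

def compliant_model(question, context):     # stub for one interchangeable LLM
    return json.dumps({"answer": "phishing"})

def unbounded_model(question, context):     # stub whose output leaves the schema
    return json.dumps({"answer": "benign", "action": "close_incident"})

if __name__ == "__main__":
    inc = Incident(dict(SAMPLE_ALERT))
    for m in (compliant_model, unbounded_model):
        print(m.__name__, "->", run_step(CLASSIFY, inc, m))
    print(json.dumps(inc.audit, indent=2))
```

Swapping `compliant_model` for another callable changes nothing in `run_step`; the step definition, not the model, decides what is seen and what is accepted.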
Pre-Trained and Self-Trained
The Cybersecurity Triage Reasoning Graph ships pre-trained on day one — 24 months of red-team, data-science, AI-engineering, and SOC-analyst work built into the architecture. From there, the graph self-tunes to your environment: your alerts, your assets, your patterns. Speed and fit, not speed or fit.
Your learnings stay in your tenant. The graph weights and edges that adapt to your environment live in your tenant — not pooled into a central model trained on everyone else’s data. If a confidence score feels wrong, your analyst can see why the graph scored it that way and override it.
Also see:
Bounded Agentic Reasoning
Autonomous SOC
Frequently asked questions
What is the Cybersecurity Triage Reasoning Graph?
The Cybersecurity Triage Reasoning Graph is D3 Security’s domain-specific reasoning architecture for SOC investigation. It encodes how attacks propagate, how telemetry should be interpreted, and how SOC decisions should be made. An LLM operates inside the graph’s constraints — not free-running. Built over 24 months by 60 specialists including red teamers, data scientists, AI engineers, and SOC analysts.
How is the Reasoning Graph different from a general-purpose LLM?
A general-purpose LLM has no native understanding of attack paths, MITRE ATT&CK technique IDs, or SOC operating procedures. The Cybersecurity Triage Reasoning Graph encodes all of that domain knowledge structurally. The LLM reasons within the graph’s constraints rather than generating answers from general training data. This eliminates the hallucination and prompt-engineering overhead that comes with wrapping a general-purpose model in a security context.
What does “the graph is the moat” mean?
Foundation models are depreciating assets — new models ship every six to twelve months, and each generation supersedes the last. A domain-specific reasoning architecture is an appreciating asset. Every new attack technique, every customer engagement, every red-team exercise deepens the graph’s value. When the underlying LLM is swappable, the architecture becomes the durable competitive advantage, not the model version.
Which LLM does the Reasoning Graph use?
The Cybersecurity Triage Reasoning Graph is LLM-agnostic. The graph defines the reasoning constraints; the LLM that executes within them is interchangeable. This means Morpheus is not dependent on any single foundation model provider and can adopt improvements in underlying models without changing the reasoning architecture.
How long did it take to build?
24 months, with 60 specialists across red teaming, data science, AI engineering, and SOC operations. The result is a reasoning architecture trained on cybersecurity-specific corpora and operational SOC patterns — not a general-purpose model with a security prompt layer on top.
Does the Reasoning Graph learn from my environment?
Yes. The graph ships pre-trained on day one and self-tunes to your environment from first use. Graph weights and edges adapt to your tenant’s alerts, assets, and patterns. Critically, your learnings stay in your tenant — they are not pooled into a central model trained on data from other organizations.
What is “bounded reasoning inside deterministic governance”?
Bounded reasoning means the LLM operates only within limits defined by the Cybersecurity Triage Reasoning Graph — it cannot generate arbitrary outputs or take unsanctioned actions. Deterministic governance means Morpheus’s playbook engine beneath the AI layer ensures every action is predictable, ordered, and recorded. The combination gives regulated enterprises AI-speed investigation with audit-ready accountability.
How does the Reasoning Graph relate to Attack Path Discovery?
Attack Path Discovery is Morpheus’s autonomous investigation engine — the capability that reconstructs full attack timelines across 800+ connected tools and 90 days of telemetry. The Cybersecurity Triage Reasoning Graph is the underlying reasoning architecture that makes APD’s conclusions correct and auditable. The graph governs what the LLM reasons about; APD governs what data the investigation reaches.
Related terms
Bounded Agentic Reasoning — AI reasoning constrained to specific decision boundaries defined by deterministic governance.
Attack Path Discovery — D3 Morpheus’s autonomous investigation engine that reconstructs full attack timelines before any analyst intervention.
Autonomous SOC — A security operations center in which AI systems perform alert triage, investigation, and response without requiring analyst intervention for routine cases.
Agentic SOC — A SOC architecture in which AI agents perform investigation and response tasks autonomously.
Unified Intelligence Model — D3’s architectural principle of running all AI reasoning through a single engine with one audit trail.
Last updated: May 2026