London / Dubai – 30 June 2025
Cywift, a cybersecurity product company focused on AI-driven risk intelligence, has announced the development and enterprise deployment of what is believed to be the first Graph-RAG (Graph Retrieval-Augmented Generation) implementation designed specifically for enterprise cybersecurity environments.

The innovation represents a significant advancement in how organisations reason about cyber risk, moving beyond static compliance mapping and alert aggregation toward dynamic, context-rich, AI-driven risk reasoning at scale.

Developed under the leadership of Cywift CEO Abuzar Ghafari and led by Cybersecurity Product Architect Mansoor Ahmad Khan, the Graph-RAG module introduces a new intelligence layer capable of continuously analysing relationships between identities, assets, controls, vulnerabilities, compliance frameworks, and threat telemetry in real time.

Why Cybersecurity Reasoning Hit a Ceiling

For all the progress made in cybersecurity tooling over the past decade, one limitation has remained largely unresolved. Security platforms generate vast volumes of telemetry: logs, alerts, identities, vulnerabilities, policies, and compliance artefacts. Yet most organisations still reason about risk using static models.

Controls are mapped to frameworks. Evidence is collected periodically. Risk is assessed at fixed points in time. Even advanced GRC and SIEM platforms largely operate as repositories rather than reasoning engines.

As environments became cloud-native, multi-vendor, and API-driven, this static approach began to fail. Security leaders could see symptoms, but struggled to answer higher-order questions such as:

  • Which controls are actually effective right now?
  • How does a change in identity posture affect downstream risk?
  • Which risks matter most in the current operational context?

The industry lacked a mechanism for contextual, real-time reasoning across interconnected security data.

Addressing a Structural Gap in Cybersecurity

Despite the proliferation of security tooling, most enterprises continue to assess cyber risk using periodic audits, static frameworks, and manual evidence collection. This approach has struggled to keep pace with modern cloud-native, multi-vendor environments where risk conditions change continuously.

Cywift approached this limitation from a fundamentally different angle: its Graph-RAG implementation models cybersecurity as a living knowledge graph, rather than a collection of disconnected data sources.

The system ingests live telemetry from over 80 security tools across identity and access management, SIEM, SaaS security, vulnerability management, and cloud platforms. This data is normalised into a security-native graph structure that captures not only individual control states, but also their dependencies and downstream impact. Rather than treating security telemetry as isolated data streams, the company modelled cybersecurity as a connected system of entities and relationships. Users, identities, devices, controls, vulnerabilities, policies, frameworks, and threats do not exist independently; they form a graph.

Under the product leadership of Mansoor Khan, Cywift initiated the development of what is now regarded as the first Graph-RAG (Graph Retrieval-Augmented Generation) implementation designed specifically for enterprise cybersecurity.

From Static Reporting to Real-Time Risk Reasoning

Unlike traditional RAG systems that retrieve unstructured documents, Cywift’s Graph-RAG retrieves contextual relationships from the knowledge graph and applies AI reasoning to explain risk in operational terms.

This enables enterprises to answer questions such as:

  • Which controls are actually effective right now?
  • How do changes in identity posture affect compliance exposure?
  • Which risks carry the highest business impact in the current context?

Risk assessment shifts from checklist validation to continuous verification, allowing organisations to detect control degradation, compliance gaps, and exposure pathways as they emerge.

What Makes Graph-RAG Different in Cybersecurity

Traditional RAG systems retrieve documents. Cywift’s implementation retrieves relationships.

The Graph-RAG module ingests live telemetry from IAM platforms, SIEM systems, SaaS vulnerability scanners, cloud security tools, and compliance engines. This data is normalised into a security knowledge graph where each node and edge represents a meaningful security concept and its dependency.

When a query is issued, the system does not search text. It traverses the graph, retrieves the relevant sub-graph, and applies AI-driven reasoning on top of structured relationships. Early enterprise deployments across critical infrastructure and regulated environments delivered measurable outcomes:

  • Material reduction in audit preparation effort, driven by continuous evidence validation
  • Faster prioritisation of remediation actions, based on contextual risk impact rather than alert volume
  • Improved executive and regulator visibility, through explainable, traceable risk narratives

Security leaders reported that Graph-RAG reduced weeks of manual correlation and reporting work to minutes, while improving confidence in risk decisions.

Why This Is Considered an Industry First

While knowledge graphs and RAG techniques exist independently, their application in enterprise cybersecurity at this depth is unprecedented. Three elements distinguish Cywift’s implementation as an industry first:

  • Security-Native Graph Design
    The graph schema was designed specifically for cybersecurity constructs, not retrofitted from generic knowledge graph models. This allows accurate representation of control dependencies, threat propagation paths, and compliance relationships.
  • Live Telemetry Integration
    The graph ingests real-time data from over 80 security tools across identity, endpoint, cloud, application, and governance layers. The reasoning layer reflects the current state of the environment, not historical snapshots.
  • AI-Driven Risk Explanation
    Graph-RAG enables explainable AI. Every risk conclusion can be traced through the graph, showing how evidence, controls, and relationships led to the outcome. This transparency is critical for executive trust and regulatory acceptance.

Industry forums and enterprise CISOs report no comparable system currently operating at this intersection of graph intelligence, AI reasoning, and live security telemetry.

Historically, risk reasoning relied on static framework mappings. Controls were assumed effective if documentation existed. Evidence was assumed valid until the next audit. Cywift’s Graph-RAG module replaces this assumption-based model with continuous verification.

Controls are evaluated based on live telemetry. Their effectiveness is inferred through graph relationships. If an identity control weakens, the system immediately recalculates downstream exposure across assets, applications, and compliance obligations.

Risk becomes dynamic.

This capability enables enterprises to move from checklist compliance toward context-rich, real-time risk intelligence.

Executive Relevance: Speaking the Language of Decisions

One of the most significant outcomes of the Graph-RAG implementation is its impact on executive communication. CISOs no longer present abstract risk scores. They present contextual narratives grounded in live system relationships.

Executives see how a change in identity governance affects regulatory exposure. Boards see how technical gaps translate into business risk. Regulators see traceable, explainable assurance. Graph-RAG turns cybersecurity from a reporting function into a decision support system.

The launch comes amid growing regulatory emphasis on outcome-based assurance, including frameworks such as DORA, NIS2, and the UK NCSC Cyber Assessment Framework, all of which require demonstrable, measurable control effectiveness.

As organisations increasingly demand real-time visibility, explainable AI, and business-aligned risk intelligence, Cywift’s Graph-RAG architecture is positioned to support the next generation of cybersecurity platforms.

A Shift in How Cybersecurity Thinks

Cywift’s Graph-RAG implementation represents a structural shift in enterprise cybersecurity.

By transforming static telemetry into a living knowledge graph and applying AI reasoning to real-time relationships, the platform introduces a new way of understanding risk.

This is not incremental improvement. It is a change in how cybersecurity reasons, explains, and supports decision-making.

As enterprises navigate increasingly complex digital environments, such intelligence-driven architectures are likely to define the next generation of cyber platforms.

About Cywift

Cywift is a UK-based cybersecurity technology company developing AI-driven platforms for cyber risk intelligence, compliance automation, and executive-level security decision support. The company operates across the UK and the Middle East, serving regulated enterprises in energy, telecom, finance, and critical infrastructure sectors.
