
Rewiring Threat Intel: How Doppel’s Graph Engine Maps Social Engineering at Scale

Most security platforms show you threats. Doppel's Threat Graph shows you how they’re connected, what they mean, and what to do about them automatically.

Ixa Gani and Tejal Reddy

Nov 20, 2025

Today we’re officially rolling out Early Access to the upgraded Doppel Threat Graph. Security teams can now move beyond alert-level correlation to see the full picture: cross-surface infrastructure and linked campaigns, automatically connected in real time. This new feature represents a new way of thinking about social engineering defense, and we’re just getting started. Stay tuned for more capabilities for deeper insight, faster disruption, and additional protection across your ecosystem. This feature is available upon request for current Doppel Vision customers. Please contact your CSM for more information.

When we set out to build the Threat Graph at Doppel, we weren’t just creating another visualization. We were building an engine. An intelligence engine designed to make sense of the most fragmented, dynamic, and increasingly weaponized corner of the internet: social engineering threats.

This wasn’t an incremental feature for Doppel; it was an ambitious shift in how security teams understand and act on threats. The Threat Graph maps not just alerts, but the intent and infrastructure behind them. This post takes you inside how we made it happen, from the perspective of Doppel engineers: Tejal Reddy and Ixa Gani.

The Problem: Endless Alerts, No Story

Before Threat Graph, Doppel’s platform ingested thousands of threat signals a day – from fake social media profiles to malicious domains and scammy ads. We could detect them. We could see them across tactics and channels and customers. We could quickly take them down and we could use learnings to become faster and smarter in general. Though we knew alerts were connected, they remained isolated incidents.

What was missing was context: an understanding of how these threats were connected, what broader attack campaigns they belonged to, and how a single threat actor might be operating across multiple brands and platforms.

“We were doing a lot of work, but we couldn’t see the full picture,” said Tejal. “Once an alert was resolved, it was out of sight, out of mind. There was no linked evidence so we were treating symptoms, not the root cause. We had no way to understand how it connected to something bigger.”

In other words, we weren’t just missing data – we were missing the narrative. A campaign isn’t a single incident; it’s a coordinated plan where attackers reuse the same tools, try different tricks, and change tactics as they go. If those pieces aren’t connected, security teams end up reacting to alerts one by one, instead of stopping the bigger campaign driving them.

The Vision: Map the Threat Actor’s Network

That gap sparked the idea of visualizing linked threats not just for Doppel, but for our customers. The idea evolved into what we now call the Threat Graph: a constantly evolving map of threat actor infrastructure and behavior, visualized as a web of threats.

“Think of it like a spiderweb,” said Ixa. “Every alert enters the system and our engine checks if it belongs on the web. But we’re not just building the web; we’re also maintaining it. Some threads get cut; others get reinforced. Our engine decides what’s worth keeping and what’s just noise.”

The Technology: A Living, Breathing Graph Engine

Built atop Doppel’s Graph-Driven Defense architecture, the Threat Graph engine ingests entities (like domains, ads, accounts, and phone numbers), parses them for indicators of compromise (IOCs), and automatically links them based on known patterns like shared infrastructure, behavior, or even HTML hashing.

How Threat Graph Works

“It’s not just a drawing,” said Tejal. “This is a live system. Every new threat we detect runs through the graph to find connections. And what’s more, it learns. We’re constantly enriching it with threat intel, analyst input, and feedback from our takedown success.”

The system focuses on delivering actionable intelligence, not just visuals. By assigning weight to connections and filtering noisy nodes, it surfaces meaningful paths that reveal true campaigns, not false positives.
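The linking, weighting and noise-filtering steps described above, as an added example that is not Doppel's code: entities are linked through shared indicators, each link is weighted by indicator type, overly common indicators are dropped as noise, and the remaining connected groups are reported as campaigns. The indicator types, weights, thresholds and sample alerts are all assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: entity -> set of (indicator_type, value) parsed from it.
ALERTS = {
    "domain:examplebank-login.test": {("ip", "203.0.113.10"), ("html_hash", "aaa111"), ("nameserver", "ns1.bulkhost.test")},
    "domain:examplebank-verify.test": {("ip", "203.0.113.10"), ("html_hash", "aaa111"), ("nameserver", "ns1.bulkhost.test")},
    "ad:4471": {("html_hash", "aaa111"), ("phone", "+1-555-0100")},
    "social:@examplebank_help": {("phone", "+1-555-0100")},
    "domain:unrelated-shop.test": {("nameserver", "ns1.bulkhost.test"), ("asn", "AS64500")},
    "domain:other-blog.test": {("nameserver", "ns1.bulkhost.test"), ("asn", "AS64500")},
}
# Assumed evidence strength per indicator type (hypothetical values).
WEIGHTS = {"html_hash": 0.9, "phone": 0.8, "ip": 0.5, "nameserver": 0.3, "asn": 0.2}
MAX_FANOUT = 3  # an indicator seen on more entities than this is treated as noise
MIN_EDGE = 0.5  # links with less combined weight are not kept

def build_edges(alerts):
    """Return {(entity_a, entity_b): weight} for pairs with enough shared evidence."""
    by_ioc = defaultdict(set)
    for entity, iocs in alerts.items():
        for ioc in iocs:
            by_ioc[ioc].add(entity)
    edges = defaultdict(float)
    for (kind, _value), entities in by_ioc.items():
        if len(entities) < 2 or len(entities) > MAX_FANOUT:
            continue  # unshared, or shared so widely it says nothing (bulk hosting)
        for a, b in combinations(sorted(entities), 2):
            edges[(a, b)] += WEIGHTS.get(kind, 0.0)
    return {pair: w for pair, w in edges.items() if w >= MIN_EDGE}

def campaigns(alerts):
    """Group entities into campaigns: connected components over the kept edges."""
    parent = {entity: entity for entity in alerts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for a, b in build_edges(alerts):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for entity in alerts:
        groups[find(entity)].add(entity)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    for members in campaigns(ALERTS):
        print(members)
```

The shared nameserver touches four entities and is discarded by the fan-out limit, and the shared ASN alone is too weak to form a link, so the two unrelated domains stay out of the campaign.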

What Makes This Different: Scale, Speed, and Story

Unlike other “threat intelligence graphs” that are often static or manually curated, Doppel’s Threat Graph is automated at scale. Because it’s purpose-built for social engineering threats and leverages the innovation at the core of Doppel's platform, it’s attuned to the nuances of impersonation, credential phishing, and misinformation campaigns across the open and dark web.

The impact?

  • Reduced L1 analyst workload through automated triage and resolution
  • Real-time visibility into threat actor infrastructure and behavior
  • Customer-facing views that show the full narrative, not just a list of alerts
  • Accelerated incident response by exposing the scope of attacks earlier
  • Continuous learning loop between detection and intelligence, in which every alert strengthens the graph

“We realized that the problem wasn’t just detection,” said Tejal. “It was context. Once we started linking alerts, we discovered that many threats we thought were isolated were actually deeply interconnected.”

Looking Ahead: Ripples, Not Just Dots

Ixa describes the Threat Graph as more than a backend system: it’s a philosophical shift. “A threat actor isn’t a dot. They’re a ripple. Every action they take sends signals outward. Our goal is to catch those ripples and trace them back to the source before they become waves.”

As we expand the Threat Graph’s capabilities, adding cross-org views, predictive analytics, and industry-wide threat campaigns, we’re building more than just a graph. We’re building a shared security network for the good guys.

Why It Matters

Most security platforms show you threats. Doppel shows you how they’re connected, what they mean, and what to do about them automatically.

That’s the power of engineering at Doppel. It’s what makes our Threat Graph not just visual, but visionary.
