Blueprint: security validation
Pentest agents that leave an auditable evidence trail.
Use RushDB as the shared evidence graph for authorized security testing: ASSESSMENT_RUN scope, TARGET records, FINDING and EVIDENCE entries, LOG_EVENT records tagged by tactic and severity, triage state, and defensive dashboards all stay queryable from one datasource. A finding like finding-017 stays linked to its evidence and to related log events instead of scattering across report drafts.
The authorized pentest and red-team evidence blueprint uses RushDB to store ASSESSMENT_RUN, TARGET, FINDING, EVIDENCE, and LOG_EVENT records from sanctioned sandbox testing in one queryable graph, so security teams can triage, visualize, and report from a single defensive datasource.
Security validation falls apart when findings and logs split.
A pentest agent can produce a useful FINDING like finding-017, but the value disappears once that finding lives in a report draft, its supporting LOG_EVENT data lives in a separate logging system, and red-team replay data becomes a disconnected dashboard nobody reconciles. When severity is high and status is still open, the security team needs one place to see the finding, the evidence backing it, and the related log-884 privilege-misuse events without stitching three tools together during triage.
Before
- Agent notes, screenshots, and logs stored in separate tools
- Findings copied into reports without durable evidence links
- Red-team event views rebuilt from a different datasource
- Triage state tracked outside the testing record
With RushDB
- Authorized sandbox scope, targets, findings, evidence, and logs stored as records
- Findings stay linked to supporting evidence and related log events
- Breach-abuse visualization reads the same RushDB datasource
- Triage dashboards use filters, select, groupBy, and relationship queries
Graph intelligence on ingest
Incoming data becomes queryable graph context.
ASSESSMENT_RUN payloads nest TARGET, FINDING, EVIDENCE, and LOG_EVENT records as sandbox agents produce them. RushDB types severity, status, and tactic on arrival, so a finding like finding-017 stays queryable by severity while its nested EVIDENCE and sibling LOG_EVENT entries remain traversable from the same assessmentRunId.
01
Normalize as data arrives
FINDING, EVIDENCE, and LOG_EVENT records are typed on ingest so severity, status, and tactic are immediately filterable for triage dashboards.
02
Auto-link nested structure
When an ASSESSMENT_RUN payload nests TARGET, FINDING, and LOG_EVENT arrays, those become traversable relationships instead of flat unlinked rows.
03
Enrich scattered sources
Suggested relationship analysis surfaces shared assessmentRunId and targetId keys across FINDING and LOG_EVENT records so triage views can group by tactic and severity.
Suggested relationship analysis requires an LLM configured for the project. Suggestions stay in draft form until you approve them, so inferred domain meaning never mutates the graph silently. You can also add explicit relationships through the SDK or API.
Review suggested relationship patternsData model
One flexible graph for the workflow.
Start with the payload shape your product already produces. RushDB stores it as Records, infers typed properties, and keeps nested or approved domain relationships queryable.
The graph keeps scope, findings, evidence, logs, controls, and triage connected for defensive review.
{
"assessmentRunId": "rt-sandbox-42",
"environment": "sandbox",
"authorizationId": "auth-2026-06",
"TARGET": [{
"targetId": "web-app-sandbox",
"systemType": "training-web-app",
"FINDING": [{
"findingId": "finding-017",
"category": "access-control",
"severity": "high",
"status": "open",
"EVIDENCE": [{ "evidenceId": "ev-017", "kind": "log_summary" }]
}],
"LOG_EVENT": [{ "eventId": "log-884", "tactic": "privilege-misuse", "severity": "high" }]
}]
}Working example
Commit a finding. Visualize the related abuse events.
An authorized sandbox agent records one access-control finding with evidence. The red-team UI reads open findings and groups related log events by tactic and severity.
ASSESSMENT_RUN rt-sandbox-42
TARGET web-app-sandbox
FINDING finding-017 severity: high status: open
EVIDENCE ev-017 kind: log
LOG_EVENT log-884 tactic: privilege-misuse severity: high{
"labels": ["LOG_EVENT"],
"where": {
"ASSESSMENT_RUN": { "assessmentRunId": "rt-sandbox-42" }
},
"select": { "events": { "$count": "$record" } },
"groupBy": ["$record.tactic", "$record.severity"],
"orderBy": { "events": "desc" }
}[
{ "tactic": "privilege-misuse", "severity": "high", "events": 12 },
{ "tactic": "suspicious-session", "severity": "medium", "events": 7 }
]TypeScript SDK
Commit findings and query abuse telemetry from one graph.
The agent writes only authorized sandbox observations. The same RushDB records power evidence review, red-team event visualization, and defensive reporting.
from rushdb import RushDB
db = RushDB('RUSHDB_API_KEY')
db.records.import_json({
'label': 'ASSESSMENT_RUN',
'data': {
'assessmentRunId': 'rt-sandbox-42',
'environment': 'sandbox',
'authorizationId': 'auth-2026-06',
'TARGET': [{
'targetId': 'web-app-sandbox',
'systemType': 'training-web-app',
'FINDING': [{
'findingId': 'finding-017',
'severity': 'high',
'category': 'access-control',
'status': 'open',
'summary': 'Test principal reached an admin-only workflow in the sandbox.',
'EVIDENCE': [{'evidenceId': 'ev-017', 'kind': 'log', 'summary': 'Correlated sandbox logs and UI state.'}],
}],
'LOG_EVENT': [{'eventId': 'log-884', 'tactic': 'privilege-misuse', 'severity': 'high'}],
}],
},
})
open_findings = db.records.find({
'labels': ['FINDING'],
'where': {'ASSESSMENT_RUN': {'assessmentRunId': 'rt-sandbox-42'}, 'status': 'open'},
'limit': 50,
})Implementation blueprint
Build the authorized security-validation path.
Use this sequence to keep pentest findings, evidence, triage, and red-team visualization grounded in one defensive datasource.
- 01Define authorized ASSESSMENT_RUN scope and sandbox targets
- 02Import TARGET, FINDING, EVIDENCE, LOG_EVENT, CONTROL, and TRIAGE records
- 03Attach findings to evidence and related log events
- 04Group breach-abuse events by tactic, severity, target, and control
- 05Render the UI from RushDB queries over the same records used for reporting
Build path
- Restrict ingestion to authorized sandbox assessments and approved red-team exercises.
- Keep FINDING records linked to EVIDENCE and LOG_EVENT records.
- Use dashboards for defensive triage, control validation, and reporting.
- Do not store exploit payloads or operational abuse instructions in the public workflow.
Relevant docs
Read the exact primitives behind this pattern.
These links point to the RushDB docs pages that map directly to this blueprint: ingestion, labels, properties, values, SearchQuery, relationships, semantic search, MCP, or deployment.
Relationships API
Attach findings to evidence, controls, targets, triage records, and related log events.
Open docsSelect expressions
Aggregate defensive telemetry by tactic, severity, target, control coverage, or triage status.
Open docsSuggested relationship patterns
Review relationship suggestions for scattered security data without silently mutating graph meaning.
Open docsHow it works
Build the smallest useful workflow first.
01
Record authorized scope
Store assessment authorization, sandbox boundaries, targets, and allowed test windows before any agent writes findings.
02
Commit evidence as records
Write findings, evidence summaries, triage state, controls, and log events as connected records instead of scattered report notes.
03
Visualize from the same graph
Use one datasource for breach-abuse timelines, severity breakdowns, affected targets, and remediation status.
Know where it fits.
Authorized defensive scope only
This pattern is for sanctioned sandbox testing, red-team exercises, control validation, and defensive reporting. It does not describe exploit execution or unauthorized activity.
Evidence beats agent prose
The useful output is not a confident agent paragraph. It is a finding linked to evidence, logs, affected targets, triage state, and a remediation owner.
Questions developers ask.
Next step
Start with one focused workflow.
Related use cases
Explore all use casesVulnerability and asset risk graph
Connect assets, CVEs, and patch status so security teams can query which critical vulnerabilities touch internet-facing systems.
Explore the risk graphAgentic automation
Run resumable workflows with durable goals, steps, approvals, and tool output.
Explore agentic automationMulti-agent incident response
Coordinate a live SaaS incident through shared, durable graph memory.
Explore the incident war room