Blueprint: security validation

Pentest agents that leave an auditable evidence trail.

Use RushDB as the shared evidence graph for authorized security testing: ASSESSMENT_RUN scope, TARGET records, FINDING and EVIDENCE entries, LOG_EVENT records tagged by tactic and severity, triage state, and defensive dashboards all stay queryable from one datasource. A finding like finding-017 stays linked to its evidence and to related log events instead of scattering across report drafts.

The authorized pentest and red-team evidence blueprint uses RushDB to store ASSESSMENT_RUN, TARGET, FINDING, EVIDENCE, and LOG_EVENT records from sanctioned sandbox testing in one queryable graph, so security teams can triage, visualize, and report from a single defensive datasource.

Security validation falls apart when findings and logs split.

A pentest agent can produce a useful FINDING like finding-017, but the value disappears once that finding lives in a report draft, its supporting LOG_EVENT data lives in a separate logging system, and red-team replay data becomes a disconnected dashboard nobody reconciles. When severity is high and status is still open, the security team needs one place to see the finding, the evidence backing it, and the related log-884 privilege-misuse events without stitching three tools together during triage.

Before

  • Agent notes, screenshots, and logs stored in separate tools
  • Findings copied into reports without durable evidence links
  • Red-team event views rebuilt from a different datasource
  • Triage state tracked outside the testing record

With RushDB

  • Authorized sandbox scope, targets, findings, evidence, and logs stored as records
  • Findings stay linked to supporting evidence and related log events
  • Breach-abuse visualization reads the same RushDB datasource
  • Triage dashboards use filters, select, groupBy, and relationship queries

Graph intelligence on ingest

Incoming data becomes queryable graph context.

ASSESSMENT_RUN payloads nest TARGET, FINDING, EVIDENCE, and LOG_EVENT records as sandbox agents produce them. RushDB types severity, status, and tactic on arrival, so a finding like finding-017 stays queryable by severity while its nested EVIDENCE and sibling LOG_EVENT entries remain traversable from the same assessmentRunId.

01

Normalize as data arrives

FINDING, EVIDENCE, and LOG_EVENT records are typed on ingest so severity, status, and tactic are immediately filterable for triage dashboards.

02

Auto-link nested structure

When an ASSESSMENT_RUN payload nests TARGET, FINDING, and LOG_EVENT arrays, those become traversable relationships instead of flat unlinked rows.

03

Enrich scattered sources

Suggested relationship analysis surfaces shared assessmentRunId and targetId keys across FINDING and LOG_EVENT records so triage views can group by tactic and severity.

Suggested relationship analysis requires an LLM configured for the project. Suggestions stay in draft form until you approve them, so inferred domain meaning never mutates the graph silently. You can also add explicit relationships through the SDK or API.

Review suggested relationship patterns

Data model

One flexible graph for the workflow.

Start with the payload shape your product already produces. RushDB stores it as Records, infers typed properties, and keeps nested or approved domain relationships queryable.

Schema sketch
Authorized assessment payload

The graph keeps scope, findings, evidence, logs, controls, and triage connected for defensive review.

{
  "assessmentRunId": "rt-sandbox-42",
  "environment": "sandbox",
  "authorizationId": "auth-2026-06",
  "TARGET": [{
    "targetId": "web-app-sandbox",
    "systemType": "training-web-app",
    "FINDING": [{
      "findingId": "finding-017",
      "category": "access-control",
      "severity": "high",
      "status": "open",
      "EVIDENCE": [{ "evidenceId": "ev-017", "kind": "log_summary" }]
    }],
    "LOG_EVENT": [{ "eventId": "log-884", "tactic": "privilege-misuse", "severity": "high" }]
  }]
}

Working example

Commit a finding. Visualize the related abuse events.

An authorized sandbox agent records one access-control finding with evidence. The red-team UI reads open findings and groups related log events by tactic and severity.

Input
ASSESSMENT_RUN rt-sandbox-42
  TARGET web-app-sandbox
  FINDING finding-017 severity: high status: open
  EVIDENCE ev-017 kind: log
  LOG_EVENT log-884 tactic: privilege-misuse severity: high
Query
{
  "labels": ["LOG_EVENT"],
  "where": {
    "ASSESSMENT_RUN": { "assessmentRunId": "rt-sandbox-42" }
  },
  "select": { "events": { "$count": "$record" } },
  "groupBy": ["$record.tactic", "$record.severity"],
  "orderBy": { "events": "desc" }
}
Result
[
  { "tactic": "privilege-misuse", "severity": "high", "events": 12 },
  { "tactic": "suspicious-session", "severity": "medium", "events": 7 }
]

TypeScript SDK

Commit findings and query abuse telemetry from one graph.

The agent writes only authorized sandbox observations. The same RushDB records power evidence review, red-team event visualization, and defensive reporting.

from rushdb import RushDB

db = RushDB('RUSHDB_API_KEY')

db.records.import_json({
    'label': 'ASSESSMENT_RUN',
    'data': {
        'assessmentRunId': 'rt-sandbox-42',
        'environment': 'sandbox',
        'authorizationId': 'auth-2026-06',
        'TARGET': [{
            'targetId': 'web-app-sandbox',
            'systemType': 'training-web-app',
            'FINDING': [{
                'findingId': 'finding-017',
                'severity': 'high',
                'category': 'access-control',
                'status': 'open',
                'summary': 'Test principal reached an admin-only workflow in the sandbox.',
                'EVIDENCE': [{'evidenceId': 'ev-017', 'kind': 'log', 'summary': 'Correlated sandbox logs and UI state.'}],
            }],
            'LOG_EVENT': [{'eventId': 'log-884', 'tactic': 'privilege-misuse', 'severity': 'high'}],
        }],
    },
})

open_findings = db.records.find({
    'labels': ['FINDING'],
    'where': {'ASSESSMENT_RUN': {'assessmentRunId': 'rt-sandbox-42'}, 'status': 'open'},
    'limit': 50,
})

Implementation blueprint

Build the authorized security-validation path.

Use this sequence to keep pentest findings, evidence, triage, and red-team visualization grounded in one defensive datasource.

  1. 01Define authorized ASSESSMENT_RUN scope and sandbox targets
  2. 02Import TARGET, FINDING, EVIDENCE, LOG_EVENT, CONTROL, and TRIAGE records
  3. 03Attach findings to evidence and related log events
  4. 04Group breach-abuse events by tactic, severity, target, and control
  5. 05Render the UI from RushDB queries over the same records used for reporting

Build path

  • Restrict ingestion to authorized sandbox assessments and approved red-team exercises.
  • Keep FINDING records linked to EVIDENCE and LOG_EVENT records.
  • Use dashboards for defensive triage, control validation, and reporting.
  • Do not store exploit payloads or operational abuse instructions in the public workflow.

How it works

Build the smallest useful workflow first.

01

Record authorized scope

Store assessment authorization, sandbox boundaries, targets, and allowed test windows before any agent writes findings.

02

Commit evidence as records

Write findings, evidence summaries, triage state, controls, and log events as connected records instead of scattered report notes.

03

Visualize from the same graph

Use one datasource for breach-abuse timelines, severity breakdowns, affected targets, and remediation status.

Know where it fits.

Authorized defensive scope only

This pattern is for sanctioned sandbox testing, red-team exercises, control validation, and defensive reporting. It does not describe exploit execution or unauthorized activity.

Evidence beats agent prose

The useful output is not a confident agent paragraph. It is a finding linked to evidence, logs, affected targets, triage state, and a remediation owner.

Questions developers ask.