Why Awake?

Improve productivity tenfold with our Security Knowledge Graph™ data model
that puts the analyst first, answering the questions they need to do their jobs.


Richard Noguera

CISO at Gap, Inc.

From operations to stores to ecommerce, our digital strategy is transforming our business. And security is foundational to our strategy. We are continuously looking at the latest techniques and technologies for rapid threat detection and response. Our partnership with the Awake team has allowed us to provide our feedback while engaging with world-class investigators and security professionals to help design and build their solution—a truly refreshing approach.

Awake in a nutshell

  • Uses network data to see all the real-world entities (like devices, users and domains) in the environment, not just those covered by log or agent data.
  • Uniquely builds the Security Knowledge Graph™ data model, a high-fidelity, comprehensive map of entities, along with the security profile of each entity—notable characteristics such as software versions, entity behaviors, activities and relationships.
  • Gives not only real-time but also an accumulating historical view of entities and their behaviors.
  • Uses continually-running analytics to automate what expert analysts do, enriching the Security Knowledge Graph:
    • EntityIQ™ surfaces notable entities and behaviors, and identifies related entities with similar behavior
    • ActivityIQ™ automates the task of extracting security-relevant activities for a given entity and building an investigative timeline.
  • Enables analyst workflow through a rich and responsive user interface with queries that can search in seconds, the properties and behaviors of entities or attributes of underlying bulk data, or both; and that anticipates analyst questions to support rapid pivoting and exploration.

Answering questions that others cannot

Awake spans the gap between the low-level data analysts are forced to work with today and the high-level concepts they actually need to focus on. The Security Knowledge Graph data model shows, for example, when devices arrive and leave and how they move around the network, and constantly gathers data to infer their characteristics.

Awake also enables the analyst to move fluidly between low-level data and the high-level view of the related entities. If given an alert containing an IP address, EntityIQ allows the analyst to immediately identify the device and any notable behaviors it exhibited at the time of the alert. The analyst can also dive down and see detailed timelines of these behaviors with the actual network transactions using ActivityIQ. Importantly, Awake allows searches using any combination of the entity data from the Security Knowledge Graph and the low-level raw data points.

To give a concrete example, suppose an analyst has intelligence that devices of a particular operating system version are targeted by a watering hole web site. In Awake, a single query can produce, in seconds, a list of just those devices running that OS version that have also visited the web site. To do this, the system filters devices by the OS version, then collates all historical network sessions from these devices that involved the website. Awake accounts for the fact that each such device may have had many different IP addresses over time and these IP addresses may also have been used by other, irrelevant devices at other times.

Awake Security™: Under the Hood

The Awake Advanced Security Analytics Solution has to ingest raw data at high speeds, extract signal from that data to identify and track the entities in the environment to build the Security Knowledge Graph, then store it all in a way that can be queried flexibly and quickly by analysts. Additionally, it must support analytics like EntityIQ and ActivityIQ that provide deeper insight into the entities’ behavior. The input data can arrive at volumes that exceed traditional solutions like SIEM by an order of magnitude.

awake security under the hood

Awake, therefore, developed a custom-built analytics stack, built on recent innovations in networking, machine learning and data science, to produce a few key components:

In real time, this component processes incoming data, identifying and tracking entities. Thus, this builds the foundation of the Security Knowledge Graph. In addition, it performs pre-correlation, linking each data point with its associated entities, as it is ingested.

This foundational component supports integrated graph, structured and unstructured data, with optimizations for columnar storage and time series. This stores all data flowing into the system, whether raw packets (unstructured), extracted signal (structured), or deduced graph structure such as the Security Knowledge Graph. Because of the Entity Pre-Correlation Engine, the data in the Multi-Model Data Store is already associated with relevant entities.
This uses custom indexing and work sharing technology to support low-latency queries across large multi-model data sets, while providing interactive response and supporting queries for time series and faceted search.

Awake’s continually running analytics (EntityIQ™and ActivityIQ™ in our current version) derive views that integrate graph and pre-correlated bulk data by applying techniques from the field of knowledge discovery and scalable unsupervised machine learning. Because Awake pre-correlates data with entities as it is ingested into the system, it is possible to build analytics, like EntityIQ and ActivityIQ, that look at all the data associated with given entities to draw broader or even organization-wide conclusions, which previous approaches could not achieve.

Awake extracts the full set of signals used by expert investigators to deduce attributes like software versions, user behavior, hardware characteristics and business function, among many others. Existing solutions that parse network traffic do not extract the full range of signals, and those based on log or endpoint data have the disadvantage of incomplete sources.


Existing solutions cannot integrate graph and structured sources, limiting the queries analysts can formulate. These solutions also only perform correlation among data points and the relevant entities at query time, which makes the queries slow and sometimes requires the analyst to create individual sub-queries. The entire process can take hours for queries that return in seconds with Awake.

Awake can do this, supporting a full range of queries with interactive response, because of the custom-built analytics stack as described above. The stack is tuned to run with high performance on a single node, while also based on an architecture that supports scale-out across multiple nodes to accommodate future growth.

Devices not IP addresses

People not packets

Data not protocols

Activities not sessions

Ready to try Awake?

Detect, investigate and hunt for insider attacks, lateral movement, corporate espionage and data exfiltration, benefiting from Awake's 2+ years of research with hundreds of security professionals.