Grapl is built first and foremost as a pluggable platform. Grapl runs on AWS, which means you can easily spin up new resources, such as SQL databases or KV stores, to augment your analytics.
Grapl’s plugin system lets you add your own graph constructs, extending Grapl to clean any of the data you provide to it and to build out powerful new analytics on top.
Plugins like Grapl’s Inter-Process Communication or OS User plugins can be used easily to create new, powerful analyzers and investigation tools.
Here you can see the IPC plugin at work, detecting a suspicious communication to ssh-agent, indicating an agent hijacking attack.
Using plugins is a first-class experience: here you can see the query used to find non-ssh IPC to ssh-agent or sshd.
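The detection described above (non-ssh IPC to ssh-agent or sshd), written as an added example in plain Python; it is not Grapl's query API or plugin code. The event format, field names, function names and sample records are assumptions constructed for illustration.

```python
# Constructed sample telemetry (hypothetical key=value format, not a Grapl schema).
PROCESS_EVENTS = """\
pid=410 name=sshd
pid=812 name=ssh-agent
pid=1501 name=ssh
pid=1777 name=python3
pid=1802 name=curl
"""
IPC_EVENTS = """\
src=1501 dst=812
src=1777 dst=812
src=1802 dst=410
src=1501 dst=410
src=1777 dst=1802
src=9999 dst=812
"""

def parse_kv(text):
    """Parse lines of space-separated key=value fields into dicts."""
    return [dict(field.split("=", 1) for field in line.split())
            for line in text.splitlines() if line.strip()]

def build_graph(process_text, ipc_text):
    """Return (nodes, edges): process nodes keyed by pid, IPC edges as (src, dst)."""
    nodes = {int(r["pid"]): r["name"] for r in parse_kv(process_text)}
    edges = [(int(r["src"]), int(r["dst"])) for r in parse_kv(ipc_text)]
    return nodes, edges

def non_ssh_ipc_to_ssh_services(nodes, edges,
                                targets=frozenset({"ssh-agent", "sshd"}),
                                allowed=frozenset({"ssh"})):
    """Flag IPC edges whose receiver is an SSH service and whose sender is not ssh.

    A sender pid with no matching process node is reported as "<unknown>" and
    flagged, so missing process telemetry cannot hide a connection.
    """
    hits = []
    for src, dst in edges:
        src_name = nodes.get(src, "<unknown>")
        dst_name = nodes.get(dst)
        if dst_name in targets and src_name not in allowed:
            hits.append((src, src_name, dst, dst_name))
    return hits

if __name__ == "__main__":
    for hit in non_ssh_ipc_to_ssh_services(*build_graph(PROCESS_EVENTS, IPC_EVENTS)):
        print("suspicious IPC: %d (%s) -> %d (%s)" % hit)
```

The `allowed` set defaults to `ssh` only, matching the "non-ssh" condition above; other legitimate agent clients such as `ssh-add` can be added to it to reduce noise.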