Frequently Asked Questions

Product Information & Use Cases

What is FalkorDB and what problems does it solve?

FalkorDB is a high-performance, open-source graph database designed for managing complex relationships and enabling advanced AI applications. It addresses challenges such as low-latency multi-hop graph traversals, scalability for large datasets, and reliability for AI-driven workloads. FalkorDB is particularly effective for use cases like threat intelligence, agentic AI, regulatory compliance, and real-time data analysis. Learn more.

How does FalkorDB support threat intelligence and cybersecurity use cases?

FalkorDB enables organizations like Securin to model and query large-scale threat intelligence graphs, connecting entities such as CVEs, threat actors, ransomware groups, attack techniques, and assets. Its architecture allows for deep, multi-hop traversals (up to 9 hops) with sub-second latency, supporting real-time, actionable intelligence for security analysts and AI agents. See the Securin case study.

What are the main deployment patterns for FalkorDB in production?

FalkorDB supports both persistent and ephemeral deployment patterns. Persistent deployments host long-lived knowledge graphs for continuous querying, as seen in Securin's SecurinCore. Ephemeral deployments, such as FalkorDB Lite, are used for automated penetration testing, where in-memory graphs are created per engagement and discarded after use, ensuring data isolation and zero-latency startup.

How does FalkorDB handle complex multi-hop queries?

FalkorDB uses a sparse matrix representation via GraphBLAS, executing graph traversals as matrix-vector multiplications. This approach allows for efficient, low-latency execution of deep multi-hop queries (up to 9 hops) without the exponential performance degradation seen in other graph databases. In Securin's benchmarks, FalkorDB completed 7-hop queries in under 400ms.

What is FalkorDB Lite and how is it used?

FalkorDB Lite is an embedded, in-process variant of FalkorDB designed for ephemeral graph workloads, such as automated penetration testing. It creates in-memory graphs that exist only for the duration of a test, ensuring no data persists between engagements. This model provides strong data isolation and zero-latency startup, ideal for security-sensitive environments. Learn more about FalkorDB Lite.

What types of queries can FalkorDB handle in threat intelligence scenarios?

FalkorDB can handle a wide range of queries, from simple lookups (e.g., "What ransomware families do you track?") to complex, multi-hop traversals (e.g., "Show the likely exploitation chain for APT29 across 7 hops"). It supports Cypher queries for advanced graph analytics, enabling AI agents to answer nuanced security questions in real time.

How does FalkorDB's architecture contribute to its performance?

FalkorDB's architecture leverages in-memory execution, sparse matrix representation, and Cypher query compilation. By executing all operations from RAM and optimizing query plans before traversal, FalkorDB minimizes latency and maximizes throughput, even for deep, multi-hop queries. This design eliminates I/O bottlenecks and enables consistent sub-second response times.

What is the typical migration time to FalkorDB from another graph database?

In the Securin case study, the migration from a leading graph database vendor to FalkorDB took approximately two months. This included data pipeline migration, agent integration, and benchmark validation. The process was streamlined by clear documentation and responsive support from the FalkorDB team.

What feedback did Securin provide about FalkorDB's ease of use?

Securin highlighted the convenience of setup, clear documentation, smooth data loading, and responsive support during graph design and integration. These factors contributed to a straightforward migration and positive user experience. Read the full case study.

How does FalkorDB ensure data isolation and security in ephemeral deployments?

In ephemeral deployments using FalkorDB Lite, the graph is never persisted to disk. The graph's lifecycle is bounded by the process lifecycle, ensuring no residual data remains after a test. This design eliminates the need for storage layer security and guarantees strong data isolation for each engagement.

What are the measured performance results of FalkorDB in production?

In Securin's benchmark of 170 queries (0–9 hops), FalkorDB achieved an average query latency of 0.33 seconds (p95: 0.468s), a 100% success rate (170/170 queries), and reduced end-to-end agent response time from ~15 seconds to under 3 seconds. The traversal ceiling increased from 5 hops (previous vendor) to 9 hops with FalkorDB. Source: Securin internal benchmark, March 2026.

How does FalkorDB compare to relational and document databases for threat intelligence?

Relational databases struggle with multi-hop traversals due to expensive JOIN operations, and document stores lose relational context in nested structures. FalkorDB's property graph model makes relationships first-class citizens, enabling efficient, native traversals and real-time analytics for threat intelligence workloads.

What are some real-world queries enabled by FalkorDB in Securin's platform?

FalkorDB enables queries such as: "What techniques does LockBit typically use?" (1 hop), "For Microsoft Windows vulnerabilities, what are the common attack patterns and which ATT&CK tactics do they map to?" (5 hops), and "Show the likely exploitation chain for APT29" (7 hops). These queries are executed in under 400ms, supporting interactive AI agents.

How does FalkorDB impact agent response times in AI-powered security platforms?

By reducing average query latency to 0.33 seconds and supporting up to 10 graph calls per agent interaction, FalkorDB cuts total agent response time from ~15 seconds (previous vendor) to under 3 seconds, ensuring a responsive user experience and meeting production SLOs.

What is the success rate of complex queries on FalkorDB compared to other vendors?

In Securin's benchmark, FalkorDB achieved a 100% success rate (170/170 queries), while the leading graph database vendor succeeded on only 76.47% (130/170), failing on all queries beyond 5 hops. This reliability is critical for AI agent accuracy and user trust.

How does FalkorDB's open-source model benefit users?

FalkorDB's full feature set, including its high-performance execution engine and multi-tenant architecture, is available under an open-source license. This eliminates per-node pricing and enterprise tier dependencies, making advanced graph capabilities accessible to all users. View the source on GitHub.

What support and documentation are available for FalkorDB users?

FalkorDB provides comprehensive technical documentation, API references, and guides at docs.falkordb.com. Users can also access community support via Discord and GitHub Discussions, and schedule demos with solution architects for tailored advice.

How does FalkorDB's performance compare to Neo4j, AWS Neptune, TigerGraph, and ArangoDB?

FalkorDB offers up to 496x faster latency and 6x better memory efficiency compared to Neo4j, supports multi-tenancy in all plans (unlike Neo4j's premium-only feature), and is open source (unlike AWS Neptune). It also provides faster latency and more efficient memory usage than TigerGraph and ArangoDB, with flexible horizontal scaling. See detailed comparisons.

What security and compliance certifications does FalkorDB have?

FalkorDB is SOC 2 Type II compliant, ensuring it meets rigorous standards for security, availability, processing integrity, confidentiality, and privacy. This certification demonstrates FalkorDB's commitment to protecting sensitive data and maintaining operational excellence. Learn more.

What are the pricing plans for FalkorDB?

FalkorDB offers several pricing plans: a FREE tier for MVPs with community support, STARTUP starting from /1GB/month (includes TLS and automated backups), PRO from 0/8GB/month (includes cluster deployment and high availability), and ENTERPRISE with tailored pricing and features like VPC, custom backups, and 24/7 support. See pricing details.

What integrations does FalkorDB support?

FalkorDB integrates with frameworks such as Graphiti (for AI agent memory), g.v() (for knowledge graph visualization), Cognee (for mapping knowledge graphs), LangChain and LlamaIndex (for LLM integration and advanced knowledge graph applications). FalkorDB is open to new integrations—contact the team to discuss your needs. Learn more.

Does FalkorDB provide an API and technical documentation?

Yes, FalkorDB provides a comprehensive API and technical documentation, including setup guides, advanced configuration, and integration references. Access the official documentation at docs.falkordb.com.

Who are some of FalkorDB's customers?

FalkorDB is trusted by organizations such as Securin (cybersecurity intelligence), AdaptX (healthcare analytics), XR.Voyage (media and entertainment), and Virtuous AI (ethical AI development). See all case studies.

What industries are represented in FalkorDB's case studies?

FalkorDB is used in industries including cybersecurity (Securin), healthcare (AdaptX), media and entertainment (XR.Voyage), and artificial intelligence/ethical AI (Virtuous AI). Explore industry case studies.

How easy is it to get started with FalkorDB?

FalkorDB is designed for rapid deployment. Users can sign up for FalkorDB Cloud, try a free instance, run locally with Docker, or schedule a demo. Comprehensive documentation and community support are available to help you get started quickly. Get started here.

Who is the target audience for FalkorDB?

FalkorDB is designed for developers, data scientists, engineers, and security analysts working in enterprises, SaaS providers, and organizations managing complex, interconnected data in real-time or interactive environments.

What pain points does FalkorDB address for its customers?

FalkorDB addresses pain points such as trust and reliability in LLM-based applications, scalability and data management for large datasets, alert fatigue in cybersecurity, performance limitations of other graph databases, and the need for interactive, real-time data analysis.

What business impact can customers expect from using FalkorDB?

Customers can expect improved scalability, enhanced trust and reliability, reduced alert fatigue, faster time-to-market, better user experience, regulatory compliance, and support for advanced AI applications. These outcomes empower organizations to unlock the full potential of their data and achieve strategic goals. Learn more.

FalkorDB Header Menu
Back to all posts

How Securin Runs 7-Hop Threat Intelligence Queries in Under 350ms with FalkorDB

How Securin Scaled Beyond Limits to Achieve 0.3s Responses on 7-Hop Graph Traversals with FalkorDB

FalkorDB vs the leading graph database vendor

Head-to-head query performance across all queries.

Success Rate % of queries completed
Leading graph database vendor
76.47%
FalkorDB
100%
Average Mean response time
Leading graph database vendor
1.430 s
FalkorDB
0.326 s
Median p50 response time
Leading graph database vendor
1.320 s
FalkorDB
0.312 s
95th Percentile p95 tail latency
Leading graph database vendor
2.052 s
FalkorDB
0.468 s
Minimum Best single query
Leading graph database vendor
1.265 s
FalkorDB
0.297 s
Maximum Worst single query
Leading graph database vendor
2.771 s
FalkorDB
0.571 s

Internal benchmark, 170 queries (0–9 hops), same hardware, same dataset.

Securin‘s AI security agents query a large vulnerability knowledge graph 5 to 10 times per user interaction. Each query traverses up to 7 hops across interconnected CVEs, threat actors, ransomware families, attack techniques, and assets. 

Their previous graph database averaged 1.43 seconds per query and timed out completely on any traversal beyond 5 hops, a hard ceiling that made their most analytically valuable queries impossible to execute in production. 

After migrating to FalkorDB, Securin reduced average query latency to 0.33 seconds, hit 100% success across 170 benchmark queries spanning 1 to 9 hops, and cut end-to-end agent response time from ~15 seconds to under 3 seconds, clearing their 5-second production SLO with room to spare.

About Securin's Threat Intelligence Database

Continuous Attack Surface Discovery by SecurinCore
Credit: Securin.io

Securin is a cybersecurity intelligence company focused on vulnerability management, threat prioritization, and risk reduction. One of its core offerings, Securin Core, is a large-scale knowledge graph that models the relationships between CVEs, threat actors, ransomware groups, ATT&CK techniques, MITRE mitigations, products, and customer asset inventories. Security analysts and enterprise customers interact with Securin Core through AI-powered CoPilot agents, which are conversational interfaces that translate natural language security questions into multi-hop graph queries and return prioritized, actionable intelligence.

Graph Depth Were Not Optional for Cyber Threat Intelligence

Most (up-to-two JOINS) relational database performance problems are straightforward: a query is slow, you add an index, and it gets faster. Securin’s problem was structural, not indexing-related. Their intelligence questions require the agent to traverse relationships across multiple entity types in a single query. These are not exploratory queries, but the core product.
Consider the following progression of real queries Securin executes against Securin Core, ordered by hop depth:

Query Complexity

Sample Queries

Real-world graph queries ranked by traversal depth. As hop count grows, query complexity rises — and the leading graph database vendor starts failing.

  1. hops: 0

    "What ransomware families do you track in the dataset?"

  2. hops: 1

    "What techniques does LockBit typically use?"

  3. hops: 2

    "How do I mitigate LockBit — what mitigations should I prioritize?"

  4. hops: 3

    "If LockBit is active, which vendors should I prioritize patching first (based on products impacted by CVEs LockBit exploits)?"

  5. hops: 4

    "Give me Sigma rules to detect threat actors going after Microsoft Windows."

  6. hops: 5

    "For Microsoft Windows vulnerabilities, what are the common attack patterns and which ATT&CK tactics do they map to?"

  1. hops: 6

    "For Windows CVEs, recommend defense tactics and specific defensive techniques (including parent techniques) that protect what attackers go after."

  2. hops: 7

    "Show me the likely exploitation chain for APT29: what they exploit, the weakness types behind it, and the higher-level technique families/tactics involved."

  3. hops: 8

    "For a given product category (e.g., 'Endpoint Security'), show how products in that category get attacked (patterns → techniques), what artifacts are involved, and what defense tactics/techniques help."

  4. hops: 9

    "For that same product category, expand to adjacent/related artifacts too — then tell me which defensive techniques cover that broader set."

FalkorDB handles every query — from simple look-ups to 9-hop traversals — without timeouts.

A Cypher representation of the 7-hop APT29 exploitation chain query (hops 7) could look structurally like this:

MATCH (actor:ThreatActor {name: "APT29"}) -[:USES]->(technique:Technique) -[:EXPLOITS]->(cve:CVE) -[:HAS_WEAKNESS]->(cwe:CWE) -[:BELONGS_TO]->(pattern:AttackPattern) -[:MAPS_TO]->(tactic:Tactic) -[:COVERED_BY]->(mitigation:Mitigation) RETURN actor.name, technique.name, cve.id, cwe.id, pattern.name, tactic.name, mitigation.name

Each hop resolves a new entity type. The query cannot be decomposed into smaller, shallower calls without losing the relational context that makes the answer useful. The agent needs the full traversal in a single round trip, and it needs it fast, because this is one of 5 to 10 calls it makes per user interaction.

“Users would wait 15 to 20 seconds with no response, or receive explicit error messages that the agent could not retrieve information,” said Kiran Chinnagangannagari, CTO and Co-Founder of Securin. “That directly undermined trust in the AI features and had a direct negative impact on our users and business.”

Selecting the Right Database for the Objective

When Securin identified that relational databases could not model the Securin Core graph natively, they moved to a major graph db player, which is purpose-built for connected data.


The chosen graph database is a reasonable choice for many graph workloads. It handles moderate-depth traversals and eliminates database operational overhead. For Securin’s specific workload — high-frequency, deep multi-hop queries driven by an AI agent calling the database 5 to 10 times per user interaction — the graph solution hit three concrete limits:

  1. Baseline latency too high for agent-driven access patterns

    The leading graph database vendor's average query execution time was 1.43 s (p50: 1.32 s, p95: 2.05 s). A single-query latency in that range is acceptable for many use cases. For Securin's agents, which stack 5 to 10 calls per user interaction, it produces 7 to 14+ seconds of database-induced latency alone — before LLM generation time is added. The cumulative effect consistently pushed agent response times past 15 seconds.

    1.43 s Avg query time
    5–10 Calls per interaction
    > 15 s Total agent latency

  2. Hard timeout failures at 5+ hops

    The leading graph database vendor begins to experience timeout failures at queries requiring more than 5 hops. In Securin's workload, the 6‑hop through 9‑hop queries — the ones that deliver the most analytically meaningful intelligence — would simply not return. The leading graph database vendor returned no result and no partial answer; it returned a failure. The agent surfaced this as "No information found," destroying user trust.

    5 hops Failure threshold
    6–9 hops Queries that fail
    0 Partial results returned

  3. 23.5% query failure rate in benchmark testing

    In an internal benchmark of 170 queries run on the same hardware under identical conditions, the leading graph database vendor succeeded on 130 and failed on 40 — a success rate of 76.47%. Running a database in production with a one‑in‑four failure rate on complex queries is not a reliability trade‑off — it is an architectural constraint that caps what the product can deliver.

    170 Queries tested
    40 Failed
    76.47% Success rate

Why Graph is the Right Model for Threat Intelligence

Before examining FalkorDB’s architecture, it is worth being explicit about why a graph database is the correct choice for this workload,  and why the hop-depth problem is inherent to the domain, not an artifact of poor data modeling.

Cyber threat intelligence is fundamentally relational. A CVE does not exist in isolation: it has a severity score, it is exploited by specific threat actors, those actors use specific ATT&CK techniques, those techniques require specific system artifacts to execute, those artifacts are present in specific product versions, and those product versions exist in specific customer environments. Answering “Is my organization at risk from APT29 right now?” requires connecting all of those facts. In a relational model, this becomes a series of expensive JOINs across large tables.

In a document store, it collapses the context into nested structures that break traversal. A property graph model makes these relationships first-class citizens of the data structure, enabling Cypher queries to traverse them natively.

The challenge is that not every graph database handles this traversal pattern with equal efficiency, particularly at the latency requirements imposed by an interactive AI agent.

FalkorDB's Architecture: Why Traversal Performance Differs

FalkorDB’s performance on deep multi-hop traversals follows directly from its internal architecture.

Sparse matrix representation via GraphBLAS

FalkorDB represents the graph as sparse adjacency matrices using the GraphBLAS linear algebra library. Graph traversals are executed as sparse matrix operations (matrix-vector multiplications) rather than as pointer-following or index lookups. Multi-hop traversal maps directly to repeated matrix multiplications, which GraphBLAS executes using highly optimized, BLAS-standard linear algebra operations. This means that adding hops to a query does not dramatically increase execution cost the way it does in systems that traverse edges one at a time through memory indirection.

In-memory execution model

FalkorDB holds the full graph in memory and executes all operations from RAM. There is no network round-trip to a storage layer per traversal step. Majority of other graph databases introduce I/O between the compute tier and the storage engine for each traversal. At the latencies Securin requires, this I/O overhead is not negligible, it contributes directly to 1.43-second/query latency on average and its inability to complete deep traversals within timeout thresholds.

Cypher query compilation

FalkorDB compiles Cypher queries into an execution plan that operates over the matrix representation. The planner optimizes traversal order and pushes filters down before the traversal begins, reducing the working set at each hop. The compiled plan is then executed in a single pass through the graph, without re-parsing or re-planning between hops.

falkordb-sparse-matrix-multiplication
Example of matrix-vector multiplications

Two Deployment Patterns: Persistent Intelligence Graph and Ephemeral Pen Test Graphs

Securin runs FalkorDB in two distinct configurations, each serving a different product requirement.

Persistent Graph: SecurinCore Knowledge Base

The primary deployment is a persistent FalkorDB instance hosting the full SecurinCore knowledge graph. This graph contains all vulnerability intelligence data: CVEs, threat actor profiles, ransomware family relationships, ATT&CK techniques, mitigations, MITRE patterns, Sigma rules, and customer asset mappings. The AI CoPilot agents query this graph continuously during user sessions.

A representative Cypher query for a 4-hop Sigma rule lookup looks like this:

MATCH (actor:ThreatActor) -[:USES]->(technique:Technique) -[:TARGETS]->(product:Product {name: "Microsoft Windows"}) -[:HAS_CVE]->(cve:CVE) -[:DETECTED_BY]->(sigma:SigmaRule) RETURN actor.name, technique.name, cve.id, sigma.rule_name, sigma.content ORDER BY actor.name

The persistent graph is updated as new threat intelligence data is ingested, and the agents query it live. Latency on this graph directly determines whether the product meets its SLO.

Ephemeral Graphs: Automated Penetration Testing

The second deployment uses FalkorDB Lite, FalkorDB’s embedded, in-process variant. For automated penetration testing, Securin builds a temporary graph of a specific customer environment (network topology, asset inventory, exposed services) at the start of each engagement. The graph exists only in memory for the duration of the operation. When the test completes, the process terminates and the graph is scraped. No customer environment data is written to disk and no data persists between engagements.

Why It Matters

Two Properties That Define the Security Posture

This pattern delivers two specific properties that matter for Securin's security posture.

  1. Data Isolation by Design

    Because the graph is never persisted, there is no storage layer to secure, no snapshot to audit, and no residual data to manage. The graph lifecycle is bounded by the process lifecycle.

  2. Zero-Latency Startup

    FalkorDB Lite initializes the in-memory graph from ingested environment data at the start of each test run. There is no remote connection to establish, no cluster to provision, and no cold-start delay waiting for a managed service.

For automated penetration testing, where each engagement operates against a distinct customer environment and customer data must not commingle or persist, this ephemeral graph model is architecturally correct in a way that a persistent managed graph service cannot replicate.

From Decision to Production

The migration from the previous graph database to FalkorDB took approximately two months. This included data pipeline migration, , agent integration, and benchmark validation.

“The convenience of just setting it up and running it stood out,” said Aviral Verma, Head of Research and Threat Intelligence at Securin. “Clear documentation, smooth data loading, and responsive support from the FalkorDB team during graph design and integration made the process straightforward.”

Securin also noted that FalkorDB’s full feature set is available under an open-source license. Features that are gated behind commercial licenses in some graph databases, including the performance-critical execution engine and multitenant architecture, are available to Securin without per-node pricing or enterprise tier dependencies.

Measured Results

170 queries, 0–9 hop depths, production workload.

1.43 s 0.33 s 4.4x

Query Latency

Average drops from 1.430 s to 0.326 s. p95 is 0.468 s. At 10 graph calls per agent interaction, cumulative p95 latency is ~4.7 s versus the leading graph database vendor's ~20.5 s — a 15-second difference at the tail.

5 hops 9 hops +4

Traversal Ceiling

The leading graph database vendor timed out at 5+ hops, blocking 6–9 hop queries entirely — exploitation chain analysis, cross-product defense mapping, full ATT&CK tactic coverage. FalkorDB runs all of them with a flat latency profile. The 7-hop APT29 chain completes in under 400 ms.

76.47% 100% 0 failures

Query Success Rate

Leading graph database vendor: 130/170 succeeded, 40 failed. FalkorDB: 170/170 succeeded, 0 failed. Eliminating the failure rate removed the primary source of agent hallucination and "no information found" errors in production.

~15 s ~3 s 5x

Agent Response Time (E2E)

10 calls × 1.43 s = ~14.3 s graph time on the leading graph database vendor. 10 calls × 0.33 s = ~3.3 s on FalkorDB. Total agent response drops from ~15 s to ~3 s, clearing the 5-second production SLO.

This case study is based on an internal benchmark conducted by Securin on the same hardware, using the same dataset and query set to evaluate FalkorDB.

Picture of Roi Lipman

Roi Lipman

Roi Lipman serves as CTO at FalkorDB, leading the development of ultra-low-latency graph database platforms for generative AI and retrieval-augmented generation (RAG) workflows. He brings over 20 years of database engineering expertise from roles at Forter, StreamRail, Maglan, AVG and the Israel Intelligence Corps. As creator and lead architect of RedisGraph for the past eight years, he optimized Cypher-based knowledge graph performance for enterprise-scale AI applications.