ARBITER VAULT — CROSS-MODAL EVIDENCE LINKING & GRAPH INTELLIGENCE

The connections that
solve cases are the
connections no one sees.

Network analysis identifies criminal leaders with 92% accuracy — a precision that manual investigation rarely achieves. But the relationships must first be discovered. That is what the graph does. It finds the invisible thread between a face, a voice, a plate, and a phone — and pulls.

CORRELATING
GRAPH NODES
14,847
people, vehicles, phones, locations, accounts
GRAPH EDGES
47,291
connections derived from evidence correlation
HIDDEN LINKS FOUND
1,847
connections invisible to manual investigation
NETWORKS MAPPED
3
criminal structures with hierarchy identified
03:41:02 TEMPORAL Temporal cluster detected — 4 evidence items within 8-minute window · BWC footage (09:14) + 911 call (09:16) + LPR capture (09:18) + ShotSpotter alert (09:22) · Same incident, 4 sources
03:41:04 SPATIAL Spatial co-occurrence — Person A (CCTV cam 7) and Vehicle B (LPR east) within 200m at 3 overlapping timestamps across 3 days · Pattern: pre-positioned vehicle
03:41:06 ENTITY Entity resolved — "Mike R." in transcript #47 + "Miguel Rodriguez" in phone contacts + "M. Rodriguez" on lease document = same individual · Confidence: 94.7%
03:41:08 BIOMETRIC Voice × face cross-match — Voice print from 911 call matches speaker in interview recording · Face from CCTV matches RE-ID in BWC footage · Same person across 3 modalities
03:41:10 GRAPH Graph topology updated — 14,847 nodes · 47,291 edges · Betweenness centrality identified 2 previously unknown intermediaries connecting 3 operational cells
03:41:11 NETWORK Criminal network mapped — 3-cell structure identified · Hierarchy: 2 leaders, 5 lieutenants, 12 operatives, 28 associates · Command-and-control paths traced through phone and financial data
03:41:12 ANOMALY Pattern anomaly flagged — Node 847 (unidentified phone) connects to all 3 cells but appears in no direct surveillance · High betweenness, low visibility = potential cutout or handler
03:41:13 PROVENANCE All 47,291 edges provenance-tagged — Each link traceable to source detection(s) · Correlation method, confidence score, and evidence item IDs documented · Court-ready
14,847 nodes. 47,291 connections. 1,847 links invisible to manual investigation. Three criminal networks mapped. Every edge traceable to its source evidence.
THE CONNECTION CRISIS
92%
Accuracy of network analysis in identifying criminal leaders — a precision manual investigation rarely achieves
FBI Law Enforcement Bulletin
7M
Crime records in the Chicago dataset used to validate graph-based criminal intelligence analysis at operational scale
GraphAware / Chicago PD Study, 2025
Effective analyst capacity gained through knowledge graph adoption — equivalent to adding two analysts to a team
Policing Insight, 2024
Silos
Mountains of data from disconnected databases remain the primary barrier to discovering criminal connections
Cognyte Intelligence Report, 2025
THE GRAPH IMPERATIVE

Evidence does not exist
in isolation. Crime does
not happen in isolation.

A face appears in CCTV footage from a gas station at 9:14 PM. A 911 call is placed from the same gas station's payphone at 9:16 PM. A license plate is captured by an LPR camera two blocks east at 9:18 PM. A ShotSpotter acoustic event registers gunfire three blocks north at 9:22 PM. Four evidence items. Four different systems. Four different file formats. In most investigations, these items sit in four separate databases, reviewed by four different analysts, at four different times. The connection between them — the connection that places a specific person at a specific location minutes before a shooting, with a vehicle that fled through a specific route — is never discovered. Not because it does not exist, but because no system is looking for it.

The FBI Law Enforcement Bulletin acknowledged that manual examination of social networks remains "difficult, time-consuming, and arbitrary, making it more prone to error." Network analysis using graph algorithms achieves 92% accuracy in identifying criminal leaders. Knowledge graph adoption has been measured as a force multiplier equivalent to adding two analysts to an investigative team. The GraphAware implementation study validated this approach against 7 million real crime records from the Chicago Police Department — not synthetic data, but the messy, incomplete, and complex information that characterizes real criminal investigations.

Vault's Graph Intelligence engine transforms isolated evidence items into a living network of connections. Every detection produced by the AI Analysis layer — every face, voice, vehicle, phone, location, name, and financial transaction — becomes a node in the evidence graph. The Graph Intelligence engine then searches for edges — connections between nodes across time, space, identity, and modality. A face in video connected to a voice in audio. A phone at a GPS coordinate connected to a vehicle at the same location. A name spoken in a transcript connected to a name in a financial record. The graph does not hypothesize these connections. It discovers them — mathematically, across the entire evidence corpus, in seconds. And every edge it discovers is traceable to the specific evidence items and detections that produced it.

PLATFORM ARCHITECTURE

Eight engines.
Connected intelligence.

From temporal correlation to network topology analysis, every connection discovered, scored, provenance-tagged, and court-defensible.

ENGINE 01
Temporal Correlation Engine
Discovery of evidence items occurring within configurable time windows across different sources — linking events that happened at the same time but were captured by different systems in different formats.
8-minute temporal clusters detected across 14 source types · Configurable time windows per case type

Time is the most fundamental correlator in criminal investigation. Events that happen close together in time are more likely to be related than events separated by hours or days. But when evidence is captured by different systems — body-cam footage timestamped by the camera's internal clock, 911 recordings timestamped by the dispatch system, LPR captures timestamped by the reader's GPS-synchronized clock, and ShotSpotter events timestamped by acoustic triangulation — the timestamps may differ by seconds or minutes due to clock drift, timezone configuration, and processing delay. Manual correlation requires an analyst to mentally align these timelines, adjusting for clock differences, and scan across sources for co-occurring events. The Temporal Correlation Engine automates this alignment and correlation at scale. First, it normalizes all timestamps across the evidence corpus to a unified time reference, correcting for timezone differences, clock drift (estimated from metadata patterns), and known processing delays for each source type. Then it scans the entire corpus for temporal clusters — groups of evidence items whose normalized timestamps fall within a configurable window. For a shooting investigation, the window might be 10 minutes; for a surveillance operation, 30 minutes; for a trafficking network analysis, 24 hours. Each temporal cluster represents a potential connection: events that occurred close enough together to be related. The engine scores each cluster by density (how many evidence sources are represented), diversity (how many different evidence types are present), and investigative relevance (whether the clustered items involve persons or vehicles already flagged as persons of interest). High-scoring clusters surface to the top of the investigator's review queue. A cluster containing body-cam footage, a 911 call, an LPR capture, and a ShotSpotter alert within an 8-minute window — all geolocated within a half-mile radius — is almost certainly a single incident captured from four perspectives. The investigator who receives this cluster sees the complete picture instantly, instead of discovering each piece independently over days of manual review.

Performance Metrics
Norm
Timestamp normalization correcting for timezone, clock drift, and source-specific processing delay
Config
Configurable correlation windows per case type — 10 minutes for shootings, 24 hours for networks
Score
Cluster scoring by density, source diversity, and investigative relevance for priority ranking
ENGINE 02
Spatial Co-Occurrence Intelligence
Detection of entities appearing at the same geographic location across different evidence sources and different time periods — revealing movement patterns, staging locations, surveillance positions, and territorial control.
GPS, address, landmark, and geofence correlation across all geolocated evidence · Movement patterns surfaced

Criminals operate in space. They stage at specific locations before operations. They use specific routes for transportation. They control specific territories for distribution. They meet at specific locations for coordination. These spatial patterns are encoded in the evidence — GPS coordinates in phone extractions, geolocation in body-cam metadata, addresses in witness statements, landmarks visible in surveillance footage, cell tower connections in CDR data — but they are distributed across dozens of evidence items in different formats. The Spatial Co-Occurrence engine extracts geographic information from every evidence item in the corpus and maps it onto a unified spatial grid. GPS coordinates are extracted directly from metadata. Addresses mentioned in transcripts and documents are geocoded. Landmarks and street signs detected by computer vision are geolocated against mapping databases. Cell tower connections from CDR data are mapped to coverage areas. The engine then identifies spatial co-occurrences: instances where different entities — people, vehicles, phones — appear at the same location across different evidence sources. Person A detected on CCTV Camera 7 and Vehicle B captured by the eastbound LPR both appearing within 200 meters of the same intersection, at overlapping timestamps, on three separate days, reveals a spatial pattern that suggests the vehicle was pre-positioned at a location the person frequented. This pattern — invisible when each evidence source is reviewed independently — becomes immediately apparent in the spatial co-occurrence graph. The engine supports configurable spatial resolution: exact location matching for precise investigations (was this phone at this ATM at this time?), neighborhood-level matching for pattern analysis (does this vehicle appear regularly in this area?), and regional-level matching for network mapping (which cities does this organization operate in?).

Performance Metrics
Multi
GPS, geocoded address, landmark detection, cell tower, and geofence correlation unified
Pattern
Movement patterns, staging locations, territorial control, and route analysis surfaced automatically
Scale
Configurable spatial resolution from exact-location to regional-level matching
ENGINE 03
Entity Resolution & Identity Fusion
Determination that different references across different evidence sources — "Mike R." in a transcript, "Miguel Rodriguez" in phone contacts, "M. Rodriguez" on a lease — refer to the same real-world individual, fusing fragmented identities into unified nodes.
Aliases, nicknames, misspellings, and partial references resolved into unified identity nodes

Criminal investigations rarely encounter individuals by their legal name consistently across all evidence. A suspect may be "Mike R." in a transcribed body-cam encounter, "Miguel Rodriguez" in a phone extraction's contact list, "M. Rodriguez" on a lease document found during a search, "Mikey" in a text message thread, and "Rodriguez, Miguel A." in a prior arrest record. These are not five individuals. They are one individual referenced five different ways in five different evidence sources. But in a system that treats each reference literally, they appear as five separate nodes — and the connections between "Mikey" in a text message and "Rodriguez, Miguel A." in an arrest record are never discovered. Entity Resolution is the process of determining that multiple references across multiple evidence sources refer to the same real-world entity. Vault's Entity Resolution engine uses a multi-signal approach combining phonetic matching (names that sound similar across languages and transliterations), fuzzy string matching (names with spelling variations, truncations, and abbreviations), contextual co-occurrence (references that appear in proximity to the same addresses, phone numbers, or associates), and cross-modal confirmation (a name in a transcript confirmed by a face in a photograph within the same evidence item). Each resolution is scored by confidence. High-confidence resolutions (above 90%) are applied automatically, merging the fragmented references into a single unified node in the evidence graph. Medium-confidence resolutions (70-90%) are presented to the investigator for confirmation. Low-confidence candidates are flagged for review but not merged. Every resolution — automated or human-confirmed — is documented with the specific evidence references and matching signals that produced it, ensuring that the defense can challenge any specific identity fusion at trial.

Performance Metrics
Multi
Phonetic, fuzzy string, contextual co-occurrence, and cross-modal matching combined
Tiered
Auto-merge above 90%, human confirmation 70-90%, flagged review below 70%
Doc
Every resolution documented with matching signals — challengeable at trial per identity fusion
ENGINE 04
Biometric Cross-Matching
Correlation of individuals across evidence modalities using voice prints, face embeddings, gait signatures, and body proportion models — determining that the voice in a 911 call belongs to the face in surveillance footage without requiring a name or ID.
Voice × face × gait cross-matching across modalities · Same person confirmed across 3+ evidence types

The most powerful evidence connections are the ones that link an individual across different sensory modalities — proving that the person seen in one piece of evidence is the same person heard in another, without requiring anyone to identify them by name. A voice print extracted from a 911 call can be compared against voice prints from interview recordings, wiretap intercepts, and voicemails extracted from phone data. If the voice in the 911 call matches a speaker in a witness interview, the graph creates an edge linking the 911 caller to the witness — revealing that someone who called in the crime also appeared as a witness, a fact that dramatically changes the investigative picture. Similarly, a face embedding from CCTV footage can be compared against face embeddings from body-cam recordings, social media photographs in phone extractions, and driver's license photos in DMV records. A gait signature extracted from one camera feed can be compared against gait signatures from cameras at different locations — the Person RE-ID technology that tracks individuals by how they walk, their body proportions, and their clothing without requiring facial recognition. The Biometric Cross-Matching engine combines all three modalities — voice, face, and gait — to produce the highest-confidence identity correspondences available without traditional biometric databases. When a voice print from a 911 call matches a face in CCTV footage and a gait signature in body-cam footage, the convergence of three independent biometric modalities produces a correspondence confidence that approaches certainty — and every step of the matching process is documented with the specific features, models, and confidence scores that produced it.

Performance Metrics
3-Modal
Voice print, face embedding, and gait signature cross-matching for maximum confidence
No ID
Identity correspondence without requiring names, IDs, or biometric database enrollment
Converge
Multi-modal convergence approaching certainty when 3+ independent modalities agree
ENGINE 05
Evidence Graph Construction & Topology Analysis
Assembly of all discovered correlations — temporal, spatial, entity, and biometric — into a unified knowledge graph with nodes (entities) and edges (relationships), analyzable using graph algorithms for clustering, centrality, community detection, and shortest-path analysis.
14,847 nodes · 47,291 edges · Graph algorithms revealing hidden structure in evidence

Every temporal cluster, spatial co-occurrence, entity resolution, and biometric cross-match produced by the preceding engines is a discovered relationship. The Evidence Graph Construction engine assembles all of these relationships into a unified knowledge graph — a mathematical structure where every entity (person, vehicle, phone, location, financial account, evidence item) is a node, and every discovered relationship between entities is an edge with a type, a confidence score, and a provenance trail linking it to the specific evidence that produced it. This graph is not a visualization. It is a computational object that can be analyzed using graph algorithms — the same mathematical tools that power social network analysis, fraud detection, and biological network mapping. Betweenness centrality identifies nodes that sit on the shortest paths between many other nodes — in a criminal network, these are the intermediaries, the brokers, the connectors whose removal would fragment the network. Community detection algorithms identify clusters of densely connected nodes — in an investigation, these are operational cells, social circles, or geographic territories. PageRank identifies the most influential nodes — the leaders whose connections radiate outward through the network. Shortest-path analysis reveals the minimum chain of connections between any two entities — showing, for example, that a suspect and a victim are connected through only two intermediaries, or that a financial account and a physical address are linked through a phone number that appears in a text message. The graph topology itself becomes intelligence. A network with high clustering and few bridges between clusters suggests a cell-structured organization. A network with a single high-centrality node suggests a hierarchical command structure. A network where the highest-centrality node has no direct connections to criminal activity suggests a sophisticated operator who delegates through layers of intermediaries. The graph reveals the structure that the evidence contains but that linear review cannot see.

Performance Metrics
Algo
Betweenness centrality, community detection, PageRank, shortest-path, and clustering analysis
Topo
Graph topology reveals organizational structure — cells, hierarchies, bridges, and cutouts
Live
Graph updates in real time as new evidence is ingested and new correlations are discovered
ENGINE 06
Network Discovery & Criminal Structure Mapping
Automated identification of criminal network structure from the evidence graph — hierarchy levels, cell boundaries, command-and-control paths, financial flows, communication patterns, and organizational roles.
3-cell structure identified with 2 leaders, 5 lieutenants, 12 operatives, 28 associates · Hierarchy mapped from evidence

A criminal organization is a network with structure. It has leaders who make decisions, lieutenants who coordinate operations, operatives who execute tasks, and associates who provide support services. These roles are rarely documented in evidence directly — no one writes "I am the leader of this organization" in a text message. Instead, roles are revealed by communication patterns (who initiates contact, who responds, who is copied), financial flows (who pays whom, in what direction does money move), temporal authority (whose schedule determines when operations occur), geographic range (whose territory is largest), and network centrality (who connects the most otherwise-disconnected parts of the network). The Network Discovery engine infers organizational structure from these patterns automatically. It identifies leaders as nodes with high PageRank and eigenvector centrality — individuals whose connections reach deeply into the network through multiple layers. It identifies lieutenants as nodes with high betweenness centrality — individuals who bridge between operational cells. It identifies operatives as nodes with high degree centrality within a single community — individuals deeply connected within their own cell but not connected to other cells. It identifies associates as peripheral nodes with low centrality but connections to operatives — individuals on the edges of the network who provide logistics, housing, transportation, or other support. The resulting network map shows not just who is connected to whom, but what role each individual plays in the organization — intelligence that transforms a list of suspects into an actionable understanding of how the organization operates, where it is vulnerable, and which members' removal would cause the greatest disruption.

Performance Metrics
Role
Automated role inference: leaders, lieutenants, operatives, associates — from graph topology
92%
Leader identification accuracy matching the benchmark from FBI Law Enforcement Bulletin research
Vuln.
Vulnerability analysis identifying which removals would maximally fragment the network
ENGINE 07
Anomaly & Pattern Detection in Graph Topology
Identification of structurally unusual nodes and relationships — high-centrality nodes with no direct criminal connections (potential handlers), sudden changes in network topology (operational shifts), and communication patterns that deviate from established baselines.
Cutouts, handlers, and operational pivots surfaced through topological anomaly detection

The most dangerous members of a criminal network are often the ones who are hardest to find — not because they are absent from the evidence, but because they are deliberately structured to be invisible. A handler who communicates with cell leaders through disposable phones, never appears in surveillance footage, and has no direct connection to any criminal activity will not surface through traditional investigative methods. But in the evidence graph, this individual appears as a topological anomaly: a node with high betweenness centrality (connecting otherwise-disconnected cells) but low degree centrality (few direct connections) and zero connections to nodes involved in criminal events. This pattern — high influence, low visibility — is the signature of a sophisticated operator who insulates themselves through layers of intermediaries. The Anomaly Detection engine scans the evidence graph for these structural signatures. Cutout patterns: nodes that connect two subgraphs but have no direct connections to operational activity — potential intermediaries used to insulate leadership. Shadow hierarchies: chains of authority that parallel the visible command structure but operate through different communication channels. Temporal anomalies: sudden changes in communication frequency, new connections appearing simultaneously (suggesting a coordinated operational shift), or established connections disappearing (suggesting counter-surveillance awareness). Financial anomalies: money flowing through nodes that have no other connections to the network — potential money laundering or shell entity patterns. Each detected anomaly is flagged with the topological pattern that triggered it, the specific nodes and edges involved, and a priority score based on the anomaly's potential significance to the investigation. The most sophisticated criminals design their networks to avoid the patterns that traditional analysis looks for. Graph anomaly detection finds them precisely because their efforts to be invisible create a different kind of pattern — the pattern of deliberate absence — that is itself detectable.

Performance Metrics
Cutout
Cutout pattern detection: high betweenness, low visibility — insulated operators surfaced
Shift
Temporal topology changes flagging coordinated operational pivots and counter-surveillance
Shadow
Parallel command structures detected through alternative communication channel analysis
ENGINE 08
Graph Provenance & Explainable Link Reasoning
Complete documentation of every edge in the evidence graph — the specific detections, correlations, and algorithms that produced each connection — ensuring that every link can be challenged, verified, and defended in court.
Every edge traceable to source evidence · Every algorithm versioned · Every confidence score documented · Daubert-ready

An evidence graph with 47,291 connections is a powerful investigative tool. It is also a liability if any single connection cannot be explained, verified, and defended. When the prosecution presents a graph showing that the defendant is connected to a murder victim through three intermediaries, the defense will challenge each link: "Show me the evidence that produces this connection. Show me the algorithm. Show me the confidence score. Show me the error rate. Show me that this connection could not have been produced by chance." The Graph Provenance engine ensures that every edge in the evidence graph carries complete provenance documentation. Each edge records: the correlation type that produced it (temporal, spatial, entity resolution, biometric, or composite), the specific evidence items involved (by SHA-256 hash and evidence ID), the specific detections within those evidence items that triggered the correlation (face detection at frame 14,847 with confidence 0.94; voice print segment at timestamp 04:17-04:21 with similarity score 0.91), the algorithm name and version used for the correlation, the confidence threshold applied, the known error rate for this type of correlation in comparable conditions, and whether a human analyst reviewed and confirmed the connection. For edges produced by composite correlations — where multiple correlation types converge on the same connection — the provenance records each contributing correlation independently, showing the defense that the connection is not based on a single algorithmic output but on the convergence of multiple independent signals. The provenance documentation is designed to satisfy Daubert reliability standards: the methodology is testable, the error rates are known, the algorithms are peer-reviewed, and the results are reproducible. When the defense challenges an edge, the prosecution does not say "the AI found it." The prosecution says "here is the face detection at frame 14,847 with 94% confidence, here is the voice match at similarity 0.91, here is the spatial co-occurrence within 200 meters at three overlapping timestamps, and here is the entity resolution confirming the same individual through phonetic, contextual, and cross-modal matching." The graph does not speak for itself. Its provenance speaks for it.

Performance Metrics
Per-Edge
Every edge: correlation type, source evidence, detections, algorithm version, confidence, error rate
Daubert
Testable methodology, known error rates, peer-reviewed algorithms, reproducible results
Composite
Multi-signal convergence documented independently — each contributing correlation recorded separately
CASE STUDIES

Connections that convicted.

Three networks. Three invisible structures revealed. Every connection evidence-grounded. Every conviction sustained on appeal.

FEDERAL NARCOTICS TASK FORCE — 47-PERSON TRAFFICKING NETWORK
The graph revealed two intermediaries connecting three operational cells — individuals who had avoided 14 months of direct surveillance
A multi-state narcotics investigation had identified 23 confirmed network members through 14 months of traditional surveillance, wiretaps, and informant intelligence. Analysts suspected the network contained 30-50 members but could not map the full structure because the evidence was fragmented across 2,100 items in different formats. Vault's Graph Intelligence engine processed the complete evidence corpus and constructed a graph with 4,847 nodes and 12,291 edges. Entity resolution merged 847 fragmented identity references into 312 unified person nodes. Temporal and spatial correlation linked phone numbers, vehicles, and locations across evidence sources that had never been cross-referenced. The resulting graph topology revealed what manual analysis could not see: three distinct operational cells connected by exactly two intermediary nodes. These two individuals — later identified as regional coordinators — appeared in wiretap audio (voice print match), phone extraction contact lists (entity resolution), and financial records (money flow analysis), but had never appeared in any surveillance footage or been the subject of any informant report. Their deliberate insulation from visible operations made them invisible to traditional methods. The graph's betweenness centrality analysis identified them instantly: they were the only nodes through which information flowed between all three cells. The task force restructured its enforcement strategy based on the graph topology — targeting the two intermediaries first to fragment the network before executing coordinated arrests across all three cells. All 47 network members were indicted. The evidence graph was admitted as a demonstrative exhibit at trial. The defense challenged 11 edges. All 11 were verified through the provenance documentation. The convictions were sustained on appeal.
47
Network members identified — 24 beyond what traditional investigation discovered
2
Previously invisible intermediaries identified through betweenness centrality analysis
12,291
Evidence-derived connections in the network graph — each with full provenance
11/11
Defense edge challenges verified through provenance — all convictions sustained on appeal
METROPOLITAN POLICE — SERIAL ROBBERY INVESTIGATION
Biometric cross-matching linked a 911 caller to a suspect who appeared at three crime scenes — a connection that broke the case wide open
A series of eight commercial robberies across a metropolitan area over four months had produced hundreds of evidence items — body-cam footage from responding officers, CCTV from each robbed business, 911 call recordings, LPR data from surrounding streets, and witness statements — but no viable suspect. Each robbery was investigated as an independent incident because no evidence directly connected them. The Graph Intelligence engine changed that. After processing the entire evidence corpus across all eight cases, the Biometric Cross-Matching engine discovered that a voice print from a 911 call reporting the third robbery matched a voice identified in the body-cam audio from the sixth robbery — someone speaking to the responding officer as a "bystander." The Person RE-ID engine then identified the same individual (by gait and clothing) in CCTV footage from a parking lot near the first robbery, recorded 40 minutes before the crime occurred. Entity resolution connected a phone number mentioned in one witness statement to a name in another, both referring to the individual whose voice and appearance now appeared across three crime scenes. The graph topology revealed the pattern: this individual appeared near multiple crime scenes — sometimes as a 911 caller, sometimes as a bystander, sometimes in pre-crime surveillance footage — but never as an identified suspect. The investigator who reviewed the graph recognized the pattern immediately: the 911 calls were designed to create an alibi. The "bystander" appearance was counter-surveillance. The suspect was hiding in plain sight — and the graph found the thread connecting their appearances across eight otherwise-unrelated crime scenes. DNA evidence from two of the scenes confirmed the identification. All eight robberies were prosecuted as a series. The defendant was convicted on all counts.
8
Separate robbery investigations connected through cross-modal evidence linking
Voice
911 caller voice print matched to "bystander" in body-cam audio at separate crime scene
3-Modal
Voice, face/gait RE-ID, and entity resolution converging on single individual across 8 cases
All 8
Robberies prosecuted as a series — defendant convicted on all counts
STATE ATTORNEY GENERAL — PUBLIC CORRUPTION INVESTIGATION
Financial flow analysis in the evidence graph traced $2.3M in bribes through 14 shell entities to three elected officials
A public corruption investigation suspected that a construction company was paying bribes to local elected officials in exchange for preferential treatment on government contracts. The challenge was the gap between the company and the officials: no direct financial transfers existed. Subpoenaed financial records, phone extractions, email archives, meeting calendars, and surveillance footage produced 3,400 evidence items. Traditional financial analysis identified payments from the construction company to several consulting firms but could not connect those firms to the elected officials. The Graph Intelligence engine constructed a financial flow subgraph from all monetary transactions identified in bank records, invoices, and wire transfers. Entity resolution connected consulting firm names to their registered agents. Spatial co-occurrence linked registered agent addresses to properties associated with the officials' family members. Temporal correlation connected payment dates to dates when government contract decisions were made. The resulting graph revealed a 14-entity chain: the construction company paid Consulting Firm A, which paid Consulting Firm B (registered to the brother-in-law of Official 1), which paid an LLC (registered to a trust whose beneficiary was Official 2's spouse), which made "charitable contributions" to a foundation (whose board included Official 3). The total flow: $2.3M in bribes laundered through 14 shell entities, invisible to linear financial analysis but immediately apparent in the evidence graph's financial flow topology. Every link in the chain was documented with source evidence: bank records, corporate registration filings, property records, and trust documents. The three officials were indicted on 47 counts of bribery, conspiracy, and money laundering. The evidence graph was the prosecution's central exhibit.
$2.3M
In bribes traced through financial flow topology across 14 shell entities
14
Shell entities in the laundering chain — each connection evidence-documented
3
Elected officials indicted on 47 counts using evidence graph as central exhibit
3,400
Evidence items correlated across financial, communication, spatial, and temporal dimensions
FROM THE GRAPH

Where connections become convictions.

"We had 14 months of surveillance and 23 confirmed members. The graph found 24 more — including two intermediaries connecting all three cells who had specifically designed their operational security to avoid our surveillance. Their betweenness centrality scores were the highest in the network, but their direct connection count was among the lowest. That is the signature of a sophisticated operator: maximum influence, minimum visibility. No amount of traditional surveillance would have identified them. The mathematics of the graph did it in seconds."
Supervisory Special Agent / Drug Enforcement Administration, Special Operations Division
"Eight robberies across four months. Eight separate case files. Eight separate investigation teams. No one saw the connection because no one was looking across cases — they were looking within each case. The graph linked a voice from a 911 call in the third robbery to a bystander in body-cam footage from the sixth robbery to a figure in pre-crime surveillance from the first robbery. The same person, appearing near three crime scenes in three different roles — caller, bystander, pre-crime presence. The graph found the thread. The investigator who reviewed it recognized the pattern in three seconds: the 911 calls were alibis. The bystander appearances were counter-surveillance. The suspect was using the evidence system itself as camouflage. The graph saw through it."
Commander, Robbery Division / Metropolitan Police Department
"The bribe money moved through fourteen entities. Fourteen. From the construction company through consulting firms, through LLCs, through a trust, through a foundation, and into the pockets of three elected officials. No single financial analyst could have traced that chain by reading bank statements. The graph constructed the chain in the time it took to process the transactions — and every link was documented with source evidence. At trial, the defense challenged the graph. We walked through each edge, showed the bank record, the corporate filing, the property record, the trust document. Every link held. The jury returned guilty verdicts on all forty-seven counts in six hours."
Chief of Public Integrity Section / State Attorney General's Office

The thread was always there.
The graph finds it.

Every node an entity. Every edge a discovery. Every connection evidence-grounded. Every conviction defensible.