RSAC Open Sources Quantickle, an AI-Built Graph Tool That Rethinks How Threat Analysts Work
- Cyber Jack
The most interesting security tools do not always come from venture-backed startups or vendor roadmaps. Sometimes they emerge from frustration.
This week, the organization behind the RSA Conference released an open source project called Quantickle, a browser-based graphing toolkit designed for analysts who spend their days untangling messy relationships between infrastructure, malware, and campaigns. It is not an enterprise platform and it is not trying to be one. Instead, it is a statement about how security research actually happens and who gets to build the tools that support it.
RSAC published Quantickle through its RSAC Labs initiative, making the code freely available to researchers and independent analysts. What makes the release unusual is not only the tool’s focus, but its origin story. Quantickle was built by a threat analyst who openly says they are not a programmer and relied heavily on AI-assisted development to make the project real.
“I am an analyst and reverse engineer and have reconciled myself to that fate,” the creator Snorre Fagerland wrote. “I’m going down with the disassembler.”
When spreadsheets stop working
Threat intelligence rarely fits neatly into rows and columns. While indicators can be standardized, the most valuable leads often involve strange, asymmetric relationships. One domain fans out to dozens of others. A single certificate ties together infrastructure that should not be related. These are patterns that spreadsheets obscure rather than reveal.
Graphs excel at this kind of work, but existing commercial tools often impose rigid data models or focus on automation at the expense of manual investigation. According to the project’s author, that gap is what pushed them to build something new rather than buy yet another product that almost fit.
The result is a tool optimized for human-driven research. Quantickle is designed for analysts who want to explore, annotate, and publish relationships, not ingest millions of events or auto-generate alerts. Its core philosophy favors clarity over scale and intention over throughput.
Built by vibing, shipped by learning
AI-assisted coding, sometimes called vibe coding, has become a flashpoint in developer culture. Critics point to broken builds, subtle vulnerabilities, and novice users shipping code they do not fully understand. The Quantickle project does not deny those risks. It embraces them cautiously.
The initial prototype was built quickly, with an LLM generating code that ingested CSV files and rendered simple node and edge graphs. It worked well enough to justify continuing. Over months of iteration and frequent frustration, the tool evolved into something stable enough to share.
The author is clear eyed about the result. “Is it production quality? I doubt it. But it works. And we’re not selling it; we’re giving it away.”
That honesty matters. Quantickle is not presented as a polished platform, but as a practical artifact of what happens when domain expertise is paired with modern AI tooling.
A graph tool that respects context
Under the hood, Quantickle uses Cytoscape, an open source graph engine originally developed for biological research. That lineage turns out to be a strength. Biology and cybersecurity both deal in complex networks where relationships matter more than individual data points.
One of Quantickle’s more distinctive features is its use of containers, which allow analysts to group nodes visually without forcing explicit connections. Containers can nest within each other, creating sub-workspaces inside a graph. This is particularly useful when grouping related samples or infrastructure that share context but no direct linkage.
The tool also supports interlinked graphs, letting analysts break large investigations into navigable chains rather than overwhelming canvases with thousands of nodes. A graph can link to another graph, forming a tree of related cases that can be explored incrementally.
Time is treated as a first-class attribute. Nodes can carry timestamps that influence layout or color, making it easier to focus on recent activity or specific windows of interest. For investigations like phishing campaigns or infrastructure rotation, this temporal awareness can surface patterns that static graphs miss.
Local first, open by default
Quantickle runs primarily as client-side JavaScript with a lightweight backend. By default, data stays local. Analysts can paste indicators directly into the interface, import CSV files, or save graphs as JSON. For users who want persistence, graphs can be stored in Neo4j.
Exports support common formats like PNG, PDF, HTML, and CSV, reflecting the project’s emphasis on sharing findings rather than locking them into a proprietary system.
External integrations exist, including lookups against VirusTotal, but they are manually triggered. The tool does not phone home by default, an important detail for researchers working with sensitive data.
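To make the container and timestamp ideas from the previous section concrete, and to show what the CSV-to-graph step looks like in practice, here is an added example written for this article. It is not Quantickle's code, and it does not use the project's real CSV layout, which is not described on the page. It turns a small constructed indicator CSV into elements in the shape Cytoscape.js consumes (nodes with a `data.parent` field become compound "container" nodes), and colors each node by how recently it was observed. The column names, the 90-day recency window and the red-to-grey color scale are all assumptions.

```javascript
// Added example, not Quantickle's own code. Builds Cytoscape.js-style
// elements from a constructed indicator CSV, with containers modelled as
// compound (parent) nodes and node colour derived from observation time.

// Constructed sample data. Domains use .example and the IPs are RFC 5737
// documentation addresses. Column layout is an assumption, not Quantickle's.
const SAMPLE_CSV = `source,target,relation,container,observed
login-secure.example,198.51.100.7,resolves_to,campaign-a,2024-05-01
account-verify.example,198.51.100.7,resolves_to,campaign-a,2024-05-20
198.51.100.7,cert:ab12cd,serves_cert,campaign-a,2024-05-20
cert:ab12cd,203.0.113.9,serves_cert,campaign-b,2024-03-02
`;

const DAY_MS = 86400000;
const RECENCY_WINDOW_DAYS = 90;    // assumption: anything older than this reads as "old"
const FRESH_RGB = [220, 60, 60];   // assumption: red for recent observations
const STALE_RGB = [160, 160, 160]; // assumption: grey for old observations

// Minimal CSV reader: header row, comma-separated, no quoted fields (assumption).
function parseCsv(text) {
  const lines = text.trim().split(/\r?\n/);
  const header = lines[0].split(',').map((h) => h.trim());
  return lines.slice(1).filter(Boolean).map((line) => {
    const cells = line.split(',').map((c) => c.trim());
    return Object.fromEntries(header.map((h, i) => [h, cells[i] ?? '']));
  });
}

// Map an ISO-8601 date to an rgb() string: fresh observations are red and
// fade linearly to grey at RECENCY_WINDOW_DAYS and beyond.
function recencyColor(observed, nowMs) {
  const ageDays = (nowMs - Date.parse(observed)) / DAY_MS;
  const t = Math.min(1, Math.max(0, ageDays / RECENCY_WINDOW_DAYS));
  const [r, g, b] = FRESH_RGB.map((f, i) => Math.round(f + (STALE_RGB[i] - f) * t));
  return `rgb(${r},${g},${b})`;
}

// Containers become compound nodes; each endpoint gets data.parent set to the
// container of the row where it was first seen. Cytoscape.js allows only one
// parent per node, so a node that later appears under another container keeps
// its first parent and records the others in data.sharedWith rather than
// silently losing that context. Edges may cross container boundaries freely.
function buildElements(rows, nowMs) {
  const containers = new Map();
  const entities = new Map();
  const edges = [];

  const touch = (id, container, observed) => {
    if (!containers.has(container)) {
      containers.set(container, { data: { id: container, label: container, isContainer: true } });
    }
    let node = entities.get(id);
    if (!node) {
      node = { data: { id, label: id, parent: container, observed, sharedWith: [] } };
      entities.set(id, node);
    } else if (node.data.parent !== container && !node.data.sharedWith.includes(container)) {
      node.data.sharedWith.push(container);
    }
    // ISO dates compare correctly as strings; keep the most recent sighting.
    if (observed > node.data.observed) node.data.observed = observed;
  };

  rows.forEach((row, i) => {
    touch(row.source, row.container, row.observed);
    touch(row.target, row.container, row.observed);
    edges.push({ data: { id: `e${i}`, source: row.source, target: row.target,
                         label: row.relation, observed: row.observed } });
  });

  for (const node of entities.values()) {
    node.data.color = recencyColor(node.data.observed, nowMs);
  }
  return { nodes: [...containers.values(), ...entities.values()], edges };
}

// Usage with the constructed sample; "now" is pinned so colours are reproducible.
const graph = buildElements(parseCsv(SAMPLE_CSV), Date.UTC(2024, 5, 1));
for (const n of graph.nodes) {
  console.log(`${n.data.id}  parent=${n.data.parent ?? '(container)'}  color=${n.data.color ?? '-'}`);
}
```

The resulting `nodes` and `edges` arrays can be handed to Cytoscape.js as `elements`, with a stylesheet rule such as `'background-color': 'data(color)'` so the recency colour computed here drives rendering. The `sharedWith` field is the caveat worth noticing: a grouping model where containers imply no connection still has to decide what to do when one indicator belongs to two groups, and dropping that membership silently is the wrong answer for an analyst.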
A quiet signal about who builds security tools
Quantickle will not replace enterprise threat intelligence platforms, and it does not try to. Its significance lies elsewhere. It shows how AI-assisted development can allow subject matter experts to build tools that reflect their actual workflows, even if they do not come from traditional engineering backgrounds.
That does not mean vibe coding is a shortcut to safe or scalable software. It does suggest that the boundary between tool user and tool builder is shifting. In security research, where creativity and intuition often matter as much as code quality, that shift could be meaningful.
If nothing else, Quantickle is a reminder that some of the most useful tools are born not from market analysis, but from an analyst staring at a spreadsheet and thinking, there has to be a better way.