Listening To What Analysts Point At

There is a difference between a score that stands alone and a score that arrives with proof that people are actively converging on the same thing.

Syndu now has that second property.

We added a new analytical layer that listens to what analysts are pointing at on the public report surface, turns that demand into a fresh tactical signal, and feeds it back into the reports, the Risk API, and the MCP investigative flow.

We call that layer queryability.

It is not a vanity metric.

It is not pageview inflation.

It is not "what was popular on the site."

It is a controlled, privacy-bounded signal that answers a more interesting question:

Which risky entities are drawing repeated investigative attention right now, from how many independent requester IPs, and in which recent windows did that attention concentrate?

1. We only listen at the public investigative boundary

The first design rule was privacy.

We do not want customer backoffice behavior leaking into the analytical corpus just because the same person became a signed-in user.

So the queryability layer only listens to:

• public detail-report lookups,
• on the anonymous public report surface,
• for the eight report dimensions,
• before a visitor becomes an identified member inside a workspace.

That means it intentionally excludes:

• account and signup flows,
• social-auth callbacks,
• support routes,
• Access Dashboard operations,
• MCP control-plane traffic,
• PayPal callbacks and subscription endpoints,
• user settings and private workspace interaction,
• websocket-style backoffice operations.

In other words, Syndu is not harvesting "everything the user did."

It is listening to one narrow and useful thing: what the community keeps investigating in public.

That boundary matters, because it turns queryability into a legitimate security and fraud signal rather than a privacy mistake.

2. Queryability runs faster than the report cubes

Most of Syndu's main analytical universe is built in the weekly Luna chain:

• raw access records,
• enriched facts,
• annotations,
• IP truth,
• higher-order cubes,
• contextual vector,
• score.

That is the durable reporting system.

Queryability is different.

It is a fast tactical layer that runs directly over raw access-log flow in ten-minute windows.

The logic is:

1. watch newly loaded public detail-report requests,
2. resolve each request into a canonical report entity,
3. count lookup demand by entity and dimension,
4. count distinct requester IPs around the same entity,
5. compare the newest window against its recent baseline,
6. materialize a spike snapshot,
7. preserve that spike history in weekly partitions so it does not evaporate after one dashboard cycle.

So this layer lives at a different analytical cadence.

It is not waiting for the weekly report-publishing cadence to finish before it becomes visible.

It is meant to tell us, and our users, that something is already floating upward.

3. A spike is not the same thing as raw popularity

We do not treat query volume as risk.

That would be lazy.

What we care about is the shape of demand:

• repeated lookups in a short window,
• multiple requester IPs converging on the same entity,
• recurrence across windows,
• recurrence across days,
• propagation across related dimensions like IP, subnet, ASN, and org.

That is why the new layer does not stop at one number.

For each active entity it keeps a tactical envelope that includes:

• lookups in the last 10 minutes,
• lookups in the last 60 minutes,
• lookups in the last 24 hours,
• distinct requester IPs over the same periods,
• the most recent active query windows,
• the peak window in the last 24 hours,
• longer-lived spike history across recent days.

That combination gives us something much more useful than "this page got traffic."

It tells us whether the entity is:

• suddenly hot,
• steadily recurrent,
• or being revisited by several independent observers at the same time.

That is a real analytical clue for security and fraud work.

4. Requester convergence is the interesting part

The most important refinement in this feature is not the lookup count.

It is the requester convergence.

If an entity gets three lookups from one requester, that may just be one analyst refreshing or drilling around.

If an entity gets those same lookups from several distinct requester IPs in the same short window, the meaning changes.

Now we are seeing shared attention.

That kind of convergence matters because security analysts and fraud operators often discover the same thing independently before formal escalation synchronizes.

The queryability layer lets Syndu capture that pre-escalation signal.

It is one of the few cases where user behavior is not noise around the system.

It is part of the system's intelligence.

5. We persisted it because a tactical signal is only useful if it can be revisited

At first, this could have been a live dashboard feed that disappeared as soon as the next refresh arrived.

That would have made it interesting but weak.

Instead, we gave it its own persistence model.

Every live spike window is now written into a dedicated historical layer, partitioned on weekly boundaries like the rest of our heavy data surfaces.

That means we can distinguish:

• one fresh burst,
• a recurring entity that keeps drawing attention,
• and a durable pattern of analyst concern over time.

This is where the feature starts becoming more than a dashboard toy.

It becomes a real auxiliary analytical surface.

The system can now say:

• this entity is spiking now,
• this entity has been recurrently queried over several recent windows,
• this entity has accumulated multiple spike windows over the last week.

Those are different operational truths.

And they deserve to stay visible.

6. The signal now flows back into the product surfaces

Once the tactical layer existed, it needed to stop being isolated in an internal admin view.

So we pushed it back into the customer-facing surfaces.

In reports

Each report can now show a Community signal smart panel that sits beside the score and the durable report facts.

That panel shows:

• whether the entity is spiking now,
• recent query windows,
• requester convergence,
• short-horizon history,
• and longer-lived spike recurrence.

That matters most on thin or fresh entities.

If an IP has very little published report history yet, the queryability layer can still tell the user:

• people are actively looking at this right now,
• here is when the lookups happened,
• here is whether several requesters converged.

That is already meaningful.

In the Risk API

The score response now carries a community_signal object.

That means an application can make a live decision using not only the contextual score, but also:

• fresh demand intensity,
• requester convergence,
• recent active windows,
• and short-horizon spike history.

That is especially valuable for workflows where "others are investigating this now" is itself a confidence boost for escalation.

In MCP and the agent workflow

The same signal is now included in MCP investigative payloads and risk explanations.

An agent can now say, in effect:

• this entity scores high,
• here are the matched dimensions,
• and there is also fresh community demand converging on it in the current window.

That is exactly the kind of compound clue a strong assistant should surface to an analyst.

7. Why this keeps Syndu out of the "dumb plugin" category

A weak product can wrap an existing score in a plugin and call it agentic.

That is not what is happening here.

Syndu now has:

• a durable report universe,
• a contextual scoring model,
• governed memory,
• shared outcomes,
• and a fast tactical layer that listens to what the community is investigating right now.

That last layer matters because it demonstrates that the product is not just replaying old truth.

It is hearing fresh attention from the field.

And then it is making that signal useful:

• in the dashboard,
• in the reports,
• in the API,
• and in the agent loop.

That is not a wrapper.

That is a living analytical system.

8. The deeper idea

There is a simple way to say what queryability adds to Syndu:

It lets the system hear the point of the finger, not just the object being pointed at.

The report tells us what an entity looks like.

The score tells us how much pressure it carries.

The memory layer tells us what prior analysts concluded.

Queryability adds one more dimension:

who is looking, how many are looking, and whether the attention is arriving now.

That is a small change in data shape.

But it is a very large change in how alive the system feels when an analyst opens the page.