The Observers And The Observed Inside Queryability

There is a kind of intelligence that does not live in the object alone.

It lives in the field around the object.

Who keeps looking at it. How many distinct observers independently converge on it. Whether the attention arrives as one isolated touch or as a sudden shared burst.

That is the idea behind Syndu's queryability layer.

This week, I ran the first serious exploratory data analysis pass over that field on the live production system and asked a simple question:

What kind of information object is queryability, really?

1. The field is real, and it is large

For one 24-hour production read ending on April 3, 2026, Syndu's live queryability tables contained:

• 405,998 public detail-report lookup hits
• 242,369 distinct observed entities
• 261,517 distinct observer IPs
• 8,938 entities with more than two hits
• 350 entities active in three or more windows
• 7 entities peaking at five or more hits in a single ten-minute window

That matters immediately.

This is not a tiny side-channel. It is already a large analytical surface.

And more importantly, it is not a surface we manufactured through artificial instrumentation.

It emerges from a narrow public boundary:

• anonymous public report-detail requests,
• across the eight report dimensions,
• before a visitor becomes a signed-in workspace member,
• while private backoffice, support, auth, billing, MCP control, and websocket flows stay outside the boundary.

So what we are seeing is not "everything users did."

We are seeing what the public investigative edge of the system keeps pointing at.

2. The observed side is overwhelmingly IP-shaped

The first major pattern is that the field is still led by concrete technical indicators.

In the same 24-hour read:

• ipaddress: 368,704 hits across 214,766 entities
• subnet: 27,925 hits across 20,711 entities
• org: 3,425 hits across 2,597 entities
• asn: 2,525 hits across 1,845 entities
• the higher-order geographic and provider layers are smaller still

This is the right shape.

It means queryability is not drifting into a vague popularity score.

It is still rooted in the same investigative sequence we see everywhere else in the product:

1. a concrete risky indicator draws attention,
2. the enclosing subnet, ASN, organization, or location becomes explanatory context,
3. the field starts to reveal whether that attention is local, repeated, or communal.

That is exactly the type of behavior we want to listen to.

3. The field is broad, not monopolized

One of the most important questions in a signal like this is whether it is secretly dominated by a handful of watchers or a handful of targets.

The answer, at least in this first production pass, is no.

The concentration metrics came back strikingly low:

• top observer share: 0.1406%
• top five observers together: 0.6961%
• top observed entity share: 0.0030%
• top five observed entities together: 0.0123%

That means queryability is not behaving like a headline feed where one thing dominates everyone's view.

It behaves like a wide distributed attention surface.

That is analytically useful because it suggests the system is hearing a large number of small investigative motions rather than one overwhelming central narrative.

4. The observer side is even more interesting than the observed side

If the observed side tells us what is being looked up, the observer side tells us how collective the looking really is.

And here the structure is not uniform at all.

Across the same 24-hour read:

• 90.5% of observer IPs made exactly one lookup
• 6.5% made between two and five lookups
• 2.7% made between six and twenty lookups
• only 0.37% made more than twenty lookups

So the observer field is dominated by a huge one-touch tail.

That means most observers are not "power analysts" sitting inside one long research session.

Most are better understood as isolated points of attention, while a very small minority behave like wide-sweep actors.

That split is crucial.

It means queryability is not one simple metric.

It contains at least two different regimes:

• the one-touch field, where large numbers of isolated observers reveal broad but shallow interest
• the wide-sweep field, where a small minority of requesters traverse many entities and kinds

Those are different behaviors, and eventually they should not be modeled the same way.

5. Convergence is where the field becomes communal

The most important statistical question is not raw volume.

It is convergence.

How often do multiple distinct observers independently land on the same entity in the same day?

This is where queryability gets sharp.

Across the 24-hour read:

• entities with 2+ distinct requesters: 149,823
• entities with 3+ distinct requesters: 8,732
• entities with 5+ distinct requesters: 184
• entities with 10+ distinct requesters: 1

That tells us something very clean:

• two-requester convergence is common
• three-requester convergence is already selective
• five-requester convergence is rare
• ten-requester convergence is exceptional

In other words, the more communal the attention becomes, the more selective the field gets.

That is exactly what makes it valuable.

If a risky entity is being revisited by multiple distinct requesters in a short horizon, that is not just "engagement."

It is validation by independent attention.

6. The strongest signals are not always the most obvious ones

One of the best surprises in the first read was that the strongest convergent entity in the window was not an IP.

It was a city-level entity.

That matters because it suggests there are at least two families of attention targets in the field:

Volume attractors

Concrete things that accumulate direct repeated attention.

These are often IP addresses or subnets.

Convergence attractors

Higher-order entities that multiple observers independently arrive at from different starting points.

These can be locations, ASNs, organizations, or other explanatory surfaces.

That is a strong clue for how the signal should evolve.

Queryability probably does not want to remain one scalar.

It wants at least:

• burst: is attention suddenly spiking now?
• convergence: how many distinct observers are independently pointing at the same thing?
• persistence: does the entity keep floating up across windows and days?

That is a richer and more faithful representation of the field.

7. Busy hours and interesting hours are not the same thing

Another useful separation in the first pass was temporal.

The hour with the highest raw attention was 05:00 local, with 27,265 hits.

But the hour with the strongest spike intensity was 20:00 local, where the peak spike score reached 160.32.

That is a subtle but important distinction.

It means a field can be busy without being especially interesting, and it can become especially interesting without being the busiest hour overall.

So if we only track lookup volume, we miss the difference between:

• baseline throughput,
• sudden escalation,
• and shared synchronization.

That is why the ten-minute cadence matters.

The faster tactical layer is not trying to replace the slower report cubes.

It is trying to notice when attention changes shape before the slower system finishes its larger rollups.

8. Queryability is not raw risk, but it is real context

The most disciplined conclusion from this EDA is not "high lookup volume means high risk."

That would be a mistake.

What the field really gives us is contextual pressure:

• this entity is being pointed at now,
• this entity is being pointed at by more than one observer,
• this entity is being revisited over multiple windows,
• this entity is floating upward faster than its recent baseline.

That is a different category from the score itself.

It does not replace contextual scoring.

It changes the quality of the explanation around the score.

That is why it belongs:

• in the report smart panels,
• in the Risk API response,
• and in the MCP investigation flow returned to agents.

An analyst does not just want to know that an entity scores high.

They want to know whether the wider field is pressing against it too.

9. The field still needs observer typing

The first EDA pass also revealed the next important refinement.

Some of the strongest observer cohorts behave more like crawler-like or programmatic sweeps than like ordinary human case work.

That does not make their signal useless.

But it does mean the field is mixed.

So the next serious step is to separate observers into at least rough typologies:

• likely one-touch public investigators
• likely recurring analysts
• likely wide-sweep automated observers
• likely trusted internal or product-side operational observers

That separation will make queryability safer and stronger when we eventually use it more directly in modeling.

10. What this says about Syndu

There is a bigger product point hiding in all of this.

Syndu is not just publishing reports and then waiting for people to consume them.

It is listening back to the field.

It is hearing:

• what the community keeps checking,
• what multiple observers converge on,
• what is suddenly being revisited,
• and which entities float upward before formal consensus arrives.

That is a very different kind of system from a static threat database.

It is a living analytical loop.

The report tells us what an entity looks like.

The score tells us how much pressure it carries.

The memory layer tells us what prior operators concluded.

And queryability now adds one more dimension:

who is looking, how many are looking, and whether the attention itself is changing shape right now.

That is the beginning of a serious observer-aware risk intelligence surface.