When we first published the queryability layer, the main question was whether the field was real.
It was.
The system was clearly hearing something useful in public investigative behavior:
- repeated lookups,
- convergence on the same entities,
- recent attention windows,
- and fresh tactical bursts that had not yet settled into the slower report universe.
But that first pass left an obvious scientific question open:
Who exactly is producing this field?
That question matters because a communal signal is only as trustworthy as the kinds of observers contributing to it.
So I ran a second production EDA pass, this time not over the observed entities alone, but over the observer side of the graph.
The result is a much clearer picture of what queryability is becoming.
1. The observer field is not uniform at all
In the last 24 hours of live production queryability data, observers separated into five distinct behavioral classes:
- one-touch public: 95.93%
- focused investigator: 0.65%
- analyst-like: 0.45%
- mixed / programmatic: 2.90%
- crawler-like: 0.06%
That distribution matters more than it may first appear.
It says that the public field is not mostly deep individual case work.
It is mostly made of light isolated touches, with a much smaller layer of genuinely targeted investigation, and an even smaller crawler layer that can still matter because of its throughput.
That is a very different conclusion from simply saying "people are looking this up."
It gives the field structure.
2. Crawler-like observers are tiny in count, but large in force
The crawler-like class is only 0.06% of observers.
That sounds almost negligible until you look at how they behave.
In this same 24-hour read:
- crawler-like observers averaged 135.45 entities each
- mixed/programmatic observers averaged 14.04
- analyst-like observers averaged 4.52
- focused investigators averaged 3.02
- one-touch public observers averaged 1.06
That is the second big lesson of the queryability field:
minority actors can still disproportionately shape raw demand.
So if we were to feed raw community demand into the score without separating observer types first, we would risk over-crediting wide-sweep machine behavior as communal validation.
That would be a modeling mistake.
3. The trusted communal field is much smaller than the raw communal field
The most useful number in the second pass is not volume.
It is selectivity.
Once we ask for entities that show analyst-like convergence, meaning more than one requester from the focused-investigator or analyst-like layers, the field becomes very selective:
- only 0.26% of observed entities showed analyst-like convergence of 2+ requesters
By contrast:
- 1.47% of entities were crawler-dominated by the same threshold
That means raw communal-looking activity is not yet safe to trust at face value.
But it also means something more encouraging:
when analyst-like convergence does appear, it is rare enough to be valuable.
This is exactly the kind of signal we want:
- scarce,
- interpretable,
- and much harder to fake by mere throughput.
4. The strongest communal targets survive the typing pass
The strongest analyst-like convergence target in this production read was:
105.67.131.31
- kind: IP address
- 4 analyst-like requesters
- 4 total requesters
That is a strong result because it means all observed convergence on that entity came from the more trusted side of the current typology.
Other strong analyst-like targets were still mostly indicator-led:
- IPs
- subnets
That keeps the signal grounded.
It suggests the most trustworthy communal layer is not abstract popularity on higher-order entities. It is still concrete investigative motion on real technical indicators.
5. Not every dimension carries the same observer risk
The second pass also made one asymmetry much clearer.
Higher-order dimensions are more vulnerable to crawler-shaped communal pressure than low-level indicator dimensions.
Crawler-dominated share by kind in the read looked roughly like this:
- ISP: 21.74%
- city: 18.24%
- region: 18.05%
- organization: 11.3%
- ASN: 2.1%
- ipaddress: 1.25%
- subnet: 0.36%
That is a very strong modeling clue.
It says that typed queryability should not be folded into the score as if every dimension were equally trustworthy.
If communal attention is rising on an IP or subnet, that is one kind of story.
If communal attention is rising on a city or ISP, that may require much heavier discounting unless other parts of the evidence graph support it.
This is exactly why observer typing is not a cosmetic addition.
It changes how we should mathematically treat the field.
6. Queryability is now splitting into two layers
After this pass, I no longer think of q as one thing.
It now looks like two related but distinct surfaces:
The raw attention field
This tells us:
- what the world is pointing at,
- what is spiking now,
- and what is floating upward in public.
It is useful for freshness.
The typed communal field
This tells us:
- which entities are being revisited by more trusted observer shapes,
- whether the convergence survives crawler discounting,
- and which entities have the beginnings of analyst-like validation.
It is useful for safer scoring and stronger explanation.
That split is important because it lets us keep the raw field alive and expressive without pretending it is already purified into trust.
7. What this means for the score
The first queryability post argued that the signal was real enough to expose in reports, the API, and MCP.
This second pass sharpens the rule for how it should eventually influence the score:
not as raw popularity, but as typed communal validation.
The right future features now look much clearer:
- analyst-like convergence count
- focused-investigator reinforcement
- crawler-dominance discount
- persistence across windows
- dimension-sensitive weighting
That is a much safer path than simply saying "more lookups means more risk."
It also creates a better explanation for users and agents:
- this entity is being widely touched
- but much of that is crawler-shaped
or:
- this entity is not just busy
- it is attracting repeated attention from a smaller, more trustworthy layer of observers
Those are very different statements.
And the difference matters.
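An added sketch (not Syndu's production code) of two typed features from sections 3 and 7: the analyst-like convergence count and a crawler-dominance flag, computed per entity from lookups whose observer class is already assigned. The sample lookups are constructed, and the crawler-dominated rule used here (2+ crawler-like requesters forming a majority of requesters) is an assumption, since the post does not define it precisely.

```python
from collections import defaultdict

# Observer classes the post treats as the more trusted layer.
TRUSTED = {"focused investigator", "analyst-like"}
CRAWLER = "crawler-like"

# Constructed sample: (observer_id, observer_class, entity_kind, entity).
# Addresses come from documentation ranges; none of this is production data.
LOOKUPS = [
    ("o1", "analyst-like", "ipaddress", "192.0.2.10"),
    ("o2", "focused investigator", "ipaddress", "192.0.2.10"),
    ("o2", "focused investigator", "ipaddress", "192.0.2.10"),  # repeat lookup
    ("o3", "one-touch public", "ipaddress", "192.0.2.10"),
    ("c1", "crawler-like", "city", "Exampleville"),
    ("c2", "crawler-like", "city", "Exampleville"),
    ("o4", "one-touch public", "city", "Exampleville"),
    ("c1", "crawler-like", "subnet", "198.51.100.0/24"),
    ("o1", "analyst-like", "subnet", "198.51.100.0/24"),
]


def typed_field(lookups, threshold=2):
    """Per entity: raw lookup volume, distinct requesters, and typed flags."""
    raw = defaultdict(int)
    observers = defaultdict(dict)  # entity key -> {observer_id: observer_class}
    for obs_id, obs_class, kind, entity in lookups:
        raw[(kind, entity)] += 1
        observers[(kind, entity)][obs_id] = obs_class  # one entry per requester

    out = {}
    for key, seen in observers.items():
        classes = list(seen.values())
        trusted = sum(c in TRUSTED for c in classes)
        crawlers = classes.count(CRAWLER)
        out[key] = {
            "raw_lookups": raw[key],
            "requesters": len(classes),
            "analyst_like_requesters": trusted,
            # Section 3: 2+ requesters from the trusted layers.
            "analyst_convergence": trusted >= threshold,
            # Assumed rule: same threshold, and crawlers are the majority.
            "crawler_dominated": crawlers >= threshold
            and crawlers * 2 > len(classes),
            "crawler_share": round(crawlers / len(classes), 2),
        }
    return out
```

Counting distinct requesters rather than lookups is what keeps throughput from standing in for convergence: the repeated lookup by `o2` raises raw volume but not the convergence count.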
8. The bigger lesson
There is a simple way to summarize what this second pass changed.
At first, queryability told us:
what the community is pointing at.
Now it also tells us:
what kind of community is doing the pointing.
That is a significant step.
It moves the signal away from mere public demand and closer to a real social-analytical surface.
The field is still young.
The typology is still heuristic.
But the direction is now much more scientifically grounded.
Syndu does not just hear the object being pointed at.
It is beginning to hear the shape of the pointing itself.