
Cybersecurity Investigations Go Visual: Flowsint Lets Analysts Track Threats Like Reading a Map

Flowsint is a graph-based visual investigation platform that turns complex security analysis into an intuitive drag-and-drop experience. After trying it, I think this might be the new direction for security analysis tools.

Tags: Cybersecurity, Visualization, Investigation Platform, TypeScript, Open Source


Anyone who does security analysis knows this pain: evidence is scattered across a dozen places, and you have to keep track of IPs, domains, user behavior, and timelines all at once. Lose focus for a second and the trail goes cold.

I’ve used plenty of security investigation tools before. Mostly tables and logs. Effective, but exhausting. When I saw reconurge/flowsint, its slogan caught my eye—“visual, flexible, and extensible graph-based investigations.” Visual, flexible, extensible. In plain terms, it turns the investigation process into an interactive map.

Project Background

Flowsint is very vertically focused: built for cybersecurity analysts and investigators. It’s not one of those comprehensive SIEM systems. Instead, it zeroes in on the “investigation” phase. When you’ve already spotted something suspicious and need to dig deeper, that’s when Flowsint shows up.

It’s written in TypeScript, and the frontend looks modern. The code structure is clean with good modularization, which tells me the authors actually want people to extend it.

Core Features: Connecting Clues Into a Network

I spent an afternoon setting up the local environment and importing some test data. A few features really impressed me:

Graph Canvas, Drag-and-Drop Investigation

The main interface is basically a big whiteboard. You drag clues from the sidebar—an IP address, a domain, a user account—and they become nodes. Then you connect them manually or automatically. The whole investigation feels like reasoning on a whiteboard, incredibly intuitive.

For example, I found a suspicious IP, dragged it in, and Flowsint automatically associated it with resolved domains, registration info, and historical DNS records. Information I’d normally need three tools to gather was now on one graph.

Flexible Data Source Integration

It supports custom data sources. You can plug in VirusTotal, Shodan, internal logging systems, even your own scripts. Each source becomes a “node type” with different colors and icons on the canvas. I connected a whois lookup API with about twenty lines of configuration and it worked.

Extensible Investigation Logic

Flowsint isn’t just for display—it supports custom investigation rules. You can write simple logic: “If an IP appears on a blacklist, mark it red.” “If a domain was registered less than 7 days ago, add a warning label.” These rules are reflected on the canvas in real time, helping you quickly focus on what matters.
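To make the two rules above concrete, here is an added TypeScript illustration of how such node-annotation logic can be evaluated over graph nodes; it is my own sketch, not Flowsint's rule API, and the node shape, rule shape and sample blacklist values are constructed for the example.

```typescript
// Added illustration of investigation rules over graph nodes.
// The GraphNode/Rule shapes are hypothetical, not Flowsint's API.

type NodeKind = "ip" | "domain";

interface GraphNode {
  kind: NodeKind;
  value: string;
  registeredAt?: string; // whois creation date as ISO string (domains only)
  labels: string[];      // annotations attached by rules
  color?: string;        // canvas color set by rules
}

interface Rule {
  name: string;
  applies: (n: GraphNode, now: Date) => boolean;
  apply: (n: GraphNode) => void;
}

// Constructed sample blacklist using documentation (TEST-NET) addresses.
const BLACKLIST = new Set(["203.0.113.45", "198.51.100.7"]);

function daysBetween(from: Date, to: Date): number {
  return (to.getTime() - from.getTime()) / 86_400_000;
}

const RULES: Rule[] = [
  {
    name: "ip-on-blacklist",
    applies: (n) => n.kind === "ip" && BLACKLIST.has(n.value),
    apply: (n) => { n.color = "red"; n.labels.push("blacklisted"); },
  },
  {
    name: "newly-registered-domain",
    applies: (n, now) => {
      if (n.kind !== "domain" || !n.registeredAt) return false;
      const age = daysBetween(new Date(n.registeredAt), now);
      // Unparseable (NaN) or future registration dates never match.
      return age >= 0 && age < 7;
    },
    apply: (n) => n.labels.push("warning: registered <7 days ago"),
  },
];

// Runs every rule over every node, mutating nodes in place.
function evaluate(nodes: GraphNode[], now: Date = new Date()): GraphNode[] {
  for (const n of nodes) {
    for (const r of RULES) if (r.applies(n, now)) r.apply(n);
  }
  return nodes;
}
```

A fixed `now` is passed in so the age check stays deterministic; in a live canvas the rules would be re-run whenever a node or its attributes change.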

Collaboration and Snapshots

You can save a snapshot mid-investigation and generate a shareable link for colleagues. They open it and see your entire organized graph without starting from scratch. This is incredibly useful for team collaboration—security incidents often involve multiple people, and everyone adds a few clues until the picture gets more complete.

Real-World Use Cases

I simulated a scenario: an alert came in about an internal IP sending large amounts of data to an external address at 3 AM. I dragged the IP into Flowsint, which linked it to the domains it had accessed, the corresponding CDN nodes, and the other IPs that had historically visited the same domain. Following the lines, I eventually identified a compromised host and uncovered the C2 infrastructure behind it.

The whole process took about fifteen minutes. With traditional methods, I’d probably be switching between four different tools for over an hour.

Quick Start

You’ll need Node.js:

git clone https://github.com/reconurge/flowsint.git
cd flowsint
npm install
npm run dev

By default it runs on localhost:3000. Data source configurations live in config/sources.yaml, with templates for several common APIs. I modified the whois config following the example and had it working in ten minutes.

Pros and Cons

The pros are obvious: the visual investigation experience is miles ahead of tables and logs; it’s very extensible, and adding custom sources and rules isn’t hard; the collaboration feature noticeably boosts team efficiency.

The downsides are real too. It only solves the “investigation” phase, not alerting, response, or report generation. If you’re expecting an all-in-one security platform, this isn’t it. Also, when node counts exceed a few hundred, the canvas starts to lag, so there is still room for performance optimization.

Another barrier: you need some security analysis fundamentals. You have to know what to look for and how to look. Flowsint makes the looking easier, but won’t decide what to look for on your behalf.

How It Compares

Maltego is the veteran commercial graph investigation tool—powerful but pricey, and closed source. Yeti is an open-source threat intelligence platform focused on data aggregation, with mediocre visualization. Flowsint’s edge is “lightweight + open source + modern UI.” It’s not trying to replace Maltego, but rather give smaller teams an affordable option.

Who Should Use It

Security analysts, threat hunting teams, incident responders, and anyone who needs to piece fragmented clues into a complete picture. If you’re still using Excel to organize IOCs (indicators of compromise), I strongly recommend giving this a try.

Honestly, the core competitive advantage of tools like this isn’t how many features they have, but whether they let you think less and click less during an investigation. Flowsint does both pretty well.


About the Author

Liudingyu is a full-stack developer and heavy GitHub user. Having starred 900+ repos over the past 3 years, I only cover tools on this site that I’ve actually used or deeply researched.

📧 Found a great tool to recommend? Email [email protected]
