rola Plots a Faster Path From Noise to Knowledge in Cyber Investigations with Neo4j
rsShadow helps European agencies dismantle extremist networks and prevent cyber attacks
- €267 billion: Cost of cyber attacks and sabotage to German businesses in 2024
- Hours to Seconds: To detect hidden relationships between threats with Neo4j
- 30 Years: rola’s experience serving European agencies

In December 2022, German investigators uncovered a terrorist plot to overthrow the federal government — a plan orchestrated by members of the extremist Reichsbürger movement. The Federal Prosecutor’s Office launched the largest raid in the nation’s postwar history, mobilizing over 3,000 security personnel to arrest 25 suspects and dismantle the network before it could act.
Behind this complex investigation, rola’s solutions helped analysts to connect critical intelligence—from seized communication devices to financial transactions—mapping relationships between suspects across Germany. Neo4j is the heart of the rsShadow solution within rola’s integrated software suite, enabling investigators to discover relationships hidden within mountains of unstructured information. These connections prevent attacks and protect citizens.
rola has supported Europe’s law enforcement, military, and intelligence agencies for over 30 years as they face increasingly sophisticated threats. The threat landscape has fundamentally changed over this time. Five years ago, investigators tracked organized crime groups with clear hierarchies. Today, they face decentralized networks that can reorganize overnight. A single threat actor might use dozens of cryptocurrency wallets, hundreds of IP addresses, and constantly evolving tactics. Reuters notes that sabotage and cyber attacks cost German businesses an estimated €267 billion between 2023 and 2024 alone.
Building for today’s investigations, not yesterday’s databases
For rola, graph technology wasn’t just an upgrade—it was essential. The company began developing rsShadow in 2021 after recognizing that traditional approaches couldn’t meet these modern investigation needs.
“Path queries are fundamental to investigations,” explains Gregor Bierhals, rola’s Go-to-Market Manager. “You need to discover how Entity A connects to Entity Z through unknown intermediaries. In a relational database, those multi-hop queries took hours. Sometimes they never finished.”
New attack patterns emerge constantly in cyber threat intelligence. A threat actor might introduce a novel technique, or investigators might discover a previously unknown relationship between entities. Traditional relational databases require extensive schema changes to accommodate these discoveries, often taking weeks or months to implement.
rola evaluated multiple database approaches, including document stores like MongoDB for unstructured data, time-series databases for temporal analysis, and even other graph databases like ArangoDB, but quickly aligned around Neo4j. The decision came down to several factors:
- Commercial maturity: Unlike newer alternatives, Neo4j offered proven stability at scale
- Cypher query language: More accessible for non-technical analysts than other query languages such as GraphQL
- Documentation depth: Comprehensive resources for complex implementations
- Market recognition: Neo4j demonstrated credibility with security-conscious customers
“When we tell customers that Neo4j powers our platform, their eyes light up. They know what it means. They trust it.”
This recognition mattered, especially in a field where security and credibility aren’t optional. Neo4j’s long-standing reputation and its ability to support evolving data models helped rola deliver a system that customers could rely on.
Neo4j’s flexible graph structure also enables analysts to add new relationship types, create custom entity properties, or model entirely new threat patterns without waiting for database administrators or system downtime. This schema flexibility means investigations can evolve organically as new intelligence emerges.
From documents to decisions in seconds, not hours
Analysts working in rsShadow face a common challenge: connecting pieces of information that aren’t obviously related. A leaked email address. A suspicious IP address. The name of a shell company buried in an old PDF. Alone, those details seem trivial — but when combined, they can reveal the outlines of a looming threat, sometimes one that endangers lives.
Cyber threat intelligence arrives in a chaotic flood of formats:
- Unstructured PDFs from internal sources
- Structured MISP (Malware Information Sharing Platform) threat feeds
- Reports from firms like CrowdStrike and Mandiant
- Dark web leaks and open-source intelligence (OSINT) findings
- CSV files with fragmented clues
- Decades-old internal memos
rsShadow’s architecture brings order to this complexity, helping human analysts make critical and time-sensitive decisions. Its pipeline includes:
- Entity Extraction: Advanced language models automatically identify threat actors, victims, tools, TTPs (tactics, techniques, procedures), and the relationships between them
- Graph Construction: Each extracted entity becomes a node in a dynamic knowledge graph, with Neo4j mapping their relationships as edges
- Cross-Source Correlation: Neo4j’s property graph model allows unlimited attributes per node, enabling rich context from multiple sources
- Real-time Analysis: Cypher queries instantly traverse millions of connections that could otherwise remain hidden for weeks
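The graph construction, cross-source correlation and path-query steps above can be sketched in Cypher. This is an added example, not rola's or rsShadow's own code: the labels, relationship types, property names and all values are assumptions constructed for illustration.

```cypher
// --- Graph construction (constructed sample data) ---
// Each extracted entity becomes a node; each relationship keeps a
// `source` property so every hop can be traced back to its evidence.
MERGE (mail:Indicator {kind: 'email',  value: 'ops@example.org'})
MERGE (ip:Indicator   {kind: 'ip',     value: '203.0.113.7'})
MERGE (dom:Indicator  {kind: 'domain', value: 'files.example.net'})
MERGE (co:Organization {name: 'Example Holdings Ltd'})
// Three links, each asserted by a different (hypothetical) source.
MERGE (mail)-[:SEEN_WITH     {source: 'leak-dump.csv'}]->(ip)
MERGE (dom)-[:RESOLVES_TO    {source: 'misp-feed'}]->(ip)
MERGE (dom)-[:REGISTERED_BY  {source: 'memo-2009.pdf'}]->(co);

// --- Cross-source correlation ---
// A later report mentions the same IP; MERGE matches the existing node
// instead of duplicating it, and SET adds context to it.
MERGE (ip:Indicator {kind: 'ip', value: '203.0.113.7'})
SET ip.first_seen = date('2024-01-15'),
    ip.reported_by = coalesce(ip.reported_by, []) + 'vendor-report.pdf';

// --- Path query: how does Entity A connect to Entity Z? ---
// The intermediaries are unknown, so the pattern is variable-length
// and undirected, bounded at 6 hops to keep the search tractable.
MATCH (a:Indicator {kind: 'email', value: 'ops@example.org'}),
      (z:Organization {name: 'Example Holdings Ltd'})
MATCH p = shortestPath((a)-[*..6]-(z))
RETURN [n IN nodes(p) | coalesce(n.value, n.name)]              AS hops,
       [r IN relationships(p) | type(r) + ' via ' + r.source]   AS evidence,
       length(p)                                                AS hop_count;
```

Returning the `source` of every relationship along the path gives the analyst the documents to review before accepting the connection.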
“We’re using Neo4j not just for the visualization layer, but throughout the entire system,” notes Bierhals. “It stores and manages entities, enables rapid queries, and lets us evolve our data model without painful migrations.”
That isn’t just technical performance: it’s operational readiness. That speed can mean identifying a hostile actor before the next breach, or connecting evidence that stops an extremist network before it turns violent. In an industry where every second is critical, time isn’t just money. It’s public safety.
rsShadow is built to meet the demands of government and law enforcement environments, with deployments tailored to strict security requirements:
- On-premise for sensitive government operations
- Air-gapped for environments requiring total network isolation
- Multi-Cloud flexibility and support including Google Cloud
- Containerized (Docker-based) for easy installation and control
The system’s architecture balances automation with human oversight.
“In investigations, accuracy matters. You can’t take shortcuts with automation,” Bierhals said. “If our system confuses two different people named ‘Michael K,’ that error could destroy a case in court. We make entity detection fast, but humans make the final connections.”
This approach extends throughout the interface. Expert users can write Cypher queries directly for complex analysis, while other users work through visual graph interfaces.
Together, that balance of speed, structure, and scrutiny is crucial, especially when the stakes are as high as they were in the Reichsbürger prosecutions. During such investigations, rsShadow’s combination of automated insight and rigorous documentation gave prosecutors the clarity and legal defensibility they needed to build cases that stood up in court.
Figure: rsShadow covers the full cyber threat intelligence cycle
What’s next: search, RAG, and secure GenAI
rola is constantly pushing the boundaries of what rsShadow can do, because the threats that analysts face are powerful and evolving, and the consequences are real. Behind every query is a mission to protect lives, defend democracies, and uphold the rule of law. rola is investing in advanced capabilities that put GenAI into the hands of human experts without compromising on accountability or accuracy. These new capabilities include:
- Natural language document chat: Analysts will soon be able to interact with their graph using everyday language: “Show me all connections between this IP address and known APT (Advanced Persistent Threat) groups”
- Vector search with Neo4j: Enables semantic similarity searches across thousands of documents to uncover related threats, even when keywords differ
- Retrieval-augmented generation (RAG): Combining graph traversal with LLMs for automated threat report drafting
- AI-powered query suggestions: Accelerating investigations by proposing relevant queries while maintaining human control
“We’re exploring vector embeddings for documents,” explains Bierhals. “Imagine finding all reports similar to a new threat indicator, even if they don’t share exact keywords. Neo4j’s vector search capabilities make this possible while keeping everything in our trusted graph database.”
These enhancements are making the system smarter – and making analysts and investigators faster, more confident, and more capable in moments where every second counts. “Every team we work with wants to move faster, without sacrificing accuracy,” Bierhals said. “Adding AI in a safe, explainable way helps us meet that goal.”
A recent customer evaluation highlighted Neo4j’s advantages over GraphQL-based alternatives. “They specifically praised how Cypher makes complex queries accessible,” reports Bierhals. “The competing solution required deep technical expertise just to ask basic questions. With Neo4j, our analysts write powerful queries within days, not months.”
rola’s partnership with Neo4j is as mission-driven as it is technical. “We’re proud that Neo4j is part of our story,” Bierhals said. “It helps us bring structure to chaos—and insight to the people who need it most.”