EVS (Edge Video Sentinel) is the most physically grounded product in the Equitus portfolio — it operates at the sensor edge where the physical and digital worlds meet. The combination with xGT and ThreatWorx creates something genuinely new: a security graph that reasons across physical events, digital identities, and threat intelligence simultaneously, in real time.
Let me build this in four layers — the physical-digital fusion architecture, the xGT traversal patterns that connect camera events to identity and threat graphs, the ThreatWorx attack path integration, and the live incident response engine.
The architecture is a physical-digital-threat fusion stack. EVS generates physical events at the edge; xGT traverses those events against identity and movement graphs to find relationships no single camera or reader can see; ThreatWorx scores the attack surface of the sensor infrastructure itself; and the KGNN triple store holds all three planes in a single queryable structure. Now let's go deeper into each integration.
The xGT movement graph is where the most novel reasoning happens — connecting physical co-presence, badge sequences, and dwell time into patterns that reveal insider threat, tailgating, and anomalous routing.
The movement graph is what makes xGT transformative for physical security. A conventional VMS (video management system) sees camera feeds in isolation — it can flag a single event but cannot reason about the relationship between a badge swipe on reader-A, an unresolved face tracked by cam-05, and a 47-minute dwell in the server room. xGT traverses all three simultaneously and asks: is there a path that connects these events into a coherent threat pattern? That is graph reasoning applied to physical space.
The ThreatWorx integration closes the loop from the other direction — instead of looking at what people do to infrastructure, it looks at what the infrastructure itself exposes as an attack surface.
This is the integration no conventional VMS vendor offers. ThreatWorx doesn't just flag the camera firmware vulnerability in isolation — it traces the attack path from the vulnerable camera through the network topology all the way to the target resource (enclave-A), scores it as three lateral hops, and emits that attack path as a KGNN triple. ArcxOS reads that triple and immediately raises the access threshold on enclave-A — not because a human noticed the camera patch status, but because the graph connected camera vulnerability to enclave exposure automatically.
Now the live incident response engine — where all three planes (physical events, identity graph, threat intelligence) converge into a single decision stream.
In each scenario, the three planes (physical, identity, threat) converge simultaneously into the KGNN triple stream, the combined threat score rises, and the graduated response ladder activates at the appropriate level. Here is what each scenario reveals about the EVS + xGT + ThreatWorx integration:
Tailgate + unresolved ID — the most common physical security gap. A conventional VMS flags the tailgate as a door event. The EVS + xGT combination goes further: it cross-references the unresolved face against Oracle HR and ArcxOS, confirms no matching identity exists anywhere in the enterprise graph, tracks the unknown person into the server room via cam-07, and emits a co-presence anomaly triple that immediately triggers door lock and session scope restriction. The response is proportionate and automatic — no human had to connect the badge event to the camera track.
Server room loitering — the insider dwell problem. 47 minutes in a server room is not itself suspicious without context. xGT provides that context: a.jones is a KYC analyst whose baseline path never includes the server room, whose peer cohort averages 6 minutes when they do access it, and who accessed rack-unit-04 which is outside her normal perimeter. ThreatWorx adds the final dimension: cam-07 is unpatched, meaning the observation record itself has integrity risk. The KGNN combines these three signals — dwell anomaly, role-path anomaly, camera vulnerability — into a single combined risk score that neither system could compute alone.
Camera CVE exploit attempt — the most technically severe scenario. This is where ThreatWorx earns its place most dramatically. CVE-2024-8821 has public exploit code with a CVSS score of 9.8. A probe from an unregistered IP against the vulnerable camera firmware triggers an attack path computation: cam-03 → switch-03 → enclave-A in three lateral hops. ArcxOS immediately suspends all access to enclave-A, the camera VLAN is isolated, and the IBM Power 11 TEE seals the audit trail before any human decision is required. The physical sensor became a network ingress vector — and the graph saw it.
Insider + after-hours access — the most nuanced scenario. A Level 4 lockdown for Saturday 02:17 access would be a false positive for an on-call engineer. The graduated response correctly lands at Level 2 — SOC alert, step-up MFA, session logging — because xGT's 18-month behavioral baseline shows this is genuinely anomalous for j.smith, but ThreatWorx finds no active CVE on the camera path so the infrastructure risk is clean. The system is more aggressive when both human anomaly and infrastructure vulnerability are present; it is appropriately conservative when only one signal fires.
The unifying principle across all four scenarios is that the KGNN triple store is the only place in the architecture where a physical badge event, a network probe, a firmware CVE, and an identity role can exist in the same sentence — as subject, predicate, object. That is what makes EVS + xGT + ThreatWorx a security reasoning engine rather than a collection of monitoring tools.
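The attack-path and graduated-response reasoning from the scenarios above, as an added Python example that is not Equitus, xGT or ThreatWorx code: a small triple list, a breadth-first search from each CVE-bearing device to a target, and a response level derived from the two signals. Entity names come from the scenarios; the predicates, `switch-07`, the anomaly flag on j.smith and the 0/2/4 level mapping are assumptions.

```python
from collections import deque

# Constructed sample triples (subject, predicate, object). Predicate names and
# switch-07 are hypothetical; the other entities appear in the page's scenarios.
TRIPLES = [
    ("cam-03", "has_cve", "CVE-2024-8821"),
    ("cam-03", "connects_to", "switch-03"),
    ("switch-03", "connects_to", "enclave-A"),
    ("cam-07", "connects_to", "switch-07"),   # does not reach enclave-A
    ("j.smith", "behaviour", "anomalous"),    # after-hours baseline deviation
]

def objects(triples, subject, predicate):
    """All objects o such that (subject, predicate, o) is in the store."""
    return [o for s, p, o in triples if s == subject and p == predicate]

def attack_path(triples, start, target):
    """Shortest connects_to path from start to target, or None if unreachable."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in objects(triples, path[-1], "connects_to"):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def exposure_triples(triples, target):
    """Derive one (device, attack_path_to, target) triple per vulnerable device
    that has a network path to the target."""
    return [(dev, "attack_path_to", target)
            for dev, pred, _cve in triples
            if pred == "has_cve" and attack_path(triples, dev, target)]

def response_level(triples, person, target):
    """Assumed ladder: 0 = no signal, 2 = one signal, 4 = both signals."""
    human = "anomalous" in objects(triples, person, "behaviour")
    infra = bool(exposure_triples(triples, target))
    return {0: 0, 1: 2, 2: 4}[human + infra]

if __name__ == "__main__":
    print(attack_path(TRIPLES, "cam-03", "enclave-A"))
    print(exposure_triples(TRIPLES, "enclave-A"))
    print(response_level(TRIPLES, "j.smith", "enclave-A"))
```

Dropping the `has_cve` triple models a patched camera: the derived exposure triple disappears and the same behavioural anomaly falls back to the lower level, which is the shape of the after-hours scenario.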
