Session demonstrates modeling agent activity (agents, users, artifacts, actions) as a provenance graph in Neo4j and using a few investigative Cypher queries to surface multi‑hop exfiltration, suspicious delegation or lateral movement. The session shows visualized subgraphs, how to drill into node/context metadata and exporting an explainable evidence package (graph path + artifacts + timestamps) for incident response and regulator review