The stronger white space is: Nobody appears to own the PHI-specific, evidence-linked, breach-forensics-to-custody graph: covered entity → business associate → product/service → subprocessor/fourth party → vulnerability/campaign/TTP → PHI data class → affected population → legal/regulatory evidence → remediation opportunity.
The moat is the curated ontology, extraction quality, entity resolution, confidence scoring, evidence chain, and PHI-specific relationship model. A mobile feed is valuable when it answers: “Why does this matter to me, what evidence supports it, who is affected, and what should I do next?” A mobile force-directed graph alone will not be enough.
Internal security graphs / CNAPP: Wiz, Orca, Microsoft, Uptycs, Check Point ecosystem integrations. They map internal/cloud/code/identity/data exposure.
TPRM / cyber ratings: Bitsight, SecurityScorecard, Black Kite, UpGuard, Panorays, ProcessUnity, Prevalent. They rate vendors, monitor external posture, and increasingly add breach/threat/dark-web signals.
Threat intelligence / dark web / breach intelligence: Recorded Future, Flashpoint, SOCRadar, ZeroFox, ReliaQuest-style providers. They surface threat activity, leaked credentials, extortion posts, indicators, and actor/campaign context.
Healthcare TPRM / GRC: Censinet, CORL, Clearwater, Meditology-type services. They are closer to HIPAA, BAAs, questionnaires, vendor onboarding, and healthcare compliance workflows.
Your white space: PHI breach-event intelligence graph: public/unstructured breach forensics → custody graph → vendor/product/campaign/control/remediation relationships → evidence-linked mobile and API experience.
Differentiators
Your market analysis implies that because the data is public/unstructured, extracting it into a graph creates advantage. That is true only if you solve the hard parts:
Entity resolution: vendor aliases, subsidiaries, acquired entities, law firm names, breach-notice processors, healthcare provider names, BA vs covered entity ambiguity.
Custody confidence: public sources often prove “affected by” or “reported by,” but not always “had custody of this specific customer’s PHI.” You need confidence levels: confirmed, inferred, alleged, vendor-claimed, regulator-confirmed.
Evidence provenance: every edge needs source, quote span or extracted field, date, extraction method, confidence, and contradiction handling.
Temporal modeling: breach discovered date, occurrence window, notice date, OCR submission date, SEC filing date, lawsuit date, leak-site post date, remediation date.
Actionability: the graph must produce remediation questions: “Do we use this product?”, “Which vendors process this data class?”, “Do we have a BAA?”, “Are MOVEit-like MFT exposures present?”, “What compensating control should be verified?”
Integration: buyers will still need exports/API hooks into GRC, vendor inventory, ticketing, SIEM/SOAR, and board reporting. Mobile-first can be the front door, but enterprise workflow cannot live only on mobile.