Torgen market analysis implies that because the data is public/unstructured, extracting it into a graph creates advantage. That is true only if you solve the hard parts:
Entity resolution: vendor aliases, subsidiaries, acquired entities, law firm names, breach-notice processors, healthcare provider names, BA vs covered entity ambiguity.
Custody confidence: public sources often prove “affected by” or “reported by,” but not always “had custody of this specific customer’s PHI.” You need confidence levels: confirmed, inferred, alleged, vendor-claimed, regulator-confirmed.
Evidence provenance: every edge needs source, quote span or extracted field, date, extraction method, confidence, and contradiction handling.
Temporal modeling: breach discovered date, occurrence window, notice date, OCR submission date, SEC filing date, lawsuit date, leak-site post date, remediation date.
Actionability: the graph must produce remediation questions: “Do we use this product?”, “Which vendors process this data class?”, “Do we have a BAA?”, “Are MOVEit-like MFT exposures present?”, “What compensating control should be verified?”
Integration: buyers will still need exports/API hooks into GRC, vendor inventory, ticketing, SIEM/SOAR, and board reporting. Mobile-first can be the front door, but enterprise workflow cannot live only on mobile.