US 12,238,140 B2
Artificial intelligence based analyst as an evaluator
Timothy Owen Bazalgette, Knebworth (GB); and Constance Alice Chapman, Cambridge (GB)
Assigned to Darktrace Holdings Limited, Cambridge (GB)
Filed by Darktrace Holdings Limited, Cambridge (GB)
Filed on Jan. 7, 2022, as Appl. No. 17/571,381.
Claims priority of provisional application 63/274,376, filed on Nov. 1, 2021.
Claims priority of provisional application 63/135,394, filed on Jan. 8, 2021.
Prior Publication US 2022/0224724 A1, Jul. 14, 2022
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01)
CPC H04L 63/20 (2013.01) 20 Claims
OG exemplary drawing
 
1. An Artificial Intelligence based cyber security appliance, comprising:
a cyber threat analyst module configured to investigate cyber threat attack incidents, where the cyber threat analyst module is further configured to use a data structure constructed to contain multiple tags to assist in modeling of an expansion of a plurality of disparate events subsumed into an ongoing cyber threat attack incident, during the ongoing cyber threat attack incident, to reflect a lifecycle of the ongoing cyber threat attack incident,
where the data structure includes records of one or more graphs, nodes, edges, and tags, wherein the tags are configured to contain metadata attached to the graphs, nodes, and edges to provide information that is useful in understanding the ongoing cyber threat attack incident during its lifecycle,
where a first tag is assigned to a first node when the first node first appears in a first graph in response to a first disparate event,
where a second tag is assigned to a second node when the second node first appears in the first graph in response to a second disparate event,
where the first node is coupled by a first edge to the second node forming a first group of nodes in the first graph, and where the second node and the first node are connected by the data structure in response to an indication that the cyber threat analyst module has found one or more linking points of information between the first and second disparate events,
where the data structure is configured to maintain the second tag assigned to the second node and the first tag assigned to the first node when the data structure connects both the second node and the first node rather than eliminating or merging at least one of the first tag and the second tag after the data structure connects both,
where a third tag is assigned to a third node when the third node first appears in the first graph in response to a third disparate event,
where the data structure is configured to connect the third node to the first group of nodes when the cyber threat analyst module has found one or more linking points of information between the third disparate event and at least one of the first and second disparate events,
where the cyber threat analyst module has a tag assigning module configured to assign the multiple tags including the first tag, the second tag and the third tag when, respectively, the first disparate event is detected, the second disparate event is detected, and the third disparate event is detected, which allows a reporting of the disparate events as well as a visual indication of a scale of the ongoing cyber threat attack incident as they happen,
where the cyber threat analyst module is configured to form and investigate hypotheses on what are a possible set of cyber threats based on data analysis that includes at least one of i) abnormal behavior, ii) suspicious activity, and iii) any combination of both, identified through cooperation with one or more AI models trained with machine learning on a normal pattern of life of entities under the data analysis, by examining at least whether a correlation exists between a series of two or more anomalies over a given frame, and
where the cyber threat analyst module is further configured to cooperate with a formatting module to generate both i) alerts on two or more disparate events as they happen and ii) the visual indication of the scale of the ongoing cyber threat attack incident as mapped by the two or more disparate events with linked information using the data structure, which allows the reporting of the disparate events as they happen as well as a display of the visual indication of the scale of the ongoing cyber threat attack incident as mapped by the two or more disparate events with the linked information while the ongoing cyber threat attack incident is still happening, where any software instructions for the cyber threat analyst module are stored in an executable form in one or more non-transitory machine readable storage mediums to be executed by one or more processors.
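As an added illustration, not code from the patent or from Darktrace, the following Python sketch models the tagged incident graph that claim 1 describes: each disparate event becomes a node tagged on first appearance, an edge records the linking point of information, both nodes keep their own tags after linking, and the size of the connected group gives the scale reported while the incident is ongoing. Class, method and event names are hypothetical, and the sample events are constructed.

```python
from typing import Dict, List, Set, Tuple

class IncidentGraph:
    """Graph of disparate events subsumed into one ongoing incident (hypothetical structure)."""
    def __init__(self) -> None:
        self.nodes: Dict[str, Dict[str, str]] = {}   # node id -> tags attached on first appearance
        self.edges: List[Tuple[str, str, str]] = []  # (node_a, node_b, linking point of information)
        self.alerts: List[str] = []                  # one alert per disparate event, as it happens
        self._adj: Dict[str, Set[str]] = {}

    def add_event(self, event: dict) -> Dict[str, str]:
        """Create and tag a node the first time an event is detected; an existing node is left as is."""
        if event["id"] not in self.nodes:
            self.nodes[event["id"]] = {"event": event["type"], "entity": event["entity"], "seen_at": event["ts"]}
            self._adj[event["id"]] = set()
            self.alerts.append(f"{event['ts']} {event['type']} on {event['entity']}")
        return self.nodes[event["id"]]

    def link(self, a: str, b: str, linking_point: str) -> None:
        """Connect two nodes once a linking point is found; neither node's tags are merged or dropped."""
        self.edges.append((a, b, linking_point))
        self._adj[a].add(b)
        self._adj[b].add(a)

    def group_of(self, start: str) -> Set[str]:
        """The group of nodes (connected component) that the event has been subsumed into."""
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(self._adj[n] - seen)
        return seen

    def scale(self, start: str) -> Tuple[int, int]:
        """Scale of the incident so far: (nodes, edges) inside the group containing start."""
        g = self.group_of(start)
        return len(g), sum(1 for a, b, _ in self.edges if a in g and b in g)

def build_sample_incident() -> IncidentGraph:
    """Constructed sample: three events joined first by a shared host and then by a shared credential."""
    g = IncidentGraph()
    g.add_event({"id": "e1", "type": "unusual_login", "entity": "host-a", "ts": "09:00"})
    g.add_event({"id": "e2", "type": "new_admin_tool", "entity": "host-a", "ts": "09:05"})
    g.link("e1", "e2", "same host")
    g.add_event({"id": "e3", "type": "unusual_rdp", "entity": "host-b", "ts": "09:12"})
    g.link("e3", "e2", "same credential")   # joins the existing group through e2 alone
    return g
```

Each call to add_event appends an alert immediately, so alerts and the growing group scale are both available before the incident is closed.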