ZelDB Command Interface

ZelQL Full Library

ZelQL is the language of ZelDB: a cybersecurity-native command interface for CyberCells, evidence, AI memory, policies, attack paths, blast radius, incident replay, encryption, and defensive action.

ZelQL: The Command Interface for Cybersecurity Reality

Product: ZelDB
Suite: Zelfire
Author: Haja Mo / Rocheston
Use: Website content, documentation, demos, chatbot knowledge base, Aina Intelligence training context, and ZelDB product pages
License Positioning: ZelDB is licensed exclusively to RCCE students and authorized Zelfire platform environments.


1. Overview

ZelQL is the native command interface of ZelDB. It is not merely a query language for retrieving rows, logs, or records. It is a cybersecurity-native command language for security reality: risk, trust, evidence, AI memory, policies, attack paths, blast radius, incident replay, encryption context, and defensive action provenance.

Traditional query languages ask: What data matches this filter? ZelQL asks: What happens, what is proven, what can an attacker reach, what can AI safely see, and what action is safe?

SQL
SELECT * FROM logs WHERE severity = 'high';

ZelQL replaces passive search with operational cybersecurity commands:

ZELQL
SIMULATE action "isolate-host"
ON asset "prod-api-07"
SHOW blast_radius, business_impact, rollback_plan, approval_required

ZelQL is built for analysts, AI agents, auditors, incident responders, Aina Intelligence, ZelC, ZelEn, and the Zelfire platform.

2. ZelQL Core Philosophy

In cybersecurity, data is not enough. The database must understand what the data means, whether it is trustworthy, whether it is evidenced, whether it is policy-approved, whether it is safe for AI, and what will happen if an action is taken.

ZelQL is built around these principles:

  • Security objects are not passive records; they are CyberCells with risk, trust, evidence, policy, timeline, and action boundaries.
  • AI memory must be governed like production infrastructure.
  • Evidence must be first-class, not a screenshot or afterthought.
  • Reading data, reasoning over data, recommending action, simulating action, executing action, exporting data, and training AI must be separate permissions.
  • Attack paths and blast radius should be queryable at the database layer.
  • Every serious decision should be explainable with WHY.
  • Every incident should be replayable with REPLAY.
  • Every defensive action should be provable through Kinetic Ledger records.

3. Core ZelQL Verbs

| Verb | Meaning |
|---|---|
| FIND | Search CyberCells, evidence, incidents, memories, policies, actions, keys, reports, and relationships. |
| SHOW | Display a specific object, graph, timeline, proof, field set, or visual view. |
| TRACE | Follow relationships through the Security Reality Graph. |
| REPLAY | Reconstruct an incident, timeline, mutation history, or action sequence. |
| SIMULATE | Compute blast radius, business impact, risk delta, rollback, and approvals before action. |
| VERIFY | Validate evidence, proof bundles, actions, encryption, policies, compliance, and AI access. |
| WHY | Explain risk, trust, policy, AI memory, evidence, action blocks, and incident causality. |
| ASK | Ask Aina Intelligence using governed ZelDB context. |
| QUARANTINE | Preserve unsafe memory or objects while blocking unsafe AI/action use. |
| ANCHOR | Create tamper-evident proof anchors for evidence and proof bundles. |
| COMPARE | Compare snapshots, states, incidents, policies, actions, or CyberCells. |
| REPORT | Generate proof-grade reports from ZelDB data. |
| EXPORT | Export results as CSV, JSON, HTML, Markdown, print/PDF, or proof bundle. |
| CREATE | Create CyberCells, policies, memories, evidence, reports, or relationships. |
| UPDATE | Modify CyberCell fields, policies, statuses, evidence metadata, or scores. |
| LINK | Create typed relationships between CyberCells. |
| UNLINK | Remove typed relationships between CyberCells. |
| SCORE | Recalculate risk, trust, confidence, evidence, memory safety, or action safety. |
| SNAPSHOT | Capture a point-in-time security state. |
| WATCH | Create saved queries, alerts, or monitoring rules. |
| EXPLAIN | Explain query plan, tenant isolation, safety checks, graph traversal, and evidence weighting. |
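
A gate that enforces the separate-permissions principle from section 2 has to look past the leading verb, because in this page's examples EXPLAIN and WATCH wrap another statement and FIND or REPORT can end in an EXPORT clause. The code below is an added example, not ZelDB or Zelfire code; the verb-to-permission mapping and the names `VERB_PERMISSION`, `required_permissions` and `authorize` are assumptions.

```python
import re

# ASSUMED mapping, not ZelDB's: each verb in the page's verb table is assigned to one
# of the permission classes the page says must stay separate. "recommend" and "train"
# have no verb in that table, so nothing maps to them here.
VERB_PERMISSION = {
    **dict.fromkeys(["FIND", "SHOW", "TRACE", "REPLAY", "VERIFY", "COMPARE", "EXPLAIN"], "read"),
    **dict.fromkeys(["WHY", "ASK"], "reason"),
    **dict.fromkeys(["SIMULATE"], "simulate"),
    **dict.fromkeys(["EXPORT", "REPORT"], "export"),
    **dict.fromkeys(["QUARANTINE", "ANCHOR", "CREATE", "UPDATE", "LINK", "UNLINK",
                     "SCORE", "SNAPSHOT", "WATCH"], "execute"),
}

# Strings and comments are blanked in one left-to-right pass, so "--" inside a string
# is not read as a comment and a keyword inside a string is never counted.
NOISE = re.compile(r'"[^"]*"|--[^\n]*|/\*.*?\*/', re.DOTALL)
WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def required_permissions(statement):
    """Return the set of permission classes one ZelQL statement needs."""
    stripped = NOISE.sub(" ", statement)
    if '"' in stripped or "/*" in stripped:
        raise ValueError("unterminated string or comment")
    words = [w.upper() for w in WORD.findall(stripped)]  # keywords are case-insensitive
    if not words:
        raise ValueError("empty statement")
    verbs = [words[0]]
    if words[0] == "EXPLAIN" and len(words) > 1:
        verbs.append(words[1])                      # EXPLAIN wraps another statement
    if words[0] == "WATCH" and "AS" in words[:-1]:
        verbs.append(words[words.index("AS") + 1])  # WATCH query "..." AS <statement>
    needed = set()
    for verb in verbs:
        if verb not in VERB_PERMISSION:
            raise ValueError(f"unknown verb {verb}")
        needed.add(VERB_PERMISSION[verb])
    if "EXPORT" in words[1:]:
        needed.add("export")                        # trailing "EXPORT csv" on FIND/REPORT
    return needed


def authorize(statement, granted):
    """Return (allowed, missing); malformed or unknown input is denied."""
    try:
        missing = required_permissions(statement) - set(granted)
    except ValueError as exc:
        return False, [str(exc)]
    return not missing, sorted(missing)


if __name__ == "__main__":
    # Constructed statements, as a read-only agent might submit them.
    for stmt in ('find cybercells where risk_score > 80',
                 'FIND cybercells WHERE risk_score > 80 SHOW name EXPORT csv',
                 '/* audit */ export last_result AS csv',
                 'EXPLAIN SIMULATE action "isolate-host" ON asset "prod-api-07"'):
        print(authorize(stmt, {"read"}), "<-", stmt)
```

Position matters here: `anchor` and `snapshot` also occur as field or object names in this page's queries, so only the leading verb, a wrapped statement's verb and a bare EXPORT clause are counted.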

4. Statement Anatomy

Most ZelQL statements follow one of these patterns:

ZELQL
COMMAND target
WHERE conditions
WITH options
SHOW fields
ORDER BY field DESC
LIMIT number
AS view

ZELQL
FIND cybercells
WHERE risk_score >= 90
AND evidence_status != "verified"
SHOW name, type, owner, risk_score, evidence_status, attack_paths
ORDER BY risk_score DESC
LIMIT 20
AS table

ZELQL
TRACE identity "[email protected]"
TO database "customer-db-primary"
VIA credentials, sessions, network_paths
SHOW path, hops, risk_score, evidence

ZELQL
REPLAY incident "INC-2026-0042"
FROM first_seen
TO contained
SHOW timeline, graph, evidence, ai_decisions, kinetic_actions
AS timeline

ZELQL
SIMULATE action "rotate-credential"
ON credential "svc-payments-token"
WITH max_business_impact = "low"
SHOW risk_delta, affected_services, rollback_plan, approval_required
AS simulation

5. Object References

ZelQL can reference objects using explicit object notation or readable lowercase references.

ZELQL
Asset("prod-api-07")
Identity("[email protected]")
Database("customer-db-primary")
Credential("svc-payments-token")
Incident("INC-2026-0042")
Evidence("EV-7781")
Memory("MEM-9201")
Policy("POL-AI-003")
Action("ACT-1044")
Key("KEY-ZELEN-01")
Agent("Aina SOC Agent")
CrownJewel("Customer Production Database")
BusinessService("Customer Portal")
Tenant("Rocheston Demo")

ZELQL
asset "prod-api-07"
identity "[email protected]"
incident "INC-2026-0042"
evidence "EV-7781"
memory "MEM-9201"
policy "POL-AI-003"

6. Keywords, Comments, Literals, and Operators

6.1 Case Insensitivity

ZelQL keywords are case-insensitive, but the recommended house style is uppercase commands and clauses.

ZELQL
FIND cybercells WHERE risk_score > 80

ZELQL
find cybercells where risk_score > 80

6.2 Comments

ZELQL
-- Find dangerous production CyberCells
FIND cybercells
WHERE risk_score > 85
AND zone = "production"
SHOW evidence, attack_paths, blast_radius

ZELQL
/*
This query identifies AI-visible critical assets
that may require policy tightening.
*/
FIND cybercells
WHERE sensitivity = "critical"
AND ai_visibility = "allowed"
SHOW policy_status, evidence_status

6.3 Literals

ZELQL
"prod-api-07"
"Customer Production Database"
"[email protected]"
94
true
false
["Asset", "Database", "Secret"]
"2026-01-01"
"All Data"

6.4 Operators

| Operator Group | Operators |
|---|---|
| Comparison | =, !=, >, >=, <, <= |
| Logical | AND, OR, NOT |
| List | IN, NOT IN |
| Range | BETWEEN, AFTER, BEFORE, SINCE, UNTIL |
| Text | CONTAINS, STARTS_WITH, ENDS_WITH, MATCHES, LIKE |
| Security predicates | HAS, IS, IS NOT, CAN, CANNOT |

ZELQL
FIND cybercells
WHERE risk_score >= 90
AND trust_score < 20
AND type IN ["Asset", "Database", "Secret"]
AND name CONTAINS "prod"

ZELQL
FIND cybercells
WHERE IS critical
AND HAS attack_path TO crown_jewel
SHOW path, evidence, blast_radius

7. Output Views

ZelQL results can be shown as different views inside the ZelQL Console and website demos.

| View | Purpose |
|---|---|
| AS table | Structured rows for analyst review. |
| AS cards | Rich cards with risk, trust, evidence, and status. |
| AS graph | Nodes and relationships in the Security Reality Graph. |
| AS timeline | Events across time for incident replay and mutation history. |
| AS simulation | Blast radius, before/after state, and action consequences. |
| AS evidence | Hash chains, proof objects, sources, signatures, and verification status. |
| AS raw_json | Machine-readable structured output. |
| AS report | Report-ready formatted output. |

ZELQL
FIND attack_paths
WHERE severity = "critical"
SHOW start_node, end_node, hops, risk_score, recommended_containment
AS graph

8. FIND Command

FIND searches ZelDB objects and returns filtered, policy-scoped, tenant-isolated results.

ZELQL
FIND object_type
WHERE conditions
SHOW fields
ORDER BY field ASC|DESC
LIMIT number
AS view

Find all CyberCells

ZELQL
FIND cybercells
SHOW name, type, risk_score, trust_score

Find high-risk CyberCells

ZELQL
FIND cybercells
WHERE risk_score > 85
SHOW name, type, owner, zone, evidence_status
ORDER BY risk_score DESC

Find critical production assets

ZELQL
FIND cybercells
WHERE type = "Asset"
AND zone = "production"
AND sensitivity = "critical"
SHOW risk_score, trust_score, encryption_status, policy_status

Find low-trust identities

ZELQL
FIND identities
WHERE trust_score < 30
SHOW owner, risk_score, recent_sessions, attack_paths

Find unencrypted sensitive databases

ZELQL
FIND cybercells
WHERE type = "Database"
AND sensitivity IN ["high", "critical"]
AND encryption_status = "unencrypted"
SHOW owner, business_service, risk_score, evidence_status

Find AI-visible secrets

ZELQL
FIND cybercells
WHERE type = "Secret"
AND ai_visibility = "allowed"
SHOW owner, policy_status, evidence_status, risk_score

Find policy violations

ZELQL
FIND cybercells
WHERE policy_status = "violation"
SHOW name, type, policy_status, risk_score, owner
ORDER BY risk_score DESC

Find evidence-missing objects

ZELQL
FIND cybercells
WHERE evidence_status IN ["missing", "partial"]
SHOW name, type, risk_score, evidence_status

Find stale memories

ZELQL
FIND memories
WHERE freshness_score < 40
SHOW title, source, trust_score, evidence_score, action_eligible

Find quarantined memory

ZELQL
FIND memories
WHERE status = "quarantined"
SHOW title, poisoning_risk, prompt_injection_risk, evidence_score

Find active incidents

ZELQL
FIND incidents
WHERE status IN ["open", "investigating", "contained"]
SHOW incident_key, severity, phase, owner, risk_score

Find critical attack paths

ZELQL
FIND attack_paths
WHERE severity = "critical"
SHOW start_node, end_node, hops, risk_score, recommended_containment

Find failed kinetic actions

ZELQL
FIND kinetic_actions
WHERE proof_status != "verified"
OR rollback_status = "failed"
SHOW action_type, target, risk_before, risk_after, actual_impact

9. SHOW Command

SHOW displays a specific object or view with requested sections.

ZELQL
SHOW object_type "object-name"
WITH sections
AS view

CyberCell detail

ZELQL
SHOW cybercell "prod-api-07"
WITH overview, risk, trust, evidence, policies, relationships

Attack paths for an asset

ZELQL
SHOW attack_paths
FOR asset "prod-api-07"
AS graph

Evidence for an incident

ZELQL
SHOW evidence
FOR incident "INC-2026-0042"
AS evidence

Memory safety for an agent

ZELQL
SHOW memory_safety
FOR agent "Aina SOC Agent"
WITH trusted, quarantined, action_eligible, blocked

Policy bindings

ZELQL
SHOW policies
FOR cybercell "customer-db-primary"
WITH conditions, allowed_actions, forbidden_actions

Encryption state

ZELQL
SHOW encryption
FOR cybercell "customer-db-primary"
WITH key, rotation, decryption_events, violations

Proof bundle

ZELQL
SHOW proof_bundle "PB-INC-2026-0042"
WITH evidence, hashes, approvals, timeline, actions

10. TRACE Command

TRACE follows relationships through the Security Reality Graph.

ZELQL
TRACE source_type "source"
TO target_type "target"
VIA relationship_types
WHERE constraints
SHOW result_fields

Trace identity to database

ZELQL
TRACE identity "[email protected]"
TO database "customer-db-primary"
SHOW path, credentials, sessions, evidence

Trace compromised host to crown jewel

ZELQL
TRACE asset "prod-api-07"
TO crown_jewel "Customer Production Database"
SHOW path, hops, vulnerabilities, attack_techniques, evidence

Trace credential exposure

ZELQL
TRACE credential "svc-payments-token"
TO business_service "Customer Portal"
SHOW reachable_assets, databases, secrets, risk_score

Trace lateral movement

ZELQL
TRACE asset "workstation-22"
TO zone "production"
VIA sessions, credentials, network_paths
SHOW path, risk_score, cut_points

Trace privilege escalation

ZELQL
TRACE identity "[email protected]"
TO role "cloud-admin"
VIA iam_policies, groups, service_accounts
SHOW path, policy_gaps, recommended_fix

Trace AI agent data reach

ZELQL
TRACE agent "Aina SOC Agent"
TO sensitivity "restricted"
SHOW memories, cybercells, policies, blocked_paths

Trace all paths to crown jewels

ZELQL
TRACE all
TO crown_jewel
WHERE risk_score > 70
SHOW start_node, end_node, hops, evidence_count, recommended_cut_point
AS graph

Trace shortest path

ZELQL
TRACE shortest
FROM identity "[email protected]"
TO database "customer-db-primary"
SHOW path, hops, risk_score

Trace safest containment point

ZELQL
TRACE attack_paths
TO crown_jewel "Customer Production Database"
SHOW cut_points, risk_reduction, business_impact
ORDER BY risk_reduction DESC

11. REPLAY Command

REPLAY reconstructs time and causality.

ZELQL
REPLAY object_type "object-id"
FROM start_point
TO end_point
SHOW sections
AS timeline

Replay an incident

ZELQL
REPLAY incident "INC-2026-0042"
FROM first_seen
TO contained
SHOW timeline, graph, evidence, ai_decisions, actions

Replay a CyberCell mutation history

ZELQL
REPLAY cybercell "prod-api-07"
FROM created
TO now
SHOW risk_changes, policy_changes, evidence_changes, relationships

Replay an attack path

ZELQL
REPLAY attack_path "AP-018"
SHOW stages, lateral_movement, privilege_escalation, evidence
AS timeline

Replay containment

ZELQL
REPLAY action "ACT-1044"
SHOW requested_by, approved_by, executed_by, before_state, after_state, proof

Replay identity behavior

ZELQL
REPLAY identity "[email protected]"
FROM "2026-01-01"
TO "2026-05-01"
SHOW logins, sessions, privileges, anomalies, evidence

Replay AI decision

ZELQL
REPLAY ai_decision "AID-2026-0091"
SHOW prompt_context, evidence_used, policy_constraints, recommendation, human_response

Replay ransomware-style incident

ZELQL
REPLAY incident "INC-RANSOM-2026-01"
SHOW initial_access, execution, credential_access, lateral_movement, containment, recovery

12. SIMULATE Command

SIMULATE computes consequences before action.

ZELQL
SIMULATE action "action-name"
ON object_type "object-name"
WITH constraints
SHOW outputs
AS simulation

Simulate host isolation

ZELQL
SIMULATE action "isolate-host"
ON asset "prod-api-07"
SHOW blast_radius, business_impact, risk_delta, rollback_plan, approval_required

Simulate credential rotation

ZELQL
SIMULATE action "rotate-credential"
ON credential "svc-payments-token"
SHOW affected_services, risk_reduction, downtime_estimate, rollback_plan

Simulate disabling a user

ZELQL
SIMULATE action "disable-user"
ON identity "[email protected]"
SHOW active_sessions, business_impact, approval_required, rollback_plan

Simulate token revocation

ZELQL
SIMULATE action "revoke-token"
ON credential "api-token-prod-17"
SHOW services_impacted, attack_paths_removed, trust_delta

Simulate blocking an IP

ZELQL
SIMULATE action "block-ip"
ON indicator "185.44.12.9"
SHOW affected_connections, false_positive_risk, evidence_support

Simulate database isolation

ZELQL
SIMULATE action "isolate-database"
ON database "customer-db-primary"
SHOW affected_users, affected_services, revenue_impact, approval_required

Simulate cloud key leak

ZELQL
SIMULATE scenario "cloud-key-leak"
ON credential "aws-prod-admin-key"
SHOW reachable_assets, crown_jewel_exposure, recommended_actions

Simulate ransomware spread

ZELQL
SIMULATE scenario "ransomware-spread"
FROM asset "workstation-22"
SHOW reachable_hosts, backup_exposure, containment_options

Simulate AI agent action

ZELQL
SIMULATE action "run-containment-playbook"
ON agent "Aina SOC Agent"
WITH target = "prod-api-07"
SHOW allowed_actions, blocked_actions, policy_requirements, max_blast_radius

Simulate safest containment option

ZELQL
SIMULATE containment_options
ON incident "INC-2026-0042"
SHOW options, risk_reduction, business_impact, reversibility
ORDER BY safety_score DESC

13. VERIFY Command

VERIFY validates proof, evidence, action authorization, encryption state, compliance controls, and AI access.

ZELQL
VERIFY object_type "object-id"
SHOW verification_fields
AS evidence

Verify evidence

ZELQL
VERIFY evidence "EV-7781"
SHOW hash_chain, source, timestamp, signature, anchor

Verify proof bundle

ZELQL
VERIFY proof_bundle "PB-INC-2026-0042"
SHOW evidence, hashes, approvals, timeline, chain_status

Verify containment action

ZELQL
VERIFY action "ACT-1044"
SHOW authorization, evidence_basis, policy_decision, risk_before, risk_after

Verify encryption

ZELQL
VERIFY encryption
FOR database "customer-db-primary"
SHOW key, policy, last_rotation, decryption_events

Verify AI restriction

ZELQL
VERIFY ai_access
FOR memory "MEM-9201"
SHOW visibility, policy, action_eligibility, training_permission

Verify compliance control

ZELQL
VERIFY compliance_control "SOC2-CC6.1"
SHOW evidence, policy, last_verified_at, gaps

Verify tenant isolation

ZELQL
VERIFY tenant_isolation
FOR tenant "Rocheston Demo"
SHOW cross_tenant_access, memory_scope, vector_scope, policy_scope

Verify evidence chain

ZELQL
VERIFY evidence_chain "CHAIN-9011"
SHOW records, missing_links, hash_status, signatures

14. WHY Command

WHY explains causality using CyberCells, EvidenceCells, MemoryCells, PolicyCells, IncidentCells, and ActionCells.

ZELQL
WHY subject
SHOW explanation_fields

Why is an asset high risk?

ZELQL
WHY asset "prod-api-07" IS high_risk
SHOW factors, evidence, attack_paths, policy_violations

Why did risk increase?

ZELQL
WHY risk_score INCREASED
FOR cybercell "prod-api-07"
SHOW changed_fields, new_relationships, evidence, timeline

Why did trust drop?

ZELQL
WHY trust_score DROPPED
FOR identity "[email protected]"
SHOW sessions, anomalies, policy_events, source_reputation

Why was an action blocked?

ZELQL
WHY action "isolate-host" WAS blocked
FOR asset "prod-api-07"
SHOW policy, business_impact, approval_required, rollback_status

Why was memory quarantined?

ZELQL
WHY memory "MEM-9201" IS quarantined
SHOW prompt_injection_risk, poisoning_risk, source, evidence

Why can’t AI use this memory?

ZELQL
WHY agent "Aina SOC Agent" CANNOT use memory "MEM-9201"
SHOW policy, sensitivity, tenant_scope, action_eligibility

Why is evidence weak?

ZELQL
WHY evidence "EV-7781" IS weak
SHOW source_reputation, confidence, signature_status, contradictions

Why does this path expose a crown jewel?

ZELQL
WHY attack_path "AP-018" EXPOSES crown_jewel
SHOW path, credentials, vulnerabilities, policies, evidence

15. ASK Command

ASK uses Aina Intelligence with governed ZelDB context.

ZELQL
ASK aina "question"
USING context
SHOW sources, evidence, recommendations

Ask about risky objects

ZELQL
ASK aina "Which CyberCells are most dangerous right now?"
USING cybercells
SHOW summary, evidence, recommended_actions

Ask about an incident

ZELQL
ASK aina "What happened in this incident?"
USING incident "INC-2026-0042"
SHOW timeline, root_cause, evidence, next_steps

Ask about safe containment

ZELQL
ASK aina "What is the safest containment option?"
USING incident "INC-2026-0042"
SHOW options, business_impact, risk_reduction, approvals

Ask about memory safety

ZELQL
ASK aina "Can this memory be used for action?"
USING memory "MEM-9201"
SHOW policy, evidence, memory_safety, answer

Ask about proof

ZELQL
ASK aina "Can we prove this incident was contained?"
USING proof_bundle "PB-INC-2026-0042"
SHOW missing_evidence, verified_evidence, conclusion

Ask for ZelQL generation

ZELQL
ASK aina "Generate a ZelQL query for unencrypted crown jewels"
SHOW zelql, explanation

Ask for executive summary

ZELQL
ASK aina "Summarize current risk for executives"
USING reports, cybercells, incidents
SHOW executive_summary, top_risks, recommendations

16. QUARANTINE Command

QUARANTINE preserves unsafe objects while blocking unsafe use.

ZELQL
QUARANTINE object_type "object-id"
REASON "reason"
SHOW impact

Quarantine memory

ZELQL
QUARANTINE memory "MEM-9201"
REASON "prompt injection risk"
SHOW affected_agents, policies, evidence

Quarantine suspicious evidence

ZELQL
QUARANTINE evidence "EV-7781"
REASON "signature mismatch"
SHOW chain_impact, related_incidents, required_review

Quarantine a CyberCell

ZELQL
QUARANTINE cybercell "rootkit-alert-2026"
REASON "suspected compromise"
SHOW relationships, attack_paths, blast_radius

Quarantine AI-generated recommendation

ZELQL
QUARANTINE ai_decision "AID-2026-0091"
REASON "unsupported by evidence"
SHOW evidence_gaps, human_review_required

Quarantine all poisoned memories

ZELQL
QUARANTINE memories
WHERE poisoning_risk > 80
SHOW affected_agents, blocked_actions, evidence

17. ANCHOR Command

ANCHOR creates tamper-evident proof references for evidence chains, proof bundles, incident timelines, kinetic actions, compliance packages, encryption proof, and AI decision receipts.

Anchor evidence

ZELQL
ANCHOR evidence "EV-7781"
WITH hash_chain
SHOW hash, timestamp, anchor_id

Anchor proof bundle

ZELQL
ANCHOR proof_bundle "PB-INC-2026-0042"
WITH external_anchor
SHOW hash, chain_status, export_path

Anchor incident timeline

ZELQL
ANCHOR incident "INC-2026-0042"
WITH timeline_hash
SHOW events, hash, proof_status

Anchor kinetic action

ZELQL
ANCHOR action "ACT-1044"
WITH action_receipt
SHOW chain_hash, approvals, evidence

18. COMPARE Command

COMPARE compares states, snapshots, CyberCells, incidents, memories, policies, and outcomes.

Compare before and after containment

ZELQL
COMPARE state BEFORE action "ACT-1044"
WITH state AFTER action "ACT-1044"
SHOW risk_delta, trust_delta, attack_paths_removed, business_impact

Compare two CyberCells

ZELQL
COMPARE cybercell "prod-api-07"
WITH cybercell "prod-api-08"
SHOW risk, trust, evidence, policies, attack_paths

Compare snapshots

ZELQL
COMPARE snapshot "SNAP-2026-01"
WITH snapshot "SNAP-2026-05"
SHOW new_risks, fixed_risks, policy_changes, trust_delta

Compare incident response outcomes

ZELQL
COMPARE incident "INC-2026-0042"
WITH incident "INC-2026-0099"
SHOW containment_time, evidence_strength, risk_reduction, lessons

Compare memory safety

ZELQL
COMPARE memory_cluster "ransomware-playbooks"
WITH memory_cluster "approved-playbooks"
SHOW poisoning_risk, evidence_score, action_eligibility

19. REPORT Command

REPORT generates proof-grade reports for CyberCells, risk, trust, attack paths, incidents, evidence, AI memory, agents, actions, blast radius, policies, encryption, compliance, integrations, users, tenants, and audit logs.

Generate CyberCell report

ZELQL
REPORT cybercell_inventory
WHERE risk_score > 70
INCLUDE summary, table, evidence, recommendations
EXPORT html

Generate executive risk report

ZELQL
REPORT executive_security_summary
DURING "All Data"
INCLUDE risk, trust, incidents, attack_paths, evidence, recommendations
EXPORT pdf

Generate incident proof report

ZELQL
REPORT incident_containment_proof
FOR incident "INC-2026-0042"
INCLUDE timeline, evidence, actions, approvals, before_after
EXPORT html

Generate compliance report

ZELQL
REPORT compliance
FOR framework "SOC 2"
INCLUDE controls, evidence, gaps, proof_bundles
EXPORT csv

Generate AI memory safety report

ZELQL
REPORT ai_memory_safety
WHERE status IN ["quarantined", "contradicted", "training-blocked"]
INCLUDE memory_scores, evidence, policies, recommendations
EXPORT json

Generate blast-radius report

ZELQL
REPORT blast_radius
FOR asset "prod-api-07"
INCLUDE affected_services, risk_delta, rollback_plan, approvals
EXPORT html

20. EXPORT Command

Export current query

ZELQL
EXPORT last_result AS csv

Export CyberCells

ZELQL
FIND cybercells
WHERE risk_score > 80
SHOW name, type, risk_score, evidence_status
EXPORT csv

Export evidence package

ZELQL
EXPORT evidence
FOR incident "INC-2026-0042"
AS proof_bundle

Export report

ZELQL
EXPORT report "Executive Security Reality Summary"
AS html

Export raw JSON

ZELQL
FIND attack_paths
WHERE severity = "critical"
EXPORT raw_json

22. SCORE, SNAPSHOT, WATCH, EXPLAIN

Recalculate risk

ZELQL
SCORE risk
FOR cybercell "prod-api-07"
SHOW factors, previous_score, new_score

Recalculate memory safety

ZELQL
SCORE memory_safety
FOR memory "MEM-9201"
SHOW poisoning_risk, prompt_injection_risk, evidence_score

Recalculate action safety

ZELQL
SCORE action_safety
FOR action "isolate-host"
ON asset "prod-api-07"
SHOW blast_radius, reversibility, approval_required

Create full snapshot

ZELQL
SNAPSHOT security_state
NAME "Pre-Containment Snapshot"
INCLUDE cybercells, relationships, evidence, policies, memory, actions

Snapshot CyberCell

ZELQL
SNAPSHOT cybercell "prod-api-07"
NAME "Before Host Isolation"
INCLUDE risk, trust, evidence, relationships, policies

Watch high-risk CyberCells

ZELQL
WATCH query "Critical CyberCells"
AS
FIND cybercells
WHERE risk_score >= 90
NOTIFY security_team

Watch AI-visible secrets

ZELQL
WATCH query "AI Visible Secrets"
AS
FIND cybercells
WHERE type = "Secret"
AND ai_visibility = "allowed"
NOTIFY admin

Explain query plan

ZELQL
EXPLAIN
FIND cybercells
WHERE risk_score > 80
SHOW evidence, attack_paths

Explain simulation

ZELQL
EXPLAIN
SIMULATE action "isolate-host"
ON asset "prod-api-07"
SHOW blast_radius, business_impact

23. ZelQL Query Grammar

TEXT
statement
  = find_statement
  | show_statement
  | trace_statement
  | replay_statement
  | simulate_statement
  | verify_statement
  | why_statement
  | ask_statement
  | quarantine_statement
  | anchor_statement
  | compare_statement
  | report_statement
  | export_statement
  | create_statement
  | update_statement
  | link_statement
  | unlink_statement
  | score_statement
  | snapshot_statement
  | watch_statement
  | explain_statement

find_statement
  = FIND object_type [WHERE condition] [SHOW fields] [ORDER BY field direction] [LIMIT number] [AS view]

trace_statement
  = TRACE source TO target [VIA relationships] [WHERE condition] [SHOW fields] [AS view]

replay_statement
  = REPLAY object_ref [FROM time_ref] [TO time_ref] [SHOW fields] [AS timeline]

simulate_statement
  = SIMULATE action_or_scenario ON object_ref [WITH options] [SHOW fields] [AS simulation]

verify_statement
  = VERIFY object_ref [SHOW fields] [AS evidence]

why_statement
  = WHY subject [SHOW fields]

ask_statement
  = ASK aina string [USING context] [SHOW fields]

quarantine_statement
  = QUARANTINE object_ref [REASON string] [SHOW fields]

anchor_statement
  = ANCHOR object_ref [WITH method] [SHOW fields]

compare_statement
  = COMPARE object_ref WITH object_ref [SHOW fields]

report_statement
  = REPORT report_type [FOR object_ref] [WHERE condition] [INCLUDE sections] [EXPORT format]

export_statement
  = EXPORT target AS format
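
A strict parser for the find_statement production above, combined with the lexical rules of section 6 (case-insensitive keywords, both comment styles, string, integer and list literals), as an added example that is not ZelDB's own parser. The grammar leaves `condition` undefined, so this example assumes `field operator value` comparisons joined by AND/OR and does not cover range operators or the HAS/IS/CAN predicates; `parse_find` and the result layout are hypothetical.

```python
import re

# Section 6 lexical rules: both comment styles, strings, integers, lists, operators.
TOKEN_RE = re.compile(r"""
    (?P<skip>\s+|--[^\n]*|/\*.*?\*/)
  | (?P<string>"[^"]*")
  | (?P<number>\d+)
  | (?P<op>!=|>=|<=|=|>|<)
  | (?P<punct>[\[\],])
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
""", re.VERBOSE | re.DOTALL)
WORD_OPS = ["IN", "CONTAINS", "STARTS_WITH", "ENDS_WITH", "MATCHES", "LIKE"]
CLAUSES = ["FIND", "WHERE", "SHOW", "ORDER", "BY", "LIMIT", "AS", "AND", "OR", "NOT", "ASC", "DESC"]
KEYWORDS = {**dict.fromkeys(WORD_OPS, "op"), **dict.fromkeys(CLAUSES, "kw")}

def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:  # an unterminated string or comment also ends up here
            raise SyntaxError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos, kind, value = m.end(), m.lastgroup, m.group()
        if kind == "word" and value.upper() in KEYWORDS:
            kind, value = KEYWORDS[value.upper()], value.upper()
        if kind != "skip":
            tokens.append((kind, value))
    return tokens

class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def take(self, kind, value=None, required=True):
        tok = self.toks[self.i] if self.i < len(self.toks) else ("eof", "end of input")
        if tok[0] == kind and value in (None, tok[1]):
            self.i += 1
            return tok[1]
        if required:
            raise SyntaxError(f"expected {value or kind}, got {tok[1]!r}")
        return None

    def comma_list(self, item):
        items = [item()]
        while self.take("punct", ",", required=False):
            items.append(item())
        return items

    def value(self):
        if self.take("punct", "[", required=False):
            items = self.comma_list(self.value)
            self.take("punct", "]")
            return items
        number = self.take("number", required=False)
        return int(number) if number else self.take("string")[1:-1]

    def comparison(self):
        field = self.take("word")
        if self.take("kw", "NOT", required=False):
            self.take("op", "IN")
            op = "NOT IN"
        else:
            op = self.take("op")
        return {"field": field, "op": op, "value": self.value()}

    def condition(self):
        # Flat left-to-right list; the page does not define AND/OR precedence.
        parts = [self.comparison()]
        while (joiner := self.take("kw", "AND", required=False)
               or self.take("kw", "OR", required=False)):
            parts += [joiner, self.comparison()]
        return parts

def parse_find(text):
    """Parse one find_statement; clauses must appear in the grammar's order."""
    p = Parser(text)
    p.take("kw", "FIND")
    stmt = {"object_type": p.take("word"), "where": None, "show": None,
            "order_by": None, "limit": None, "view": None}
    if p.take("kw", "WHERE", required=False):
        stmt["where"] = p.condition()
    if p.take("kw", "SHOW", required=False):
        stmt["show"] = p.comma_list(lambda: p.take("word"))
    if p.take("kw", "ORDER", required=False):
        p.take("kw", "BY")
        stmt["order_by"] = (p.take("word"),
                            p.take("kw", "DESC", required=False) or p.take("kw", "ASC"))
    if p.take("kw", "LIMIT", required=False):
        stmt["limit"] = int(p.take("number"))
    if p.take("kw", "AS", required=False):
        stmt["view"] = p.take("word")
    p.take("eof")  # leftover tokens, such as a trailing EXPORT clause, are rejected
    return stmt

SAMPLE = '''-- constructed sample: critical cells lacking verified evidence
find cybercells WHERE risk_score >= 90 AND evidence_status != "verified"
SHOW name, type, owner, risk_score ORDER BY risk_score desc LIMIT 20 AS table'''

if __name__ == "__main__":
    print(parse_find(SAMPLE))
```

Because it follows the grammar literally, the `FIND ... EXPORT csv` form used in section 20 is rejected: find_statement has no EXPORT clause.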

24. Field Libraries

CyberCell Fields

TEXT
id
tenant_id
name
slug
type
owner
zone
business_service
sensitivity
risk_score
trust_score
confidence_score
encryption_status
ai_visibility
policy_status
evidence_status
description
metadata
relationships
timeline
mutation_history
action_eligibility
created_by
created_at
updated_at
is_demo

Evidence Fields

TEXT
id
tenant_id
title
evidence_type
source
actor
target
event_type
before_state
after_state
hash_value
signature_value
chain_id
confidence
forensic_relevance
policy_id
incident_id
cybercell_id
status
source_reputation
created_at
is_demo

Memory Fields

TEXT
id
tenant_id
title
content
source
memory_type
sensitivity
trust_score
evidence_score
freshness_score
poisoning_risk
prompt_injection_risk
ai_visibility
action_eligible
training_allowed
status
created_at
updated_at
is_demo

Kinetic Action Fields

TEXT
id
tenant_id
action_type
target
requested_by
approved_by
executed_by
ai_confidence
policy_id
zelc_rule
evidence_id
predicted_blast_radius
actual_impact
risk_before
risk_after
rollback_status
proof_status
chain_hash
created_at
is_demo

Policy Fields

TEXT
id
tenant_id
name
policy_type
scope
condition
allowed_actions
forbidden_actions
approval_required
ai_visibility_rule
training_rule
export_rule
encryption_rule
status
created_at
updated_at
is_demo

Common Result Fields

TEXT
id
name
type
owner
tenant
zone
business_service
sensitivity
risk_score
trust_score
confidence_score
evidence_score
freshness_score
poisoning_risk
prompt_injection_risk
policy_status
evidence_status
encryption_status
ai_visibility
action_eligible
training_allowed
created_at
updated_at
relationships
attack_paths
blast_radius
business_impact
rollback_plan
approval_required
proof_status
chain_hash

25. Query Library by Module

Command Center

ZELQL
FIND cybercells
WHERE risk_score > 80
SHOW name, type, risk_score, trust_score

ZELQL
FIND incidents
WHERE status != "closed"
SHOW incident_key, severity, phase

ZELQL
FIND attack_paths
WHERE severity IN ["critical", "high"]
SHOW start_node, end_node, risk_score

ZELQL
FIND evidence
WHERE status != "verified"
SHOW title, source, confidence

ZELQL
FIND memories
WHERE status = "quarantined"
SHOW title, poisoning_risk, prompt_injection_risk

CyberCells

ZELQL
FIND cybercells
WHERE type = "Asset"
SHOW name, owner, zone, risk_score

ZELQL
SHOW cybercell "prod-api-07"
WITH overview, relationships, evidence, policies

ZELQL
WHY cybercell "prod-api-07" IS high_risk
SHOW factors, evidence, recommendations

Security Reality Graph

ZELQL
TRACE asset "prod-api-07"
TO database "customer-db-primary"
SHOW path, relationships, evidence
AS graph

ZELQL
TRACE all
TO crown_jewel
WHERE risk_score > 70
SHOW path, risk_score, cut_points
AS graph

Attack Paths

ZELQL
FIND attack_paths
WHERE risk_score > 80
SHOW start_node, end_node, hops, recommended_containment

ZELQL
TRACE identity "[email protected]"
TO crown_jewel "Customer Production Database"
SHOW path, credentials, sessions

Incidents

ZELQL
REPLAY incident "INC-2026-0042"
SHOW timeline, evidence, ai_decisions, actions

ZELQL
VERIFY incident "INC-2026-0042"
SHOW containment_status, proof_bundle, residual_risk

Evidence Vault

ZELQL
VERIFY evidence "EV-7781"
SHOW hash_chain, signature, source, timestamp

ZELQL
FIND evidence
WHERE confidence < 60
SHOW title, source, related_incident

ZelMemory AI

ZELQL
FIND memories
WHERE status = "quarantined"
SHOW title, reason, poisoning_risk

ZELQL
WHY memory "MEM-9201" IS quarantined
SHOW prompt_injection_risk, evidence, policy

AI Agents

ZELQL
FIND ai_agents
WHERE risk_score > 70
SHOW name, tools, allowed_actions, policy_status

ZELQL
VERIFY action_eligibility
FOR agent "Aina SOC Agent"
ON action "isolate-host"
SHOW allowed, blocked_by, approval_required

Kinetic Ledger

ZELQL
FIND kinetic_actions
SHOW action_type, target, risk_before, risk_after, proof_status

ZELQL
VERIFY action "ACT-1044"
SHOW evidence, approvals, chain_hash

Blast Radius

ZELQL
SIMULATE action "isolate-host"
ON asset "prod-api-07"
SHOW blast_radius, business_impact, rollback_plan

ZELQL
SIMULATE containment_options
ON incident "INC-2026-0042"
SHOW options, risk_reduction, business_impact

Policy Center

ZELQL
FIND policies
WHERE violation_count > 0
SHOW name, policy_type, affected_objects

ZELQL
WHY policy "AI Restricted Data Policy"
BLOCKED memory "MEM-9201"
SHOW sensitivity, tenant_scope, action_eligibility

Encryption & Keys

ZELQL
FIND cybercells
WHERE encryption_status = "unencrypted"
AND sensitivity = "critical"
SHOW name, type, owner, risk_score

ZELQL
VERIFY encryption
FOR cybercell "customer-db-primary"
SHOW key, rotation, policy, evidence

Compliance Proof

ZELQL
VERIFY compliance_control "SOC2-CC6.1"
SHOW evidence, gaps, last_verified_at

ZELQL
REPORT compliance
FOR framework "SOC 2"
INCLUDE controls, evidence, gaps
EXPORT html

Reports Center

ZELQL
REPORT executive_security_summary
DURING "All Data"
INCLUDE risk, trust, incidents, evidence, ai_safety, recommendations
EXPORT html

ZELQL
REPORT critical_cybercells
WHERE risk_score >= 90
INCLUDE summary, table, evidence, attack_paths
EXPORT csv

ZELQL
REPORT ai_memory_safety
INCLUDE quarantined, poisoned, training_blocked, action_eligible
EXPORT html

26. Website Demo Queries

Overview View

ZELQL
FIND cybercells
WHERE risk_score > 70
SHOW name, type, risk_score, trust_score, policy_status
AS cards

Table View

ZELQL
FIND cybercells
WHERE zone = "production"
SHOW name, type, owner, risk_score, trust_score, encryption_status
AS table

Graph View

ZELQL
TRACE asset "prod-api-07"
TO crown_jewel "Customer Production Database"
SHOW path, relationships, risk_score
AS graph

Timeline View

ZELQL
REPLAY incident "INC-2026-0042"
SHOW timeline, risk_changes, actions
AS timeline

Simulation View

ZELQL
SIMULATE action "isolate-host"
ON asset "prod-api-07"
SHOW blast_radius, business_impact, rollback_plan
AS simulation

Evidence View

ZELQL
VERIFY evidence "EV-7781"
SHOW hash_chain, source, timestamp, signature
AS evidence

Aina View

ZELQL
ASK aina "Explain this result"
USING last_result
SHOW summary, recommendations, evidence

Raw JSON View

ZELQL
FIND cybercells
WHERE risk_score > 90
EXPORT raw_json

27. Live Console Copy for the Website

ZELQL
SIMULATE action "isolate-host"
ON asset "prod-api-07"
SHOW blast_radius, business_impact, rollback_plan, approval_required

Example result copy:

TEXT
Building Security Reality Graph...
Loaded 59 relationships.
Tracing attack paths...
Detected lateral movement path.
Detected privilege escalation path.
Computing blast radius...
Tenant isolation: ENFORCED.
Policy-bound retrieval: ENFORCED.
Result set verified and signed.

Cells scanned: 68
Attack vectors evaluated: 9
Max risk score: 80
Execution time: 47ms
Simulation status: COMPLETE

Website explanation:

> This is not passive search. ZelQL computes consequences before action. It evaluates relationships, attack paths, business impact, policy, evidence, and AI action safety at the database layer.

28. Chatbot-Friendly FAQ Examples

How do I find high-risk assets?

ZELQL
FIND cybercells
WHERE type = "Asset"
AND risk_score > 80
SHOW name, owner, zone, risk_score, evidence_status

How do I find unencrypted critical databases?

ZELQL
FIND cybercells
WHERE type = "Database"
AND sensitivity = "critical"
AND encryption_status = "unencrypted"
SHOW name, owner, policy_status, risk_score

How do I trace an admin to customer data?

ZELQL
TRACE identity "[email protected]"
TO database "customer-db-primary"
SHOW path, credentials, sessions, evidence

How do I replay an incident?

ZELQL
REPLAY incident "INC-2026-0042"
FROM first_seen
TO contained
SHOW timeline, evidence, ai_decisions, actions

How do I verify evidence?

ZELQL
VERIFY evidence "EV-7781"
SHOW hash_chain, signature, timestamp, source

How do I simulate isolation?

ZELQL
SIMULATE action "isolate-host"
ON asset "prod-api-07"
SHOW blast_radius, business_impact, rollback_plan

How do I know why an action was blocked?

ZELQL
WHY action "isolate-host" WAS blocked
FOR asset "prod-api-07"
SHOW policy, business_impact, approval_required

How do I quarantine poisoned memory?

ZELQL
QUARANTINE memory "MEM-9201"
REASON "prompt injection risk"
SHOW affected_agents, blocked_actions, evidence

How do I ask Aina for a report summary?

ZELQL
ASK aina "Summarize this report for executives"
USING report "Executive Security Reality Summary"
SHOW summary, key_risks, recommendations

29. Advanced Query Patterns

Nested context

ZELQL
ASK aina "Which action is safest?"
USING (
  FIND cybercells
  WHERE risk_score > 85
  AND business_service = "Customer Portal"
)
SHOW recommendation, evidence, policy_constraints

Query result as simulation input

ZELQL
SIMULATE action "rotate-credential"
ON (
  FIND credentials
  WHERE risk_score > 80
)
SHOW affected_services, risk_delta, rollback_plan

Trace then verify

ZELQL
TRACE identity "[email protected]"
TO crown_jewel "Customer Production Database"
SHOW path, evidence

VERIFY last_result
SHOW evidence_strength, policy_status, proof_status

Find then report

ZELQL
FIND cybercells
WHERE risk_score > 90
SHOW name, type, evidence, policy

REPORT last_result
AS "Critical CyberCells Report"
EXPORT html

Replay then explain

ZELQL
REPLAY incident "INC-2026-0042"
SHOW timeline, actions, risk_changes

WHY risk_score INCREASED
DURING last_replay
SHOW factors, evidence, source_events

30. Human-AI Decision Queries

Accepted AI recommendations

ZELQL
FIND human_ai_decisions
WHERE status = "approved"
SHOW recommendation, human_response, outcome, risk_after

Rejected AI recommendations

ZELQL
FIND human_ai_decisions
WHERE status = "rejected"
SHOW recommendation, reason, alternative_action, outcome

AI recommendations that reduced risk

ZELQL
FIND human_ai_decisions
WHERE risk_after < risk_before
SHOW recommendation, risk_before, risk_after, evidence_id

Human overrides

ZELQL
FIND human_ai_decisions
WHERE human_response = "override"
SHOW recommendation, reason, business_impact, outcome

Explain AI decision

ZELQL
WHY ai_decision "AID-2026-0091" recommended action "rotate-credential"
SHOW evidence, policy, context, confidence

31. Compliance and Proof Queries

Prove MFA enforcement

ZELQL
VERIFY compliance_control "MFA-Enforcement"
SHOW users, policies, evidence, exceptions

Prove privileged access review

ZELQL
VERIFY compliance_control "Privileged Access Review"
SHOW identities, approvals, evidence, last_reviewed_at

Prove encryption

ZELQL
VERIFY compliance_control "Encryption at Rest"
SHOW encrypted_cybercells, keys, policy, evidence

Prove AI did not access restricted data

ZELQL
VERIFY ai_access_restrictions
WHERE classification = "restricted"
SHOW denied_attempts, policies, audit_logs

Prove incident response

ZELQL
VERIFY incident_response
FOR incident "INC-2026-0042"
SHOW timeline, evidence, approvals, containment, recovery

Generate compliance proof bundle

ZELQL
CREATE proof_bundle "SOC 2 Evidence Pack"
FOR framework "SOC 2"
INCLUDE controls, evidence, policies, incidents, actions

32. Error Model

ACTION_BLOCKED_BY_POLICY

TEXT
ERROR: ACTION_BLOCKED_BY_POLICY
Policy: Production Host Isolation Requires Approval
Reason: Target asset is production and business impact is high.
Next step: Run SIMULATE with approval_required or request human approval.

TENANT_SCOPE_DENIED

TEXT
ERROR: TENANT_SCOPE_DENIED
Reason: Query attempted to access CyberCells outside the active tenant.
Tenant isolation: enforced.

MEMORY_QUARANTINED

TEXT
ERROR: MEMORY_QUARANTINED
Memory: MEM-9201
Reason: Prompt injection risk is high.
Allowed use: human review only.
Blocked use: AI recommendation, AI action, training.

EVIDENCE_WEAK

TEXT
ERROR: EVIDENCE_WEAK
Evidence confidence: 42
Reason: unsigned source and missing chain link.
Recommended action: verify source or attach stronger evidence.
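A caller that automates on these errors should fail closed. The following is an added example, not ZelDB or Zelfire code: it parses the `ERROR:` plus `Key: value` layout shown above and permits a use only when the error lists it as allowed and does not list it as blocked. The function names and the assumption that errors arrive as plain text in exactly this layout are hypothetical.

```python
# Constructed sample input: two error blocks copied from the Error Model above.
QUARANTINED = """ERROR: MEMORY_QUARANTINED
Memory: MEM-9201
Reason: Prompt injection risk is high.
Allowed use: human review only.
Blocked use: AI recommendation, AI action, training."""

TENANT_DENIED = """ERROR: TENANT_SCOPE_DENIED
Reason: Query attempted to access CyberCells outside the active tenant.
Tenant isolation: enforced."""


def parse_zelql_error(text):
    """Parse an error block into {'code': ..., 'fields': {...}} (hypothetical helper)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("ERROR:"):
        raise ValueError("not a ZelQL error block")
    code = lines[0].split(":", 1)[1].strip()
    fields = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition(":")
        if not sep:
            raise ValueError(f"malformed field line: {ln!r}")
        # "Allowed use" -> "allowed_use"; drop the sentence-ending period.
        fields[key.strip().lower().replace(" ", "_")] = value.strip().rstrip(".")
    return {"code": code, "fields": fields}


def _uses(value):
    """Split 'human review only' or 'AI action, training' into a set of uses."""
    items = set()
    for part in value.split(","):
        part = part.strip().lower()
        if part.endswith(" only"):
            part = part[: -len(" only")]
        if part:
            items.add(part)
    return items


def use_permitted(err, intended_use):
    """Fail closed: permitted only if explicitly allowed and not blocked."""
    allowed = _uses(err["fields"].get("allowed_use", ""))
    blocked = _uses(err["fields"].get("blocked_use", ""))
    use = intended_use.strip().lower()
    return use in allowed and use not in blocked
```

An error with no "Allowed use" line, such as TENANT_SCOPE_DENIED, permits nothing under this rule.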

33. Response Metadata

JSON
{
  "query_id": "ZQL-2026-0091",
  "tenant_isolation": "enforced",
  "policy_bound_retrieval": "enforced",
  "memory_quarantine_filter": "enabled",
  "evidence_weighting": "enabled",
  "result_verified": true,
  "execution_time_ms": 47,
  "cells_scanned": 68,
  "relationships_loaded": 59,
  "attack_vectors_evaluated": 9
}

Every ZelQL result can carry safety metadata: tenant isolation, policy-bound retrieval, memory quarantine filtering, evidence weighting, result verification, and execution timing.
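One way a consumer could use this metadata is as a gate before a result reaches an analyst view or an AI agent. This is an added example, not part of ZelDB: the field names and values come from the JSON above, while treating every field as mandatory and the function name `metadata_failures` are assumptions of this sketch.

```python
import json

# Sample metadata copied from the Response Metadata block above.
PAGE_SAMPLE = """{
  "query_id": "ZQL-2026-0091", "tenant_isolation": "enforced",
  "policy_bound_retrieval": "enforced", "memory_quarantine_filter": "enabled",
  "evidence_weighting": "enabled", "result_verified": true,
  "execution_time_ms": 47, "cells_scanned": 68,
  "relationships_loaded": 59, "attack_vectors_evaluated": 9
}"""

# Assumption: a consumer requires all five safety flags; the page only says
# a result "can carry" them.
REQUIRED = {
    "tenant_isolation": "enforced",
    "policy_bound_retrieval": "enforced",
    "memory_quarantine_filter": "enabled",
    "evidence_weighting": "enabled",
    "result_verified": True,
}


def metadata_failures(raw_json):
    """Return the reasons a result must not be trusted (empty list = pass)."""
    try:
        meta = json.loads(raw_json)
    except (TypeError, ValueError):
        return ["metadata is not valid JSON"]
    if not isinstance(meta, dict):
        return ["metadata is not a JSON object"]
    failures = []
    for field, expected in REQUIRED.items():
        if field not in meta:
            failures.append(f"{field}: missing")
        # Compare type as well as value so "true" or 1 cannot stand in for true.
        elif type(meta[field]) is not type(expected) or meta[field] != expected:
            failures.append(f"{field}: expected {expected!r}, got {meta[field]!r}")
    if not meta.get("query_id"):
        failures.append("query_id: missing, result cannot be tied to an audit record")
    return failures


if __name__ == "__main__":
    print(metadata_failures(PAGE_SAMPLE))
    # Constructed degraded input: the tenant isolation flag has been dropped.
    print(metadata_failures('{"query_id": "ZQL-2026-0091", "result_verified": true}'))
```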

34. Mini Glossary

  • CyberCell: The native security object in ZelDB.
  • EvidenceCell: A first-class proof object with source, hash, signature, chain, confidence, and related objects.
  • MemoryCell: An AI memory object with trust, evidence, freshness, poisoning risk, prompt-injection risk, AI visibility, and action eligibility.
  • ActionCell: A record of a defensive action, simulation, approval, risk delta, rollback, and proof.
  • PolicyCell: A policy object governing access, AI visibility, training, export, encryption, approval, and action eligibility.
  • Security Reality Graph: The connected graph of CyberCells and their relationships.
  • Kinetic Ledger: The defensive-action provenance ledger.
  • Blast Radius: The operational consequence of compromise, isolation, revocation, or containment.
  • Proof Bundle: A packaged set of evidence, hashes, approvals, timeline, policies, and outcomes.
  • Action Eligibility: Whether data or memory may be used for read, reason, recommend, simulate, execute, export, or train.

35. Taglines and Website Copy

  • ZelQL: Query security reality.
  • ZelQL: FIND risk. TRACE exposure. REPLAY incidents. SIMULATE action. VERIFY proof.
  • ZelQL is not SQL for logs. It is a command interface for cybersecurity reality.
  • ZelQL moves cybersecurity beyond retrieval.
  • ZelQL turns the database into a Security Reality Engine.
  • ZelQL is how Aina, ZelC, ZelEn, and Zelfire speak to ZelDB.
  • ZelQL is the language of CyberCells, evidence, AI memory, policies, attack paths, blast radius, and defensive action.

36. Closing Website Copy

ZelQL is the language of ZelDB.

It lets analysts, AI agents, auditors, and Zelfire modules ask the questions cybersecurity actually requires:

TEXT
FIND risk.
TRACE exposure.
REPLAY incidents.
SIMULATE action.
VERIFY proof.
WHY decisions.
QUARANTINE poisoned memory.

ZelQL is not a new way to search old logs. It is a new way to command security reality.

It is the interface between CyberCells, evidence, AI memory, policies, attack paths, blast radius, incident replay, encryption, and defensive action.

ZelQL is how ZelDB moves beyond retrieval.

Built with 💛 by Haja Mo.