Invention Application
- Patent Title: Network Security Selective Anomaly Alerting
- Application No.: US17213864
- Application Date: 2021-03-26
- Publication No.: US20220141188A1
- Publication Date: 2022-05-05
- Inventor: James Apger, Kyle Champlin
- Applicant: Splunk Inc.
- Applicant Address: US CA San Francisco
- Assignee: Splunk Inc.
- Current Assignee: Splunk Inc.
- Current Assignee Address: US CA San Francisco
- Main IPC: H04L29/06
- IPC: H04L29/06 ; H04L12/24 ; H04L12/26

Abstract:
Described herein is a technique of data reduction and focusing for system and network security. Anomaly alerts pertain to specific risk objects, which are the network devices or users that triggered the associated anomaly. Threat objects are entities used by a risk object, including the specific activity of the risk object that triggered the anomaly. Once identified, threat objects are linked to the risk objects they respectively pertain to. The link between a risk object and a threat object is generated via searchable metadata. Through linking, relationships are built between threat objects and risk objects; links run between a number (N) of risk objects and a number (M) of threat objects. The relationships are surfaced to a user when predetermined thresholds are satisfied. Examples of display to the user include generation of a threat report, anomaly alerts, or graphical presentations depicting the links in the relationship(s). Where alerts are limited (via searches or reports) to relationships between threat objects and risk objects of a predetermined character, an excessive volume of data is reduced to a manageable number of notices.
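The following is an added illustration, not code from the patent or from Splunk: a small Python model of the linking and thresholding the abstract describes. It assumes a simplified alert schema (each alert names one risk object and the threat objects it used, plus a numeric score), represents each risk-object/threat-object link as a record carrying key=value metadata that can be searched, and uses two constructed thresholds (a per-risk-object score floor and a minimum number of distinct risk objects sharing a threat object) to decide which relationships are surfaced. The alerts and thresholds are constructed sample values.

```python
"""Toy model of risk-object / threat-object linking with threshold-based surfacing."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Link:
    """One risk-object / threat-object relationship plus its searchable metadata."""
    risk_object: str
    risk_type: str            # "user" or "device"
    threat_object: str
    threat_type: str          # e.g. "ip" or "process"
    alert_scores: dict = field(default_factory=dict)   # alert id -> that alert's score

    def tags(self):
        """Flat key=value strings that a search index could match on."""
        return {f"risk_object={self.risk_object}", f"risk_type={self.risk_type}",
                f"threat_object={self.threat_object}", f"threat_type={self.threat_type}"}


# Constructed sample anomaly alerts (hypothetical data, not from the patent).
SAMPLE_ALERTS = [
    {"id": 1, "risk_object": "host-42", "risk_type": "device", "score": 30,
     "threat_objects": [("203.0.113.7", "ip"), ("powershell.exe", "process")]},
    {"id": 2, "risk_object": "host-42", "risk_type": "device", "score": 25,
     "threat_objects": [("203.0.113.7", "ip")]},
    {"id": 3, "risk_object": "alice", "risk_type": "user", "score": 40,
     "threat_objects": [("203.0.113.7", "ip")]},
    {"id": 4, "risk_object": "bob", "risk_type": "user", "score": 10,
     "threat_objects": [("198.51.100.9", "ip")]},
    {"id": 5, "risk_object": "host-7", "risk_type": "device", "score": 5,
     "threat_objects": [("updater.exe", "process")]},
    {"id": 6, "risk_object": "alice", "risk_type": "user", "score": 35,
     "threat_objects": [("rundll32.exe", "process")]},
]


def build_links(alerts):
    """Link every alert's risk object to each threat object it used (N:M)."""
    links = {}
    for alert in alerts:
        for t_obj, t_type in alert["threat_objects"]:
            key = (alert["risk_object"], t_obj)
            link = links.setdefault(key, Link(alert["risk_object"], alert["risk_type"], t_obj, t_type))
            link.alert_scores[alert["id"]] = alert["score"]
    return links


def search_links(links, **criteria):
    """Return links whose metadata tags contain every key=value criterion given."""
    wanted = {f"{k}={v}" for k, v in criteria.items()}
    return [link for link in links.values() if wanted <= link.tags()]


def surface(links, risk_score_threshold=50, shared_threat_threshold=2):
    """Reduce links to notices: high-scoring risk objects and widely shared threat objects."""
    scores_by_risk = defaultdict(dict)   # risk object -> {alert id: score}; no double counting
    threats_of = defaultdict(set)
    risks_of = defaultdict(set)
    for (risk, threat), link in links.items():
        scores_by_risk[risk].update(link.alert_scores)
        threats_of[risk].add(threat)
        risks_of[threat].add(risk)

    notices = []
    for risk, scores in scores_by_risk.items():
        total = sum(scores.values())
        if total >= risk_score_threshold:
            notices.append({"kind": "risk_object", "object": risk,
                            "score": total, "linked": sorted(threats_of[risk])})
    for threat, risks in risks_of.items():
        if len(risks) >= shared_threat_threshold:
            notices.append({"kind": "threat_object", "object": threat,
                            "shared_by": sorted(risks)})
    return notices


if __name__ == "__main__":
    links = build_links(SAMPLE_ALERTS)
    for notice in surface(links):
        print(notice)
```

Run as a script, the six sample alerts collapse to three notices: two risk objects whose summed alert scores clear the floor, and one threat object shared by more than one risk object. The per-alert score map on each link is what keeps an alert that names several threat objects from being counted more than once when a risk object's total is computed.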