Analyze an Attack Path
When you click on an attack path in the Paths list, the Attack Path Detail dialog opens with a full step-by-step breakdown. This view lets you understand exactly how an attacker could traverse from entry point to target and what you can do to break the chain.
Opening a Path Detail
From the Paths tab in the Attack Graph Explorer, click any row in the paths table. The detail dialog opens with three sections:
- Path Summary: Overview metrics and score breakdown
- Step-by-Step Breakdown: Each hop with technique details
- Path Visualization: The path highlighted on the graph
Path Summary
The top of the dialog shows key metrics at a glance:
| Metric | Description |
|---|---|
| Risk Score | Normalized score (0--100) with severity badge |
| Confidence | Confirmed, Plausible, or Theoretical |
| Entry Point | Starting node with type and label |
| Target | Ending node with type and label |
| Hop Count | Number of steps from entry to target |
| MITRE Techniques | All ATT&CK techniques present in the path |
Score Breakdown
The score breakdown shows the contribution of each of the 8 risk factors as a horizontal bar chart:
- Exposure: How accessible the entry point is from outside the network
- Privilege: Highest privilege level the attacker reaches (None through CloudAdmin)
- Credential: Credential access along the path (plaintext, SSH keys, API keys)
- Data Sensitivity: Sensitivity classification of the target
- Path Length: Negative factor -- longer paths reduce the score
- Finding Risk: Security findings on nodes along the path
- Patch Risk: Known vulnerabilities along the path
- Config Risk: Misconfigurations along the path
INFO
The score breakdown helps you understand why a path is scored the way it is. A path might score Critical because it has high Exposure (internet-facing entry) and high Credential risk (plaintext credentials stored on a hop), even if the individual CVEs are only medium severity.
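To make the score breakdown concrete, here is an added example (not the product's own scoring code) that combines the eight risk factors into a normalized 0-100 score with a severity badge. The weights, the per-hop path length penalty and the severity thresholds are assumptions chosen for illustration; only the factor names, the 0-100 range and the seven-level privilege ladder come from this page. The two constructed sample paths reproduce the point made in the note: an internet-facing path with plaintext credentials scores Critical despite medium-severity CVEs, while an internal path with a critical CVE but no credential access and more hops scores Low.

```python
from dataclasses import dataclass

# Ordered privilege levels as listed in the product's privilege ladder.
PRIVILEGE_ORDER = ["None", "Authenticated", "UserLevel", "Operator",
                   "Admin", "RootOrSystem", "CloudAdmin"]

# ASSUMED weights (points) for the seven positive factors; they sum to 100 so the
# raw score cannot exceed 100. The product's real weights are not documented here.
WEIGHTS = {
    "exposure": 25, "privilege": 20, "credential": 20, "data_sensitivity": 15,
    "finding_risk": 7, "patch_risk": 7, "config_risk": 6,
}
PATH_LENGTH_PENALTY = 4  # ASSUMED: points subtracted per hop after the first
SEVERITY_THRESHOLDS = [(80, "Critical"), (60, "High"), (40, "Medium"), (1, "Low")]  # assumed


@dataclass
class PathFactors:
    exposure: float          # 0.0 internal-only .. 1.0 internet-facing entry point
    privilege: str           # highest level reached, one of PRIVILEGE_ORDER
    credential: float        # 0.0 no credential access .. 1.0 plaintext credentials on a hop
    data_sensitivity: float  # 0.0 public .. 1.0 restricted target
    hop_count: int
    finding_risk: float      # 0..1 worst security finding on a path node
    patch_risk: float        # 0..1 worst known vulnerability (CVE) on the path
    config_risk: float       # 0..1 worst misconfiguration on the path


def privilege_factor(level: str) -> float:
    """Map a privilege level to 0..1 by its position on the ladder."""
    return PRIVILEGE_ORDER.index(level) / (len(PRIVILEGE_ORDER) - 1)


def score_breakdown(f: PathFactors) -> dict:
    """Points contributed by each of the eight factors; Path Length is the negative one."""
    return {
        "Exposure": WEIGHTS["exposure"] * f.exposure,
        "Privilege": WEIGHTS["privilege"] * privilege_factor(f.privilege),
        "Credential": WEIGHTS["credential"] * f.credential,
        "Data Sensitivity": WEIGHTS["data_sensitivity"] * f.data_sensitivity,
        "Path Length": -PATH_LENGTH_PENALTY * max(0, f.hop_count - 1),
        "Finding Risk": WEIGHTS["finding_risk"] * f.finding_risk,
        "Patch Risk": WEIGHTS["patch_risk"] * f.patch_risk,
        "Config Risk": WEIGHTS["config_risk"] * f.config_risk,
    }


def risk_score(f: PathFactors) -> int:
    """Normalized 0-100 score: clamp the summed contributions and round."""
    total = sum(score_breakdown(f).values())
    return int(round(max(0.0, min(100.0, total))))


def severity(score: int) -> str:
    for threshold, badge in SEVERITY_THRESHOLDS:
        if score >= threshold:
            return badge
    return "Informational"


def bar_chart(f: PathFactors, width: int = 25) -> str:
    """Text rendering of the horizontal bar chart, one row per factor."""
    rows = []
    for name, points in score_breakdown(f).items():
        bar = ("#" if points >= 0 else "-") * int(round(abs(points) * width / 25))
        rows.append(f"{name:<16} {points:+6.1f}  {bar}")
    return "\n".join(rows)


# Constructed sample paths (values are illustrative, not product output).
# Internet-facing entry, plaintext credentials on a hop, only medium-severity CVEs.
EXAMPLE_INTERNET_FACING = PathFactors(
    exposure=1.0, privilege="RootOrSystem", credential=1.0, data_sensitivity=1.0,
    hop_count=2, finding_risk=0.5, patch_risk=0.5, config_risk=0.4)
# Internal-only entry, a critical CVE on the path, no credential access, four hops.
EXAMPLE_INTERNAL = PathFactors(
    exposure=0.2, privilege="UserLevel", credential=0.0, data_sensitivity=0.5,
    hop_count=4, finding_risk=0.3, patch_risk=0.9, config_risk=0.2)

if __name__ == "__main__":
    for label, f in [("internet-facing", EXAMPLE_INTERNET_FACING), ("internal", EXAMPLE_INTERNAL)]:
        s = risk_score(f)
        print(f"== {label}: {s} ({severity(s)})")
        print(bar_chart(f))
```

Running the block prints the two breakdowns side by side; the Path Length row is the only negative bar, which is why the four-hop internal path loses 12 points even though its Patch Risk contribution is the higher of the two.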
Step-by-Step Breakdown
The main body of the dialog shows each hop as a vertical timeline. Each step includes:
Step Fields
| Field | Description |
|---|---|
| Step Number | Sequential position in the path (1, 2, 3, ...) |
| Source Node | The node the attacker is on at this step |
| Edge Type | The relationship being exploited (e.g., CanReach, HasCredential, CanEscalate) |
| Target Node | The node the attacker moves to |
| Edge Weight | Exploit probability for this step (0.01--0.99) |
| Privilege Gained | The privilege level the attacker obtains after this step |
| Is Proven | Whether this step is backed by a capability match |
For Proven Steps
If the step matches a capability from the YAML catalog, additional detail appears:
| Field | Description |
|---|---|
| Capability Name | The matched attack capability (e.g., SSH_PasswordBruteForce) |
| MITRE Technique | ATT&CK technique ID and name (e.g., T1021.004 -- SSH) |
| MITRE Tactic | The attack phase (e.g., Lateral Movement, Privilege Escalation) |
| Evidence | Human-readable explanation: "SSH open on prod-db-01, password authentication enabled" |
| Exploitability | How easy this technique is to execute (0.0 -- 1.0) |
For Unproven Steps
Steps without a capability match show:
- The edge type and weight
- A note indicating the step is based on structural topology rather than a proven attack technique
Reading the Timeline
Follow the timeline from top to bottom. Each step answers: "From this node, the attacker can exploit this relationship to reach that node." The sequence tells a story of how an attacker progresses through your environment.
Path Visualization
The bottom section shows the attack path highlighted on the graph canvas:
- Path nodes are highlighted with colored borders matching the severity
- Path edges are drawn as thick colored lines
- Non-path nodes are dimmed but still visible for context
- The graph auto-zooms to fit the path
Click any node in the visualization to open its Node Details panel.
Privilege Escalation Chain
If the path includes privilege escalation, a privilege ladder shows how the attacker's access level increases:
None --> Authenticated --> UserLevel --> Admin --> RootOrSystem

The seven privilege levels are:
| Level | Meaning |
|---|---|
| None | No authenticated access |
| Authenticated | Basic authenticated session |
| UserLevel | Standard user privileges |
| Operator | Elevated operator privileges |
| Admin | Local administrator |
| RootOrSystem | Root (Linux) or SYSTEM (Windows) |
| CloudAdmin | Cloud platform administrator (Azure Owner, AWS root, GCP Organization Admin) |
Each step in the path shows what privilege level is gained. The highest privilege reached is a major factor in the path's risk score.
MITRE ATT&CK Mapping
Every proven step maps to a MITRE ATT&CK technique. The path detail aggregates all techniques and shows the attack phases covered:
| Tactic | Description | Example Techniques in Path |
|---|---|---|
| Initial Access (TA0001) | How the attacker gets in | Exploit Public-Facing Application, Valid Accounts |
| Execution (TA0002) | How the attacker runs code | Command and Scripting Interpreter |
| Persistence (TA0003) | How the attacker maintains access | Scheduled Tasks, Account Creation |
| Privilege Escalation (TA0004) | How the attacker gains higher access | Sudo abuse, Container Escape |
| Credential Access (TA0006) | How the attacker steals credentials | LSASS dump, Credential in Files |
| Lateral Movement (TA0008) | How the attacker moves between systems | SSH, RDP, SMB, Remote Services |
| Collection (TA0009) | How the attacker gathers data | Data from Database, Data from Storage |
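The step fields, the privilege ladder and the MITRE ATT&CK aggregation described above can be worked through on a constructed path. The following added example is not code from the product; it models each hop with the fields from the Step Fields table, derives the privilege ladder using the seven-level ordering, groups the proven steps' techniques by tactic, and flags the unproven hop. The constructed capability names other than SSH_PasswordBruteForce, the node names and the multiplication of edge weights into one path-level probability are assumptions for illustration; the technique IDs used are real ATT&CK identifiers.

```python
from dataclasses import dataclass
from typing import Optional

PRIVILEGE_ORDER = ["None", "Authenticated", "UserLevel", "Operator",
                   "Admin", "RootOrSystem", "CloudAdmin"]


@dataclass
class Step:
    step: int
    source: str
    edge_type: str                      # CanReach, HasCredential, CanEscalate, ...
    target: str
    edge_weight: float                  # exploit probability for this hop, 0.01..0.99
    privilege_gained: str               # one of PRIVILEGE_ORDER
    capability: Optional[str] = None    # set only for proven steps (YAML catalog match)
    technique: Optional[str] = None     # ATT&CK technique ID and name
    tactic: Optional[str] = None
    evidence: Optional[str] = None
    exploitability: Optional[float] = None

    @property
    def is_proven(self) -> bool:
        return self.capability is not None


def highest_privilege(steps):
    """Highest level reached anywhere on the path (a major score factor)."""
    return max((s.privilege_gained for s in steps), key=PRIVILEGE_ORDER.index)


def privilege_ladder(steps):
    """Levels in the order they are first reached, starting from None; hops that do not raise privilege are skipped."""
    ladder = ["None"]
    for s in steps:
        if PRIVILEGE_ORDER.index(s.privilege_gained) > PRIVILEGE_ORDER.index(ladder[-1]):
            ladder.append(s.privilege_gained)
    return ladder


def techniques_by_tactic(steps):
    """Aggregate the techniques of proven steps by ATT&CK tactic (attack phase)."""
    grouped = {}
    for s in steps:
        if s.is_proven:
            grouped.setdefault(s.tactic, []).append(s.technique)
    return grouped


def unproven_steps(steps):
    return [s for s in steps if not s.is_proven]


def path_probability(steps):
    """ASSUMED aggregation: treat hops as independent and multiply their edge weights."""
    p = 1.0
    for s in steps:
        p *= s.edge_weight
    return p


def render_timeline(steps):
    """Text version of the vertical timeline shown in the dialog."""
    out = []
    for s in steps:
        out.append(f"[{s.step}] {s.source} --{s.edge_type} (w={s.edge_weight:.2f})--> "
                   f"{s.target}  => {s.privilege_gained}")
        if s.is_proven:
            out.append(f"    proven: {s.capability} | {s.technique} | {s.tactic} | "
                       f"exploitability {s.exploitability:.2f}")
            out.append(f"    evidence: {s.evidence}")
        else:
            out.append("    unproven: based on structural topology, no capability match")
    return "\n".join(out)


# Constructed five-hop path (node names and capability names are illustrative).
EXAMPLE_STEPS = [
    Step(1, "internet", "CanReach", "web-01", 0.7, "UserLevel", "Web_ExploitPublicFacingApp",
         "T1190 Exploit Public-Facing Application", "Initial Access",
         "Outdated web framework exposed on tcp/443", 0.7),
    Step(2, "web-01", "HasCredential", "svc-deploy", 0.9, "UserLevel", "File_PlaintextCredential",
         "T1552.001 Credentials In Files", "Credential Access",
         "Plaintext service account password in deploy config", 0.9),
    Step(3, "svc-deploy", "CanReach", "prod-db-01", 0.8, "Operator", "SSH_PasswordBruteForce",
         "T1021.004 SSH", "Lateral Movement",
         "SSH open on prod-db-01, password authentication enabled", 0.8),
    Step(4, "prod-db-01", "CanEscalate", "prod-db-01", 0.6, "RootOrSystem", "Sudo_NoPasswd",
         "T1548.003 Sudo and Sudo Caching", "Privilege Escalation",
         "svc-deploy has NOPASSWD sudo for a shell-capable binary", 0.6),
    Step(5, "prod-db-01", "CanReach", "backup-bucket", 0.5, "RootOrSystem"),  # unproven hop
]

if __name__ == "__main__":
    print(render_timeline(EXAMPLE_STEPS))
    print("ladder:", " --> ".join(privilege_ladder(EXAMPLE_STEPS)))
    print("tactics:", techniques_by_tactic(EXAMPLE_STEPS))
```

Note that step 2 gains a credential without raising privilege, so the ladder skips it, and step 5 contributes its weight to the path probability but no technique to the tactic aggregation, exactly the distinction the dialog draws between proven and unproven steps.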
Remediation Impact
At the bottom of the path detail dialog, a Remediation Impact section shows which actions would break this specific path:
| Action | Impact |
|---|---|
| Patch CVE-XXXX-XXXXX on node-A | Breaks this path and 12 other paths |
| Restrict permissions on identity-B | Breaks this path and 8 other paths |
| Enable MFA on account-C | Breaks this path and 5 other paths |
TIP
The remediation suggestion with the highest "other paths broken" count is the most cost-effective fix. It means remediating that single issue has a cascading positive effect across your entire attack surface.
What-If Simulation
Click the What-If button in the path detail to simulate removing one or more steps. The simulation re-runs the attack analysis and shows:
- How many total paths are eliminated
- The new overall risk score
- Changes to toxic combination counts
- Whether the target is still reachable via alternative paths
WARNING
What-If simulation shows the result of removing nodes or edges from the model. It does not account for new paths that might emerge after a change in your real environment. Always validate simulation results against your actual infrastructure.
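The Remediation Impact ranking and the What-If simulation above both operate on the same model: a set of attack paths over a graph, and actions that remove edges from it. The following added example (not the product's code) builds a small constructed graph with five paths, ranks candidate remediations by how many other paths they also break, and then simulates removing one or more edges to report how many paths are eliminated and whether the target remains reachable via an alternative route. Node names, edge ids, the paths and the actions are all constructed; the simulation models only path counts and reachability, not the re-scoring or toxic combination counts the real What-If view also reports.

```python
from collections import deque

# Constructed model: directed edges of a small attack graph, keyed by edge id.
EDGES = {
    "e1": ("internet", "CanReach", "web-01"),
    "e2": ("web-01", "HasCredential", "svc-deploy"),
    "e3": ("svc-deploy", "CanReach", "prod-db-01"),
    "e4": ("web-01", "CanReach", "jump-01"),
    "e5": ("jump-01", "CanReach", "prod-db-01"),
    "e6": ("prod-db-01", "CanReach", "backup-bucket"),
    "e7": ("internet", "CanReach", "vpn-01"),
    "e8": ("vpn-01", "CanReach", "jump-01"),
}

# Constructed attack paths as ordered edge ids (the first edge's source is the entry point).
PATHS = {
    "P1": ["e1", "e2", "e3", "e6"],
    "P2": ["e1", "e4", "e5", "e6"],
    "P3": ["e7", "e8", "e5", "e6"],
    "P4": ["e1", "e2", "e3"],
    "P5": ["e7", "e8", "e5"],
}

# Constructed remediation actions, each mapped to the edge(s) it invalidates in the model.
ACTIONS = {
    "Patch public-facing app on web-01": {"e1"},
    "Remove plaintext svc-deploy credential from web-01": {"e2"},
    "Enable MFA on jump-01": {"e5"},
    "Restrict prod-db-01 access to backup-bucket": {"e6"},
}


def paths_broken(removed_edges, paths):
    """Ids of paths that contain at least one removed edge."""
    return sorted(pid for pid, edges in paths.items() if removed_edges & set(edges))


def remediation_impact(actions, paths, this_path):
    """Rows for the Remediation Impact table: (action, other paths broken), best first.

    Only actions that break this_path are listed, mirroring the dialog."""
    rows = []
    for name, removed in actions.items():
        broken = paths_broken(removed, paths)
        if this_path in broken:
            rows.append((name, len(broken) - 1))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def reachable(edges, removed_edges, entry, target):
    """BFS over the remaining edges: can target still be reached from entry?"""
    adj = {}
    for eid, (src, _, dst) in edges.items():
        if eid not in removed_edges:
            adj.setdefault(src, []).append(dst)
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def what_if(edges, paths, removed_edges, entry, target):
    """Simulate removing edges from the model (not from the real environment)."""
    eliminated = paths_broken(removed_edges, paths)
    return {
        "paths_eliminated": len(eliminated),
        "paths_remaining": len(paths) - len(eliminated),
        "target_still_reachable": reachable(edges, removed_edges, entry, target),
    }


if __name__ == "__main__":
    for action, others in remediation_impact(ACTIONS, PATHS, "P1"):
        print(f"{action}: breaks this path and {others} other paths")
    print(what_if(EDGES, PATHS, ACTIONS["Patch public-facing app on web-01"], "internet", "backup-bucket"))
    both = ACTIONS["Patch public-facing app on web-01"] | ACTIONS["Enable MFA on jump-01"]
    print(what_if(EDGES, PATHS, both, "internet", "backup-bucket"))
```

The second simulation is the case the warning above is about: patching web-01 alone eliminates three paths yet leaves backup-bucket reachable through the VPN route, so the target's exposure has not changed; only the combination with MFA on jump-01 makes it unreachable in the model, and even that result still needs to be checked against the live environment.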
Next Steps
- Understand Chokepoints -- Find nodes that block the most paths
- Understand Toxic Combinations -- See if path components form dangerous patterns
- Prioritize Remediation -- Get a ranked action plan across all paths