Appearance
Filter the Graph
The filter panel lets you narrow down the Attack Graph to focus on specific resource types, providers, severity levels, assets, or network segments. Filters apply to both the graph visualization and the data tables in other tabs.
Opening the Filter Panel
Click the Filter button in the Explorer toolbar to open the filter panel on the left side of the canvas. Active filters are indicated by a badge count on the Filter button.
Filter by Node Type
Select one or more node types to display only those resources in the graph. All other nodes and their edges are hidden.
Common filter scenarios:
| Goal | Node Types to Select |
|---|---|
| See only compute resources | Host, CloudVM, WebApp, ServerlessFunction |
| Focus on identity and access | CloudRole, Permission, ManagedIdentity, ServicePrincipal, CloudUser, IamPolicy |
| Examine data assets | Database, StorageAccount, StorageBucket, KeyVault, Secret, DataTarget |
| Kubernetes overview | K8SCluster, K8SNamespace, K8SPod, K8SRole, K8SServiceAccount |
| Network topology | VPC, Subnet, SecurityGroup, LoadBalancer, PublicIp, NATGateway |
| Credentials only | Credential, SshKey, ApiKey, AccessToken, CredentialStore |
TIP
When you filter by node type, edges between hidden nodes are also hidden. Edges where at least one endpoint is visible remain displayed.
Filter by Provider
Filter nodes by their cloud provider origin:
- AWS: Resources discovered via AWS adapters
- Azure: Resources discovered via Azure adapters
- GCP: Resources discovered via GCP adapters
- On-Premises: Resources discovered by sensors (not associated with a cloud provider)
Select multiple providers to see cross-cloud relationships. For example, selecting both AWS and Azure reveals any trust relationships or credential paths that span providers.
Multi-Cloud Visibility
Cross-cloud attack paths are one of the hardest risks to detect. Filtering to show two providers simultaneously highlights lateral movement opportunities between cloud environments that single-provider tools miss entirely.
Filter by Severity
Filter attack paths and their associated nodes by risk severity:
| Severity | Score Range | Description |
|---|---|---|
| Critical | 70+ | Paths with high exploitability and sensitive targets |
| High | 50 -- 69 | Significant risk requiring prompt attention |
| Medium | 30 -- 49 | Moderate risk, typically with mitigating factors |
| Low | Below 30 | Low risk, usually theoretical or long paths |
When you filter by severity, the graph shows only nodes that participate in attack paths of the selected severity levels. This is useful for focusing your review on the most urgent risks.
Filter by Specific Asset
Use the asset search to find and highlight a specific resource in the graph:
- Type the asset name, hostname, or IP address in the search field
- Matching assets appear in a dropdown list
- Select an asset to center the graph on that node and highlight it
- All attack paths involving that asset are emphasized
TIP
You can also arrive at an asset-focused view from the Assets page. Click View in Attack Graph on any asset detail page to open the Explorer pre-filtered to that asset.
Filter by Subnet
Filter by network subnet to focus on a specific network segment:
- Open the Subnet filter dropdown
- Select one or more subnets (listed by CIDR range and name)
- The graph displays only nodes within those subnets and any edges that cross subnet boundaries
This is particularly useful for:
- Reviewing the exposure of a specific DMZ segment
- Verifying network segmentation between production and development environments
- Examining lateral movement paths within a single VLAN
Filter by Edge Type
Filter edges by relationship type to focus on specific attack vectors:
| Filter Group | Edge Types Included |
|---|---|
| Credential access | HasCredential, ExposesCredential, OwnsCredential, HasExposedSecret |
| Network reachability | CanReach, AllowsTraffic, ExposesTo, NetworkNeighbor |
| Privilege escalation | CanEscalate, CanDumpCredentials |
| IAM relationships | HasCloudRole, CanAssumeRole, HasRoleAssignment, GrantsAccessTo |
| Topology | BelongsToSubnet, BelongsToVPC, AttachedNIC, RunsIn |
Combining Filters
All filters are applied together with AND logic. For example:
- Node type: Database + Provider: AWS + Severity: Critical shows only AWS database nodes that are part of critical attack paths
- Subnet: 10.0.1.0/24 + Node type: Host, Service shows hosts and services within that specific subnet
Clearing Filters
- Click the X next to any individual filter to remove it
- Click Clear All in the filter panel to reset all filters at once
- The graph returns to its full, unfiltered state
WARNING
Clearing filters on a large graph may cause a brief re-render as all nodes become visible. Use view modes in combination with filters for the best experience.
Next Steps
- Node Details -- Inspect a specific node after filtering
- View Attack Paths -- See attack paths matching your filter criteria
- Navigate the Explorer -- Pan, zoom, and interact with the filtered view