Appearance
Navigate the Explorer
The Attack Graph Explorer is an interactive canvas that visualizes your environment's attack surface. This page explains how to navigate, select, and inspect elements in the graph.
Explorer Layout
The Explorer has five tabs across the top:
| Tab | Purpose |
|---|---|
| Graph | Interactive graph visualization |
| Paths | Attack paths list sorted by risk |
| Chokepoints | Nodes that appear in many attack paths |
| Toxic | Dangerous misconfiguration combinations |
| Remediation | Prioritized fix list |
This page covers the Graph tab. The other tabs are documented on their own pages.
Zooming
Use any of these methods to zoom the graph:
| Method | Action |
|---|---|
| Scroll wheel | Scroll up to zoom in, scroll down to zoom out |
| Pinch gesture | On trackpad, pinch to zoom in/out |
| Zoom controls | Use the + and - buttons in the toolbar |
| Fit to screen | Click the Fit button to auto-zoom so all nodes are visible |
TIP
When you first open the graph, it automatically fits to show all nodes. If you lose your place after zooming in, click Fit to reset the view.
Panning
Click and drag on the background (not on a node) to pan the canvas. The cursor changes to a grab icon while panning.
Selecting Nodes
Click on any node to select it. When a node is selected:
- The node is highlighted with a selection ring
- The Node Details panel opens on the right side
- Connected edges are visually emphasized
- Unrelated nodes dim slightly for context
To deselect, click on the background or press Escape.
Selecting Edges
Click on any edge (the line between two nodes) to view edge details:
- Edge type: The relationship type (e.g., CanReach, HasCredential)
- Weight: Exploit probability (higher = easier to exploit)
- Protocol and port: For network edges, the protocol (TCP/UDP) and port or port range
- Privilege levels: Required privilege to traverse and privilege gained
- Source CIDR: For traffic rules, the allowed source range
Minimap
The minimap in the bottom-right corner shows a bird's-eye view of the entire graph. The highlighted rectangle represents your current viewport. Click and drag within the minimap to quickly navigate to a different area of the graph.
Node Visual Encoding
Nodes are visually encoded by type using both color and shape so you can identify resource categories at a glance:
| Category | Color | Shape |
|---|---|---|
| Attacker | Red | Octagon |
| Internet | Gold | Octagon |
| Compute (Hosts, VMs, WebApps) | Blue shades | Ellipse |
| Network (VPCs, Subnets, SGs) | Indigo | Ellipse |
| Security (WAF, SecurityCenter) | Teal | Diamond |
| IAM (Roles, Permissions, Identities) | Purple | Ellipse |
| Data (Databases, Storage, KeyVaults) | Teal/Blue | Barrel |
| Kubernetes | Green | Tag |
| Active Directory | Dark red | Star |
| Credentials (SSH Keys, API Keys) | Dark red | Ellipse |
Node Legend
Click the Legend toggle in the toolbar to show or hide the node legend overlay. The legend shows all node categories with their colors and shapes.
Edge Visual Encoding
Edges are color-coded by type to help distinguish relationship categories:
- Red edges: High-risk attack relationships (CanEscalate, CanDumpCredentials, ExposesCredential)
- Orange edges: Access and credential relationships (HasCredential, CanAssumeRole, HasCloudRole)
- Blue edges: Network topology (BelongsToSubnet, BelongsToVPC, AttachedNIC)
- Gray edges: Structural relationships (ListensOn, RunsAs, MemberOf)
- Green edges: Security controls (ProtectedBy, EncryptedBy)
Edge thickness varies with weight -- heavier (more exploitable) edges appear thicker.
Graph View Modes
The toolbar provides view mode toggles:
| Mode | What It Shows |
|---|---|
| Full Graph | All nodes and edges in the topology |
| Attack Paths Only | Only nodes and edges that participate in at least one attack path, hiding structural-only nodes |
TIP
Use Attack Paths Only mode when the full graph is too dense. This filters out nodes that are not part of any calculated attack path, making it easier to focus on what matters.
Toolbar Actions
| Button | Action |
|---|---|
| Recompute | Triggers a fresh graph computation from the latest discovery data |
| Fit | Auto-zooms to fit all visible nodes |
| Legend | Toggles the node category legend |
| Export | Exports the graph in JSON or Cytoscape format |
| Full Screen | Expands the graph canvas to fill the browser window |
Performance with Large Graphs
For environments with thousands of nodes, the Explorer uses progressive rendering:
- Nodes outside the current viewport are not rendered until you pan to them
- Zooming out far enough switches to a simplified rendering mode
- The status bar at the bottom shows the total node count, edge count, and path count
Large Environments
Graphs with more than 10,000 nodes may take longer to render initially. Use filters to focus on specific segments of your infrastructure for smoother interaction.
Next Steps
- Filter the Graph -- Narrow down what is displayed
- Node Details -- Deep dive into a selected node
- View Attack Paths -- Switch to the Paths tab