
Understand the Attack Graph

The Attack Graph is the core analytical engine behind AttackLens. It models your entire infrastructure -- on-premises hosts, cloud resources, identities, credentials, network topology, and Kubernetes clusters -- as a directed weighted graph, then automatically discovers how an attacker could move laterally from entry points to your most critical assets.

What the Attack Graph Does

Traditional vulnerability scanners tell you what is broken. The Attack Graph tells you what it means -- which vulnerabilities, misconfigurations, and trust relationships can be chained together to form a real attack path.

Key Concept

A single medium-severity vulnerability on an internet-facing server might be harmless in isolation. But if that server has SSH access to a jump box, which has stored credentials for a database containing PII, the Attack Graph connects those dots into a Critical attack path.

The Attack Graph answers questions like:

  • What are the most likely paths an attacker would take to reach our crown jewel assets?
  • Which single remediation action would break the most attack paths?
  • Are there dangerous combinations of misconfigurations that individually seem low-risk?
  • If we patch this one CVE, how much does our overall exposure drop?

How the Graph Is Built

The Attack Graph is computed through a 7-step pipeline that runs automatically on a configurable schedule (default: every 60 minutes) or on demand.

Step 1 -- Discovery

AttackLens collects data from two sources:

  • Cloud adapters: Connect to AWS, Azure, and GCP APIs to discover cloud resources (VMs, networks, storage, databases, identities, IAM policies, Kubernetes clusters, and more).
  • Sensors: Lightweight agents installed on on-premises and hybrid machines that collect installed packages, running services, open ports, user accounts, credentials, security policies, and Active Directory data.

Step 2 -- Asset Sync

Discovered resources are reconciled with the asset inventory. New assets are added, changed assets are updated, and decommissioned resources are removed.

Step 3 -- Requirement Analysis

AttackLens evaluates coverage gaps -- which assets have sensors, which cloud accounts have adapters connected, and where blind spots exist that limit graph accuracy.

Step 4 -- Infrastructure Graph

This is the core construction step. Three specialized builders create the graph topology:

Builder                  What It Creates
-----------------------  ---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Inventory Graph Builder  On-premises hosts, services, open ports, user accounts, installed software, credentials, scheduled tasks, file shares, and reachability edges between them
Cloud Resource Builder   Cloud VMs, VPCs, subnets, security groups, load balancers, databases, storage accounts, serverless functions, and network topology edges using 9 topology wirers
IAM Graph Builder        Azure RBAC role assignments, AWS IAM users/roles/policies, GCP service account bindings, Active Directory trusts, Kerberos delegation paths, and credential dumping edges

Additional enrichment layers add Kubernetes deep models (namespaces, pods, service accounts, RBAC roles, secrets) and mark crown jewel assets.

Step 5 -- Attack Analysis

The engine evaluates 93 attack capabilities defined in YAML against the graph. Each capability encodes a known attack technique (mapped to MITRE ATT&CK) with prerequisite conditions. When conditions match, the capability produces a proven edge: an evidence-backed attack step.

The engine then runs Yen's K-Shortest Paths algorithm to find the top attack paths from entry points (internet-facing resources, the Attacker node) to goal nodes (databases, key vaults, secrets, crown jewels, admin accounts).
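As an added illustration of this step (example code, not AttackLens's engine), the following runs Yen's K-shortest paths over a small constructed graph and then counts which edges the top paths share, the chokepoint idea the page returns to later. The host names and weights are made up; converting an ease-of-exploitation weight into a path cost with -ln(weight) is an assumption, since the page only states that the algorithm runs over the weighted graph.

```python
import heapq
import math
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample graph (hypothetical hosts and weights, not AttackLens data).
# (source, target) -> weight in 0.01..0.99; higher means easier to exploit.
EDGES: Dict[Tuple[str, str], float] = {
    ("Attacker", "web-01"): 0.90,     # ExposesTo: internet-facing web server
    ("Attacker", "vpn-01"): 0.35,     # ExposesTo: VPN gateway with MFA
    ("web-01", "jump-01"): 0.60,      # CanReach: SSH from web tier to jump box
    ("web-01", "app-01"): 0.40,       # CanReach: app port open from web tier
    ("vpn-01", "jump-01"): 0.55,      # CanReach: VPN clients can SSH to jump box
    ("jump-01", "db-01"): 0.75,       # HasCredential: DB password stored on jump box
    ("jump-01", "app-01"): 0.50,      # CanReach
    ("app-01", "db-01"): 0.30,        # CanReach: app host reaches the DB port
    ("app-01", "keyvault-01"): 0.20,  # HasCloudRole: identity with vault read access
}

Graph = Dict[str, List[Tuple[str, float]]]
Path = List[str]


def to_cost_graph(edges: Dict[Tuple[str, str], float]) -> Graph:
    # Assumption: cost = -ln(weight), so a path's cost is -ln(product of its
    # weights) and the cheapest path is the one the attacker most likely completes.
    adj: Graph = {}
    for (u, v), w in edges.items():
        adj.setdefault(u, []).append((v, -math.log(w)))
    return adj


def dijkstra(adj: Graph, src: str, dst: str, banned_nodes: Set[str],
             banned_edges: Set[Tuple[str, str]]) -> Optional[Tuple[Path, float]]:
    """Cheapest src->dst path avoiding the banned nodes and edges; None if unreachable."""
    dist, prev, done = {src: 0.0}, {}, set()
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        if u == dst:
            break
        for v, c in adj.get(u, []):
            if v in banned_nodes or (u, v) in banned_edges:
                continue
            if d + c < dist.get(v, math.inf):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def top_attack_paths(edges, src, dst, k) -> List[Tuple[Path, float]]:
    """Yen's K-shortest loopless paths, best first, each with its likelihood
    (the product of the edge weights along the path)."""
    adj = to_cost_graph(edges)
    first = dijkstra(adj, src, dst, set(), set())
    if first is None:
        return []
    accepted: List[Tuple[Path, float]] = [first]
    candidates: List[Tuple[float, Path]] = []
    while len(accepted) < k:
        last = accepted[-1][0]
        for i in range(len(last) - 1):
            spur, root = last[i], last[: i + 1]
            # Accepted paths sharing this root may not reuse their next edge,
            # and the spur path may not revisit the root, so it must deviate.
            banned = {(p[i], p[i + 1]) for p, _ in accepted if p[: i + 1] == root}
            result = dijkstra(adj, spur, dst, set(root[:-1]), banned)
            if result is None:
                continue
            spur_path, spur_cost = result
            root_cost = sum(-math.log(edges[(root[j], root[j + 1])]) for j in range(i))
            cand = (root_cost + spur_cost, root[:-1] + spur_path)
            if cand not in candidates and cand[1] not in [p for p, _ in accepted]:
                heapq.heappush(candidates, cand)
        if not candidates:
            break
        cost, path = heapq.heappop(candidates)
        accepted.append((path, cost))
    return [(p, math.exp(-c)) for p, c in accepted]


def chokepoints(paths: List[Tuple[Path, float]]) -> List[Tuple[Tuple[str, str], int]]:
    """Edges ranked by how many of the top paths use them; removing the first
    one breaks the most paths, which is what a remediation-priority view ranks."""
    counts: Dict[Tuple[str, str], int] = {}
    for path, _ in paths:
        for u, v in zip(path, path[1:]):
            counts[(u, v)] = counts.get((u, v), 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ranked = top_attack_paths(EDGES, "Attacker", "db-01", k=3)
    for path, likelihood in ranked:
        print(f"{likelihood:.3f}  " + " -> ".join(path))
    print("top chokepoints:", chokepoints(ranked)[:2])
```

On this graph the best path is Attacker -> web-01 -> jump-01 -> db-01 (likelihood 0.405), the second goes in through the VPN gateway, and the third detours through app-01; the stored credential edge jump-01 -> db-01 sits on two of the three, so removing that credential is the single change that breaks the most paths.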

Step 6 -- Scoring

Each attack path receives an 8-factor risk score (0--100):

Factor            What It Measures
----------------  ------------------------------------------------------------------
Exposure          How exposed the entry point is to the internet
Privilege         Highest privilege level gained along the path
Credential        Credential access opportunities (plaintext, SSH keys, API keys)
Data Sensitivity  Sensitivity classification of the target asset
Path Length       Shorter paths are riskier (negative weight)
Finding Risk      Security findings along the path
Patch Risk        Unpatched vulnerabilities along the path
Config Risk       Misconfigurations along the path

Paths are classified by severity:

Severity  Score Range
--------  ------------
Critical  70 and above
High      50 -- 69
Medium    30 -- 49
Low       Below 30
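To make the scoring concrete, here is an added example (not AttackLens's scorer) that computes an 8-factor score for the path described in the Key Concept box and then re-scores it with the entry server's CVE patched, which is the "if we patch this one CVE" question from the top of the page. The factor weights, the privilege scale, and the 0..1 normalisation divisors are assumptions; only the eight factor names, the negative sign on Path Length, the 0 to 100 range, and the severity bands come from the page.

```python
from typing import Dict, List

# Factor weights are assumptions for this example. Positive weights sum to 100,
# so a one-hop path that maxes every factor scores about 100; Path Length is the
# only negative weight, as the page states.
WEIGHTS: Dict[str, float] = {
    "exposure": 20, "privilege": 15, "credential": 15, "data_sensitivity": 20,
    "path_length": -10, "finding_risk": 10, "patch_risk": 10, "config_risk": 10,
}


def hop(source: str, target: str, edge_type: str, *, privilege: int = 0,
        credential: float = 0.0, findings: int = 0, max_cvss: float = 0.0,
        misconfigs: int = 0, exposure: float = 0.0, sensitivity: float = 0.0) -> Dict:
    """One edge of an attack path carrying the attributes the scorer reads.
    privilege uses an assumed scale: 0 none, 1 user, 2 admin, 3 domain/tenant admin."""
    return dict(source=source, target=target, edge_type=edge_type, privilege=privilege,
                credential=credential, findings=findings, max_cvss=max_cvss,
                misconfigs=misconfigs, exposure=exposure, sensitivity=sensitivity)


def path_factors(path: List[Dict]) -> Dict[str, float]:
    """Normalise the eight factors to 0..1 (the divisors are assumptions)."""
    return {
        "exposure": path[0]["exposure"],                       # entry point only
        "privilege": max(h["privilege"] for h in path) / 3.0,  # highest level reached
        "credential": max(h["credential"] for h in path),
        "data_sensitivity": path[-1]["sensitivity"],           # target asset only
        "path_length": min(len(path) / 6.0, 1.0),              # longer => bigger penalty
        "finding_risk": min(sum(h["findings"] for h in path) / 5.0, 1.0),
        "patch_risk": max(h["max_cvss"] for h in path) / 10.0,
        "config_risk": min(sum(h["misconfigs"] for h in path) / 5.0, 1.0),
    }


def score_path(path: List[Dict]) -> float:
    """Weighted sum of the normalised factors, clamped to the page's 0..100 range."""
    raw = sum(WEIGHTS[name] * value for name, value in path_factors(path).items())
    return round(min(100.0, max(0.0, raw)), 1)


def severity(score: float) -> str:
    """Severity bands exactly as the page defines them."""
    if score >= 70:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 30:
        return "Medium"
    return "Low"


def score_after_patch(path: List[Dict], target: str) -> float:
    """Re-score with the CVE findings on `target` removed: 'if we patch this one
    CVE, how much does our exposure drop?'"""
    patched = [dict(h, max_cvss=0.0, findings=0) if h["target"] == target else h
               for h in path]
    return score_path(patched)


# Constructed path from the Key Concept box: a medium CVE (CVSS 6.5) on an
# internet-facing server, SSH to a jump box, a stored credential for a PII database.
PII_PATH = [
    hop("Attacker", "web-01", "ExposesTo", exposure=1.0, privilege=1, findings=1, max_cvss=6.5),
    hop("web-01", "jump-01", "CanReach", privilege=1, misconfigs=1),   # SSH, password auth on
    hop("jump-01", "db-01", "HasCredential", privilege=2, credential=1.0, misconfigs=1,
        sensitivity=1.0),                                               # plaintext DB admin password
]

if __name__ == "__main__":
    s = score_path(PII_PATH)
    print(f"score {s} -> {severity(s)}")
    p = score_after_patch(PII_PATH, "web-01")
    print(f"after patching web-01: {p} -> {severity(p)}")
```

With these assumed weights the three-hop path scores 72.5 (Critical). Patching the medium CVE only removes the Patch Risk and Finding Risk contributions, dropping it to 64.0 (High): the path still exists because the stored credential and the SSH reachability, not the CVE, are what carry it to the PII database.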

Step 7 -- Persist

The computed graph, attack paths, toxic combinations, chokepoints, and remediation priorities are saved and made available in the UI and API.

Node Types

Nodes represent resources, identities, and infrastructure components in your environment. AttackLens supports 97 node types organized into categories:

Category          Examples                                                                                        Visual
----------------  ----------------------------------------------------------------------------------------------  --------------
Attacker          Attacker (synthetic entry point)                                                                Red
Internet          InternetGateway                                                                                 Gold
Compute           Host, CloudVM, WebApp, ServerlessFunction, ContainerService                                      Blue shades
Network           VPC, Subnet, SecurityGroup, LoadBalancer, PublicIp, NATGateway, VpnGateway                       Indigo
Security          Waf, SecurityCenter, ConditionalAccessPolicy, Certificate                                        Diamond shapes
IAM               CloudRole, Permission, ManagedIdentity, ServicePrincipal, CloudUser, IamPolicy                   Purple
Data              Database, StorageAccount, StorageBucket, KeyVault, Secret, DataTarget, DataLake, DataWarehouse   Teal
Kubernetes        K8SCluster, K8SNamespace, K8SPod, K8SRole, K8SServiceAccount, K8SSecret                          Tag shapes
Active Directory  DomainController, CredentialStore                                                                Dark red
Credentials       SshKey, ApiKey, AccessToken, Credential                                                          Dark red

Edge Types

Edges represent relationships and potential lateral movement paths. AttackLens models 51 edge types, including:

Edge Type           Meaning                                   Example
------------------  ----------------------------------------  ---------------------------------------------
CanReach            Network reachability between resources    Host A can reach Service B on port 22
CanEscalate         Privilege escalation opportunity          User can escalate via sudo NOPASSWD
HasCredential       Resource has access to a credential       Host stores an SSH key for another host
AllowsTraffic       Security group permits traffic            SG allows inbound port 3389 from 0.0.0.0/0
HasCloudRole        Identity has a cloud IAM role             Service principal has Contributor role
CanAssumeRole       Identity can assume another role          AWS IAM user can AssumeRole to admin
HasVulnerability    Resource has a known CVE                  Server has CVE-2024-XXXX (EPSS 0.87)
CanDumpCredentials  Credential dumping is possible            LSASS memory dump on domain controller
KerberosDelegate    Kerberos delegation relationship          Unconstrained delegation to DC
ExposesTo           Resource is exposed to the internet       Public IP attached to VM

Edge Weights

Every edge carries a weight (0.01--0.99) representing how easy it is to exploit. Higher weight means easier exploitation. Weights are calculated from base values for each edge type and then modified by factors like critical CVEs on the target, high EPSS scores, end-of-life OS, disabled firewalls, and monitoring coverage.

Path Confidence

Each attack path receives a confidence label based on how many of its edges are backed by real capability evidence:

Confidence   Proven Edge Ratio  Meaning
-----------  -----------------  --------------------------------------------------------------------
Confirmed    80% or more        Most edges match known attack techniques from the capability catalog
Plausible    40% -- 79%         A significant portion of edges are evidence-backed
Theoretical  Below 40%          Most edges are inferred from topology only

INFO

A proven edge is an edge where the capability evaluator found a matching attack capability in the YAML catalog. The capability must match source/target node types, edge type, and all prerequisite conditions. Proven edges carry MITRE ATT&CK technique mappings and human-readable evidence strings.
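An added example (not project code) covering the Edge Weights and Path Confidence sections together: it derives an edge weight from an assumed base value per edge type times the modifiers the page names, clamped to the 0.01 to 0.99 range, then builds a short path in which some edges carry a capability match (technique mapping plus evidence string) and others are topology-only, and labels the path's confidence from its proven-edge ratio. Base values, multipliers, host names and evidence strings are hypothetical; the ATT&CK technique IDs are real identifiers, but their pairing with these edges is illustrative.

```python
from typing import Dict, List, Optional, Tuple

WEIGHT_MIN, WEIGHT_MAX = 0.01, 0.99  # edge weight range stated on the page

# Base ease per edge type and multipliers for the modifying factors the page
# names. Every number here is an assumption for illustration.
BASE_WEIGHT: Dict[str, float] = {
    "ExposesTo": 0.80, "HasVulnerability": 0.45, "CanReach": 0.30,
    "CanEscalate": 0.50, "HasCredential": 0.70, "CanAssumeRole": 0.65,
}
MODIFIERS: Dict[str, float] = {
    "critical_cve": 1.5,        # critical CVE on the target
    "high_epss": 1.3,           # high EPSS score on that CVE
    "eol_os": 1.2,              # end-of-life operating system on the target
    "firewall_disabled": 1.2,   # host firewall off
    "monitored": 0.7,           # monitoring coverage: the step is likelier to be caught
}


def edge_weight(edge_type: str, **flags: bool) -> float:
    """Base weight times each active modifier, clamped so no edge is ever
    impossible (0.01) or certain (0.99)."""
    weight = BASE_WEIGHT[edge_type]
    for name, active in flags.items():
        if active:
            weight *= MODIFIERS[name]
    return min(WEIGHT_MAX, max(WEIGHT_MIN, weight))


def make_edge(source: str, target: str, edge_type: str, technique: Optional[str] = None,
              evidence: Optional[str] = None, **flags: bool) -> Dict:
    """An edge record. technique/evidence are present only when a capability
    matched the edge, which is what makes it a proven edge."""
    return {"source": source, "target": target, "type": edge_type,
            "weight": edge_weight(edge_type, **flags),
            "proven": technique is not None, "technique": technique, "evidence": evidence}


def path_likelihood(path: List[Dict]) -> float:
    """Product of the edge weights: how likely the whole chain is to succeed."""
    likelihood = 1.0
    for edge in path:
        likelihood *= edge["weight"]
    return likelihood


def path_confidence(path: List[Dict]) -> Tuple[str, float]:
    """Confidence label from the proven-edge ratio, using the page's thresholds."""
    ratio = sum(1 for edge in path if edge["proven"]) / len(path)
    if ratio >= 0.80:
        return "Confirmed", ratio
    if ratio >= 0.40:
        return "Plausible", ratio
    return "Theoretical", ratio


# Constructed path (hypothetical hosts and evidence). Technique IDs are real
# ATT&CK identifiers; their assignment to these edges is illustrative.
SAMPLE_PATH = [
    make_edge("Attacker", "web-01", "ExposesTo"),  # inferred from a public IP; no capability matched
    make_edge("web-01", "jump-01", "CanReach", technique="T1021.004",
              evidence="sshd/22 on jump-01 reachable from web-01; password auth enabled", eol_os=True),
    make_edge("jump-01", "root@jump-01", "CanEscalate", technique="T1548.003",
              evidence="deploy user has sudo NOPASSWD for /bin/bash"),
    make_edge("root@jump-01", "db-01", "HasCredential", technique="T1552.001",
              evidence="plaintext DB admin password in /etc/app/db.conf"),
]

if __name__ == "__main__":
    label, ratio = path_confidence(SAMPLE_PATH)
    print(f"likelihood={path_likelihood(SAMPLE_PATH):.4f} confidence={label} ({ratio:.0%})")
    for edge in SAMPLE_PATH:
        print(f"  {edge['source']} -> {edge['target']} [{edge['type']}] w={edge['weight']:.2f} "
              f"proven={edge['proven']} {edge['technique'] or ''} {edge['evidence'] or ''}")
```

Two things worth noticing: stacking a critical CVE, a high EPSS score and an end-of-life OS on a HasVulnerability edge would push the raw product past 1.0, and the clamp caps it at 0.99, so a path can never be reported as certain; and three proven edges out of four gives a 75% ratio, which lands in Plausible rather than Confirmed even though every hop past the entry point is evidence-backed.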

Computation Triggers

The Attack Graph is recomputed:

Trigger               When
--------------------  ----------------------------------------------------------------------
Scheduled             Automatically every 60 minutes (configurable in Attack Graph Settings)
Manual                Click the Recompute button in the Attack Graph Explorer
After discovery sync  Automatically after a cloud adapter discovery run completes
