# Node Details
When you select a node in the Attack Graph Explorer, the Node Details panel opens on the right side of the canvas. This panel provides a comprehensive view of the resource, its security posture, connections, and role in attack paths.
## Opening Node Details
Click any node in the graph canvas to open its detail panel. You can also access node details from:
- The Paths tab -- Click on an entry point or target node in the paths list
- The Chokepoints tab -- Click on a chokepoint node
- The Toxic Combinations tab -- Click on a component node
- The API -- `GET /api/v1/attack-graph/nodes/{nodeId}`
## Header
The panel header shows:
- Node type icon: Color-coded icon matching the node category (Compute, Network, IAM, Data, etc.)
- Label: The display name of the resource (e.g., hostname, cloud resource name, identity name)
- Type badge: The specific node type (e.g., CloudVM, Database, ServicePrincipal)
- Provider badge: AWS, Azure, GCP, or On-Premises
## Properties
The Properties section displays key attributes and security-relevant metadata for the resource. Properties vary by node type.
### Compute Node Properties
| Property | Description |
|---|---|
| OS | Operating system name and version |
| IP Address | Private and public IP addresses |
| Instance Type | Cloud instance type (e.g., t3.large, Standard_D2s_v3) |
| Region | Cloud region or data center location |
| Is Internet-Facing | Whether the resource is reachable from the internet |
| Firewall Enabled | Whether the host firewall is active |
| EOL OS | Whether the operating system is end-of-life |
| Monitoring Score | Combined score from EDR, SIEM, alerts, and audit log coverage (0.0 -- 1.0) |
### Identity / IAM Node Properties
| Property | Description |
|---|---|
| Identity Type | User, Service Principal, Managed Identity, Service Account |
| Has MFA | Whether multi-factor authentication is enabled |
| Has Admin Policy | Whether the identity has administrative privileges |
| Has Wildcard Actions | Whether IAM policies contain wildcard (*) permissions |
| Has Dangerous Actions | Whether the identity can perform high-risk operations |
| Has Console Access | Whether the identity can log into the cloud console |
| Has Active Access Keys | Whether API access keys exist and are active |
| Has Data Plane Access | Whether the identity can access data-plane resources (storage, databases) |
| Last Activity | When the identity was last used |
| Credential Age | How old the credentials are (days) |
### Network Node Properties
| Property | Description |
|---|---|
| CIDR | IP address range for VPCs and subnets |
| Allowed Ports | Ports permitted by security group rules |
| Source CIDRs | Allowed source IP ranges |
| Protocol | TCP, UDP, or ICMP |
| Is Public | Whether the subnet or VPC has internet routing |
### Data Node Properties
| Property | Description |
|---|---|
| Encrypted | Whether data at rest is encrypted |
| Encryption Key | Key vault or KMS key used for encryption |
| Public Access | Whether the resource allows public/anonymous access |
| Backup Enabled | Whether automated backups are configured |
| Sensitivity | Data classification level if known |
### Credential Node Properties
| Property | Description |
|---|---|
| Credential Type | SSH Key, API Key, Access Token, or generic Credential |
| Age | How old the credential is (days) |
| Last Rotated | When the credential was last rotated |
| Is Plaintext | Whether the credential is stored in plaintext |
| Associated Identity | The identity this credential belongs to |
## Connections
The Connections section shows all incoming and outgoing edges for the selected node.
### Incoming Edges
Resources that connect to this node. Each entry shows:
- Source node: The node on the other end of the edge (click to navigate)
- Edge type: The relationship type (e.g., CanReach, HasCredential)
- Weight: Exploit probability for this edge
- Port/Protocol: For network edges, the specific port and protocol
### Outgoing Edges
Resources that this node connects to. Same fields as incoming edges but in the other direction.
::: tip
The connection count is shown as a badge next to the section header (e.g., "Incoming (7)"). High connection counts on IAM nodes or credential stores often indicate overprivileged resources.
:::
## Vulnerabilities
If the node has known vulnerabilities, they are listed in the Vulnerabilities section.
Each vulnerability shows:
| Field | Description |
|---|---|
| CVE ID | The CVE identifier (e.g., CVE-2024-38063) |
| CVSS Score | Common Vulnerability Scoring System severity (0.0 -- 10.0) |
| EPSS Score | Exploit Prediction Scoring System probability (0.0 -- 1.0) -- the likelihood of exploitation in the next 30 days |
| CISA KEV | Whether this CVE appears in the CISA Known Exploited Vulnerabilities catalog |
| Has RCE | Whether the vulnerability enables remote code execution |
| Affected Package | The software package that contains the vulnerability |
| Installed Version | The version currently installed on the asset |
| Fixed Version | The version that fixes the vulnerability (if known) |
### CISA KEV
CVEs in the CISA Known Exploited Vulnerabilities (KEV) catalog have been confirmed as actively exploited in the wild. These should be treated as high priority regardless of CVSS score.
### EPSS Scoring
The EPSS score is a probability (0.0 to 1.0) representing the likelihood that a vulnerability will be exploited in the wild in the next 30 days. AttackLens uses EPSS to adjust edge weights in the attack graph:
- EPSS > 0.5: High exploitation likelihood; edge weights are multiplied by 1.2
- EPSS > 0.1: Moderate exploitation likelihood; standard weight applied
- EPSS < 0.1: Low exploitation likelihood; may still be relevant in context
## Capabilities
The Capabilities section lists which attack capabilities from the AttackLens catalog matched this node. Each capability represents a known attack technique.
| Field | Description |
|---|---|
| Capability Name | Descriptive name (e.g., SSH_PasswordBruteForce, AzureOwnerRoleAbuse) |
| MITRE Technique | ATT&CK technique ID and tactic (e.g., T1021.004 -- Lateral Movement) |
| Exploitability | How easy this technique is to execute (0.0 -- 1.0) |
| Confidence | Confirmed, Plausible, or Theoretical |
| Evidence | Human-readable explanation of why the capability matched |
::: info
Capabilities are evaluated from a catalog of 93 YAML-defined attack techniques. Each capability specifies prerequisite conditions (open ports, missing MFA, specific IAM permissions, etc.) that must all be true for the capability to match. This means every matched capability is backed by concrete evidence from your environment.
:::
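The all-prerequisites-must-hold rule, as an added example rather than AttackLens code: the catalog entries, the condition tuple shape and the operator names below are an assumed stand-in for the real YAML schema, and the node property dictionaries are constructed to mirror the Compute and IAM property tables above.

```python
# Constructed example of capability matching, not the AttackLens catalog or its YAML schema.
# Each capability lists prerequisite conditions (field, operator, expected value); ALL must
# hold against the node's properties for a match, and each one that holds becomes evidence.
CAPABILITIES = [
    {"name": "SSH_PasswordBruteForce", "mitre": "T1021.004", "tactic": "Lateral Movement",
     "exploitability": 0.6, "confidence": "Plausible",
     "conditions": [("allowed_ports", "contains", 22),
                    ("tags", "contains", "SSH_PASSWORD_AUTH_ENABLED"),
                    ("is_internet_facing", "equals", True)]},
    {"name": "ConsoleLoginWithoutMFA", "mitre": "T1078.004", "tactic": "Initial Access",
     "exploitability": 0.5, "confidence": "Plausible",
     "conditions": [("has_console_access", "equals", True),
                    ("has_mfa", "equals", False)]},
]

def _holds(props, field, op, expected):
    actual = props.get(field)  # a missing property never satisfies a condition
    if op == "equals":
        return actual == expected
    if op == "contains":
        return actual is not None and expected in actual
    raise ValueError(f"unknown operator {op!r}")

def match_capabilities(node_props, catalog=CAPABILITIES):
    """Return catalog entries whose prerequisites all hold for this node, with evidence."""
    matched = []
    for cap in catalog:
        evidence = []
        for field, op, expected in cap["conditions"]:
            if not _holds(node_props, field, op, expected):
                evidence = None  # one unmet prerequisite means no match at all
                break
            evidence.append(f"{field} {op} {expected!r} (observed {node_props.get(field)!r})")
        if evidence is not None:
            matched.append({"name": cap["name"],
                            "mitre": f"{cap['mitre']} -- {cap['tactic']}",
                            "exploitability": cap["exploitability"],
                            "confidence": cap["confidence"], "evidence": evidence})
    return matched

# Constructed nodes shaped like the page's Compute and IAM property tables.
INTERNET_SSH_HOST = {"is_internet_facing": True, "allowed_ports": [22, 443],
                     "tags": ["SSH_PASSWORD_AUTH_ENABLED", "FIREWALL_DISABLED"]}
INTERNAL_SSH_HOST = dict(INTERNET_SSH_HOST, is_internet_facing=False)  # one prerequisite fails
NO_MFA_ADMIN = {"identity_type": "User", "has_console_access": True, "has_mfa": False,
                "tags": ["NO_MFA"]}
```

The internal host shares every other attribute with the internet-facing one, yet matches nothing, which is the point of the all-conditions rule.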
## Graph Tags
Tags provide additional context about the node's security posture. Tags come from two sources:
### Finding Tags (Rule-Based)
Tags derived from policy rule evaluations. Examples:
- `SSH_PASSWORD_AUTH_ENABLED` -- SSH allows password authentication
- `RDP_ENABLED` -- Remote Desktop Protocol is active
- `FIREWALL_DISABLED` -- Host firewall is not running
- `NO_MFA` -- Multi-factor authentication is not configured
### IAM Context Tags (Derived)
Tags computed from the node's IAM properties:
- `HAS_WILDCARD_ACTIONS` -- IAM policy contains `Action: "*"` permissions
- `HAS_ADMIN_POLICY` -- Identity has an administrative policy attached
- `HAS_DANGEROUS_ACTIONS` -- Identity can perform high-risk operations (`iam:CreateUser`, `sts:AssumeRole`, etc.)
- `HAS_ACTIVE_ACCESS_KEYS` -- API access keys are active
- `HAS_CONSOLE_ACCESS` -- Identity can access the cloud management console
- `HAS_DATA_PLANE_ACCESS` -- Identity can access data in storage or databases
## Blast Radius
Click Blast Radius in the node detail panel to see the potential impact if this node is compromised. The blast radius uses a breadth-first search from the selected node to calculate:
- Affected nodes by depth: How many resources are reachable at each hop distance (1 hop, 2 hops, etc.)
- Critical assets reached: How many crown jewel or high-sensitivity assets are within reach
- Data stores reached: How many databases, storage accounts, or key vaults are accessible
## What-If Simulation
Click What-If to simulate what would happen if this node were remediated (e.g., patched, hardened, or decommissioned). The simulation re-runs the attack analysis without this node and shows:
- Risk reduction %: How much the overall risk score drops
- Eliminated paths: Number of attack paths that no longer exist
- Toxic combination change: How many toxic combinations are resolved
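Both computations, the Blast Radius breadth-first search and the What-If re-run without the node, as an added example that is not AttackLens code. The graph, node types and criticality flags are constructed; the risk score and toxic-combination metrics are not modelled here, so What-If reports eliminated paths only.

```python
from collections import Counter, deque

# Constructed sample graph, not AttackLens data. Edge direction matches the page's
# Outgoing Edges: an entry under "out" means an attacker at this node can reach it.
GRAPH = {
    "web-vm": {"type": "CloudVM", "critical": False, "out": ["app-vm", "svc-principal"]},
    "app-vm": {"type": "CloudVM", "critical": False, "out": ["orders-db"]},
    "svc-principal": {"type": "ServicePrincipal", "critical": False, "out": ["keyvault", "app-vm"]},
    "keyvault": {"type": "KeyVault", "critical": True, "out": ["customer-storage"]},
    "orders-db": {"type": "Database", "critical": True, "out": []},
    "customer-storage": {"type": "StorageAccount", "critical": False, "out": []},
}
DATA_STORE_TYPES = {"Database", "StorageAccount", "KeyVault"}

def blast_radius(graph, start):
    """BFS from `start`; returns (nodes reached per hop depth, critical assets, data stores)."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in graph[cur]["out"]:
            if nxt not in depth:  # first visit is the shortest hop distance
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    reached = [n for n in depth if n != start]
    by_depth = Counter(depth[n] for n in reached)
    critical = sum(1 for n in reached if graph[n]["critical"])
    data_stores = sum(1 for n in reached if graph[n]["type"] in DATA_STORE_TYPES)
    return by_depth, critical, data_stores

def attack_paths(graph, entry_points, targets, removed=None):
    """Enumerate simple entry->target paths, optionally with one remediated node removed."""
    paths = []
    def walk(node, path):
        if node in targets:
            paths.append(path)
        for nxt in graph[node]["out"]:
            if nxt != removed and nxt not in path:  # skip remediated node, avoid cycles
                walk(nxt, path + [nxt])
    for entry in entry_points:
        if entry != removed:
            walk(entry, [entry])
    return paths

def what_if(graph, entry_points, targets, node):
    """Re-run the path analysis without `node` and report how many paths are eliminated."""
    before = len(attack_paths(graph, entry_points, targets))
    after = len(attack_paths(graph, entry_points, targets, removed=node))
    return {"paths_before": before, "paths_after": after, "eliminated_paths": before - after}
```

Running `what_if` on `svc-principal` versus `app-vm` shows why the service principal is the better remediation candidate here: removing it eliminates three of the four paths, the VM only two.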
::: tip
What-If simulation is a powerful tool for justifying remediation effort to stakeholders. Run it on a proposed fix before committing resources to show the quantified security improvement.
:::
## Next Steps
- View Attack Paths -- See attack paths involving this node
- Understand Chokepoints -- Check if this node is a chokepoint
- Understand Toxic Combinations -- See if this node is part of a toxic pattern