Understand Chokepoints
Chokepoints are nodes in the attack graph where multiple attack paths converge. Remediating a chokepoint breaks many paths simultaneously, making chokepoints the highest-impact targets for security improvement.
What Is a Chokepoint
A chokepoint is a node that appears in a disproportionately high number of attack paths. Because multiple paths pass through it, hardening or removing the chokepoint eliminates all those paths at once.
Think of it like a bridge over a river: many roads use that bridge, and closing it forces all traffic to find another route. In the attack graph, "closing" a chokepoint means the attacker cannot traverse those paths without finding an entirely different chain of exploits.
Minimum Path Threshold
A node qualifies as a chokepoint only if it appears in at least 3 attack paths (configurable in Attack Graph Settings). This prevents low-traffic nodes from appearing in the chokepoints list.
Common Chokepoint Patterns
| Pattern | Why It Becomes a Chokepoint |
|---|---|
| Jump server / bastion host | Connects two otherwise isolated network segments. All lateral movement between segments passes through it. |
| Shared service account | A single identity with broad permissions that multiple attack paths use for privilege escalation or credential access. |
| Subnet gateway | A NAT gateway, VPN endpoint, or VPC peering connection that is the only path between network zones. |
| Domain controller | AD domain controllers are natural chokepoints because all domain authentication and trust relationships flow through them. |
| Key vault / secret store | Centralized secret storage that multiple paths target for credential access. |
| Load balancer | A load balancer fronting multiple backend services acts as a funnel point. |
| Managed identity | A cloud managed identity attached to multiple resources that grants broad access. |
| Overprivileged IAM role | An IAM role assumed by many identities, creating a convergence point in the IAM graph. |
Chokepoints List
The Chokepoints tab in the Attack Graph Explorer displays a table of all identified chokepoint nodes, ranked by impact.
Columns
| Column | Description |
|---|---|
| Node | The resource acting as a chokepoint, with type icon and label. Click to open Node Details. |
| Type | The node type (e.g., Host, CloudVM, ServicePrincipal, Subnet) |
| Paths Through | The number of attack paths that pass through this node |
| Impact % | The percentage of all attack paths that would be eliminated by remediating this node |
| Risk Reduction | The estimated reduction in the average risk score if this node is hardened |
| Provider | AWS, Azure, GCP, or On-Premises |
Sorting
By default, chokepoints are sorted by Paths Through descending (most-traversed chokepoints first). Click any column header to change the sort.
How Chokepoints Are Calculated
The ChokePointAnalyzer examines all attack paths and counts how many times each node appears as an intermediate hop:
- For each attack path, every intermediate node (excluding the entry point and target) is tallied
- Nodes that appear in fewer than the minimum threshold (default: 3 paths) are discarded
- The remaining nodes are ranked by path count
- Impact percentage is calculated as: (paths through node / total paths) * 100
- Risk reduction is estimated by simulating the removal of each chokepoint
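The tally described above, as an added worked example (not the product's own ChokePointAnalyzer code): paths are lists of node ids from entry point to target, each with a risk score; the sample paths, the scores, and the assumption that "risk reduction" means the drop in the mean per-path risk score when the eliminated paths are treated as zero risk are all constructed for illustration.

```python
"""Chokepoint tally over a set of attack paths.

Added example, not the product's ChokePointAnalyzer. A path is a list of
node ids from entry point to target plus a risk score. The scoring model
for "risk reduction" below is an assumption made for this example.
"""
from collections import Counter

MIN_PATHS = 3  # default minimum path threshold (Attack Graph Settings)

# Constructed sample paths: (node ids from entry to target, risk score).
SAMPLE_PATHS = [
    (["internet", "web-01", "bastion", "dc-01"], 90),
    (["internet", "web-02", "bastion", "dc-01"], 85),
    (["internet", "vpn-gw", "bastion", "sql-01"], 70),
    (["internet", "vpn-gw", "bastion", "fileshare"], 55),
    (["internet", "web-01", "svc-account", "keyvault"], 80),
    (["internet", "web-02", "svc-account", "keyvault"], 75),
    (["phish-user", "wks-07", "svc-account", "dc-01"], 95),
    (["phish-user", "wks-07", "wks-08", "fileshare"], 40),
]


def tally_intermediate_nodes(paths):
    """Count, per node, how many paths use it as an intermediate hop.

    The entry point (first node) and target (last node) are excluded, and a
    node that occurs twice inside one path is counted once for that path.
    """
    counts = Counter()
    for nodes, _score in paths:
        counts.update(set(nodes[1:-1]))
    return counts


def find_chokepoints(paths, min_paths=MIN_PATHS):
    """Return chokepoints ranked by paths-through (ties broken by risk reduction).

    impact_pct     = paths through node / total paths * 100
    risk_reduction = drop in mean per-path risk when the node is removed and
                     the paths through it are treated as eliminated (risk 0);
                     this equals sum(risk of eliminated paths) / total paths.
                     (Assumed scoring model for this example.)
    """
    total = len(paths)
    if total == 0:
        return []
    counts = tally_intermediate_nodes(paths)
    results = []
    for node, n in counts.items():
        if n < min_paths:
            continue  # below the minimum path threshold: not a chokepoint
        eliminated_risk = sum(
            score for nodes, score in paths if node in nodes[1:-1]
        )
        results.append({
            "node": node,
            "paths_through": n,
            "impact_pct": n / total * 100,
            "risk_reduction": eliminated_risk / total,
        })
    results.sort(key=lambda r: (r["paths_through"], r["risk_reduction"]),
                 reverse=True)
    return results


if __name__ == "__main__":
    for cp in find_chokepoints(SAMPLE_PATHS):
        print(f"{cp['node']:<12} paths={cp['paths_through']} "
              f"impact={cp['impact_pct']:.1f}% "
              f"risk_reduction={cp['risk_reduction']:.2f}")
```

With the sample above, only bastion (4 of 8 paths) and svc-account (3 of 8) clear the default threshold of 3; web-01, web-02, vpn-gw and wks-07 each sit on two paths and are dropped, which is the behaviour the threshold is meant to produce. Lowering min_paths to 2 brings those four back into the list, so the threshold is worth revisiting in small environments where few paths exist in total.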
TIP
A chokepoint with an impact of 40% means remediating it would eliminate 40% of all attack paths in your environment. That single action is worth more than patching dozens of individual vulnerabilities that each appear in only one path.
Reading the Impact Metric
The impact percentage answers the question: "If I fix this one node, what fraction of the attack paths currently in the graph disappears?" It is a count of paths, not a measure of their severity: a low-risk path and a critical path each count once. Read it together with the Risk Reduction column, which weights paths by their risk score.
| Impact % | Interpretation | Priority |
|---|---|---|
| 50% or higher | Critical chokepoint. Remediating this node eliminates half or more of all attack paths. | Immediate action required |
| 25% -- 49% | High-impact chokepoint. Significant portion of attack paths depend on this node. | High priority |
| 10% -- 24% | Moderate chokepoint. Meaningful but not dominant in the path landscape. | Medium priority |
| Below 10% | Minor chokepoint. Appears in several paths but not a dominant convergence point. | Lower priority, but still more impactful than non-chokepoint nodes |
Paths Through Detail
Click a chokepoint row to expand the detail view and see the specific attack paths that pass through it:
- Path list: All attack paths using this chokepoint, with risk scores and confidence levels
- Entry points: Which entry points feed into this chokepoint
- Targets: Which targets are reached via this chokepoint
- Role in path: Whether the chokepoint is near the entry point (early hop), in the middle, or near the target (late hop)
Position Matters
A chokepoint that appears early in paths (close to entry points) is often a network-level bottleneck. A chokepoint that appears late (close to targets) is often a credential or privilege convergence point. Both are valuable remediation targets, but the remediation action differs -- network segmentation for early chokepoints, access control for late ones.
Blast Radius from a Chokepoint
Click the Blast Radius button on any chokepoint to see what an attacker could reach if they compromise it:
- Depth 1: Resources directly connected to the chokepoint
- Depth 2: Resources two hops away
- Depth 3+: Progressively deeper reach
- Critical assets reached: How many crown jewels are within the blast radius
- Data stores reached: Databases, storage accounts, and key vaults within reach
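The blast radius view above, as an added example (not the product's own implementation): a breadth-first walk from the chokepoint over the directed edges of the attack graph, bucketing reached nodes by shortest hop count and then intersecting the reached set with the critical-asset and data-store sets. The edges, node classifications and depth limit are constructed for illustration.

```python
"""Blast radius from a chokepoint by breadth-first search.

Added example, not the product's own code. Edges are directed
(source -> destination) attacker moves; depth is the shortest number of
hops from the chokepoint. Sample graph and asset sets are constructed.
"""
from collections import defaultdict

# Constructed sample edges of an attack graph.
SAMPLE_EDGES = [
    ("internet", "web-01"), ("internet", "web-02"), ("internet", "vpn-gw"),
    ("web-01", "bastion"), ("web-02", "bastion"), ("vpn-gw", "bastion"),
    ("bastion", "dc-01"), ("bastion", "sql-01"), ("bastion", "app-01"),
    ("app-01", "keyvault"), ("dc-01", "fileshare"), ("sql-01", "backup-store"),
    ("fileshare", "hr-db"), ("hr-db", "fileshare"),  # a cycle, to show dedup
]
# Constructed classifications ("crown jewels" and data stores).
CRITICAL_ASSETS = {"dc-01", "keyvault", "hr-db"}
DATA_STORES = {"sql-01", "keyvault", "fileshare", "backup-store", "hr-db"}


def blast_radius(edges, start, max_depth=3,
                 critical_assets=CRITICAL_ASSETS, data_stores=DATA_STORES):
    """Nodes reachable from `start` within `max_depth` hops, grouped by depth.

    Returns {"by_depth": {1: [...], 2: [...], ...},
             "critical_assets": [...], "data_stores": [...]}.
    A node is reported only at its shortest depth; cycles are handled by the
    `seen` set, so the walk always terminates.
    """
    adjacency = defaultdict(list)
    for src, dst in edges:
        adjacency[src].append(dst)

    seen = {start}
    frontier = [start]
    by_depth = {}
    for depth in range(1, max_depth + 1):
        next_frontier = []
        for node in frontier:
            for neighbour in adjacency.get(node, ()):
                if neighbour not in seen:
                    seen.add(neighbour)
                    next_frontier.append(neighbour)
        if not next_frontier:
            break  # nothing new to reach: stop before max_depth
        by_depth[depth] = sorted(next_frontier)
        frontier = next_frontier

    reached = seen - {start}
    return {
        "by_depth": by_depth,
        "critical_assets": sorted(reached & critical_assets),
        "data_stores": sorted(reached & data_stores),
    }


if __name__ == "__main__":
    result = blast_radius(SAMPLE_EDGES, "bastion")
    for depth, nodes in result["by_depth"].items():
        print(f"depth {depth}: {', '.join(nodes)}")
    print("critical assets reached:", result["critical_assets"])
    print("data stores reached:", result["data_stores"])
```

From bastion the sample reaches three nodes at depth 1, three more at depth 2 and hr-db only at depth 3, so a depth limit of 2 would under-report one crown jewel. Because the walk follows edge direction, it answers "what can the attacker reach from here", not "who can reach here"; the latter is what the Paths Through detail shows.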
Chokepoints and Remediation
Chokepoints are the foundation of the remediation priority list. The remediation engine weighs chokepoint impact heavily when ranking actions, because:
- Fixing a chokepoint has a multiplier effect: one action eliminates many paths
- Chokepoints represent architectural weaknesses, not just individual misconfigurations
- Remediating chokepoints often involves structural changes (network segmentation, least-privilege access) that improve security broadly
Typical Remediation Actions for Chokepoints
| Chokepoint Type | Remediation Actions |
|---|---|
| Jump server / bastion | Harden the host, restrict SSH/RDP access to specific source IPs, enforce MFA, reduce installed packages |
| Shared service account | Split into per-service identities, apply least-privilege policies, enable MFA where the account is used interactively |
| Subnet gateway | Add network security groups, restrict allowed traffic, segment into smaller subnets |
| Domain controller | Restrict Kerberos delegation, enable advanced audit logging, monitor for DCSync |
| Key vault | Enable access policies, rotate secrets, restrict access to specific identities |
| Managed identity | Reduce role assignments, limit scope to specific resources instead of resource groups |
Next Steps
- Understand Toxic Combinations -- Some chokepoints participate in toxic patterns
- Prioritize Remediation -- See the full ranked action plan
- Analyze an Attack Path -- Drill into a specific path through a chokepoint