View Attack Paths
The Paths tab in the Attack Graph Explorer lists all calculated routes an attacker could take from entry points to critical assets. Each path represents a chain of exploitable relationships that, if followed, would allow an adversary to reach a target.
What Is an Attack Path
An attack path is a sequence of connected steps through the graph:
- Entry point: Where the attacker gains initial access. Typically an internet-facing resource with a vulnerability, an exposed service, or a compromised credential.
- Intermediate hops: Lateral movement through network connections, credential access, privilege escalation, IAM role assumption, or trust relationships.
- Target: The critical asset the attacker ultimately reaches. Examples include databases with sensitive data, key vaults, secrets, admin accounts, and crown jewel assets.
How Paths Are Found
AttackLens uses Yen's K-Shortest Paths algorithm, with Dijkstra's algorithm as the shortest-path subroutine, to find up to 50 paths (configurable). Paths are limited to a maximum of 8 hops and are deduplicated by path signature. Edge weights encode how hard each step is to exploit, so the algorithm returns the easiest routes first. Both limits are worth keeping in mind during triage: a route that needs more than 8 hops, or that is not among the K cheapest, does not appear in the list even if the graph contains it.
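To make the search concrete, here is a small implementation of Yen's K-shortest loop-free paths with a Dijkstra subroutine, a hop limit and signature deduplication, run over a constructed five-node attack graph. This is an added illustration and not AttackLens code; the graph shape (`{node: {neighbour: weight}}`, lower weight meaning easier to exploit), the sample node names and the use of the node-id tuple as the path signature are all assumptions made for the example.

```python
"""Yen's K-shortest paths over a weighted attack graph (added example, not
AttackLens code). Assumed: graph = {node: {neighbour: weight}}, lower weight
means the step is easier to exploit, and the dedup signature is the tuple of
node ids on the path."""
import heapq
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[str, Dict[str, float]]
Path = Tuple[float, List[str]]  # (total cost, node sequence)


def dijkstra(graph: Graph, source: str, target: str,
             banned_nodes: Set[str], banned_edges: Set[Tuple[str, str]]) -> Optional[Path]:
    """Cheapest route from source to target that avoids banned nodes and edges."""
    dist = {source: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, source)]
    visited: Set[str] = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in visited:
            continue
        visited.add(u)
        if u == target:
            path = [u]
            while path[-1] != source:
                path.append(prev[path[-1]])
            return d, path[::-1]
        for v, w in graph.get(u, {}).items():
            if v in visited or v in banned_nodes or (u, v) in banned_edges:
                continue
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return None


def k_shortest_paths(graph: Graph, source: str, target: str,
                     k: int = 50, max_hops: int = 8) -> List[Path]:
    """Return up to k cheapest loop-free paths of at most max_hops edges,
    cheapest first, with each distinct path signature reported once."""
    first = dijkstra(graph, source, target, set(), set())
    if first is None or len(first[1]) - 1 > max_hops:
        return []
    accepted = [first]
    seen = {tuple(first[1])}          # signatures already accepted or queued
    candidates: List[Path] = []       # heap of (cost, path)
    while len(accepted) < k:
        _, last = accepted[-1]
        for i in range(len(last) - 1):
            spur = last[i]
            root = last[:i + 1]
            # Forbid every edge that an accepted path already takes out of this root,
            # and every root node except the spur node, so the spur path is new.
            banned_edges = {(p[i], p[i + 1]) for _, p in accepted
                            if p[:i + 1] == root and len(p) > i + 1}
            banned_nodes = set(root[:-1])
            spur_res = dijkstra(graph, spur, target, banned_nodes, banned_edges)
            if spur_res is None:
                continue
            spur_cost, spur_path = spur_res
            total_path = root[:-1] + spur_path
            sig = tuple(total_path)
            if sig in seen:
                continue
            seen.add(sig)
            if len(total_path) - 1 > max_hops:
                continue              # hop limit: drop, but remember the signature
            root_cost = sum(graph[root[j]][root[j + 1]] for j in range(len(root) - 1))
            heapq.heappush(candidates, (root_cost + spur_cost, total_path))
        if not candidates:
            break
        accepted.append(heapq.heappop(candidates))
    return accepted


# Constructed sample graph (not from the page): weights are exploitation cost.
ATTACK_GRAPH: Graph = {
    "internet":   {"web-vm": 1.0, "vpn-gw": 3.0},
    "web-vm":     {"app-server": 2.0, "jump-host": 4.0},
    "vpn-gw":     {"jump-host": 1.0},
    "jump-host":  {"db-server": 1.0, "app-server": 1.0},
    "app-server": {"db-server": 1.0},
    "db-server":  {},
}

if __name__ == "__main__":
    for cost, nodes in k_shortest_paths(ATTACK_GRAPH, "internet", "db-server"):
        print(f"{cost:4.1f}  {len(nodes) - 1} hops  {' -> '.join(nodes)}")
```

With the sample graph the search yields five distinct routes, cheapest first; lowering `max_hops` to 3 drops the two four-hop routes, which is exactly the kind of path that silently disappears from the Paths tab when the hop limit is reached.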
Attack Paths List
The Paths tab displays a table of all discovered attack paths, sorted by risk. Each row shows:
| Column | Description |
|---|---|
| Risk Score | Normalized score from 0 to 100, with severity badge (Critical, High, Medium, Low) |
| Confidence | Confirmed, Plausible, or Theoretical -- based on the share of the path's edges that are backed by capability evidence |
| Entry Point | The node where the path starts (click to view node details) |
| Target | The node where the path ends (click to view node details) |
| Hops | Number of steps in the path |
| Key Techniques | MITRE ATT&CK techniques used along the path |
Sorting
By default, paths are sorted by:
- Confidence: Confirmed paths first, then Plausible, then Theoretical
- Risk Score: Highest score first within the same confidence level
Click any column header to change the sort order.
Severity Filter
Use the severity filter buttons above the table to show only paths of a specific severity:
- All: Show all paths
- Critical (score 70+) -- Red badge
- High (score 50--69) -- Orange badge
- Medium (score 30--49) -- Yellow badge
- Low (score below 30) -- Blue badge
Path Risk Score
Each path receives an 8-factor decomposed risk score. The breakdown is visible when you click into a path detail:
| Factor | Weight | What It Measures |
|---|---|---|
| Exposure | High | How exposed the entry point is (internet-facing, public IP, open ports) |
| Privilege | High | Highest privilege level gained along the path (UserLevel through CloudAdmin) |
| Credential | Medium | Credential access opportunities -- plaintext credentials, SSH keys, API keys along the path |
| Data Sensitivity | Medium | Classification of the target asset (PII, financial, health, classified) |
| Path Length | Negative | Shorter paths receive higher scores -- fewer hops means easier exploitation |
| Finding Risk | Medium | Security findings (policy violations) present on nodes along the path |
| Patch Risk | Medium | Unpatched vulnerabilities along the path |
| Config Risk | Low | Misconfigurations on nodes along the path |
The factors are combined into a normalized score (0--100) and classified:
| Severity | Score Range |
|---|---|
| Critical | 70 and above |
| High | 50 -- 69 |
| Medium | 30 -- 49 |
| Low | Below 30 |
Path Confidence
Confidence indicates how much of the path is backed by real evidence from the capability catalog:
| Confidence | Proven Edge Ratio | Interpretation |
|---|---|---|
| Confirmed | 80% or more | The path relies primarily on edges matched to known attack techniques. Each proven edge has a MITRE ATT&CK mapping and evidence string. |
| Plausible | 40% -- 79% | A substantial portion of the path is evidence-backed, but some steps are inferred from network topology or structural relationships. |
| Theoretical | Below 40% | The path exists in the graph topology, but most steps are based on structural relationships rather than proven attack capabilities. |
Focus on Confirmed Paths First
Confirmed paths have the strongest evidence backing. When triaging, prioritize Confirmed paths before Plausible ones. Theoretical paths may warrant investigation but could represent connectivity that is harder to exploit in practice.
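The scoring, confidence and default triage order described above, worked through on four constructed paths. This is an added example, not AttackLens code: the severity cut-offs (70/50/30), the proven-edge-ratio cut-offs (80%/40%) and the Confidence-then-Risk-Score sort come from this page, while the numeric weights standing in for the page's High/Medium/Low/Negative labels, the `Edge` and `AttackPath` structures and the sample data are assumptions made for the illustration.

```python
"""Risk score, confidence and triage order for attack paths (added example,
not AttackLens code). Thresholds follow the page; the numeric factor weights
are an assumption standing in for the page's qualitative labels."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed numeric weights for the page's High / Medium / Low / Negative labels.
FACTOR_WEIGHTS = {
    "exposure": 3.0, "privilege": 3.0,                    # High
    "credential": 2.0, "data_sensitivity": 2.0,           # Medium
    "finding_risk": 2.0, "patch_risk": 2.0,               # Medium
    "config_risk": 1.0,                                   # Low
    "path_length": -2.0,                                  # Negative: more hops, lower score
}
MAX_HOPS = 8
CONFIDENCE_RANK = {"Confirmed": 0, "Plausible": 1, "Theoretical": 2}


@dataclass
class Edge:
    src: str
    dst: str
    technique: str = ""   # MITRE ATT&CK technique id; empty if the edge is only structural
    evidence: str = ""    # evidence string from the capability catalog; empty if none


@dataclass
class AttackPath:
    path_id: str
    edges: List[Edge]
    factors: Dict[str, float]   # each factor scored 0..1 by the collector (assumed)

    def proven_edge_ratio(self) -> float:
        proven = sum(1 for e in self.edges if e.technique and e.evidence)
        return proven / len(self.edges)


def risk_score(factors: Dict[str, float], hops: int) -> int:
    """Weighted sum of the 0..1 factors, normalized to 0..100 and clamped.
    Path length is derived from the hop count against the 8-hop limit."""
    f = dict(factors, path_length=hops / MAX_HOPS)
    raw = sum(FACTOR_WEIGHTS[name] * f.get(name, 0.0) for name in FACTOR_WEIGHTS)
    positive = sum(w for w in FACTOR_WEIGHTS.values() if w > 0)
    return max(0, min(100, round(100 * raw / positive)))


def severity(score: int) -> str:
    if score >= 70:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 30:
        return "Medium"
    return "Low"


def confidence(ratio: float) -> str:
    if ratio >= 0.8:
        return "Confirmed"
    if ratio >= 0.4:
        return "Plausible"
    return "Theoretical"


def triage(paths: List[AttackPath]) -> List[tuple]:
    """Default Paths-tab order: Confirmed before Plausible before Theoretical,
    highest risk score first within each confidence level."""
    rows = []
    for p in paths:
        score = risk_score(p.factors, len(p.edges))
        rows.append((p.path_id, confidence(p.proven_edge_ratio()), score, severity(score)))
    rows.sort(key=lambda r: (CONFIDENCE_RANK[r[1]], -r[2]))
    return rows


def _edges(total: int, proven: int) -> List[Edge]:
    """Constructed chain of `total` edges, the first `proven` with evidence."""
    return [Edge(f"n{i}", f"n{i + 1}", "T1021" if i < proven else "",
                 "assumed evidence" if i < proven else "") for i in range(total)]


# Constructed sample paths (not from the page).
SAMPLE_PATHS = [
    AttackPath("P1", _edges(3, 3), {"exposure": 1.0, "privilege": 0.7, "credential": 0.5,
                                    "data_sensitivity": 1.0, "finding_risk": 0.5, "patch_risk": 0.5}),
    AttackPath("P2", _edges(4, 2), {k: 1.0 for k in FACTOR_WEIGHTS if k != "path_length"}),
    AttackPath("P3", _edges(5, 1), {"exposure": 0.2, "privilege": 0.3}),
    AttackPath("P4", _edges(2, 2), {"exposure": 1.0, "privilege": 1.0, "credential": 0.5,
                                    "data_sensitivity": 1.0, "patch_risk": 1.0}),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_PATHS):
        print(row)
```

Note what the sort does with the sample: P2 has the highest score (93, Critical) but only half of its edges are evidence-backed, so it ranks below both Confirmed paths, including P1 at 62 (High). That is the intended behaviour of the default view; if you want to see the highest-scoring paths regardless of evidence, click the Risk Score column header.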
Filtering Paths by Asset
To see only attack paths involving a specific asset:
- Use the asset search field above the paths table
- Type the asset name, hostname, or IP
- The table filters to show paths where the asset appears as an entry point, target, or intermediate hop
Alternatively, from the Assets page, click View Attack Paths on any asset to navigate directly to a filtered view.
Entry Points and Targets
Common Entry Points
| Entry Point Type | Why It Is an Entry Point |
|---|---|
| Internet-facing VMs | Directly reachable from the internet (public IP, open ports) |
| Exposed web applications | Web services listening on public-facing ports |
| Public storage buckets | Storage with anonymous or public read access |
| Compromised credentials | Leaked or weak credentials (API keys, access tokens) |
| VPN endpoints | VPN gateways accessible from external networks |
Common Targets
| Target Type | Why It Is a Target |
|---|---|
| Databases | Store sensitive data (PII, financial records, health data) |
| Key Vaults / Secret Stores | Contain encryption keys, certificates, and secrets |
| Domain Controllers | Control Active Directory -- compromising these means full domain control |
| Admin accounts | High-privilege identities that can control the entire environment |
| Crown jewel assets | Resources explicitly marked as critical by your organization |
Next Steps
- Analyze an Attack Path -- Click into a specific path for step-by-step breakdown
- Understand Chokepoints -- Find nodes that appear across many paths
- Prioritize Remediation -- See which fixes break the most paths