Attack Graph Settings
The Attack Graph Settings page controls how AttackLens builds, scores, and filters the attack graph. These settings directly affect which nodes and edges appear in the graph, how risk scores are calculated, and when the graph is recomputed.
INFO
Requires Admin role or higher.
Accessing Attack Graph Settings
Navigate to Settings > Attack Graph in the left sidebar.
Computation Settings
These settings control when and how the attack graph is built.
Auto-Rebuild
When enabled, the attack graph is automatically rebuilt whenever new data arrives that could change the graph -- such as a completed discovery sync, new sensor data, or updated vulnerability correlations.
| Option | Behavior |
|---|---|
| Enabled (default) | The graph rebuilds automatically after relevant data changes. This ensures the graph always reflects the latest state of your environment. |
| Disabled | The graph only rebuilds when you manually trigger it from the Attack Graph Explorer. Use this if you want full control over when computation happens, or if your environment is very large and you want to schedule rebuilds during off-peak hours. |
Rebuild Interval
The minimum time between automatic rebuilds, in minutes. This prevents the graph from rebuilding too frequently when multiple data sources update in rapid succession.
| Setting | Default | Range |
|---|---|---|
| Rebuild interval | 30 minutes | 5 - 1440 minutes (1 day) |
TIP
For environments with fewer than 1,000 assets, the default 30-minute interval works well. For larger environments (5,000+ assets), consider increasing this to 60-120 minutes to reduce computational load.
Max Path Length
The maximum number of hops (edges) that the path-finding algorithm will explore when calculating attack paths. Longer paths may reveal more complex multi-step attacks but increase computation time.
| Setting | Default | Range |
|---|---|---|
| Max path length | 10 | 3 - 25 |
- Lower values (3-5): Faster computation, shows only short attack chains. Good for focused analysis of direct threats.
- Default (10): Balanced. Captures most realistic multi-step attack scenarios.
- Higher values (15-25): Finds longer, more complex attack chains. Useful for advanced threat modeling but increases computation time significantly.
WARNING
Setting the max path length above 15 can significantly increase graph computation time, especially in large environments. Only increase this value if you have a specific need to analyze deep multi-step attack chains.
K-Shortest Paths
The number of alternative attack paths to calculate between each source-target pair. AttackLens uses Yen's K-Shortest Paths algorithm to find not just the optimal path but multiple alternative routes an attacker could take.
| Setting | Default | Range |
|---|---|---|
| K paths | 5 | 1 - 20 |
- 1: Only the shortest (highest-risk) path is calculated.
- 5 (default): The top 5 paths are calculated, giving a broader view of the attack surface.
- 10-20: Comprehensive path analysis. Useful for identifying chokepoints that appear across many alternative paths.
Scoring Settings
These settings control how risk scores are calculated for nodes, edges, and attack paths.
Edge Weight Source
Determines where edge weights (the "cost" of traversing an edge in the graph) come from:
| Option | Description |
|---|---|
| Feed-provided weights (default) | Edge weights are loaded from the AttackLens feed, which provides curated weights based on real-world attack data and threat intelligence. These weights are updated automatically when the feed syncs. |
| Default weights | All edges use a uniform default weight. Use this only for testing or if you want all edges to be treated equally. |
Vulnerability Scoring Weights
Configure how much weight each vulnerability scoring factor contributes to the overall risk score of a node:
| Factor | Description | Default Weight |
|---|---|---|
| CVSS | The Common Vulnerability Scoring System base score (0-10). Higher scores indicate more severe vulnerabilities. | 0.4 |
| EPSS | The Exploit Prediction Scoring System probability (0-1). Represents the likelihood that the vulnerability will be exploited in the wild within 30 days. | 0.35 |
| CISA KEV | Whether the vulnerability appears on the CISA Known Exploited Vulnerabilities catalog. KEV vulnerabilities have confirmed real-world exploitation. | 0.25 |
The weights must sum to 1.0. Adjust these to reflect your organization's risk priorities:
- Increase EPSS weight if you want to prioritize vulnerabilities likely to be exploited soon.
- Increase KEV weight if you want to prioritize vulnerabilities that are already being actively exploited.
- Increase CVSS weight if you want to prioritize based on theoretical severity regardless of exploitation likelihood.
Asset Criticality Impact
Controls how an asset's criticality level affects attack path risk scores. Assets marked as critical (e.g., database servers, domain controllers) increase the risk score of any attack path that targets them.
| Option | Description |
|---|---|
| Enabled (default) | Asset criticality is factored into path risk scoring. Paths targeting critical assets receive higher risk scores. |
| Disabled | Asset criticality is ignored in path risk scoring. All assets are treated equally. |
When enabled, the following criticality multipliers are applied:
| Asset Criticality | Risk Multiplier |
|---|---|
| Critical | 2.0x |
| High | 1.5x |
| Medium | 1.0x (no adjustment) |
| Low | 0.75x |
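The sketch below is an added example, not AttackLens code. It shows how changing the scoring weights can flip which vulnerability ranks first, and how the criticality multiplier scales a path score. The linear formula (CVSS normalized to 0-1, KEV counted as 0 or 1), the function names, and the sample vulnerabilities are assumptions; this page does not give the product's actual formula.

```python
import math

# Values taken from the tables on this page.
DEFAULT_WEIGHTS = {"cvss": 0.4, "epss": 0.35, "kev": 0.25}
CRITICALITY_MULTIPLIER = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.75}

# Constructed sample data (placeholder ids, not real CVEs).
VULNS = [
    {"id": "vuln-A", "cvss": 9.8, "epss": 0.02, "kev": False},  # severe, rarely exploited
    {"id": "vuln-B", "cvss": 6.5, "epss": 0.60, "kev": True},   # moderate, actively exploited
]

def validate_weights(weights):
    """Reject weight sets that do not cover the three factors or do not sum to 1.0."""
    if set(weights) != {"cvss", "epss", "kev"}:
        raise ValueError("weights must define exactly cvss, epss and kev")
    if any(not 0.0 <= w <= 1.0 for w in weights.values()):
        raise ValueError("each weight must be between 0 and 1")
    if not math.isclose(sum(weights.values()), 1.0, abs_tol=1e-9):
        raise ValueError("weights must sum to 1.0")

def vuln_score(vuln, weights=DEFAULT_WEIGHTS):
    """Assumed formula: weighted sum of the three factors, each scaled to 0-1."""
    validate_weights(weights)
    return (weights["cvss"] * vuln["cvss"] / 10.0
            + weights["epss"] * vuln["epss"]
            + weights["kev"] * (1.0 if vuln["kev"] else 0.0))

def rank(vulns, weights=DEFAULT_WEIGHTS):
    """Vulnerability ids ordered from highest to lowest score."""
    ordered = sorted(vulns, key=lambda v: vuln_score(v, weights), reverse=True)
    return [v["id"] for v in ordered]

def path_risk(base_score, target_criticality):
    """Assumed application of the multiplier: scale the path score by the target's criticality."""
    return base_score * CRITICALITY_MULTIPLIER[target_criticality]

if __name__ == "__main__":
    cvss_heavy = {"cvss": 0.9, "epss": 0.05, "kev": 0.05}
    print("default weights:", rank(VULNS))
    print("CVSS-heavy weights:", rank(VULNS, cvss_heavy))
    print("path to a critical asset:", path_risk(vuln_score(VULNS[1]), "critical"))
```

With the default weights the actively exploited vuln-B outranks the higher-CVSS vuln-A; shifting most of the weight to CVSS reverses the order.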
Filter Settings
These settings control which nodes and edges are included in the graph.
Excluded Node Types
Select node types to exclude from the attack graph entirely. Excluded nodes and all their edges are removed before path calculation begins. This is useful for:
- Removing noise from node types that are not relevant to your threat model.
- Focusing the graph on specific infrastructure layers.
Common exclusions:
- DNS records: Often create too many edges without adding security value.
- S3 buckets (if not internet-facing): Can be excluded to simplify cloud graphs.
TIP
Start with no exclusions and only add them if the graph becomes too noisy. Every excluded node type is a potential blind spot in your attack surface analysis.
Minimum Vulnerability Severity
Set the minimum CVSS severity threshold for vulnerabilities to be included in the graph. Vulnerabilities below this threshold are ignored when building HasVulnerability edges.
| Setting | Effect |
|---|---|
| None (default) | All vulnerabilities are included, regardless of severity. |
| Low (0.1-3.9) | Only Low severity and above are included. |
| Medium (4.0-6.9) | Only Medium severity and above are included. |
| High (7.0-8.9) | Only High and Critical vulnerabilities are included. |
| Critical (9.0-10.0) | Only Critical vulnerabilities are included. |
WARNING
Setting a high minimum severity will reduce graph complexity but may hide attack paths that chain multiple low-severity vulnerabilities. Multi-step attacks often exploit combinations of individually low-risk weaknesses.
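To make the interaction of Max Path Length, K paths, and Minimum Vulnerability Severity concrete, here is an added example (not AttackLens code) on a small constructed graph. It uses brute-force depth-limited enumeration in place of Yen's algorithm, which is only practical on a graph this small, and it simplifies HasVulnerability edges to a CVSS value attached to the edge a vulnerability enables; all node names and weights are assumptions.

```python
# Constructed sample graph: (source, target, edge weight, CVSS of the
# vulnerability the edge depends on, or None for non-vulnerability edges).
EDGES = [
    ("internet", "web", 1.0, None),
    ("web", "app", 1.0, 9.8),      # one critical vulnerability
    ("web", "jump", 2.0, 3.1),     # chain of low-severity weaknesses
    ("jump", "app", 1.0, 3.7),
    ("jump", "backup", 1.0, 2.9),
    ("backup", "db", 2.0, 3.5),
    ("app", "db", 1.0, None),
]

def k_paths(edges, src, dst, k, max_hops, min_cvss=0.0):
    """Return up to k cheapest loop-free paths of at most max_hops edges."""
    adj = {}
    for u, v, w, cvss in edges:
        if cvss is not None and cvss < min_cvss:
            continue  # below the minimum severity: the edge is never built
        adj.setdefault(u, []).append((v, w))
    found = []

    def walk(node, path, cost):
        if node == dst:
            found.append((cost, path))
            return
        if len(path) - 1 == max_hops:
            return  # hop budget spent without reaching the target
        for nxt, w in adj.get(node, []):
            if nxt not in path:  # keep paths loop-free
                walk(nxt, path + [nxt], cost + w)

    walk(src, [src], 0.0)
    return sorted(found)[:k]

def chokepoints(paths, src, dst):
    """Nodes other than the endpoints that every returned path crosses."""
    if not paths:
        return []
    common = set.intersection(*(set(p) for _, p in paths))
    return sorted(common - {src, dst})

if __name__ == "__main__":
    for cost, path in k_paths(EDGES, "internet", "db", k=5, max_hops=10):
        print(cost, " -> ".join(path))
    # Remediate the critical vulnerability, then compare the filtered and unfiltered views.
    patched = [e for e in EDGES if (e[0], e[1]) != ("web", "app")]
    print("Medium filter:", k_paths(patched, "internet", "db", 5, 10, min_cvss=4.0))
    print("No filter:", k_paths(patched, "internet", "db", 5, 10))
```

After the critical edge is remediated, the Medium threshold reports no path to `db`, while the unfiltered graph still contains two routes that chain only low-severity vulnerabilities.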
Saving Changes
After modifying any settings, click Save. If auto-rebuild is enabled, the graph will rebuild with the new settings on the next trigger. To see the changes immediately, navigate to the Attack Graph Explorer and click Rebuild Now.
Recommended Configurations
Small Environment (< 500 assets)
| Setting | Value |
|---|---|
| Auto-rebuild | Enabled |
| Rebuild interval | 15 minutes |
| Max path length | 10 |
| K paths | 5 |
| Edge weight source | Feed-provided |
| Min vulnerability severity | None |
Large Environment (5,000+ assets)
| Setting | Value |
|---|---|
| Auto-rebuild | Enabled |
| Rebuild interval | 120 minutes |
| Max path length | 8 |
| K paths | 3 |
| Edge weight source | Feed-provided |
| Min vulnerability severity | Medium |
Compliance-Focused
| Setting | Value |
|---|---|
| Auto-rebuild | Enabled |
| Rebuild interval | 60 minutes |
| Max path length | 10 |
| K paths | 10 |
| Edge weight source | Feed-provided |
| Asset criticality | Enabled |
| Min vulnerability severity | None |