Attack Path Decision Graph

Maps cloud exposure chains, prioritizes risk by business impact, and guides remediation decisions without alert noise.

What the decision engine uses

The attack path decision graph combines seven types of cloud evidence:

  1. Cloud metadata — resources, configurations, tags, and lifecycle
  2. Identity relationships — roles, permissions, trust chains
  3. Network exposure — public endpoints, security rules, routing
  4. Security findings — CSPM results, misconfigurations, control gaps
  5. Data classification — sensitivity, storage types, replication scope
  6. Workload context — application tiers, dependencies, criticality
  7. Business context — crown jewels, compliance scope, risk appetite

What customers get

The decision graph produces seven types of deliverables:

  1. Attack paths — exposure sequences that could reach high-value assets
  2. Crown-jewel exposure — reachability analysis from current vectors
  3. Identity risk — over-privileged, exposed, or lateral-movement identities
  4. Data exposure — sensitive stores and potential access paths
  5. Remediation priorities — ranked actions by risk reduction per effort
  6. Risk reduction tracking — progress on exposure, paths, and identity risk
  7. Compliance evidence — control status and remediation linked to frameworks

Important limitations

Attack paths are decision-support evidence based on available cloud metadata, configuration, identity relationships, and business context. Review them as exposure chains, not as proof of exploitation. Accuracy depends on:

  • Granted cloud permissions and API visibility
  • Third-party federation or cross-tenant trust (not always visible)
  • Runtime behavior and zero-day exploits (not modeled)
  • Application-layer authorization (outside cloud IAM scope)
  • Connected cloud scope and accuracy of business context

Ready to see your attack paths?

Start with a pilot to explore exposed paths in your environment.