What Is an Attack Graph?

An attack graph is a directed graph where every confirmed finding is a node and every exploitation relationship is an edge. It shows how individual vulnerabilities connect into multi-step attack paths — from initial access through lateral movement to final impact.

PhantomYerra maintains the attack graph live throughout the engagement. Every time a new finding is confirmed, the graph is updated immediately. New edges may connect previously isolated findings into chains. These graph updates feed directly into the AI Pivot Decision engine (Stage 6), which may reprioritize the entire attack plan based on newly discovered paths.

Key insight: Individual findings tell you what is broken. The attack graph tells you what an attacker can do with what is broken. A medium-severity SSRF becomes critical when it chains with an internal service to achieve remote code execution.

Example Attack Graph

[Public Web App] --exploits--> [SQL Injection] --enables--> [DB Credentials] --escalates_to--> [Admin Access] --exfiltrates_via--> [Full Data Breach]

[Public API] --exploits--> [SSRF] --enables--> [Internal Service] --escalates_to--> [Remote Code Exec]

[Login Page] --exploits--> [Auth Bypass] --enables--> [Admin Panel] --exploits--> [File Upload RCE] --escalates_to--> [Server Compromise]

Legend (node types): Entry Point, Vulnerability, Pivot Point, Escalation, Objective / Impact

Node Types

Entry Point

Initial access vector: a public web endpoint, an exposed API, a login page, or any surface accessible to an attacker without prior authentication or exploitation.

Vulnerability

A confirmed vulnerability with evidence: SQL injection, XSS, SSRF, authentication bypass, or any other security flaw that has been validated with a proof-of-concept.

Pivot Point

A lateral movement opportunity discovered through chaining: internal services reached via SSRF, credentials extracted from one system used to access another, or network segments accessed through compromised hosts.

Escalation

A privilege escalation path: standard user to admin, application-level to OS-level, read access to write access, or any increase in the attacker's capability.

Objective

Final impact: full data breach, remote code execution, complete account takeover, service disruption, or any outcome that represents significant business impact.

Edge Types

Exploits

Finding A directly enables exploitation of Finding B. The edge represents a direct causal relationship: without A, B could not be reached.

Enables

Finding A provides the access or context needed for Finding B. The relationship may not be a direct exploit but creates the conditions for further testing.

Escalates To

Finding A provides a path to increased privileges or capabilities represented by Finding B. The attacker gains more power through this relationship.

Exfiltrates Via

Data exfiltration path: Finding A combined with Finding B enables extraction of sensitive data from the target environment.

Live Construction: Step-by-Step Scenario

This walkthrough shows how the attack graph is built incrementally during a real engagement. Each step represents a confirmed finding and the resulting graph update.

Step 1: Entry Point Identified

Surface mapping discovers the target's public web application at https://app.example.com. This becomes the first node in the graph.

Graph: [Public Web App] (1 node, 0 edges)

Step 2: SQL Injection Confirmed

The /api/search?q= parameter is confirmed vulnerable to boolean-based blind SQL injection. A new vulnerability node is added with an "exploits" edge from the entry point.

Graph: [Public Web App] --exploits--> [SQLi on /api/search] (2 nodes, 1 edge)

Step 3: Database Credentials Extracted

The AI depth-pivots on the confirmed SQLi, extracting database credentials from a configuration table. A pivot node is added.

Graph: [SQLi] --enables--> [DB Credentials Extracted] (3 nodes, 2 edges)

Step 4: Admin Access Achieved

Extracted credentials match an admin account. The AI tests the admin login and confirms access. An escalation node is added.

Graph: [DB Credentials] --escalates_to--> [Admin Panel Access] (4 nodes, 3 edges)

Step 5: SSRF Discovered (Parallel Path)

Meanwhile, a separate test confirms SSRF on the public API. This creates a second attack path in the graph, independent of the SQLi chain.

Graph: [Public API] --exploits--> [SSRF on /api/fetch] (6 nodes, 4 edges, 2 paths)

Step 6: Chain Pivot — SSRF Reaches Internal Service

The AI chain-pivots: can the SSRF reach the same internal services the admin panel accesses? It confirms the SSRF can reach an internal admin API, creating a cross-link between the two paths.

Graph: [SSRF] --enables--> [Internal Admin API] --escalates_to--> [Admin Panel Access] (converged paths)

Step 7: Full Impact Assessed

The graph now shows two independent paths to admin access: (1) SQLi chain, (2) SSRF chain. Both converge on the same objective. The AI assesses business impact: full data breach possible via either path.

Graph: 2 attack paths confirmed, both leading to full data breach (8 nodes, 7 edges)

Attack Graph in Reports

The final report includes the complete attack graph as both a visual diagram and a narrative walkthrough. The executive summary uses the graph to communicate business impact: "Two independent attack paths lead to full data breach. Remediating either the SQL injection or the SSRF alone is insufficient — both must be fixed."

Report Section          | How the Graph Is Used
------------------------+---------------------------------------------------------------------------------
Executive Summary       | High-level attack path visualization showing business impact
Technical Findings      | Each finding references its position in the graph and its connections
Attack Chain Narrative  | Step-by-step walkthrough of each path from entry to objective
Remediation Priority    | Graph analysis identifies which findings, if fixed, break the most attack paths
Risk Assessment         | Number of paths to critical objectives quantifies overall risk

Remediation insight: The attack graph enables prioritized remediation. Instead of fixing findings by CVSS score alone, the graph shows which findings are load-bearing in attack chains. Fixing a medium-severity finding that appears in 5 attack paths may be more impactful than fixing a high-severity finding that appears in none.
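Worked example, added here and not part of PhantomYerra's own code: a small Python model of the walkthrough graph above (Steps 1 to 7) that enumerates every entry-to-objective path and ranks findings by how many paths a single fix removes, which is the "load-bearing" analysis the remediation insight describes. Node names are the ones from the walkthrough; the edge list, the `fixed` parameter and the function names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample: the seven-step walkthrough above encoded as
# (source, edge_type, target) triples, in the order they were confirmed.
EDGES = [
    ("Public Web App", "exploits", "SQLi on /api/search"),
    ("SQLi on /api/search", "enables", "DB Credentials Extracted"),
    ("DB Credentials Extracted", "escalates_to", "Admin Panel Access"),
    ("Public API", "exploits", "SSRF on /api/fetch"),
    ("SSRF on /api/fetch", "enables", "Internal Admin API"),
    ("Internal Admin API", "escalates_to", "Admin Panel Access"),
    ("Admin Panel Access", "exfiltrates_via", "Full Data Breach"),
]
ENTRY_POINTS = frozenset({"Public Web App", "Public API"})
OBJECTIVES = frozenset({"Full Data Breach"})

def build_graph(edges):
    """Adjacency list: node -> [(edge_type, successor)]. Every node gets a key."""
    adj = defaultdict(list)
    for src, kind, dst in edges:
        adj[src].append((kind, dst))
        adj.setdefault(dst, [])
    return dict(adj)

def attack_paths(adj, entries, objectives, fixed=frozenset()):
    """All entry->objective paths, treating nodes in `fixed` as remediated."""
    paths = []

    def walk(node, trail):
        trail = trail + [node]
        if node in objectives:
            paths.append(trail)
            return
        for _, nxt in adj.get(node, []):
            if nxt not in fixed and nxt not in trail:  # skip fixed nodes and cycles
                walk(nxt, trail)

    for entry in sorted(entries - fixed):
        walk(entry, [])
    return paths

def remediation_priority(adj, entries, objectives):
    """Rank findings by how many attack paths a fix to that single node removes."""
    baseline = len(attack_paths(adj, entries, objectives))
    findings = set(adj) - entries - objectives
    broken = {f: baseline - len(attack_paths(adj, entries, objectives, {f}))
              for f in findings}
    return sorted(broken.items(), key=lambda kv: (-kv[1], kv[0]))
```

On this graph `remediation_priority` ranks the converged Admin Panel Access node first (it sits on both paths), while fixing the SQLi or the SSRF alone removes only one of the two paths, matching the report's remediation statement.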