ATTACK GRAPH CORE · MULTI-HOP PATH MODELING · REAL-TIME TRAVERSAL INTELLIGENCE

See exactly how attackers move across identity, cloud, and endpoints.

Spakto's Attack Graph Core ingests your environment's identity relationships, cloud configurations, network reachability, and asset trust to compute real, multi-hop attacker traversal paths — continuously updated as your environment changes.

Overview

Attackers see paths, not vulnerabilities

Three individually medium-severity findings combine into a direct route to your crown jewels. Attack Graph Core finds these chains before adversaries do.

[Figure: Graph topology overview · Spakto AGC v3.1.0 · live graph, 500K nodes. Live path topology of a sample environment; node labels EXT, INTERNET, WEB, AD, IAM, EC2, S3, DB, CROWN, ADM with technique tags T1190, T1078, TA0004 along the critical path. Legend: critical attack path · medium-risk edge · lateral path · crown jewel target.]
Core Capabilities

AGC-CAP-01 · Multi-hop attack path computation · algorithm: Dijkstra-AEV variant · max depth: 32 hops
AGC-CAP-02 · Cross-domain path mapping · AD → cloud IAM → SaaS → data stores · unified schema
AGC-CAP-03 · Real-time graph recalculation · trigger: any asset/identity/config change · latency: <14ms
AGC-CAP-04 · Toxic combination detection · chain scoring: P(exploit) × blast_radius × asset_criticality
AGC-CAP-05 · MITRE ATT&CK technique tagging · per-edge technique mapping · 300+ T-codes covered
AGC-CAP-06 · Blast radius analysis · output: affected_assets[] · lateral_reach_score · impact_tier

500K+ max nodes · 14ms traversal latency · 300+ MITRE T-codes
Graph Construction

Graph build pipeline

Four sequential phases ingest, model, analyze, and compute — producing a continuously updated attack graph that reflects your live environment state.

GRAPH CONSTRUCTION PIPELINE · 4-PHASE BUILD · CONTINUOUS REBUILD ON CHANGE

Phase 01 · IDENTITY · Identity Mapping

Enumerate users, service accounts, roles, group memberships, trust relationships, and privilege chains across all identity providers.

src: AD · Okta · Azure AD · AWS IAM
depth: full group-in-group traversal
output: identity_graph.json · SPN list
coverage: user + service + machine accounts
tags: AD · Okta · AWS IAM · CyberArk
OUTPUT → identity_graph.json

Phase 02 · NETWORK · Asset & Network Modeling

Map all assets, reachability between systems, network segmentation, VPC/VPN topology, and lateral movement potential.

ingestion: VPC flows · firewall rules · DNS
format: adjacency_matrix + reach_vectors
output: topology.graph · segment_map
lateral_move_score per subnet pair
tags: VPC · Subnet · Firewall · Zero Trust
OUTPUT → topology.graph

Phase 03 · CONFIG · Configuration Analysis

Ingest misconfigurations, over-permissioned roles, stale credentials, exposed services, and unpatched vulnerabilities.

checks: 1,400+ config rules evaluated
sources: CSPM · SAST · CVE feeds
output: vuln_edges[] · misconfiguration[]
correlation: CVE × network_reachability
tags: CSPM · CVE · IAM Drift · Secrets
OUTPUT → config_edges.json

Phase 04 · COMPUTE · Path Computation

Run graph traversal algorithms to compute all viable attacker paths and rank them by exploitability and blast radius.

algorithm: Dijkstra-AEV · BFS toxic-chain
output: ranked_paths[] · blast_radius[]
latency: <14ms traversal p99
MITRE T-code assigned per edge
tags: Dijkstra-AEV · Blast Radius · MITRE · Ranking
OUTPUT → attack_paths.json

Data flow: raw_telemetry{} → identity_graph.json → topology.graph + config_edges.json → attack_paths.json
Graph Models

Five domains, one unified graph

Each domain is modeled as a typed subgraph with domain-specific edge semantics — all merged into a single traversal-ready adjacency structure at query time.

DOMAIN COVERAGE MATRIX · 5 SUBGRAPH SCHEMAS · UNIFIED ADJACENCY · schema: AGC-DOMAIN-v3.1

DM-01 · Identity & Privileges

Full enumeration of identity principals, privilege chains, and trust delegation — on-prem and cloud unified.

AD users/groups + service accounts
JWT tokens · OAuth scopes · SAML assertions
Kerberos delegations · SPNs · constrained/unconstrained
AWS/Azure/GCP IAM roles + assume-role chains
Privilege escalation paths · shadow admin detection
node_type: USER|SVC_ACCT|ROLE|GROUP|TRUST
edge_type: MEMBER_OF|HAS_ROLE|CAN_ASSUME|DELEGATES_TO
integrations: AD · Okta · Entra ID · CyberArk
DM-02 · Cloud Infrastructure

Cloud-native IAM, resource relationships, cross-account trust, and data store exposure across AWS, Azure, GCP.

IAM roles + resource policies + assume-role chains
S3/Blob/GCS exposure + public-access policies
Lambda/Functions execution roles + event triggers
EC2/VMs + attached instance profiles
Cross-account + cross-subscription trust relationships
node_type: RESOURCE|ROLE|POLICY|STORAGE|FUNCTION
edge_type: CAN_ACCESS|HAS_POLICY|INVOKES|EXPOSES
integrations: AWS · Azure · GCP · Terraform state
DM-03 · Network & Segmentation

Network reachability modeled as directed edges — every firewall rule, VPC peer, and routing path encoded in the graph.

Subnet reachability + firewall allow/deny rules
VPC peering + Transit Gateway + VPN tunnels
Zero-trust policy enforcement points
East-west lateral movement vectors
Internet-facing exposure + ingress points
node_type: SUBNET|HOST|FIREWALL|GATEWAY|ENDPOINT
edge_type: REACHABLE|BLOCKED|PEERED|TUNNELS_TO
integrations: AWS VPC · Azure NSG · Palo Alto · Zeek
DM-04 · Endpoint & Workload

EDR telemetry enriches the graph with process-level attack paths — memory injection, credential harvesting, and local privesc vectors.

EDR telemetry integration — CrowdStrike/Defender/SentinelOne
Process injection and DLL hijacking paths
Local privilege escalation vectors
Credential harvesting and LSASS dump paths
Container escape and namespace breakout
node_type: HOST|PROCESS|CONTAINER|POD|SERVICE
edge_type: EXEC_ON|INJECTS_INTO|DUMPS_CREDS|ESCALATES_TO
integrations: CrowdStrike · SentinelOne · Defender
DM-05 · External Attack Surface

Internet-facing exposure mapped as entry nodes — every exposed port, subdomain, and third-party access chain is a potential graph root.

Internet-facing assets + exposed ports/services
Subdomain takeover exposure
Leaked credentials from threat intel feeds
Third-party and supply chain access chains
Shadow IT and unmanaged asset discovery
node_type: DOMAIN|IP|SERVICE|CRED_LEAK|THIRD_PARTY
edge_type: EXPOSES|ACCESSIBLE_FROM|LEAKED_TO|TRUSTS
integrations: Shodan · VirusTotal · SpiderFoot · EASM
All 5 domains merge into a single unified_graph.adjacency at query time — cross-domain edges resolved automatically.
GraphDB · JSON-LD · OpenAPI · STIX 2.1
Toxic Combinations

Individual risks are noise. Combinations are attacks.

Traditional tools flag findings in isolation. Spakto chains them together — scoring the compound risk of combinations that individually score below your alert threshold.

Chain Example · 3-Step Domain Compromise · CRITICAL PATH

01 · Stale service account — excessive IAM permissions · MEDIUM · 5.2
svc-deploy@prod not rotated 24 months · AssumeRole on 6 production accounts
T1078.004 · Valid Cloud Accounts

02 · S3 bucket readable by that service account · MEDIUM · 4.8
s3://prod-config-backup · wildcard ACL · no encryption at rest
T1530 · Data from Cloud Storage

03 · S3 bucket contains production DB credentials · CRITICAL · 9.6
credentials.json in plaintext · RDS master password + connection string
T1552.001 · Credentials in Files

Result: domain compromise in 3 hops

Two MEDIUM findings + one credential file = direct path to production RDS and full account takeover. Combined chain score: 9.8 CRITICAL

TC-01 · 9.4

Identity + Cloud

Over-permissioned IAM role assumed by compromised identity leads to cloud-wide privilege escalation.

SVC_ACCT → ASSUME_ROLE → ADMIN_POLICY → ALL_RESOURCES
TC-02 · 8.7

Endpoint + Network

Compromised endpoint traverses poorly segmented network to reach sensitive systems via lateral movement.

ENDPOINT → REACH_SEGMENT → CRED_REUSE → DC
TC-03 · 9.1

External + Internal

Internet-facing misconfiguration provides direct path to internal crown jewels without authentication.

INTERNET → EXPOSE_SVC → BYPASS_WAF → DB_HOST
TC-04 · 8.3

Cloud + Data

Cloud service misconfiguration enables mass data exfiltration through exposed storage layer.

IAM_DRIFT → READ_STORAGE → EXFIL → S3_SYNC
Real-Time Intelligence

Graph recalculates on every environment change

Every new asset, permission grant, cloud deployment, or identity change potentially creates new attack paths. Spakto re-evaluates the full graph within seconds — not hours.

EVENT-TRIGGERED RECALCULATION ENGINE · STREAMING EVENTS · SUB-60S SLA · WATCHING 4 EVENT STREAMS

RT-01 · RESOURCE_DEPLOYED · New Cloud Resource Deployed

Event source · stream: CloudTrail · Event: CreateEC2Instance / DeployLambda
Graph action · Ingest resource → compute new edges → re-rank paths through new node
Detection logic · Checks: inherits IAM profile? reachable from internet? connects to sensitive data?
<22s rebuild p99 · New path risk surfaced before resource reaches prod traffic
RT-02 · PERMISSION_CHANGED · Permission or Role Changed

Event source · stream: IAM audit log · Event: AttachRolePolicy / AddUserToGroup
Graph action · Re-evaluate all paths using modified identity/role → diff new vs old path set
Detection logic · Detects: privilege escalation created? existing critical path widened? new assume-role chain?
<14ms graph diff · Permission grants that create new attack paths flagged in seconds
RT-03 · VULNERABILITY_FOUND · New Vulnerability Discovered

Event source · stream: CVE feed · Event: NVD publish / scanner finding / EDR alert
Graph action · Correlate CVE with asset graph position → score exploitability in existing chains
Detection logic · Critical only if: asset is on active path AND vuln is remotely exploitable AND no compensating control
<45s correlation · Distinguishes critical-in-context CVEs from noise — 94% noise reduction
RT-04 · ASSET_DECOMMISSIONED · Asset Decommissioned or Removed

Event source · stream: CMDB delta · Event: TerminateInstance / DeleteRole / DisableAccount
Graph action · Remove node from graph → identify broken paths → surface newly exposed paths
Detection logic · A pivot node removal may eliminate 10 paths but expose 2 previously blocked ones via rerouting
<18s path diff · Decommission validation — no residual access or orphaned trust relationships

Event stream: asset.created · iam.modified · cve.ingested · config.changed · cred.detected · path.recalculated
Use Cases

Who relies on the attack graph

Three operational roles query the graph differently — each receiving role-scoped path data, custom output formats, and targeted insights for their workflow.

UC-01 · THREAT HUNTING · Threat Hunting

Query the live graph to map what any compromised identity can reach — before attackers explore it.

Query Examples
graph.paths(from:"internet", to:"crown_jewel")
// Find all internet-to-target paths
graph.reach(node:"svc-deploy@prod")
// Map blast radius of compromised account
graph.toxic_chains(severity:">7.0")
// Surface high-score compound risks

<100ms query latency · Unlimited concurrent queries · Full graph query scope · STIX 2.1 output format

Output: Path maps · Blast radius report · Hunting playbook

UC-02 · RED TEAM OPS · Red Team Augmentation

Automatically surface attack chains that would take a red team days to discover manually — in minutes.

Query Examples
graph.shortest_path(src:"initial_access", dst:"domain_admin")
// Find fastest path to DA
graph.techniques_on_path(path_id:"P-0041")
// Map MITRE T-codes per hop
graph.alternative_paths(blocked_node:"vpn-gw")
// Find paths around a control

Weeks → minutes discovery speed · 300+ T-codes mapped · All paths enumerated · MITRE nav export format

Output: Attack scenario · T-code heatmap · Control bypass map

UC-03 · INCIDENT RESPONSE · Incident Response

After a breach, trace backward through the graph to reconstruct the full attack chain and quantify blast radius.

Query Examples
graph.ancestors(node:"compromised-host-041")
// Trace attacker entry path backward
graph.descendants(node:"compromised-host-041")
// Map full blast radius forward
graph.path_diff(before:"T-24h", after:"now")
// Identify what changed in the graph

14ms path reconstruction · Full blast radius map · Timestamped artifact evidence · <3h vs 3-day forensic

Output: Incident timeline · Affected assets · Remediation order

Path Scoring Engine

Every path carries a blast radius score

AGC scores each traversal path using a composite formula: score = criticality × reach × exploit × choke_factor. Only the paths that actually matter surface first — prioritized by true blast radius, not theoretical severity.

PATH SCORING ENGINE · BLAST RADIUS COMPUTE · PSE-v1.8 · SCORING ACTIVE

[Figure: Live blast radius for crown jewel prod-db-primary. Nodes: prod-db (CRITICAL · 9.8), iam-role (8.9), ad-admin (8.5), ec2-jump (7.2), svc-acct (6.8), ext-user. Score: 1,485.2 · CRITICAL · 6 nodes in blast radius.]

Score Decomposition · path_id: PSC-00041

C · Criticality Weight · 0.94 · Crown jewel sensitivity rating (0–1.0)
R · Reachability Factor · 0.87 · % of env nodes reachable via this path
E · Exploitability Index · 0.78 · Composite CVSSv3 exploit score across hops
M · Choke-Point Mult. · 2.3× · Path intersects 2 critical choke-points

Composite Score Formula
path_score = C × R × E × M × 1000
= 0.94 × 0.87 × 0.78 × 2.3 × 1000
= 1,485.2 → CRITICAL
Top Critical Paths · Ranked by Blast Score

Rank · Path ID · Entry → Target · Hops · Techniques · Score · Severity
#1 · PSC-00041 · ext-user → prod-db · 5 · T1078, T1550, T1484 · 1,485.2 · CRITICAL
#2 · PSC-00019 · svc-acct → s3-crown · 3 · T1098, T1530 · 1,203.7 · CRITICAL
#3 · PSC-00088 · ec2-jump → ad-forest · 4 · T1021, T1558 · 987.4 · HIGH
#4 · PSC-00031 · vpn-user → rds-cluster · 6 · T1133, T1078, T1484 · 831.0 · HIGH
#5 · PSC-00055 · api-svc → kms-key · 2 · T1552, T1555 · 654.3 · HIGH
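The pipeline, the typed domain models and the scoring engine above, reduced to working code as an added example that is not Spakto's own implementation: a graph of constructed sample nodes and edges shaped like the page's cross-domain path, depth-limited path enumeration, one MITRE technique tag per hop, and path_score = C × R × E × M × 1000. The page does not say how E, M or the severity tiers are derived, so the choices stated in the score_path docstring are assumptions.

```python
from collections import defaultdict, deque
from math import prod
# Constructed sample graph (added example, not Spakto code). node -> (criticality 0-1, choke_point)
NODES = {"ext-user": (0.0, False), "ad-john": (0.2, False), "vpn-gw-01": (0.3, True),
         "ec2-jump": (0.4, False), "iam-admin": (0.8, True), "prod-rds": (0.94, False),
         "hr-share": (0.5, False), "legacy-db": (0.6, False)}  # legacy-db isolated on purpose
# (src, dst, MITRE technique on that hop, per-hop exploitability 0-1)
EDGES = [("ext-user", "ad-john", "T1078", 0.90), ("ad-john", "vpn-gw-01", "T1133", 0.95),
         ("vpn-gw-01", "ec2-jump", "T1021.004", 0.85), ("ec2-jump", "iam-admin", "T1098", 0.80),
         ("iam-admin", "prod-rds", "T1484", 0.95), ("ad-john", "hr-share", "T1021", 0.70)]

def find_paths(adj, entry, target, max_hops):
    """All simple paths entry->target with at most max_hops edges (iterative DFS)."""
    paths, stack = [], [(entry, {entry}, [])]
    while stack:
        node, seen, hops = stack.pop()
        if node == target:
            paths.append(hops)
        elif len(hops) < max_hops:
            for dst, tech, expl in adj.get(node, []):
                if dst not in seen:
                    stack.append((dst, seen | {dst}, hops + [(node, dst, tech, expl)]))
    return paths

def reach_fraction(adj, nodes, start):
    """R: share of the other graph nodes reachable from start (BFS blast radius)."""
    seen, queue = {start}, deque([start])
    while queue:
        for dst, _, _ in adj.get(queue.popleft(), []):
            if dst not in seen:
                seen.add(dst); queue.append(dst)
    return (len(seen) - 1) / (len(nodes) - 1)

def score_path(nodes, adj, hops):
    """path_score = C x R x E x M x 1000 (page formula). Assumptions: E = product of per-hop
    exploitability, M = 1 + 0.65 per choke-point node, tiers >= 1000 CRITICAL / >= 500 HIGH."""
    path = [hops[0][0]] + [dst for _, dst, _, _ in hops]
    e = prod(expl for *_, expl in hops)
    m = 1 + 0.65 * sum(nodes[n][1] for n in path[1:])
    score = round(nodes[path[-1]][0] * reach_fraction(adj, nodes, path[0]) * e * m * 1000, 1)
    sev = "CRITICAL" if score >= 1000 else "HIGH" if score >= 500 else "MEDIUM"
    return {"path": path, "score": score, "severity": sev, "techniques": [t for _, _, t, _ in hops]}

def rank_paths(nodes, edges, entry, targets, max_hops=6):
    """Every entry->target path within the hop cap, highest blast score first."""
    adj = defaultdict(list)
    for src, dst, tech, expl in edges:
        adj[src].append((dst, tech, expl))
    found = [score_path(nodes, adj, h) for t in targets for h in find_paths(adj, entry, t, max_hops)]
    return sorted(found, key=lambda p: p["score"], reverse=True)
```

Running rank_paths on the edge list before and after a permission grant and diffing the two result lists is the path-set diff that the RT-02 recalculation step above describes.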
Graph Query Interface

Query the graph with AGC-QL

Purpose-built traversal query language for multi-hop attack path analysis. Express complex security questions as graph queries — return scored paths, technique chains, and blast radius data in milliseconds.

AGC-QL QUERY INTERFACE · TRAVERSAL ENGINE · v2.9.4 · avg latency: 14ms · ENGINE READY
Query Editor · AGC-QL v2
QUERY-01 · Crown Jewel Exposure · 14 paths · 11ms
TRAVERSE
FROM node(type:"EXTERNAL_ACTOR")
TO node(tag:"crown_jewel")
WHERE exploitable = true
AND hop_count <= 6
ORDER BY blast_score DESC
RETURN path, score, techniques
QUERY-02 · Identity Chain to Cloud · 7 paths · 9ms
MATCH
node(type:"AD_USER")
-[EDGE(relation:"ASSUME_ROLE")]->
node(type:"IAM_ROLE")
-[EDGE(relation:"GRANTS_ACCESS")]->
node(type:"S3_BUCKET", sensitivity:"HIGH")
RETURN chain, edge_weights, iam_policies
Result Set · QUERY-01
1. ext→vpn→ec2→iam→db · 4 hops · CRITICAL · 1,485
2. ext→api→svc→rds · 3 hops · CRITICAL · 1,203
3. ext→ssh→jump→ad→db · 4 hops · HIGH · 987
4. ext→web→app→iam→s3 · 4 hops · HIGH · 831
5. ext→vpn→ad→gpo→db · 4 hops · HIGH · 654
6. ext→smtp→svc→kms · 3 hops · MEDIUM · 412

AGC-QL Operators: TRAVERSE · MATCH · FROM · TO · WHERE · AND · OR · ORDER BY · LIMIT · RETURN

500K+ graph nodes · 14ms avg query time · 12 query types · Max hop depth
Cross-Domain Traversal Map

One attacker. Five domains. One path to your data.

Attack Graph Core maps multi-domain traversal paths end-to-end — from initial access through identity, network, cloud, and data tiers. Every hop is technique-tagged, evidence-backed, and scored.

[Figure: Cross-domain traversal · path-id CDT-00001 · 5 domains · 7 hops · PATH ACTIVE. Lanes: Identity Domain, Network Layer, Cloud Boundary, Privilege Tier, Data Crown. Nodes: EXT, AD USER (T1078), VPN GW (T1133), EC2, IAM ROLE (T1098), IAM ADMIN (T1550), RDS CROWN (CVSS 9.8, T1484).]

HOP 0→1 · IDENTITY · ext-user → ad-john · T1078
Valid Account – domain credentials from credential stuffing campaign. No MFA enforced on VPN.

HOP 1→2 · NETWORK · ad-john → vpn-gw-01 · T1133
External Remote Services – domain user granted VPN access. Split-tunnel routes to internal EC2.

HOP 2→3 · NET → CLOUD · vpn-gw-01 → ec2-jump · T1021.004
SSH lateral movement from VPN gateway to EC2 jump host. Shared SSH key pair grants access.

HOP 3→5 · PRIVILEGE · ec2-jump → iam-admin · T1098 + T1550
IAM role chaining via ec2-instance-profile. Privilege escalation through assume-role to admin.

HOP 5→6 · DATA CROWN · iam-admin → prod-rds · T1484
Admin credentials grant full RDS access. Crown jewel reached in 5 hops from external entry point.
