Overview
This article explains the building blocks of the mitigation graph in Hyver. Each component represents a real element of your organization’s threat landscape — from attacker entry points to your most critical assets. Understanding these elements helps you assess risks, plan mitigation, and visualize how attackers could move through your environment.
You’ll learn how each part of the graph works and what it represents.
Main Components in the Mitigation Graph
Attack Threat Sources
These appear on the left side of the mitigation graph. They represent the origin of an attack — such as external actors (e.g., internet-based attackers) or internal threats (e.g., insider access).
If threat sources are defined in Hyver, they appear automatically.
You can also add new threat sources manually when needed.
Business Assets
These appear on the right side of the graph and represent the organization’s critical business assets — like customer data or operational systems:
If business assets are already defined in Hyver, they show up automatically.
You can manually add assets that haven’t yet been defined.
Pathways and Positions
Attack Routes
These are the lines (called edges) that connect the threat source to business assets. They show how an attacker could move from entry point to target by exploiting vulnerabilities.
Positions
Positions are the points (nodes) that appear along attack routes. They can represent assets, vulnerabilities, or logic conditions that shape how attackers progress.
There are three types:
Threat position – Always the starting point. Represents the attack source:
Middle position – A regular point along the route. Represents a specific asset or vulnerability. These have one incoming and one outgoing route:
Aggregated position – A virtual node that depends on multiple preceding routes. It models a point in the attack path that requires inputs from several positions:
Edges and Findings
Edge
An edge is the line drawn between two positions. Each edge usually represents a finding — a vulnerability or security issue.
When you draw an edge, the finding wizard opens so you can link it to an existing finding or create a new one.
Once a finding is marked Fixed, its corresponding edge is automatically removed.
Finding Severity and Probability
Each edge includes a small dot that shows severity. You can hover over it to get a tooltip showing:
Severity level
Description
Number of remediation assets linked to the finding
Probability reflects how likely the vulnerability is to be exploited. It’s based on factors like:
Complexity
Popularity of the technique
Required user interaction
You can adjust these parameters in the finding’s detail pane. A single finding can appear on multiple edges.
Capability
This represents a non-vulnerability connection — permissions or access that aren’t necessarily flaws but still affect the threat landscape:
Capabilities are shown with a gray icon.
They help you understand implicit trust or access relationships that could enable lateral movement.
While not a weakness, they should be modeled carefully to reflect real-world security posture.
Permissions and Visibility
Only findings you have permission to view will appear on the graph:
If you don’t have access to a specific finding, you’ll see a gap in the attack route with a message about restricted access.
This ensures visibility and control are tied to role-based permissions.
Wrap-up / Next Steps
Each part of the mitigation graph plays a role in showing how attackers could reach your most valuable assets. By understanding these components, you’ll be better equipped to model your threat landscape and prioritize what to fix.
Next, you can dive deeper into how to build attack routes, search within the graph, or plan your remediation.