
Org. Attack Graph Components

Understand each component of the Org. Attack Graph and how it represents threats, assets, and vulnerabilities.

Updated this week

Overview

This article explains the building blocks of the Org. Attack Graph in Cye Exposure Management Platform. Each component represents a real element of your organization’s threat landscape—from attacker entry points to your most critical assets.

Understanding these elements helps you assess risks, plan mitigation, and visualize how attackers could move through your environment.


Graph Display Modes

The Org Attack Graph provides a detailed visualization of verified risks within your environment, accessible through two primary modes:

  • Overview Mode: Designed for high-level orientation and stakeholder reporting.

    • Visuals: Displays simplified, direct routes between Threat Sources and Business Critical Assets (BCAs).

    • Use Case: Use this mode to identify which BCAs are at risk and from where, without exposing intermediate technical steps.

  • Graph Mode: A technical "deep-dive" into the full attack story.

    • Visuals: Reveals the complete architecture of every route, including all intermediate positions, findings, and technical semantics.

    • Use Case: Use this mode for root-cause analysis and to understand the specific chain of weaknesses leading to an asset.


Pathways and Positions


Attack Routes

An attack route is the end-to-end path from a threat source to a business asset. These routes are built using a sequence of Positions connected by Edges.
Their visualization depends on the active display mode:

  • Graph Mode Edges: Displays individual segments (Findings, Capabilities, or Potential Findings) that chain together to form a path.

  • Overview Mode Routes: Summarizes the underlying technical paths into a single, color-coded line connecting the source to the target.

Positions (Nodes)

A Position represents a state of access or a foothold (the "where").

  • Threat Source (Orange Icon): The starting point or attack source (e.g., "External attacker" or "Insider"). Appears on the left side of the graph.

  • Middle/Intermediate position (Blue circle): An intermediate foothold or attack state (e.g., "Access to Salesforce").

    Note: A position is a milestone; it is not the vulnerability itself (the Edge), and it is not the physical target (the Business Asset).

  • Business-Critical Asset (Solid blue circle): The final target or "crown jewel" (e.g., Customer Information or Intellectual Property). Appears on the right side of the graph.

  • Aggregated position (Forked arrow icon): An "AND" condition where all incoming routes must be exploited before an attacker can progress.

  • Limited Route ("X" icon): A dead-end where an attack path has been broken.


Edges and Findings


Edge (The Connections)

An Edge is the directional line connecting two positions, representing the transition or method (the "how") used to move between footholds.
Depending on the nature and status of the connection, edges are visualized in the following ways:

  • Finding (Solid Purple Line): A validated security weakness in your environment.

  • Capability (Dashed Purple Line): An authorized connection or access right, such as built-in permissions or trust relationships. Unlike a Finding, a Capability is not a flaw or "bug"; it represents an attacker’s ability to move laterally using legitimate architectural paths.

  • Potential Finding (Light Blue, "?"): A suspected but unverified security weakness.

  • Pre-open Finding (Light Blue, "+"): Findings currently in a Draft or Approval status.

  • Fixed/Verified Finding (Green Line, checkmark): Paths where remediation is complete.


Interacting with Edges

The graph provides two levels of information for every edge:

  • Hover for Quick View: Hovering anywhere along an edge (the line) opens a tooltip with the Finding Identity (ID, name, and description) and core risk metrics (Probability, Severity level, and the number of Remediation assets).

  • Click for Deep Dive: Clicking an edge opens a Right Pane containing comprehensive technical data, including evidence, suggested remediation steps, and detailed asset impact.

Severity and Probability

  • Severity Levels: Indicated by a color-coded circle on the edge: Maroon (Critical), Red (High), Orange (Medium), or Yellow (Low).

  • Probability (%): Displayed as a percentage above the edge, reflecting the likelihood of exploitation based on the following core parameters:

    • Complexity: The level of difficulty required to execute the exploit.

    • Exploitability: Whether tools or exploits are available (e.g., Freely Available, Manual Only).

    • Popularity: How frequently this specific technique is used by attackers.

    • User Interaction: Whether a human action is required for the attack to succeed.


Interacting with the Graph

Filters & Highlights

Refine the visualization by using the Filters & Highlights menu to isolate specific risks and reduce visual noise.

  • Filters:

    • Fixed Findings: Toggle to show or hide remediated vulnerabilities to visualize historical neutralized paths.

    • Limited Routes: Toggle to hide "dead-end" paths that do not reach a BCA.

    • Engagement: Search to isolate findings from specific security assessments.

  • Highlights:

    • Critical to Block: Bold high-priority paths where a single fix cuts off maximum risk.

    • Most Probable Route: Highlights the path an attacker is statistically most likely to take.

Mitigation Planner

A simulation layer used to move from viewing routes to breaking them.

  • Visual Emphasis: Activating a mitigation strategy (e.g., Critical to Block) or a custom plan will visually alter the graph: findings included in the plan become dashed, while all unrelated routes are de-emphasized to focus your attention on the remediation impact.

  • Workflow: Select candidate findings directly from the graph to add to a plan and compare total Cost and Effort against the impact on risk reduction.
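The semantics described above (Positions joined by Edges, an Aggregated position as an "AND" condition, Fixed findings hidden unless the filter re-shows them, and the Mitigation Planner's "which single fix cuts off the most risk" question) can be checked on a small model. The following is an added, constructed example and not the platform's own code or data; the position names, edge list, and probabilities are assumptions chosen to mirror the article's examples.

```python
# Constructed sample graph mirroring the article's components (not platform data).
# Position kinds: source (Threat Source), middle, and (Aggregated position), bca.
POSITIONS = {"External attacker": "source", "Insider": "source",
             "VPN Gateway": "middle", "Access to Salesforce": "middle",
             "Cloud Admin Console": "and",
             "Customer Information": "bca", "Intellectual Property": "bca"}
# Edges: (from, to, kind, probability); kinds are the article's edge types.
EDGES = [("External attacker", "VPN Gateway", "finding", 0.9),
         ("External attacker", "Access to Salesforce", "potential", 0.3),
         ("Insider", "Cloud Admin Console", "capability", 0.9),
         ("VPN Gateway", "Cloud Admin Console", "finding", 0.5),
         ("VPN Gateway", "Customer Information", "finding", 0.85),
         ("Cloud Admin Console", "Intellectual Property", "finding", 0.8),
         ("Access to Salesforce", "Customer Information", "fixed", 0.7)]

def is_live(i, edge, removed=frozenset(), show_fixed=False):
    # An edge is traversable unless a mitigation plan removed it or it is a
    # Fixed finding hidden by the default filter (show_fixed re-displays those).
    return i not in removed and (show_fixed or edge[2] != "fixed")

def reachable(edges, **opts):
    # Positions an attacker can hold starting from every Threat Source. Iterate
    # to a fixed point because an Aggregated ("and") position needs all inputs.
    held = {p for p, k in POSITIONS.items() if k == "source"}
    changed = True
    while changed:
        changed = False
        for dst, kind in POSITIONS.items():
            if dst in held:
                continue
            # one flag per incoming edge: is it live and is its source held?
            usable = [is_live(i, e, **opts) and e[0] in held
                      for i, e in enumerate(edges) if e[1] == dst]
            if usable and (all(usable) if kind == "and" else any(usable)):
                held.add(dst)
                changed = True
    return held

def bcas_at_risk(edges, **opts):
    # Overview Mode question: which Business Critical Assets are reachable?
    return sorted(p for p in reachable(edges, **opts) if POSITIONS[p] == "bca")

def critical_to_block(edges):
    # Mitigation Planner "after" state: fix one Finding at a time and pick the
    # one whose removal cuts off the most BCAs (Capabilities are not fixable).
    before = len(bcas_at_risk(edges))
    cut = {i: before - len(bcas_at_risk(edges, removed={i}))
           for i, e in enumerate(edges) if e[2] == "finding"}
    best = max(cut, key=cut.get)
    return edges[best], cut[best]
```

In this model, fixing the single finding on the External attacker to VPN Gateway edge both removes the direct route to Customer Information and breaks the "AND" at Cloud Admin Console, which is why it scores as the critical-to-block edge.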

Edit Mode & Edge Management

Authorized users can manually reshape the graph’s topology to reflect expert knowledge or specific environment segments. This mode is a structural modeling tool, not a browsing view.

  • Structural Modeling:

    • Construct or Sever Edges: Manually draw new connection lines between positions to map a known path, or delete existing edges that do not accurately represent your environment.

    • Define Intermediate Positions: Insert new nodes (e.g., a "VPN Gateway" or "Cloud Admin Console") to represent architectural milestones that weren’t previously modeled.

    • Reconfigure Capabilities: Update authorized access relationships (dashed lines) as your internal trust boundaries and permissions change.

  • Linking Findings:

    • The Finding Wizard: This tool opens automatically when you draw a new edge. Use it to link the new path to an existing finding or to create a new finding record.

    • Detach Findings: Remove links between findings and specific routes if they were previously mis-modeled, ensuring the attack story remains accurate.

  • Operational Guardrails:

    • Data Integrity: You are modifying the attack architecture, not the underlying finding data (Severity, ID, or Description). These records remain managed in the main Findings area.

    • Formula Stability: Structural changes update the attacker’s path, but do not alter the underlying probability or risk calculation formulas.

    • Interface Behavior: While in Edit Mode, a dedicated banner is visible and certain Filters are disabled to prevent accidental data masking during the modeling process.

  • Dynamic Resolution: Outside of Edit Mode, the platform automates maintenance. Once a linked finding is marked as Fixed, the edge is typically removed automatically (unless "Fixed findings" is enabled in Filters).


Permissions and Visibility

The data displayed is subject to your user profile's access rights and visibility settings.

  • Restricted Visibility: If your profile lacks permission to view specific findings, a yellow banner will appear at the bottom of the graph.

  • Route Gaps: Restricted permissions may cause a visual "gap" in an attack route.
    Note: A gap represents a lack of data visibility for your specific account, not necessarily the absence of a threat.


Wrap-up / Next Steps

The Org Attack Graph is your primary tool for moving from a list of vulnerabilities to a prioritized defense strategy. Once you have identified your most critical routes, use the following steps to take action:

  • Execute a Quick Fix: Identify a "Critical to Block" finding (indicated by the bold red line), click the edge to open the Right Pane, and navigate to the Mitigation tab for step-by-step remediation instructions.

  • Simulate Your Progress: Use the Mitigation Planner to build a candidate plan. Review the "After" state of the graph to confirm that your proposed actions successfully neutralize the targeted attack routes.

  • Validate Your Model: If the graph does not perfectly reflect your network (e.g., a missing VPN or segmented VLAN), enter Edit Mode to construct the necessary positions and edges, ensuring your risk metrics are based on an accurate architectural map.

  • Compare Strategies: Toggle the Most Probable Route highlight against the Critical to Block path to determine whether you should focus on the most "likely" attack or the one that protects the most assets simultaneously.
