Overview
This article offers practical guidance for building effective attack routes in Hyver’s mitigation graph. A well-constructed graph helps you visualize how attackers could reach your most critical assets — and enables better decisions about where to intervene.
By mapping threats, assets, vulnerabilities, and remediation steps, you can turn abstract risks into a concrete, prioritized strategy.
Why Use the Mitigation Graph?
Building attack routes in Hyver gives you a full picture of how threats could exploit gaps in your environment. It helps you:
Identify and analyze real-world threats
Evaluate the likelihood of exploitation
Prioritize mitigation based on risk and impact
Plan efficient and effective remediation strategies
Step-by-Step Guide to Building Attack Routes
Step 1: Define Business Assets
Start by adding the business assets that matter most — these are the targets attackers aim for:
Common default assets include:
Customer information
Employee information
Business continuity
Intellectual property
Reputation
Position these on the right side of the graph. You can drag them in from the position icon bank while in edit mode.
Step 2: Add Threat Sources
Position threats like:
External attacker (internet)
Insider attacker (employee/contractor)
Third-party vendor
These are placed on the left side of the graph, as the starting point for attack routes:
Step 3: Plan the Routes
Think like an attacker. What steps would they take to move from a threat to a business asset?
Map out these steps as positions and edges, where:
Each position represents a system, access level, or component.
Each edge represents a finding — a vulnerability, potential issue, or capability.
Step 4: Draw Edges and Link Findings
From threat to business asset, draw edges between positions:
Use the arrow tool to draw a connection (edge).
The Finding wizard opens automatically so you can link a new or existing finding.
You can:
Use existing findings from the Findings page:
Create findings on the fly as you draw edges:
Tip: Each edge should represent a verifiable vulnerability. If it’s not clearly exploitable, reconsider adding it.
Step 5: Use Specific Findings
Make sure each finding:
Accurately describes the problem
Can be traced to a specific edge and asset
Is categorized correctly:
Vulnerability – Confirmed issue that can be fixed
Potential – Suspected issue without full evidence
Capability – Built-in permissions or trust relationships, not actual flaws
Tip: Be precise about finding types — this improves risk calculation and mitigation accuracy.
Step 6: Link Remediation Assets
For each edge (finding), link the relevant remediation asset — the component that needs fixing.
This helps you:
Visualize how a specific vulnerability enables an attacker’s movement
Show how fixing a particular asset breaks the route
Prioritize real-world fixes based on business impact
Tip: Always link remediation assets where possible — they turn the graph into a real-world action plan.
Step 7: Use Clear, Descriptive Position Names
Use names that describe the function or type of access:
"Admin access to server"
"Read/write access to file share"
"Network access to internal API"
This helps everyone understand how each position plays into the attack route.
Tip: Treat business assets at the end of your route as your “crown jewels” — they are your most sensitive targets.
Step 8: Analyze the Graph
Once your graph is built:
Identify full routes (threat to business asset)
Look for limited routes (stopped before reaching an asset)
Spot common findings or chokepoints across multiple routes
Tip: Limited routes show attackers making progress but getting stopped — a strong signal of security improvements.
Wrap-up / Next Steps
Building a strong mitigation graph is about more than drawing lines — it’s about understanding how attackers think, how vulnerabilities connect, and where to act. These tips will help you create accurate, actionable routes that support smarter, faster decision-making.
Next, try using the Mitigation Planner to simulate fixes, or add supporting evidence to findings for audit and review.