
Industry Attack Graph Components

Understand the visual building blocks and interactive modes of the Industry Attack Graph within the Cye Exposure Management Platform.

Updated this week

Overview

This article explains the building blocks of the Industry Attack Graph in the Cye Exposure Management Platform. These components represent how potential attack routes are constructed using a combination of industry-wide threat data and your organization's specific findings.

Understanding these elements helps you interpret system-generated risks and visualize how attackers could potentially reach your most critical assets.


Graph Display Modes

The Industry Attack Graph is a read-only feature that helps users move from high-level industry threats to organization-specific risk through two primary modes:

  • Overview Mode: Designed for high-level orientation. Use this mode to identify your primary Threat Sources and Business-Critical Assets (BCAs). Clicking any element provides immediate context to help you understand the starting points and targets of the most probable industry routes.

    • No Org Findings: Before any organizational findings are integrated into the platform, the graph displays paths based entirely on industry-sector data.

    • With Org Findings: The platform layers verified weaknesses onto the industry paths to reveal where internal vulnerabilities intersect with known external threats.

    • Visuals: Shows only direct, simplified routes between Threat Sources and BCAs.

  • Graph Mode: A detailed "deep-dive" into the full hacking story.

    • No Org Findings: Reveals the full architecture of every sector-based route, including all intermediate positions and Industry Findings between the Threat Source and BCA.

    • With Org Findings: Reveals the full architecture of every route that contains your specific findings, including all intermediate positions and findings.

    • Visuals: Displays the technical semantics, including intermediate nodes, all edge types, and specific probability metrics.


Pathways and Positions

Attack Routes

Attack routes represent the end-to-end sequence an attacker takes to reach a target. Their visualization depends on the active display mode:

  • Graph Mode Edges:

    • Industry Edges (Gray): System-generated paths based on sector modeling.

    • Org Edges (Purple): Factual paths containing verified findings from your environment.

    • Mixed Routes: A single path in Graph Mode can include a combination of both Gray and Purple edges.

  • Overview Mode Routes:

    • Industry Routes (Gray): Paths built entirely from industry data.

    • Org Routes (Purple): Paths built entirely from verified organizational findings.

    • Mixed Routes (Purple & Gray): Single attack paths that use Industry Edges to bridge gaps between Org Edges, forming a complete route to a BCA.

Positions (Nodes)

A Position represents a state of access or a foothold (the "where").

  • Threat Source (Orange Icon): The starting point or attack source (e.g., "External attacker" or "Insider"). Appears on the left side of the graph.

  • Middle/Intermediate position (Blue circle): An intermediate foothold or attack state (e.g., "Access to Salesforce").

Note: A position is a milestone; it is not the vulnerability itself (the Edge), and it is not the final target (the Business Asset).

  • Business-Critical Asset (Solid blue circle): The final target or "crown jewel" (e.g., Customer Information or Intellectual Property). Appears on the right side of the graph.

  • Aggregated position (Forked arrow icon): An "AND" condition where all incoming routes must be exploited before an attacker can progress.

  • Limited Route ("X" icon): A dead-end where an attack path has been broken.

Note on Customization:
The Industry Attack Graph utilizes a predefined model of industry threats. Therefore, adding new, custom Threat Sources or BCAs in Settings will not affect this specific graph unless they are part of the platform's default model. These custom items can still be used for other platform features, such as the Org Attack Graph.


Edges and Findings


Edge (The Connections)

An Edge represents the transition or method (the "how") used to move between footholds. In the Industry Attack Graph, the visualization identifies the source and status of the data:

  • Industry Finding (Solid Gray Line): System-generated security weaknesses based on sector-wide threat intelligence.

  • Org Finding (Solid Purple Line): Security weaknesses identified within your specific environment.

  • Mixed Route (Purple & Gray): In Overview Mode, these routes are visualized with a subtle color gradient that transitions from purple to gray, signaling the blended nature of the evidence supporting the path. In Graph Mode, the path consists of individual gray and purple edges.

  • Capability (Dashed Purple or Gray Line): Authorized access rights or trust relationships that represent legitimate lateral movement paths.

  • Potential Finding (Light Blue, "?"): Suspected but unverified weaknesses in your environment.

  • Fixed Finding (Solid Green Line): Paths where remediation is complete.
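The position and edge semantics above can be reasoned about with a small model. The following is an added illustration, not Cye platform code or its API; the `Edge` class, the function names and the sample positions are assumptions made for the example. It shows how an aggregated ("AND") position and a Fixed finding change which positions remain reachable, and how a route is classed as industry, org or mixed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    origin: str          # "industry" (gray) or "org" (purple)
    fixed: bool = False  # remediated finding (green): no longer traversable

def reachable(sources, edges, and_nodes=frozenset()):
    """Positions an attacker can hold, starting from the given Threat Sources."""
    held = set(sources)
    changed = True
    while changed:
        changed = False
        for node in {e.dst for e in edges} - held:
            incoming = [e for e in edges if e.dst == node]
            usable = [e for e in incoming if not e.fixed and e.src in held]
            # Aggregated position: every incoming edge must be exploitable.
            # Ordinary position: one exploitable incoming edge is enough.
            ok = len(usable) == len(incoming) if node in and_nodes else bool(usable)
            if ok:
                held.add(node)
                changed = True
    return held

def classify_route(route):
    """Overview-mode colour class for a non-empty route (list of edges)."""
    origins = {e.origin for e in route}
    return "mixed" if len(origins) > 1 else origins.pop()

# Constructed sample graph (labels are illustrative, not platform data).
EDGES = [
    Edge("External attacker", "Access to Salesforce", "industry"),
    Edge("External attacker", "Access to VPN", "org"),
    Edge("Access to Salesforce", "Admin session", "org"),
    Edge("Access to VPN", "Admin session", "org"),
    Edge("Admin session", "Customer Information", "industry"),
]
AND_NODES = frozenset({"Admin session"})  # aggregated position

def after_fix(edge_index):
    """Re-evaluate reachability with one finding marked as Fixed."""
    edges = [Edge(e.src, e.dst, e.origin, fixed=(i == edge_index))
             for i, e in enumerate(EDGES)]
    return reachable({"External attacker"}, edges, AND_NODES)

if __name__ == "__main__":
    print(sorted(reachable({"External attacker"}, EDGES, AND_NODES)))
    print(sorted(after_fix(1)))  # fixing the VPN finding breaks the AND
    print(classify_route([EDGES[1], EDGES[3], EDGES[4]]))
```

In this model, fixing a single finding that feeds an aggregated position cuts off everything behind it, whereas an ordinary position stays reachable as long as one incoming edge remains open.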

Interacting with Edges

The graph provides detailed context through tooltips and the Right Pane:

  • Hover for Quick View:

    • Org Findings: Hovering anywhere along an edge (the line) opens a tooltip with the Finding Identity (ID, name, and description) and core risk metrics (Probability, Severity level, and the number of Remediation assets).

    • Industry Findings: Provides the same context but excludes the Finding ID.

  • Click for Deep Dive:

    • Org Findings: Clicking an edge opens a Right Pane containing comprehensive technical data, including evidence, suggested remediation steps, and detailed asset impact.

    • Industry Findings: Opens a read-only view including the Summary, Description, Business Impact, and Security Domain.

Severity and Probability

  • Severity Levels: Indicated by a color-coded circle on the edge: Maroon (Critical), Red (High), Orange (Medium), or Yellow (Low).


Interacting with the Graph

  • Scope Customization: If any default Threat Sources or BCAs are not relevant to your organization, you can delete them in Settings. Deleting a node automatically removes it and all dependent routes from the graph, allowing you to focus strictly on relevant targets.

  • Filters: Use the Filters panel to isolate specific data layers and reduce visual noise:

    • Industry Data: Toggles the visibility of all gray edges and positions. Disabling this hides the theoretical sector-wide model, leaving only paths where your organization has verified findings.

    • Organization Data: Toggles all purple findings and routes. Disabling this reverts the graph to a pure "Industry-Only" state, useful for baseline threat modeling.

      • Fixed Findings: When enabled, the graph displays vulnerabilities previously marked as "Fixed." This allows you to visualize "broken" paths and verify that remediation has successfully neutralized a specific route.

    • Mixed Routes: Toggles paths that rely on Industry Edges to bridge gaps between your Org Edges. Disabling this ensures that every step in the displayed routes is backed by a finding from your organization.

    • Potential Findings: (Visible only if applicable) Toggles suspected weaknesses (light blue "?" nodes) that require further investigation to confirm.

  • Status-Based Visibility: For Organization Findings, you can permanently control their appearance by updating their status in the platform (e.g., marking them as "Fixed" or "Irrelevant").

  • Legend: Use the bottom bar to interpret symbols, icons, and severity markers at a glance.


Permissions and Licensing

  • Feature Access: Available only with an active Industry Graph license.

  • Restricted Visibility: If your user profile lacks permission to view specific findings, the graph will display a yellow notification banner. In these cases, a visual "gap" may appear in an attack route.

Note: A gap in the visualization indicates a lack of data visibility for your specific account, not necessarily the absence of a physical connection or threat in the environment.


Wrap-up / Next Steps

Now that you are familiar with the building blocks of the Industry Attack Graph, you can use these components to navigate and customize your risk view:

  • Switch Perspectives: Use the Overview to present high-level risk to stakeholders, and Graph Mode for technical root-cause analysis.

  • Customize the View: Apply Filters to refine the graph, such as showing or hiding industry-only routes or potential findings.

  • Personalize your view: Start by adding your organization's findings via manual input or tool integrations to see the graph transition from purely industry-based data to verified organizational routes.
