SaaS Attack Matrix

The SaaS Attack Matrix is Pilot’s catalogue of known SaaS-focused attacker tradecraft — inspired by Push Security’s Browser & Identity Attacks Matrix and BloodHound’s graph-based attack-path modelling. It answers a different question than “what’s wrong right now”:

If vendor X were compromised, what could an adversary reach?

What’s in the catalogue

  • Techniques — discrete attacker steps. Some mirror published identifiers (SAT1027 — OAuth token abuse, SAT1032 — SAMLjacking, SAT1041 — Inbound federation abuse). Others are Pilot extensions prefixed MATRIX_* for vendor-specific patterns (MATRIX_GITHUB_OIDC_ABUSE, MATRIX_STRIPE_KEY_ABUSE, MATRIX_DB_PUBLIC_EXPOSURE).
  • Vendors — the catalogue ships bindings for ~23 vendors today, spanning IdPs (Okta, Auth0, Google Workspace, Microsoft 365), cloud IaaS (AWS, GCP, Azure), code hosts (GitHub, GitLab), payment (Stripe), comms (Twilio, Mailgun, SendGrid), edge (Cloudflare), databases (MongoDB, MySQL, Postgres, Redis), and major SaaS (Snowflake, Salesforce, Slack, Atlassian).
  • Cross-vendor paths — chains where origin vendor compromise reaches a target vendor. E.g. MATRIX_GITHUB_TO_AWS_OIDC walks “GitHub Actions OIDC trust → AWS AssumeRole → cloud admin”.

The full catalogue is browseable at SaaS Matrix in the sidebar.

How it intersects with your data

When Pilot builds the attack graph for a company, it walks the matrix and injects speculative MATRIX_CHAIN edges between vendor nodes whose pairing matches a catalogue path. The edges are tagged confidence: speculative by design — these are catalogue hypotheses, not observed pivots.

A MATRIX_PIVOT path template surfaces the same chains as first-class attack paths in the Attack Graph → Canonical → SaaS Matrix chains canonical query. Each chain renders with a clear if true: <severity> pill to keep the speculative framing on screen.
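A sketch of that matching step, added here as an illustration and not Pilot's own code: a small constructed catalogue is walked against a company's detected vendors, and only pairings with both vendors present (plus any usage fact the chain depends on, here the "org uses CF for DNS" condition) get a MATRIX_CHAIN edge tagged confidence: speculative, ranked by severity for the Canonical view. The catalogue schema, the requires field and the MATRIX_EXAMPLE_* id are assumptions; only MATRIX_GITHUB_TO_AWS_OIDC and its hop text come from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MatrixPath:
    """One catalogue chain (assumed shape, not Pilot's real schema)."""
    path_id: str
    origin: str
    target: str
    hops: tuple            # technique hop list, doubles as a tabletop script
    severity: str          # rendered as the "if true: <severity>" pill
    requires: frozenset = frozenset()  # extra usage facts the chain needs

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample catalogue. The GitHub -> AWS chain and the Cloudflare DNS
# condition are taken from the page text; the MATRIX_EXAMPLE_* id is made up.
CATALOGUE = (
    MatrixPath("MATRIX_GITHUB_TO_AWS_OIDC", "GitHub", "AWS",
               ("GitHub Actions OIDC trust", "AWS AssumeRole", "cloud admin"),
               "critical"),
    MatrixPath("MATRIX_EXAMPLE_CLOUDFLARE_DNS_TO_MAIL", "Cloudflare",
               "Google Workspace", ("Cloudflare DNS control", "MX record hijack"),
               "high", frozenset({"cloudflare_dns"})),
)

def matrix_chain_edges(detected_vendors, usage_facts=(), catalogue=CATALOGUE):
    """Return speculative MATRIX_CHAIN edges for vendor pairs that match a
    catalogue path, ranked by severity for the Canonical view. Every edge is
    a hypothesis: nothing here is an observed pivot and nothing raises an alert."""
    detected, facts = set(detected_vendors), set(usage_facts)
    edges = []
    for p in catalogue:
        if {p.origin, p.target} <= detected and p.requires <= facts:
            edges.append({
                "type": "MATRIX_CHAIN",
                "source": p.origin, "target": p.target,
                "path_id": p.path_id,
                "confidence": "speculative",
                "severity": p.severity,
                "pill": f"if true: {p.severity}",
                "hops": list(p.hops),
            })
    return sorted(edges, key=lambda e: SEVERITY_RANK[e["severity"]])

def blast_radius(origin, detected_vendors, usage_facts=(), catalogue=CATALOGUE):
    """Answer 'if vendor X were compromised, what could an adversary reach?'
    by collecting the targets of every applicable chain starting at origin."""
    edges = matrix_chain_edges(detected_vendors, usage_facts, catalogue)
    return sorted({e["target"] for e in edges if e["source"] == origin})
```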

Where it shows up

Surface | What you see
Attack Graph → All View | Emerald dotted MATRIX_CHAIN edges between vendor nodes. Click any edge → catalogue popover.
Attack Graph → Canonical → SaaS Matrix chains | Ranked list of all matrix chains for the scope; click any to highlight the chain on the canvas.
Attack Graph → What-if | Operator-prompted scenario synthesiser — combines catalogue + LLM.
Home → Hypothetical scenarios card | Lower-priority card below verified urgency. Always framed: “research leads for blast-radius analysis — not verified findings, nothing here needs to be remediated.”
Ask Pilot agent | Opt-in only. The agent calls matrix tools when the operator’s question explicitly asks for hypotheticals, blast radius, or “what if X were compromised”.

What it does NOT do

  • It does not raise alerts.
  • It does not appear on the “What’s urgent” panel.
  • It does not claim “this happened” or “this is exposed”. A matrix entry is a research lead. The catalogue says “IF Cloudflare were compromised AND the org uses CF for DNS, THEN MX records could be hijacked.” The IF is the whole point.

When to use the matrix

  • Blast-radius questions. “What’s the worst case if our Okta admin token leaked?” Walk the Okta-origin matrix paths in the Attack Graph.
  • Vendor risk assessments. “We’re about to onboard Snowflake — what’s the catalogue say about Snowflake-specific attacker tradecraft?” Open the SaaS Matrix browser, filter to Snowflake.
  • Tabletop exercises. “Walk our team through a credible cross-vendor breach chain.” Pick a chain from the Canonical view, use the technique hop list as the script.
  • Coverage gap analysis. “Which catalogue chains apply to our detected vendors?” The Canonical view shows exactly that.

When NOT to use the matrix

  • Daily triage. Stick to Verified findings and Secrets.
  • Posture summaries for non-security stakeholders. Lead with verified intel.
  • Executive reporting. Same — speculative content needs careful framing or it sounds like fearmongering.

The catalogue exists because operators asked for it. It just doesn’t belong in places that expect “fix this” urgency.