Walking the attack graph

The All View is gorgeous but unreadable for daily work. This page covers the three productive modes — Canonical, Entry Point, Path Pair — and when to reach for each.

Canonical queries — start here

The Canonical mode has six pre-baked queries that cover the most common questions:

  1. Code-leak blast radius — repos with leaked credentials → cloud accounts → SaaS / data those creds unlock.
  2. Front-door pivots — public hosts with verified high-severity findings.
  3. Subdomains with live CVEs — discovered subdomains running fingerprinted software with a known CVE.
  4. Client-side JavaScript surface — every public host and the external JS bundles it ships to browsers.
  5. Identity provider blast radius — IdP compromise → federated SaaS → data classifications stored there.
  6. SaaS Matrix chains — catalogue-driven cross-vendor pivot chains (research mode, see SaaS Matrix).

Pick one, click. Pilot runs the path walker over your current scope’s graph and returns a ranked list: highest impact first, then highest confidence, then shortest path. Click any path in the list → the canvas highlights the participating nodes and dims everything else.

Entry Point — investigate a specific node

When you know which node you care about (a host, a repo, a leaked secret, a SaaS service), use Entry Point mode. Type or select the node, choose a hop depth (1 → just neighbours; 4 → broad neighbourhood), and Pilot renders just that subgraph.

This is how you answer questions like:

  • “What’s connected to api.acme.com?” → enter the host, depth 2.
  • “What downstream does Okta reach for this company?” → enter the idp node, depth 3.
  • “What did this leaked AWS key unlock?” → enter the secret node, depth 2 (you’ll see the cloud asset it AUTHENTICATES_TO and the speculative buckets that hang off that).

Double-click any node in the rendered subgraph to expand its neighbours in place — same motion as BloodHound.
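The depth-limited rendering this mode performs, as an added illustration that is not Pilot’s own code: a breadth-first walk to a chosen hop depth over a constructed graph (hypothetical node names and relation labels; edges are treated as traversable in both directions, since the question is “what is connected to X”), plus the in-place neighbour expansion the double-click performs and the induced edge list the canvas would draw.

```python
from collections import deque

# Constructed sample graph (hypothetical assets, not real ones): src -> {dst: relation}.
EDGES = {
    "company:acme": {"domain:acme.example": "OWNS", "idp:okta": "USES"},
    "domain:acme.example": {"host:api.acme.example": "RESOLVES_TO"},
    "host:api.acme.example": {"js:cdn.example/app.js": "SHIPS"},
    "secret:aws-key-1": {"cloud:aws-prod": "AUTHENTICATES_TO"},
    "cloud:aws-prod": {"data:s3-exports": "HOLDS"},
    "idp:okta": {"saas:github": "FEDERATES", "cloud:aws-prod": "FEDERATES"},
}


def undirected(edges):
    """Adjacency view that ignores edge direction: 'connected to' goes both ways."""
    adj = {}
    for src, dsts in edges.items():
        for dst in dsts:
            adj.setdefault(src, set()).add(dst)
            adj.setdefault(dst, set()).add(src)
    return adj


def neighbourhood(edges, entry, depth):
    """Nodes within `depth` hops of `entry`, mapped to their hop distance (BFS)."""
    adj = undirected(edges)
    if entry not in adj:
        raise KeyError(f"unknown node {entry!r}")
    dist = {entry: 0}
    queue = deque([entry])
    while queue:
        u = queue.popleft()
        if dist[u] == depth:          # frontier reached: do not walk further out
            continue
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def expand(edges, shown, node):
    """The double-click: add `node`'s direct neighbours to the set of rendered nodes."""
    return set(shown) | undirected(edges).get(node, set())


def induced_edges(edges, shown):
    """Directed edges of the original graph whose endpoints are both rendered."""
    return [(s, d, rel) for s, dsts in edges.items()
            for d, rel in dsts.items() if s in shown and d in shown]


if __name__ == "__main__":
    # "What did this leaked AWS key unlock?" -> enter the secret node, depth 2.
    shown = neighbourhood(EDGES, "secret:aws-key-1", 2)
    for node, hops in sorted(shown.items(), key=lambda kv: kv[1]):
        print(f"hop {hops}: {node}")
    for s, d, rel in induced_edges(EDGES, set(shown)):
        print(f"  {s} -{rel}-> {d}")
```

Depth 2 from the secret node shows the cloud account it authenticates to, the data behind it and the IdP that also federates into that account; expanding the IdP in place pulls in the company and the federated SaaS without re-running the whole query.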

Path Pair — A → B chains

When you have a specific question — “can an attacker get from this repo to that S3 bucket?” — pick both endpoints and Pilot runs Yen’s-algorithm top-k shortest paths over its adversary-cost model.

The cost function weights:

  • Edge confidence: verified costs less than inferred, which costs less than speculative, so the walker prefers the better-evidenced pivot.
  • Destination severity: an edge landing on a critical node is discounted, so high-impact destinations come out cheaper for the attacker.

So the top result is the most realistic chain an attacker would pick: the one built on the strongest evidence and ending at the highest-impact destination.

The result list shows up to 5 paths between the two nodes; click one to highlight it on the canvas. If the list is empty, the two endpoints aren’t reachable from each other in the current graph — pick something further upstream or downstream.
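How the top-k walk above behaves on a small graph, as an added example that is not Pilot’s code: Yen’s k-shortest-paths over a constructed repo → key → cloud → data graph, with a stand-in cost model. The confidence costs, severity factors, node names and edges are all assumptions chosen to mirror the two weights described above; the real weights are not published on this page. It returns the paths cheapest first and an empty list when the endpoints are not reachable.

```python
import heapq
from itertools import count

# Stand-in cost model (assumption, not Pilot's real weights): a verified edge is the
# cheapest pivot and a speculative one the most expensive; landing on a critical or
# high-severity node is discounted so impactful destinations come out cheaper.
CONFIDENCE_COST = {"verified": 1.0, "inferred": 2.0, "speculative": 4.0}
SEVERITY_FACTOR = {"critical": 0.5, "high": 0.75, "medium": 1.0, "low": 1.0}

# Constructed sample graph (hypothetical assets): src -> {dst: edge confidence}.
GRAPH = {
    "repo:acme/backend": {"secret:aws-key-1": "verified", "host:ci.example.test": "inferred"},
    "secret:aws-key-1": {"cloud:aws-prod": "verified"},
    "host:ci.example.test": {"cloud:aws-prod": "speculative"},
    "cloud:aws-prod": {"data:s3-customer-exports": "inferred", "saas:okta": "speculative"},
    "saas:okta": {"data:s3-customer-exports": "speculative"},
    "data:s3-customer-exports": {},
}
SEVERITY = {"cloud:aws-prod": "critical", "data:s3-customer-exports": "high"}


def edge_cost(graph, severity, src, dst):
    """Adversary cost of one pivot: confidence cost scaled by destination severity."""
    factor = SEVERITY_FACTOR.get(severity.get(dst, "medium"), 1.0)
    return CONFIDENCE_COST[graph[src][dst]] * factor


def path_cost(graph, severity, path):
    return sum(edge_cost(graph, severity, a, b) for a, b in zip(path, path[1:]))


def dijkstra(graph, severity, src, dst, banned_nodes=frozenset(), banned_edges=frozenset()):
    """Cheapest src->dst path avoiding banned nodes/edges; returns (cost, path) or None."""
    tie = count()                     # tie-breaker so equal costs never compare node names
    dist, prev, done = {src: 0.0}, {}, set()
    heap = [(0.0, next(tie), src)]
    while heap:
        d, _, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        if u == dst:
            path = [u]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        for v in graph.get(u, {}):
            if v in done or v in banned_nodes or (u, v) in banned_edges:
                continue
            nd = d + edge_cost(graph, severity, u, v)
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, next(tie), v))
    return None


def yen_k_shortest(graph, severity, src, dst, k=5):
    """Yen's algorithm: up to k loopless paths, cheapest first, under the cost model above."""
    first = dijkstra(graph, severity, src, dst)
    if first is None:
        return []                     # endpoints not reachable: empty result list
    accepted, candidates, seen, tie = [first], [], {tuple(first[1])}, count()
    while len(accepted) < k:
        _, last = accepted[-1]
        for i in range(len(last) - 1):
            spur, root = last[i], last[: i + 1]
            # Edges already taken by accepted paths sharing this root are forbidden, and
            # the root nodes (bar the spur) are forbidden so the deviation stays loopless.
            banned_edges = {(p[i], p[i + 1]) for _, p in accepted
                            if len(p) > i + 1 and p[: i + 1] == root}
            spur_path = dijkstra(graph, severity, spur, dst, set(root[:-1]), banned_edges)
            if spur_path is None:
                continue
            total = root[:-1] + spur_path[1]
            if tuple(total) not in seen:
                seen.add(tuple(total))
                heapq.heappush(candidates, (path_cost(graph, severity, total), next(tie), total))
        if not candidates:
            break
        cost, _, path = heapq.heappop(candidates)
        accepted.append((cost, path))
    return accepted


if __name__ == "__main__":
    for cost, path in yen_k_shortest(GRAPH, SEVERITY, "repo:acme/backend", "data:s3-customer-exports"):
        print(f"{cost:5.2f}  " + " -> ".join(path))
```

On this graph the verified key → critical cloud account → data chain comes out first, the CI-host route (inferred, then speculative) second, and the two detours through the IdP last; reversing the endpoints yields no path, which is the empty-list case described above.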

Reading the canvas

The legend bottom-left (toggle open/closed) explains every colour:

  • Nodes coloured by kind (company, domain, host, IdP, SaaS, etc.).
  • Edges coloured by confidence (solid emerald = verified, dashed amber = inferred, dotted zinc = generic speculative, dotted emerald = SaaS Matrix catalogue chain).

Severity halos ring critical / high-severity nodes (red / orange).

The What-if tab

The What-if mode synthesises hypothetical attack scenarios using the SaaS Attack Matrix catalogue + an LLM riffing over your graph. Every card carries the if true: <severity> framing and links back to the catalogue.

Useful for blast-radius questions and tabletop prep. Not for daily triage — those scenarios are research leads, not findings.

All View — opt-in only

Capped at 2000 nodes; uses an aggressive force-directed layout to keep the picture legible. Useful for occasional sanity-checks (“does the big picture look right?”) and for screenshot-able executive views.

For routine work, the Canonical and Entry Point modes are faster and more focused.