Exploit Path Graph
How WASViking materializes attack chains across findings and ranks them by chokepoint.
Individual findings often look medium-severity. Chains of findings are critical. The Exploit Path Graph materializes the chains and ranks them, so the team works on real compound risk instead of flat severity lists.
The model
A node in the graph is a finding. An edge represents a logical dependency: "to reach finding B, an attacker first uses finding A."
A path is an ordered sequence of nodes that ends at a high-value sink: an IAM token, a session secret, a privileged endpoint, a database boundary.
Example path:
auth weakness ────┐
├─▶ internal SSRF ─▶ metadata svc ─▶ IAM token
no egress filter ──┘ │
▼
chokepoint score: 92
Chokepoint score
The chokepoint score asks: if we remediate this node, how many paths collapse? Nodes that sit on many distinct paths score higher. The score is what the team triages on; one fix at a chokepoint clears more risk than three fixes at leaves.
How chains are produced
A materializer engine runs over the findings store and produces:
- The set of valid paths under the current finding graph.
- The chokepoint score per node.
- Path validity flags (the chain still holds; the chain broke because a node was fixed).
The materializer is deterministic. Same input findings produce the same graph. No LLM in the loop.
The page
/portal/exploit-paths/ lists paths ranked by chokepoint score, with
the underlying findings and remediation guidance per node.
What is and is not in scope
The graph models chains across findings WASViking detected. It does not fabricate exposures. The signal a path produces is only as good as the underlying findings; that is why depth in the analyzer catalog matters.
A second design point: the model is conservative. Paths that require an assumption the platform cannot verify do not appear. The platform would rather show fewer high-confidence paths than many speculative ones.