Piscium
blog

Attack Graph Engines: Moving Beyond Flat Vulnerability Lists

How dynamic attack graph analysis transforms vulnerability data into actionable intelligence by mapping real-world attack paths through your environment.

By David Montero

The Limitation of Vulnerability Lists

Security teams drown in CVEs. A typical enterprise vulnerability scan returns thousands of findings, each carrying a CVSS base score that, by design, says nothing about whether the vulnerability is reachable from an attacker's foothold, exploitable in your configuration, or actually dangerous to your business.

The result? Alert fatigue, misallocated resources, and a false sense of security.

What Is an Attack Graph?

An attack graph is a directed graph model of how an attacker can move through your environment to reach a target: nodes are hosts (or, more finely, privilege levels on hosts) and edges are the vulnerabilities, misconfigurations or trust relationships that let an attacker who controls one node take control of the next. Unlike flat vulnerability lists, attack graphs capture:

  • Reachability — Can the attacker actually reach this vulnerability from their entry point?
  • Chaining — Which vulnerabilities can be combined into multi-step attack paths?
  • Convergence — Which assets appear in the most attack paths (critical chokepoints)?

A Simple Example

Consider three findings from a vulnerability scan:

  1. Exposed SSH service on a jump server (CVSS 7.5)
  2. Privilege escalation on an engineering workstation (CVSS 6.8)
  3. Unpatched HMI in the OT network (CVSS 5.4)

Individually, the first is a high and the other two are medium-severity items, and none of them would rise to the top of a list of thousands. But an attack graph reveals they form a chain: SSH → workstation → HMI, a direct path from the internet to operational technology.

That chain is critical. The individual CVEs are not.

Dynamic vs. Static Analysis

Traditional attack graph tools generate graphs from scan data and network topology — a static snapshot. Dynamic attack graph engines continuously update as your environment changes:

  • New assets appearing on the network
  • Configuration changes that open or close paths
  • Patches that eliminate specific edges
  • New threat intelligence that highlights active exploitation

This continuous recalculation keeps the risk picture as current as the telemetry feeding it: a patched edge disappears from every path it was part of, and a newly discovered host can open paths that did not exist yesterday.

Business Context Weighting

The real power of attack graphs emerges when combined with business context. Not all targets are equal:

  • A path to the CEO's email has compliance and reputational impact
  • A path to the SCADA historian has operational intelligence impact
  • A path to the safety instrumented system has safety impact

By weighting graph edges and targets with business context, security teams can answer the question that matters: "What should we fix first to reduce the most business risk?"

Implications for OT Security

In OT/ICS environments, attack graph analysis is particularly valuable because:

  1. IT/OT convergence creates unexpected paths — Lateral movement from IT to OT often traverses jump servers, historians, and engineering workstations that appear innocuous in isolation
  2. Patching is constrained — You can't always patch the most critical vulnerability, so you need alternatives (network segmentation, compensating controls)
  3. Safety is paramount — Understanding which attack paths lead to safety-critical systems changes the entire prioritization calculus
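To make the mechanics concrete, here is a small toy engine in Python that works through the example above end to end: it builds the graph from the three scan findings, enumerates the internet-to-HMI chain, ranks chokepoints by how many paths converge on them, recomputes reachability when an edge is patched (the dynamic recalculation described earlier), weights targets by business impact so findings can be ranked by risk removed rather than by CVSS, and models segmentation as a compensating control by deleting a chokepoint host instead of patching it. This is an added illustration written for this post, not Piscium's engine; the extra findings F4 to F6, the VPN gateway and historian hosts, and the impact weights are all constructed assumptions.

```python
"""Toy attack-graph engine (added illustration, not Piscium's code).

Hosts are nodes. A directed edge (src, dst, fid) means: an attacker who
controls `src` can use finding `fid` to gain control of `dst`. Every host,
finding and weight below is constructed for the example.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str, str]   # (src, dst, finding_id)
Hop = Tuple[str, str]         # (host, finding used to reach it; "" for the entry point)

# The three scan findings from the post, plus three assumed ones (F4-F6).
FINDINGS: Dict[str, Tuple[str, float]] = {
    "F1": ("exposed SSH on jump server", 7.5),
    "F2": ("privilege escalation on engineering workstation", 6.8),
    "F3": ("unpatched HMI in OT network", 5.4),
    "F4": ("reused service account on historian (assumed)", 6.1),
    "F5": ("exposed VPN gateway (assumed)", 7.2),
    "F6": ("VPN gateway trusts workstation subnet (assumed)", 5.0),
}
EDGES: List[Edge] = [
    ("internet", "jump-server", "F1"),
    ("jump-server", "eng-workstation", "F2"),
    ("eng-workstation", "hmi", "F3"),
    ("eng-workstation", "historian", "F4"),
    ("internet", "vpn-gateway", "F5"),        # second entry route (assumed)
    ("vpn-gateway", "eng-workstation", "F6"),
]
# Business impact if an attacker reaches each target (assumed 0-10 scale).
TARGET_WEIGHTS: Dict[str, float] = {"hmi": 10.0, "historian": 4.0}


def adjacency(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, dst, fid in edges:
        adj.setdefault(src, []).append((dst, fid))
    return adj


def attack_paths(edges: List[Edge], source: str, target: str) -> List[List[Hop]]:
    """Enumerate every simple path from source to target (chaining)."""
    adj = adjacency(edges)
    paths: List[List[Hop]] = []

    def dfs(node: str, visited: Set[str], trail: List[Hop]) -> None:
        if node == target:
            paths.append(trail)
            return
        for nxt, fid in adj.get(node, []):
            if nxt not in visited:            # never revisit a host on one path
                dfs(nxt, visited | {nxt}, trail + [(nxt, fid)])

    dfs(source, {source}, [(source, "")])
    return paths


def reachable(edges: List[Edge], source: str) -> Set[str]:
    """Hosts an attacker starting at `source` can eventually control (reachability)."""
    adj = adjacency(edges)
    seen, stack = {source}, [source]
    while stack:
        node = stack.pop()
        for nxt, _ in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def chokepoints(edges: List[Edge], source: str, targets: Iterable[str]) -> Counter:
    """Intermediate hosts ranked by how many source->target paths traverse them (convergence)."""
    counts: Counter = Counter()
    for target in targets:
        for path in attack_paths(edges, source, target):
            for host, _ in path[1:-1]:
                counts[host] += 1
    return counts


def business_risk(edges: List[Edge], source: str, weights: Dict[str, float]) -> float:
    """Sum of impact weights of every weighted target the attacker can reach."""
    hosts = reachable(edges, source)
    return sum(w for host, w in weights.items() if host in hosts)


def without_finding(edges: List[Edge], fid: str) -> List[Edge]:
    """Patch: delete every edge the finding enables."""
    return [e for e in edges if e[2] != fid]


def without_host(edges: List[Edge], host: str) -> List[Edge]:
    """Compensating control: segment a host off, removing all edges into and out of it."""
    return [e for e in edges if host not in (e[0], e[1])]


def prioritize(edges: List[Edge], source: str, weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank findings by business risk removed if that finding alone were fixed."""
    base = business_risk(edges, source, weights)
    gains = [(fid, base - business_risk(without_finding(edges, fid), source, weights))
             for fid in sorted({e[2] for e in edges})]
    return sorted(gains, key=lambda g: -g[1])   # stable sort: ties keep finding order


if __name__ == "__main__":
    for path in attack_paths(EDGES, "internet", "hmi"):
        print(" -> ".join(f"{h}[{f}]" if f else h for h, f in path))
    print("chokepoints:", chokepoints(EDGES, "internet", TARGET_WEIGHTS).most_common())
    total = business_risk(EDGES, "internet", TARGET_WEIGHTS)
    for fid, gain in prioritize(EDGES, "internet", TARGET_WEIGHTS):
        print(f"fix {fid} (CVSS {FINDINGS[fid][1]}): removes {gain:.1f} of {total:.1f} risk")
    print("segment eng-workstation:",
          business_risk(without_host(EDGES, "eng-workstation"), "internet", TARGET_WEIGHTS))
```

Running it ranks F3, the CVSS 5.4 HMI finding, first: once a second entry route exists, patching the jump server (F1) or the workstation (F2) alone removes no business risk, while F3 is the only single fix that severs the HMI path. Segmenting the engineering workstation, the host every path converges on, removes all of it, which is the kind of compensating control that matters when the HMI itself cannot be patched. Note that enumerating every simple path is exponential in the worst case; on a large estate an engine would compute reachability and cut sets rather than list paths, but the ranking logic is the same.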

Want to see attack graph analysis applied to your environment? Schedule a technical demo.