CyberTwin
Live demo · No signup · Real engine output

An interactive attack-path graph against Acme Capital.

Acme Capital is a fictional 200-person fintech. The graph below is real engine output from the same 15-vendor extractor engine that would parse your production configs, with every edge carrying its MITRE technique. Expand any path to walk its steps.

Modeled
up to $5.0M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: vpn-poolFortiGate zone: prod-paymentsAWS IAM user: cloudops-admin◆ Secrets Manager: stripe-live-keys
6 hops to Secrets Manager: stripe-live-keys · ~47m to data
Cheapest cut: CloudOps excluded from CA admin policy
Modeled
up to $5.0M
modeled
Phishing victim (Marketing user)Entra group: MarketingMDE: Corp Laptops device groupFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM role: PowerUserRole (overprovisioned)◆ S3 bucket: acme-customer-pii
6 hops to S3 bucket: acme-customer-pii · ~1h to data
Cheapest cut: MFA not enforced for Marketing group
Modeled
up to $5.0M
modeled
Exposed SSL-VPN portal (no MFA)FortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM role: PowerUserRole (overprovisioned)◆ RDS: prod-payments-db
4 hops to RDS: prod-payments-db · ~28m to data
Cheapest cut: SSL-VPN MFA not required
Show 12 more paths
Modeled
up to $5.0M
modeled
Legacy auth not blocked (IMAP / POP)Entra group: MarketingMDE: Corp Laptops device groupFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM role: PowerUserRole (overprovisioned)◆ S3 bucket: acme-customer-pii
6 hops to S3 bucket: acme-customer-pii · ~1h to data
Cheapest cut: Legacy auth not blocked tenant-wide
Modeled
up to $5.0M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM user: cloudops-admin◆ Secrets Manager: stripe-live-keys
6 hops to Secrets Manager: stripe-live-keys · ~53m to data
Cheapest cut: cloudops-admin user lacks MFA on console
Modeled
up to $4.5M
modeled
Internet (Cloudflare-fronted prod app)Cloudflare WAF for app.acme.io (custom skip rule for legacy partner)◆ Origin: app.acme.io (production payments API)
2 hops to Origin: app.acme.io (production payments API) · ~22m to data
Cheapest cut: Cloudflare custom rule with action=skip on managed ruleset
Modeled
up to $2.8M
modeled
Internet (post-drift exposure)◆ S3 reporting-snapshots (drift: s3-bucket-public-read-prohibited NON_COMPLIANT)
1 hop to S3 reporting-snapshots (drift: s3-bucket-public-read-prohibited NON_COMPLIANT) · ~18m to data
Cheapest cut: S3 bucket reporting-snapshots: public-read-prohibited NON_COMPLIANT
Modeled
up to $6.0M
modeled
Okta user: eng-lead@acme (Super Admin)Okta Super Admin roleEntra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: vpn-poolFortiGate zone: prod-paymentsAWS IAM user: cloudops-admin◆ Secrets Manager: stripe-live-keys
7 hops to Secrets Manager: stripe-live-keys · ~51m to data
Cheapest cut: Standing SUPER_ADMIN assignment without JIT
Modeled
up to $2.5M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsCrowdStrike Falcon: Engineering host group (200 hosts)◆ Falcon exclusion: rundll32 / appdata\Local\Temp\* permit
4 hops to Falcon exclusion: rundll32 / appdata\Local\Temp\* permit · ~35m to data
Cheapest cut: Falcon exclusion list contains rundll32 + temp paths
Modeled
up to $5.0M
modeled
Branch office Cisco ASA outside interface (sec-level 0)Branch office LAN (sec-level 100)FortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM role: PowerUserRole (overprovisioned)◆ S3 bucket: acme-customer-pii
5 hops to S3 bucket: acme-customer-pii · ~41m to data
Cheapest cut: Cisco ASA shadowed deny rule on branch-outside-in
Modeled
up to $1.8M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)Compromised mailbox (CFO auto-forward to personal)◆ External recipient — exfil destination
3 hops to External recipient — exfil destination · ~24m to data
Cheapest cut: External auto-forwarding allowed org-wide
Modeled
up to $7.5M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM user: cloudops-adminGCP SA: analytics-runner (proj-data)◆ GCP project "proj-prod-payments" admin scope (1 admin SA)
7 hops to GCP project "proj-prod-payments" admin scope (1 admin SA) · ~58m to data
Cheapest cut: Cross-project TokenCreator from analytics → prod
Modeled
up to $6.5M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM user: cloudops-adminAzure SP: deploy-bot◆ Azure subscription m365-ecosystem (Owner inherits to all RGs)
7 hops to Azure subscription m365-ecosystem (Owner inherits to all RGs) · ~56m to data
Cheapest cut: Standing Owner assignment at subscription scope (no JIT)
Modeled
up to $3.0M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)Adversary using stolen valid creds (Sentinel-prod blind to)◆ Undetected: Valid Accounts: Cloud Accounts (T1078.004)
3 hops to Undetected: Valid Accounts: Cloud Accounts (T1078.004) · ~31m to data
Cheapest cut: Coverage gap: T1078.004 has no enabled detection rule
Modeled
up to $6.5M
modeled
Okta IDP (from network diagram)Okta user: eng-lead@acme (Super Admin)Okta Super Admin roleEntra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM user: cloudops-admin◆ Secrets Manager: stripe-live-keys
8 hops to Secrets Manager: stripe-live-keys · ~1h to data
Cheapest cut: Standing SUPER_ADMIN assignment without JIT
Best single fix
Remediating entra-ca-exclude-001 breaks 9 of 28 paths.
generated 2026-05-07 · sample fixture · modeled

Want this for your real environment? Start your assessment →

What you're looking at

Real config data. Real attack paths. No mock-up.

Three things make this graph different from the marketing animations on most security vendor sites.

Real configurations

Acme Capital is fictional, but its stack is real configuration shapes — ingested exactly as your production configs would be, by the same extractor engine that covers 15 vendors.

Real stitching logic

26 MITRE techniques map to specific edge types, and each path is matched against 11 named threat groups — inferred edges are dashed and explained, never hand-waved.

Real cheapest-fix output

A breadth-first search runs from every entry point to every sensitive resource; the single change that breaks the most paths surfaces first.

How the graph is built, in full →

Your config, not ours

Want to try it on your own config?

Paste a FortiGate policy block into the sandbox and see one attack path, one choke-point fix, and an industry-default dollar estimate — same engine, your input.

Run the same analysis for your environment

Your stack. Your attack paths.
Your cheapest fix.

The Acme Capital graph is the demo. The Program tier runs the same analysis against your real environment — re-upload a fresh export any time and the engine re-checks your posture — re-parseable artifacts re-prove it.