Confidence: highObserved
Edges directly extracted from configuration. An AWS IAM policy granting s3:GetObject to a specific role; a FortiGate policy allowing traffic from an IP range to a specific port. Confidence: high. Audit defensibility: direct.
Confidence: mediumDerived
Edges inferred from configuration patterns plus known capability semantics. An Entra Conditional Access exclusion list for service accounts implies those accounts skip MFA, which combined with a Defender exclusion can yield a credential-pivot path. Confidence: medium. Customer can confirm or remove the edge in-graph.
Confidence: lowInferred
Edges suggested by industry attack patterns when configuration is incomplete. Rendered as dashed lines with explanatory tooltips. The customer is told 'if your environment is typical, this path likely exists; verify by checking X.' Confidence: low. Always optional, never assumed by the report.
MITRE ATT&CK annotation
Every edge carries both a tactic code (e.g. TA0001 Initial Access, TA0008 Lateral Movement) and a technique code (e.g. T1078.004 Valid Accounts: Cloud Accounts, T1190 Exploit Public-Facing Application). The current edge-type → technique map covers 26 distinct techniques across 20 parent technique families, sourced from MITRE ATT&CK Enterprise v15+. Ambiguous mappings document the alternatives that were considered inline. The graph tooltip and PDF both render the technique code so SOC analysts and auditors can pivot from a path directly to the MITRE knowledge base.
Threat-actor attribution
Each path is matched against a library of 11 named threat groups (ransomware operators, financially motivated groups, and state-sponsored adversaries) segmented by industry + size band. Match strength is the count of group TTPs whose technique codes appear on the path edges; confidence is high if ≥50% of a group's TTPs match, medium if ≥2 match, otherwise low. Top-3 groups per path are surfaced in the panel + PDF.
Cross-vendor extractor coverage
The graph builder runs one extractor per vendor and stitches their output into a unified attack graph. Today 15 vendors have a graph extractor (identity, endpoint, network, edge/WAF, cloud-IAM, cloud- governance, email, SIEM). Inter-vendor stitches (e.g., Entra group → MDE endpoint group) are explicit dashed edges with the reason for the stitch surfaced in the tooltip — never fabricated.
Network-diagram parsing
Uploaded network diagrams are parsed into structured topology (strict-JSON output, deterministic post-processing, two diagram→JSON reference examples). Supported formats: PNG, JPG, draw.io. Visio support is metadata-only today (Visio (metadata-only)) until .vsdx shape extraction ships. Every topology node lands in the graph at confidence='inferred' until a real config upload promotes it to observed.
Document contradiction re-run
When an uploaded document contradicts an intake answer (severity info / warning / critical), the customer is shown a blocking modal for criticals (one at a time) and a non-blocking notice for warnings. The chosen resolution is recorded with an audit-log entry; for critical "use the document" resolutions the engine regenerates so the attack-path simulation reflects the corrected ground truth. Auto-mutating intake answers from free-text contradictions is deliberately deferred — the scan output can't yet point back to a specific intake question with certainty.