Attack chain synthesis
Attack chains are the difference between a scanner that produces a CSV and a platform that actually tells you what's at risk. Two mechanisms produce them.
Rule engine
23 hand-written rules encode common escalation patterns. Each rule:
- Matches a set of predicates against the findings list.
- Produces an ordered stage template.
- Outputs a chain with combined impact + severity.
Representative rules:
| Rule | Stages |
|---|---|
| Default creds → takeover | default creds found → admin interface access → full tenant access |
| Path traversal → source | LFI via ../../etc/passwd → read application source → extract secrets |
| Path traversal → SSH keys | LFI → read ~/.ssh/id_rsa → SSH lateral |
| Path traversal → /proc/environ | LFI → read env vars → DB password / API keys |
| SSRF → cloud metadata | SSRF → 169.254.169.254/latest/meta-data → IAM creds |
| Open redirect → phishing | Open redirect → craft phishing URL → steal creds |
| File upload → RCE | Unrestricted upload → upload .php/.jsp → execute |
| File upload → stored XSS | Upload → SVG with embedded script → XSS on every view |
| IDOR → bulk PII | IDOR on /user/{id} → iterate IDs → dump dataset |
| JWT weak → admin | Weak signing secret → forge admin JWT → admin access |
| Mass assignment → admin | Submit role=admin → account promoted silently |
| XSS + missing cookie flags → hijack | Stored XSS fires → exfils session cookie (no HttpOnly) |
| Info disclosure → CVE | Banner leaks version → EDB candidate → exploit |
| CORS misconfig + creds | Overly permissive CORS → cross-origin credential exfil |
| Deserialisation → RCE | .NET BinaryFormatter / Java Ser → chained gadget → RCE |
Every rule is auditable — the rationale field on the chain explains which findings triggered it.
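The rule engine described above, as an added illustration (this is not Pentestas code): a rule is a set of required finding kinds (the predicates), an ordered stage template whose leading stages are bound to the matching findings, and an impact string. The severity scale, the finding kinds and the three rules are assumed for the example and lifted from the table; the sample findings are constructed.

```python
from dataclasses import dataclass

# Assumed ordered severity scale; the page's own scale is documented separately.
SEVERITY = ["info", "low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    id: str
    kind: str       # e.g. "path_traversal", "ssrf", "stored_xss" (assumed kind names)
    severity: str   # one of SEVERITY
    location: str   # where the scanner observed it


@dataclass(frozen=True)
class Rule:
    name: str
    requires: frozenset   # predicates: every kind must be present in the findings list
    stages: tuple         # ordered template of (stage text, bound finding kind or None)
    impact: str           # combined impact if the chain completes


@dataclass
class Chain:
    title: str
    stages: list          # [(stage text, finding id or None), ...] in order
    impact: str
    severity: str         # max severity over the findings that triggered the rule
    rationale: str        # which findings fired the rule (what makes the chain auditable)


# Three rules taken from the representative-rules table.
RULES = [
    Rule("Path traversal → SSH keys", frozenset({"path_traversal"}),
         (("LFI", "path_traversal"), ("read ~/.ssh/id_rsa", None), ("SSH lateral", None)),
         "SSH access to adjacent hosts"),
    Rule("SSRF → cloud metadata", frozenset({"ssrf"}),
         (("SSRF", "ssrf"), ("169.254.169.254/latest/meta-data", None), ("IAM creds", None)),
         "Cloud IAM credentials"),
    Rule("XSS + missing cookie flags → hijack", frozenset({"stored_xss", "cookie_no_httponly"}),
         (("Stored XSS fires", "stored_xss"), ("exfils session cookie (no HttpOnly)", "cookie_no_httponly")),
         "Session hijack of any user who views the payload"),
]


def synthesize(findings, rules=RULES):
    """Run every rule over the findings list; emit one chain per rule whose predicates all match."""
    by_kind = {}
    for f in findings:
        by_kind.setdefault(f.kind, []).append(f)

    chains = []
    for rule in rules:
        if not rule.requires.issubset(by_kind):
            continue                                   # a predicate is unmet: rule does not fire
        bound = {k: by_kind[k][0] for k in rule.requires}   # first finding of each kind (kept simple)
        stages = [(text, bound[kind].id if kind else None) for text, kind in rule.stages]
        severity = max((bound[k].severity for k in rule.requires), key=SEVERITY.index)
        rationale = "Triggered by " + "; ".join(
            f"{bound[k].id} ({k} at {bound[k].location})" for k in sorted(rule.requires))
        chains.append(Chain(rule.name, stages, rule.impact, severity, rationale))
    return chains


# Constructed sample findings: no SSRF, so the second rule must not fire.
FINDINGS = [
    Finding("F-1", "path_traversal", "high", "/download?file="),
    Finding("F-2", "stored_xss", "medium", "/comments"),
    Finding("F-3", "cookie_no_httponly", "low", "session cookie"),
]

if __name__ == "__main__":
    for c in synthesize(FINDINGS):
        print(f"[{c.severity}] {c.title}: {' → '.join(t for t, _ in c.stages)}\n    {c.rationale}")
```

Each emitted chain carries the ids of the findings that satisfied its predicates, so a reviewer can trace a chain back to evidence rather than trusting the title; template stages with no bound finding (such as "SSH lateral") are the inferred steps a human should confirm.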
LLM synthesis (Pro+)
After the rule engine runs, Claude reads the entire findings list plus the target context and proposes additional chains the rules missed. Its output must pass two safety checks:
- Stage validation — each stage in a Claude-proposed chain must reference an actual finding (or a directly-observable behaviour in the trace). No fabricated links.
- Rationale check — the chain must include an explicit "why this works" paragraph referencing evidence.
Chains that fail validation are dropped. The LLM typically adds 2–5 chains per medium-complexity scan.
Deduplication
Rule-based and LLM chains can overlap. Pentestas dedupes by:
- Exact stage set match → LLM chain dropped in favour of rule-based.
- Subset match → LLM chain kept only if it adds a stage the rule didn't.
Severity of a chain
Computed as:
chain_severity = max(stage_severity) + 1 step (if the chain ends at critical impact)
Where "critical impact" is: RCE, account takeover (admin or arbitrary user), unauthenticated data exfil, full PII dump, credential extraction at scale.
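The three post-processing steps described above (stage validation and rationale check, deduplication against rule-based chains, and combined severity), as one added illustration that is not Pentestas code. Assumptions: an ordered five-step severity scale, stage identity for deduplication taken as the pair (stage text, evidence reference), evidence references covering both finding ids and trace observation ids, and severity capped at the top of the scale. The chains and evidence ids are constructed.

```python
SEVERITY = ["info", "low", "medium", "high", "critical"]   # assumed ordered scale

# The impacts the text defines as "critical impact"; ending a chain here adds one step.
CRITICAL_IMPACTS = {
    "rce", "account_takeover", "unauth_data_exfil", "pii_dump", "credential_extraction_at_scale",
}


def chain_severity(stage_severities, final_impact):
    """chain_severity = max(stage_severity) + 1 step if the chain ends at critical impact."""
    idx = max(SEVERITY.index(s) for s in stage_severities)
    if final_impact in CRITICAL_IMPACTS:
        idx = min(idx + 1, len(SEVERITY) - 1)       # assumption: cannot exceed "critical"
    return SEVERITY[idx]


def validate(chain, evidence_ids):
    """Stage validation: every stage must point at a real finding or trace observation.
    Rationale check: an explanation paragraph must be present."""
    stages_ok = all(ref in evidence_ids for _text, ref, _sev in chain["stages"])
    return stages_ok and bool(chain.get("rationale", "").strip())


def _stage_key(chain):
    # Stage identity assumed to be (text, evidence ref); per-stage severity is not part of it.
    return frozenset((text, ref) for text, ref, _sev in chain["stages"])


def dedupe(rule_chains, llm_chains):
    """Exact stage-set match: drop the LLM chain. Subset match: keep it only if it adds a stage."""
    rule_keys = [_stage_key(c) for c in rule_chains]
    kept = list(rule_chains)
    for c in llm_chains:
        key = _stage_key(c)
        if any(key <= rk for rk in rule_keys):     # nothing beyond what a rule already covers
            continue
        kept.append(c)
    return kept


def finalize(rule_chains, llm_chains, evidence_ids):
    """Validate LLM chains, dedupe against rule chains, then score every surviving chain."""
    valid_llm = [c for c in llm_chains if validate(c, evidence_ids)]
    chains = dedupe(rule_chains, valid_llm)
    for c in chains:
        c["severity"] = chain_severity([sev for _t, _r, sev in c["stages"]], c["impact"])
    return chains


# Constructed evidence: F-* are finding ids, T-* are observations from the request trace.
EVIDENCE = {"F-1", "F-2", "T-1", "T-2", "T-3", "T-4"}

RULE_CHAINS = [
    {"title": "Path traversal → SSH keys", "source": "rule",
     "impact": "credential_extraction_at_scale", "rationale": "F-1: path traversal at /download",
     "stages": [("LFI", "F-1", "high"), ("read ~/.ssh/id_rsa", "T-1", "high"), ("SSH lateral", "T-2", "high")]},
]

LLM_CHAINS = [
    # Exact duplicate of the rule chain: dropped in favour of the rule-based one.
    {"title": "LLM duplicate", "source": "llm", "impact": "credential_extraction_at_scale",
     "rationale": "same evidence as the rule", "stages": list(RULE_CHAINS[0]["stages"])},
    # References T-9, which exists in no finding or trace: a fabricated link, dropped.
    {"title": "LLM fabricated", "source": "llm", "impact": "rce", "rationale": "...",
     "stages": [("LFI", "F-1", "high"), ("write webshell", "T-9", "critical")]},
    # Strict subset of the rule chain's stages: adds nothing, dropped.
    {"title": "LLM subset", "source": "llm", "impact": "file_read", "rationale": "...",
     "stages": [("LFI", "F-1", "high")]},
    # Overlaps on the first stage but adds two evidenced stages: kept.
    {"title": "Path traversal → source → secrets", "source": "llm", "impact": "source_code_disclosure",
     "rationale": "F-1 reads arbitrary files; T-3 shows app source; T-4 shows a config with a DB password",
     "stages": [("LFI", "F-1", "high"), ("read application source", "T-3", "medium"),
                ("extract DB password from config", "T-4", "high")]},
    # Evidenced stages but no rationale paragraph: dropped by the rationale check.
    {"title": "LLM no rationale", "source": "llm", "impact": "pii_dump", "rationale": "",
     "stages": [("LFI", "F-1", "high"), ("read application source", "T-3", "medium")]},
]

if __name__ == "__main__":
    for c in finalize(RULE_CHAINS, LLM_CHAINS, EVIDENCE):
        print(f"[{c['severity']}] {c['title']} ({c['source']})")
```

The rule chain ends at credential extraction, so its "high" stages lift it to "critical"; the surviving LLM chain ends at source disclosure, which is not in the critical-impact list, so it stays at the maximum of its stages, "high".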
Display
- Scan detail page → mindmap tab. Horizontal XMind-style layout, drill-down-on-click, drag-to-pan when expanded beyond viewport.
- Executive report (PDF) → one page per chain with stages + consolidated impact.
- API → `GET /api/scans/{id}/graph` returns the chain list.
Reading a chain
Each chain has:
- Title — short path summary, e.g. "Path traversal → SSH keys → lateral movement".
- Severity — combined.
- Combined impact — what an attacker gets at the end.
- Rationale — why the stages link.
- Stages — ordered finding references with per-stage impact.
See also
- Attack chains (user guide)
- Claude analysis
- Severity scale — how combined severity lands