Attack chain synthesis
Attack chains are the difference between a scanner that produces a CSV and a platform that actually tells you what's at risk. Two mechanisms produce them.
Rule engine
23 hand-written rules encode common escalation patterns. Each rule:
- Matches a set of predicates against the findings list.
- Produces an ordered stage template.
- Outputs a chain with combined impact + severity.
Representative rules:
| Rule | Stages |
|---|---|
| Default creds → takeover | default creds found → admin interface access → full tenant access |
| Path traversal → source | LFI via ../../etc/passwd → read application source → extract secrets |
| Path traversal → SSH keys | LFI → read ~/.ssh/id_rsa → SSH lateral |
| Path traversal → /proc/environ | LFI → read env vars → DB password / API keys |
| SSRF → cloud metadata | SSRF → 169.254.169.254/latest/meta-data → IAM creds |
| Open redirect → phishing | Open redirect → craft phishing URL → steal creds |
| File upload → RCE | Unrestricted upload → upload .php/.jsp → execute |
| File upload → stored XSS | Upload → SVG with embedded script → XSS on every view |
| IDOR → bulk PII | IDOR on /user/{id} → iterate IDs → dump dataset |
| JWT weak → admin | Weak signing secret → forge admin JWT → admin access |
| Mass assignment → admin | Submit role=admin → account promoted silently |
| XSS + missing cookie flags → hijack | Stored XSS fires → exfils session cookie (no HttpOnly) |
| Info disclosure → CVE | Banner leaks version → Exploit-DB candidate → exploit |
| CORS misconfig + creds | Overly permissive CORS with credentials allowed → cross-origin credential exfil |
| Deserialisation → RCE | .NET BinaryFormatter / Java serialisation → chained gadget → RCE |
Every rule is auditable: the rationale field on the chain names the findings that triggered it.
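The shape of a rule, as an added illustration rather than Pentestas code: a rule is a set of required finding kinds plus an ordered stage template; stages bind to the finding that satisfies each predicate (so every chain references real evidence) or are derived steps with no finding of their own, and the rationale records which findings fired the rule. The finding kind tags, the 1 to 5 severity numbers, the three rules and the findings list are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding. Kind tags and the 1-5 severity scale are assumed, not the platform's."""
    id: str
    kind: str
    severity: int
    where: str


@dataclass
class Rule:
    """A hand-written escalation rule: predicates plus an ordered stage template."""
    name: str
    requires: tuple[str, ...]                    # finding kinds that must all be present
    stages: tuple[tuple[str | None, str], ...]   # (kind to bind, or None for a derived step, stage text)
    impact: str


@dataclass
class Chain:
    title: str
    stages: list[tuple[str | None, str]]   # (finding id or None, stage text) in attack order
    impact: str
    rationale: str
    source: str = "rule"


def synthesise(findings: list[Finding], rules: list[Rule]) -> list[Chain]:
    """Fire every rule whose required kinds are all present in the findings list.
    Stages are bound to the first finding of each kind so the chain is audit-able."""
    by_kind: dict[str, Finding] = {}
    for f in findings:
        by_kind.setdefault(f.kind, f)          # first finding of a kind wins the binding
    chains: list[Chain] = []
    for rule in rules:
        if not all(k in by_kind for k in rule.requires):
            continue                           # predicate not satisfied, rule does not fire
        stages = [(by_kind[k].id if k else None, text) for k, text in rule.stages]
        triggered = ", ".join(f"{by_kind[k].id} ({k} at {by_kind[k].where})" for k in rule.requires)
        chains.append(Chain(
            title=rule.name,
            stages=stages,
            impact=rule.impact,
            rationale=f"{rule.name}: triggered by {triggered}",
        ))
    return chains


# Three rules from the table above, encoded in the shape described (constructed).
RULES = [
    Rule("Path traversal → SSH keys", ("lfi",),
         (("lfi", "LFI"), (None, "read ~/.ssh/id_rsa"), (None, "SSH lateral")),
         "SSH access to the host; lateral movement"),
    Rule("XSS + missing cookie flags → hijack", ("xss_stored", "cookie_no_httponly"),
         (("xss_stored", "Stored XSS fires"),
          ("cookie_no_httponly", "exfils session cookie (no HttpOnly)")),
         "session hijack of every user who views the payload"),
    Rule("SSRF → cloud metadata", ("ssrf",),
         (("ssrf", "SSRF"), (None, "169.254.169.254/latest/meta-data"), (None, "IAM creds")),
         "cloud IAM credentials"),
]

# A constructed findings list: LFI, stored XSS and a session cookie without HttpOnly, no SSRF.
FINDINGS = [
    Finding("F-1", "lfi", 3, "GET /download?file="),
    Finding("F-2", "xss_stored", 3, "POST /comments body"),
    Finding("F-3", "cookie_no_httponly", 1, "Set-Cookie: session="),
]

if __name__ == "__main__":
    for c in synthesise(FINDINGS, RULES):
        print(c.title, "|", " → ".join(t for _, t in c.stages), "|", c.rationale)
```

Only two rules fire on this input: the SSRF rule has no matching finding, and the XSS hijack rule needs both F-2 and F-3 before it produces a chain.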
LLM synthesis (Pro+)
After the rule engine runs, Claude reads the entire findings list plus the target context and proposes additional chains the rules missed. Its output must pass two safety checks:
- Stage validation: each stage in a Claude-proposed chain must reference an actual finding (or a directly observable behaviour in the trace). No fabricated links.
- Rationale check: the chain must include an explicit "why this works" paragraph that references evidence.
Chains that fail either check are dropped. A medium-complexity scan typically gains 2 to 5 chains this way.
Deduplication
Rule-based and LLM chains can overlap. Pentestas dedupes by:
- Exact stage set match: the LLM chain is dropped in favour of the rule-based one.
- Subset match: the LLM chain is kept only if it adds a stage the rule did not.
Severity of a chain
Computed as:
chain_severity = max(stage_severity) + one step (if the chain ends at a critical impact)
Where "critical impact" means: RCE, account takeover (admin or arbitrary user), unauthenticated data exfil, full PII dump, or credential extraction at scale.
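The three post-processing steps (the stage validation and rationale check applied to LLM-proposed chains, the dedup rule, and the severity formula) as one added worked example. This is illustration code, not the platform's implementation: the impact tags, the five-point severity cap on the "+ one step" (a chain cannot exceed the top of the scale), the known-finding and observed-behaviour sets and the sample chains are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Impact tags that the page defines as "critical"; names are assumed.
CRITICAL_IMPACTS = {"rce", "account_takeover", "unauth_data_exfil", "pii_dump",
                    "credential_extraction_at_scale"}
MAX_SEVERITY = 5   # assumed top of the severity scale; the +1 step is capped here


@dataclass
class Stage:
    finding_id: str | None   # None = derived step (a behaviour observed in the trace)
    text: str
    severity: int


@dataclass
class Chain:
    title: str
    stages: list[Stage]
    impact: str
    rationale: str
    source: str = "rule"     # "rule" or "llm"

    def stage_keys(self) -> set[str]:
        # Identity of a stage for dedup: its finding id, else its normalised text.
        return {s.finding_id or s.text.strip().lower() for s in self.stages}


def validate(chain: Chain, known_findings: set[str], observed: set[str]) -> bool:
    """Stage validation and rationale check for an LLM-proposed chain."""
    for s in chain.stages:
        if s.finding_id is not None and s.finding_id not in known_findings:
            return False        # fabricated link: no such finding in the scan
        if s.finding_id is None and s.text.strip().lower() not in observed:
            return False        # derived step that was never observed in the trace
    cited = [s.finding_id for s in chain.stages if s.finding_id]
    # The rationale must exist and must reference at least one finding the chain uses.
    return bool(chain.rationale.strip()) and any(fid in chain.rationale for fid in cited)


def dedupe(rule_chains: list[Chain], llm_chains: list[Chain]) -> list[Chain]:
    """Rule chains always win. An LLM chain whose stage set is equal to, or a subset of,
    a rule chain's stage set adds nothing and is dropped; a superset is kept."""
    kept = list(rule_chains)
    for llm in llm_chains:
        if not any(llm.stage_keys() <= r.stage_keys() for r in rule_chains):
            kept.append(llm)
    return kept


def chain_severity(chain: Chain) -> int:
    base = max(s.severity for s in chain.stages)
    if chain.impact in CRITICAL_IMPACTS:
        base += 1               # the "+ one step" for ending at a critical impact
    return min(base, MAX_SEVERITY)


def merge(rule_chains: list[Chain], llm_chains: list[Chain],
          known_findings: set[str], observed: set[str]) -> list[Chain]:
    valid = [c for c in llm_chains if validate(c, known_findings, observed)]
    return dedupe(rule_chains, valid)


# Constructed scan context: three real findings and three behaviours seen in the trace.
KNOWN = {"F-1", "F-2", "F-3"}
OBSERVED = {"read ~/.ssh/id_rsa", "ssh lateral", "reach internal admin panel"}

RULE_CHAIN = Chain("Path traversal → SSH keys",
                   [Stage("F-1", "LFI", 3), Stage(None, "read ~/.ssh/id_rsa", 4),
                    Stage(None, "SSH lateral", 4)],
                   impact="lateral_movement", rationale="F-1 reads arbitrary files as the app user.")
LLM_DUP = Chain("LFI to SSH", list(RULE_CHAIN.stages), impact="lateral_movement",
                rationale="F-1 allows reading the key.", source="llm")          # exact match: dropped
LLM_EXTRA = Chain("LFI to admin panel",
                  RULE_CHAIN.stages + [Stage(None, "reach internal admin panel", 4)],
                  impact="account_takeover",
                  rationale="F-1 yields the key; the host reaches the admin panel.", source="llm")
LLM_FAKE = Chain("SQLi to dump", [Stage("F-9", "SQLi", 4)], impact="pii_dump",
                 rationale="F-9 is injectable.", source="llm")                   # F-9 does not exist
LLM_NO_RATIONALE = Chain("XSS", [Stage("F-2", "Stored XSS fires", 3)], impact="session_hijack",
                         rationale="", source="llm")

if __name__ == "__main__":
    for c in merge([RULE_CHAIN], [LLM_DUP, LLM_EXTRA, LLM_FAKE, LLM_NO_RATIONALE], KNOWN, OBSERVED):
        print(c.source, chain_severity(c), c.title)
```

Of the four LLM proposals only the superset chain survives: the duplicate loses to the rule chain, the one citing a non-existent finding fails stage validation, and the one with an empty rationale fails the rationale check. The surviving chain ends at account takeover, so its severity is the stage maximum plus one.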
Display
- Scan detail page: mindmap tab. Horizontal XMind-style layout, drill-down on click, drag to pan when the graph expands beyond the viewport.
- Executive report (PDF): one page per chain with its stages and consolidated impact.
- API: GET /api/scans/{id}/graph returns the chain list.
Reading a chain
Each chain has:
- Title: short path summary, e.g. Path traversal → SSH keys → lateral movement.
- Severity: the combined severity computed above.
- Combined impact: what an attacker holds at the end of the chain.
- Rationale: why the stages link, citing the triggering findings.
- Stages: ordered finding references with a per-stage impact.
See also
- Attack chains (user guide)
- Claude analysis
- Severity scale: how combined severity lands