Probable Attack Paths

Purpose

This deliverable models probable attacker progressions using only scan findings:

  • Vuln → Vuln chains (capability progression)

  • Asset → Asset pivots (hypotheses requiring assumptions)

It is designed to communicate “how an attacker could chain what we found” without claiming exploitation.

Output

  • Per scan: output/<scan_name>/attack-paths.html

Optional model artifact (written only when notifications.include_run_metadata: true):

  • output/<scan_name>/attack_paths.json

How to generate

miyabi-qualys-ai-triage-pack run --config config/config.yaml

Configuration

Enable/disable:

  • reports.attack_paths.enabled: true|false

UI options:

  • reports.attack_paths.ui.top_k_paths

  • reports.attack_paths.ui.max_paths_per_type

  • reports.attack_paths.ui.max_asset_hops

  • reports.attack_paths.ui.max_depth_nodes

  • reports.attack_paths.ui.max_evidence_chars

Optional redaction:

  • reports.attack_paths.redaction.enabled

  • reports.attack_paths.redaction.fields (e.g., ip, dns, fqdn, netbios)

Optional LLM narrative (guardrailed / JSON-only):

  • reports.attack_paths.llm.enabled

  • reports.attack_paths.llm.model

  • reports.attack_paths.llm.max_paths_for_llm

  • reports.attack_paths.llm.strict_json_only

Data sources (Qualys CSV fields)

Primary:

  • QID, Title, Severity, Category

  • evidence hints from Exploitability, Threat, Impact, Results, Instance

  • asset identifiers: FQDN/DNS/NetBIOS/IP
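How the configuration keys above and the CSV fields in this section combine into the model, as an added example that is not the project's own code: a toy builder that reads a constructed Qualys CSV subset, derives Vuln → Vuln chains per asset and Asset → Asset pivot hypotheses, applies the ui limits (top_k_paths, max_paths_per_type, max_asset_hops, max_depth_nodes, max_evidence_chars) and the redaction fields, and emits a JSON model. The stage ordering, keyword heuristics, scoring, JSON layout and assumption wording are assumptions made for the example; only the config key names and the CSV field names come from this page.

```python
# Added example, not the project's code: Qualys CSV rows -> the attack-path model. Stage
# heuristics, scoring and assumption text are assumptions; config keys and CSV fields follow the page.
import csv
import io
import json

# Constructed sample (not real scan data); a real export's report preamble is omitted.
SAMPLE_CSV = """IP,DNS,NetBIOS,QID,Title,Severity,Category,Exploitability,Threat,Impact,Results
10.0.0.5,web01.corp.example,WEB01,11111,Example RCE in web app,5,Web Application,Public exploit available,Remote code execution,Full control of host,Vulnerable version detected
10.0.0.5,web01.corp.example,WEB01,22222,Cleartext credentials in config,3,Information gathering,,Credential disclosure,Reuse of credentials,Found db password in config
10.0.0.9,db01.corp.example,DB01,33333,Database accepts remote logins,4,Database,,Authentication bypass,Data access,Remote login enabled
"""

# reports.attack_paths.* keys from the page; the values are assumed defaults.
CONFIG = {"enabled": True,
          "ui": {"top_k_paths": 5, "max_paths_per_type": 3, "max_asset_hops": 2,
                 "max_depth_nodes": 4, "max_evidence_chars": 40},
          "redaction": {"enabled": True, "fields": ["ip", "dns"]}}
STAGES = ("discovery", "initial_access", "credential_access")  # assumed capability order

def stage_of(row):  # keyword heuristic over Category/Threat/Impact (assumption)
    text = " ".join(row.get(k) or "" for k in ("Category", "Threat", "Impact")).lower()
    if "credential" in text or "password" in text:
        return "credential_access"
    if "code execution" in text or "authentication bypass" in text:
        return "initial_access"
    return "discovery"

def parse_findings(csv_text):  # evidence hints from Exploitability/Results/Instance
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hints = (row.get("Exploitability"), row.get("Results"), row.get("Instance"))
        findings.append({
            "asset": {"ip": row["IP"], "dns": row["DNS"], "netbios": row["NetBIOS"]},
            "qid": row["QID"], "severity": int(row["Severity"]), "stage": stage_of(row),
            "threat": row.get("Threat") or "", "evidence": " | ".join(h for h in hints if h),
        })
    return findings

def build_vuln_chains(findings, ui):
    """Vuln -> Vuln: per asset, findings ordered by stage, cut at max_depth_nodes."""
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f["asset"]["ip"], []).append(f)  # group on the raw IP
    chains = []
    for fs in by_asset.values():
        if len(fs) < 2:
            continue  # a single finding is not a progression
        nodes = sorted(fs, key=lambda f: (STAGES.index(f["stage"]), -f["severity"]))
        nodes = nodes[: ui["max_depth_nodes"]]
        chains.append({"type": "vuln_chain", "assets": [dict(nodes[0]["asset"])],
                       "score": max(f["severity"] for f in nodes),
                       "steps": [{"qid": f["qid"], "stage": f["stage"],
                                  "evidence": f["evidence"][: ui["max_evidence_chars"]]}
                                 for f in nodes]})
    return chains

def build_asset_pivots(findings, ui):
    """Asset -> Asset hypotheses: credential access on one asset -> auth-related finding elsewhere."""
    sources, targets = {}, {}
    for f in findings:
        if f["stage"] == "credential_access":
            sources.setdefault(f["asset"]["ip"], f)
        if "authentication" in f["threat"].lower() or "login" in f["evidence"].lower():
            targets.setdefault(f["asset"]["ip"], f)
    pivots = []
    def walk(path):  # depth-first, at most max_asset_hops hops, no revisits
        for tk, tf in targets.items():
            if tk in {k for k, _ in path}:
                continue
            new = path + [(tk, tf)]
            pivots.append({"type": "asset_pivot", "assets": [dict(f["asset"]) for _, f in new],
                           "via_qids": [f["qid"] for _, f in new],
                           "score": max(f["severity"] for _, f in new),
                           "assumption": "hypothesis: needs reachability and accepted credentials"})
            if len(new) <= ui["max_asset_hops"] and tk in sources:
                walk(new)
    for sk, sf in sources.items():
        walk([(sk, sf)])
    return pivots

def redact(model, red):
    """Blank the configured asset identifier fields (ip, dns, netbios)."""
    if red["enabled"]:
        for p in model["paths"]:
            p["assets"] = [{k: "[redacted]" if k in red["fields"] else v for k, v in a.items()}
                           for a in p["assets"]]
    return model

def build_model(csv_text, cfg):
    """Roughly what attack_paths.json holds for one scan (structure assumed)."""
    if not cfg["enabled"]:
        return {"paths": []}
    ui, top = cfg["ui"], (lambda ps, n: sorted(ps, key=lambda p: -p["score"])[:n])
    findings = parse_findings(csv_text)
    chains = top(build_vuln_chains(findings, ui), ui["max_paths_per_type"])
    pivots = top(build_asset_pivots(findings, ui), ui["max_paths_per_type"])
    return redact({"paths": top(chains + pivots, ui["top_k_paths"])}, cfg["redaction"])

if __name__ == "__main__":
    print(json.dumps(build_model(SAMPLE_CSV, CONFIG), indent=2))
```

Two design points carry over to any real implementation: grouping and pivot logic run on the raw identifiers and redaction is applied only to the finished model, so ip/dns/netbios never leak through intermediate keys; and every Asset → Asset entry carries its assumption text, so a reader of the JSON cannot mistake a pivot hypothesis for an observed path.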


Interpretation notes

  • Asset pivots are hypotheses, not observed paths: each one depends on an assumption (e.g., “if reachable and credentials permit”), and the report calls those assumptions out explicitly.

  • LLM output (when enabled) is narrative only. strict_json_only constrains the response format, not the accuracy of its content, and nothing in the narrative is proof of exploitation or attacker activity.