Map unknown territory into nodes and attacker moves. The tool finds the shortest path from a foothold to an existential asset — that path is the kill chain — and sizes each node into a remediation quantum.
Add / edit node
An asset, foothold, identity, or system in the estate.
Nodes
Add attacker move
A directed step: "from here, an attacker can reach there."
Lower effort = easier for the attacker. The kill chain is the lowest-effort path to a crown jewel.
Moves
Discovering the chain in unknown territory
What to ask and run to surface the edges you can't see yet. Each answer becomes a node or a move.
1 · Find the entry points (reachability)
What does the internet see? External scan / Shodan / attack-surface mapping → every internet-facing service is a candidate entry node.
App registrations with RoleManagement.ReadWrite.Directory, Mail.ReadWrite — OAuth consent edges.
4 · Find the crown jewels (existential nodes)
Ask the business, not IT: "what stops the company operating?" ERP, payment rails, OT control, the customer DB.
Backups & recovery — are they reachable from the estate they protect? If yes, that's an edge into your lifeboat.
5 · Map blast radius (the edges between)
Flat network? NTLM relay, lateral movement → dense edges, short chains.
Segmentation, least privilege, T0 isolation → sparse edges, long chains. Note where they're missing.
Anything you can't characterise (reachable? unknown) becomes a dark quantum — capture the node anyway and mark reachability/exploit "unknown". An uncharacterised asset is the dangerous kind.
Attack graph & kill chain
Legend: entry · crown jewel · on shortest chain (P0) · on a chain (P1) · off-chain (P2)
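The lowest-effort path and the P0/P1/P2 split described above, as an added example (not the tool's own code). The node names, effort values and the reading of "on a chain" as "lies on some entry-to-crown-jewel path" are assumptions; efforts are taken to be non-negative.

```python
import heapq

# Constructed sample estate (hypothetical names): (from, to, attacker effort).
MOVES = [("vpn", "helpdesk-pc", 2), ("web", "app-reg", 4),
         ("helpdesk-pc", "domain-admin", 3), ("app-reg", "domain-admin", 5),
         ("helpdesk-pc", "printer", 1),
         ("domain-admin", "erp", 1), ("domain-admin", "backup", 2)]
ENTRIES, CROWNS = {"vpn", "web"}, {"erp", "backup"}

def kill_chain(moves, entries, crowns):
    """Dijkstra from all entries at once; returns (effort, path) to the nearest crown jewel."""
    graph = {}
    for src, dst, effort in moves:
        graph.setdefault(src, []).append((dst, effort))
    best, prev = {e: 0 for e in entries}, {}
    heap = [(0, e) for e in sorted(entries)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue  # stale queue entry, a cheaper route was already found
        if node in crowns:
            path = [node]
            while path[-1] in prev:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        for nxt, effort in graph.get(node, []):
            if cost + effort < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = cost + effort, node
                heapq.heappush(heap, (cost + effort, nxt))
    return None, []  # no entry can reach a crown jewel

def reachable(starts, adjacency):
    """Every node reachable from `starts` by following `adjacency`."""
    seen, stack = set(starts), list(starts)
    while stack:
        for nxt in adjacency.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def prioritise(moves, entries, crowns):
    """P0 = on the shortest chain, P1 = on some entry-to-crown chain, P2 = off-chain."""
    fwd, rev = {}, {}
    for src, dst, _ in moves:
        fwd.setdefault(src, []).append(dst)
        rev.setdefault(dst, []).append(src)
    chain = kill_chain(moves, entries, crowns)[1]
    on_any = reachable(entries, fwd) & reachable(crowns, rev)
    nodes = set(fwd) | set(rev) | entries | crowns
    return {n: "P0" if n in chain else "P1" if n in on_any else "P2" for n in nodes}
```

In this sample the backup node lands in P1 because it is reachable from the estate it protects, while the printer is reachable but leads nowhere and falls to P2.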
Assessment
Remediation quanta
Sized by time-to-existential-impact, not CVSS.