Attack Chains are Cyver Core’s way of modelling how a real-world attacker might combine separate vulnerabilities and misconfigurations to reach a goal. Instead of looking at isolated findings, pentesters can build a sequence of steps – following the MITRE ATT&CK® framework – to show how adversaries move laterally through a target’s environment. The result is a narrative that makes risks concrete, clarifies root causes and helps clients prioritise mitigation.
What Are Attack Chains?
An Attack Chain is a graph-based model describing an adversary’s actions, mitigations and outcomes. Cyver Core allows you to assemble steps, evidence, and goals into a chain that mirrors the path an attacker would take. This is not a static diagram; it is generated from dynamic data in your project. You can customise severity, assign relevant MITRE ATT&CK tactics and techniques and map countermeasures for each step. Because the chains are created from your findings, they reflect the unique context of every pentest rather than generic examples.
Activate Attack Chains
Attack Chains are optional so you can tailor each project. To enable them:
- Add the Attack Chains tab to a project or template. Administrators turn the feature on in project settings or templates so that pentesters see the tab in their portal.
- Open the Attack Chains tab in the Pentester Portal. You’ll find an interface for creating scenarios and building chains.
Activating the tab makes Attack Chains available in the pentest project; the tab can be hidden again if you don’t need it.
Building Your First Attack Chain
Cyver Core guides you through creating a chain via a series of steps, each representing part of the attacker’s path.
1. Create scenarios
Begin by defining scenarios that separate distinct chains. For example, you might build one chain for gaining Domain Admin privileges and another for accessing payment data. Scenarios ensure clarity when multiple attack paths exist.
2. Add attack steps
Attack steps are the core of the chain. You can create a blank step (when modelling actions not directly tied to a specific finding) or link a step to an existing finding. Blank steps include fields for title, description, assets, severity, relevant MITRE ATT&CK tactics and techniques, related findings, mitigation links, the next step in the chain, supporting facts, a goal flag and a timestamp. When you link to a finding, the step pre-fills details such as the vulnerability title and allows you to specify how that finding fits into the chain (mitigations, next step, facts, goal and timestamp).
3. Add mitigation steps
After modelling attack steps, describe how defenders can disrupt the chain. Mitigation steps may be blank or linked to a finding. For blank steps, you specify a title, description, assets, MITRE ATT&CK mitigations, related findings, response actions, the next step, facts, goals and timestamp. Linking mitigations to a finding pulls the finding’s details and allows you to record the response, next step, goal and timestamp.
4. Add goals and facts
Finally, specify goals – the attacker’s high‑value objectives (title, description and assets) and facts – additional notes or observations that support the chain. Facts record details such as how an exploit was performed, what tool was used, or metadata about the environment. When creating a fact, you capture a title, description, assets, any mitigating findings, the next step and the goal it relates to. These details ensure that your chain tells a complete story.
Visualising Attack Chains
Cyver Core automatically converts your steps and links into an Attack Chain Diagram. The diagram shows each step as a node and draws arrows to illustrate how actions and mitigations connect. This visual representation makes it easy to communicate the attacker’s progression and the relationships between vulnerabilities and defences. Because it is built from the steps and relationships you define, the diagram accurately reflects the unique attack path for each project.
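The step-and-link structure described above can be reasoned about as a directed graph. The following is an added example, not Cyver Core's code or API: the `Step` field names and the sample chain are assumptions modelled on the fields listed earlier. It finds every path to a goal, the steps shared by all paths (where one mitigation breaks every chain), and a time-ordered step list.

```python
from dataclasses import dataclass, field

@dataclass
class Step:
    # Field names are assumptions based on the step fields listed on this page.
    title: str
    timestamp: str                      # ISO 8601 string, sorts chronologically
    next_steps: list = field(default_factory=list)
    mitigations: list = field(default_factory=list)
    is_goal: bool = False

# Constructed sample chain (not from a real engagement).
CHAIN = {
    "s1": Step("Default credentials on admin panel", "2024-03-04T09:10", ["s3"], ["Rotate default credentials"]),
    "s2": Step("Password reuse on VPN account", "2024-03-04T09:40", ["s3"], ["Enforce MFA"]),
    "s3": Step("Over-privileged service account", "2024-03-04T11:05", ["s4"], ["Apply least privilege"]),
    "s4": Step("Domain Admin obtained", "2024-03-04T13:30", is_goal=True),
}

def paths_to_goals(chain):
    """Return every path from an entry step (no predecessor) to a goal step."""
    targets = {n for s in chain.values() for n in s.next_steps}
    entries = [k for k in chain if k not in targets]
    paths = []
    def walk(key, seen):
        if key in seen:            # ignore cycles caused by mis-linked steps
            return
        seen = seen + [key]
        if chain[key].is_goal:
            paths.append(seen)
            return
        for nxt in chain[key].next_steps:
            if nxt in chain:       # skip dangling next-step references
                walk(nxt, seen)
    for e in entries:
        walk(e, [])
    return paths

def chokepoints(chain):
    """Non-goal steps on every path to a goal; mitigating one breaks all paths."""
    paths = paths_to_goals(chain)
    if not paths:
        return []
    common = set.intersection(*(set(p) for p in paths))
    return sorted(k for k in common if not chain[k].is_goal)

def timelog(chain):
    """Step keys in chronological order of their timestamps."""
    return [k for k, s in sorted(chain.items(), key=lambda kv: kv[1].timestamp)]
```

In the sample chain both entry points pass through `s3`, so its mitigation is the one that cuts every path to the goal.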

Attack Chain Report Tokens
Once you’ve built a chain, you can include it in your pentest report using Attack Chain report tokens. Tokens are placeholders that pull data from the chain directly into your report template, ensuring consistency and eliminating manual copy‑paste. The support article lists four tokens:
- Attack Chain Attack Steps – inserts a table that lists each attack step with its MITRE ATT&CK tactics, techniques and severity. This provides clients with a succinct summary of the attack path.
- Attack Chain Details – outputs a narrative summary of the chain, including the primary scenario and key tasks.
- Attack Chain Diagram – embeds the visual diagram into the report, allowing stakeholders to see the chain at a glance.
- Attack Chain Timelog – provides a chronological list of steps with timestamps, illustrating how the attack unfolds over time.
Each token has a dedicated syntax article explaining parameters and customisation options (sorting, filtering, etc.). By combining tokens with Cyver’s Dynamic Report Tokens feature, you can fully customise how chains appear in your final report, grouping or filtering steps to highlight the most important information.
Why Use Attack Chains?
- Highlight risk in context – Attack chains show how seemingly minor issues combine into a serious breach, making it easier for stakeholders to understand real‑world impact.
- Prioritise mitigations – Linking steps to findings and mitigations helps teams see where defences break and where to focus remediation efforts.
- Communicate clearly – Visual diagrams and narrative tokens make technical information accessible to non‑technical stakeholders, bridging the gap between pentesters and business leaders.
- Streamline reporting – With report tokens, attack chain data automatically populates your templates, eliminating manual work and ensuring accuracy.
Get Started
To experience Attack Chains:
- Enable the Attack Chains tab in your project or template settings.
- Open the tab from your Pentester Portal and build your first chain following the steps above.
- Insert report tokens into your report template to visualise the chain for clients.
Attack Chains combine dynamic modelling with automated reporting to tell a more compelling story about risk. They help your clients see what matters most and enable you to deliver a report that goes beyond isolated findings. Try them in your next project to reveal how attackers could chain vulnerabilities together – and demonstrate how to break those chains.

