Cloud Attack-Path Tooling
Graph-based reasoning for IAM escalation, reachable assets, and lateral movement — pmapper, CloudFox/FoxMapper, BloodHound, Cartography.
Privilege escalation is a graph traversal problem. An attacker does not need a direct path to admin — they need a connected chain of abusable relationships. Check-based tools test single permissions; graph tools find the chains. This is the BloodHound insight applied to the cloud.
The detection logic is encoded human knowledge, not re-derived. pmapper's 21 Rhino Security Labs escalation methods are encoded as graph edges. The traversal finds chains of these edges automatically. This is the expert's escalation playbook, automated.
A graph path is a hypothesis, not a confirmed exploit. The path is valid against configuration at ingest time. It requires live verification (with authorization) before acting. Treating a graph path as a confirmed exploit is a failure mode.
The tools are dual-use and governed by authorization. The same escalation-path output serves a defender (close the path) and an attacker (exploit the path). Building the graph against a target's config without authorization is an offense (Course 2A S00).