Module SDD-06 — Cloud Attack-Path Tooling

Cloud Attack-Path Tooling

Graph-based reasoning for IAM escalation, reachable assets, and lateral movement — pmapper, CloudFox/FoxMapper, BloodHound, Cartography.

45
minutes
8
artifacts
3
sub-sections
The tools that turn cloud configuration into a graph and answer the question check-based CSPMs cannot: what is the shortest chain of abusable permissions from a low-privilege principal to admin? pmapper encodes the 21 Rhino Security Labs escalation methods as graph edges; BloodHound brought the graph-abstraction insight from Active Directory to hybrid identity; Cartography maps multi-cloud asset relationships. The unique capability in the roster — and a study in how an agent harness consumes graph output to reason over escalation chains.
Key Claims
Load-Bearing Claims

Privilege escalation is a graph traversal problem. An attacker does not need a direct path to admin — they need a connected chain of abusable relationships. Check-based tools test single permissions; graph tools find the chains. This is the BloodHound insight applied to the cloud.

The detection logic is encoded human knowledge, not re-derived. pmapper's 21 Rhino Security Labs escalation methods are encoded as graph edges. The traversal finds chains of these edges automatically. This is the expert's escalation playbook, automated.

A graph path is a hypothesis, not a confirmed exploit. The path is valid against configuration at ingest time. It requires live verification (with authorization) before acting. Treating a graph path as a confirmed exploit is a failure mode.

The tools are dual-use and governed by authorization. The same escalation-path output serves a defender (close the path) and an attacker (exploit the path). Building the graph against a target's config without authorization is an offense (Course 2A S00).

After This Module
01
Frame cloud attack-path analysis as a graph traversal problem (nodes, edges, traversal).
02
Distinguish the canonical tools (pmapper, CloudFox/FoxMapper, BloodHound, Cartography) and when to reach for each.
03
Explain the 21 AWS IAM escalation methods as encoded graph edges and how traversal automates finding them.
04
Map how an agent harness (SDD-01/SDD-02) consumes attack-path output via a graph-query tool.
05
Score the category on the 12-module rubric (28/45) and identify the agent-query interface, continuous refresh, and cross-cloud federation as the build-on list.
Artifacts