Creating Attack Trees

Attack trees allow you to create complex, multi-stage security testing scenarios with conditional logic and branching.

Overview

Attack trees are advanced testing workflows that support:

  - Conditional execution
  - Parallel execution
  - Branching logic
  - Multi-stage attacks
  - Complex scenarios

Creating an Attack Tree

Step 1: Plan Your Attack Tree

Define:

  - Objective: What are you simulating?
  - Stages: What are the phases?
  - Conditions: What triggers each stage?
  - Branches: What are the alternatives?

Step 2: Create in Web UI

  1. Navigate to Attack Platform → Attack Trees
  2. Click Create Attack Tree
  3. Set name and description
  4. Add root node
  5. Add child nodes
  6. Configure conditions
  7. Test and save
📸 Screenshot: Attack tree builder

Attack Tree Structure

graph TD
    A[Root: Initial Access] --> B{Port 80 Open?}
    B -->|Yes| C[Web Exploitation]
    B -->|No| D[Try Port 443]
    C --> E[Privilege Escalation]
    D --> E
    E --> F[Lateral Movement]

Node Types

Action Nodes

Execute security testing modules:

  - Port scanning
  - Vulnerability scanning
  - Exploitation
  - Data collection

Condition Nodes

Branch based on results:

  - Port open/closed
  - Vulnerability found
  - Service detected
  - Authentication success

Parallel Nodes

Execute multiple paths simultaneously:

  - Scan multiple targets
  - Try multiple exploits
  - Gather different data

Example Attack Trees

Example 1: Web Application Attack

attack_tree:
  name: "Web App Compromise"

  nodes:
    - id: "recon"
      type: "action"
      module: "subdomain_enum"

    - id: "scan"
      type: "action"
      module: "web_scan"
      depends_on: "recon"

    - id: "check_vulns"
      type: "condition"
      condition: "vulnerabilities_found"
      depends_on: "scan"

    - id: "exploit"
      type: "action"
      module: "web_exploit"
      depends_on: "check_vulns"
      condition: "true"

Example 2: Network Penetration

attack_tree:
  name: "Network Penetration"

  nodes:
    - id: "discovery"
      type: "action"
      module: "host_discovery"

    - id: "port_scan"
      type: "parallel"
      children:
        - "tcp_scan"
        - "udp_scan"
      depends_on: "discovery"

    - id: "service_enum"
      type: "action"
      module: "service_detection"
      depends_on: "port_scan"

Best Practices

✅ Start Simple: Begin with basic trees
✅ Test Stages: Validate each node
✅ Document Logic: Explain conditions
✅ Handle Errors: Plan for failures
✅ Optimize: Reduce unnecessary steps

Troubleshooting

Tree Won't Execute

Check:

  - Node dependencies
  - Condition syntax
  - Module configuration
  - Target accessibility

Unexpected Branching

Review:

  - Condition logic
  - Node dependencies
  - Execution order
  - Logs
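
The node-dependency and execution-order checks listed under Troubleshooting can be run statically before a tree is executed. The following is an added example, not the platform's own code: `lint_tree` is a hypothetical helper, and it assumes the tree definition has already been parsed from YAML into a Python dict.

```python
# Added example (not the platform's code): lint a parsed attack-tree definition.
# Assumptions: the YAML is already loaded into a dict; depends_on is one id or a
# list of ids; an action node without a module counts as a finding. "children" of
# parallel nodes is not checked, because the page does not say whether those
# entries name nodes or modules.
from graphlib import CycleError, TopologicalSorter

NODE_TYPES = {"action", "condition", "parallel"}  # node types named on the page

def lint_tree(tree):
    """Return (problems, order): findings plus a dependency-respecting order."""
    problems, deps = [], {}
    for node in tree["attack_tree"]["nodes"]:
        nid = node.get("id")
        if not nid:
            problems.append("node without id")
            continue
        if nid in deps:
            problems.append(f"duplicate id: {nid}")
        if node.get("type") not in NODE_TYPES:
            problems.append(f"{nid}: unknown type {node.get('type')!r}")
        if node.get("type") == "action" and not node.get("module"):
            problems.append(f"{nid}: action node has no module")
        wanted = node.get("depends_on", [])
        deps[nid] = [wanted] if isinstance(wanted, str) else list(wanted)
    for nid, wanted in deps.items():
        for dep in wanted:
            if dep not in deps:
                problems.append(f"{nid}: depends_on unknown node {dep}")
    try:
        # Sort only over known ids so a typo is reported once, not as a phantom node.
        known = {n: [d for d in w if d in deps] for n, w in deps.items()}
        order = list(TopologicalSorter(known).static_order())
    except CycleError as exc:
        problems.append("dependency cycle: " + " -> ".join(exc.args[1]))
        order = []
    return problems, order

# Example 1 from this page, as the dict a YAML loader would produce.
WEB_APP = {"attack_tree": {"name": "Web App Compromise", "nodes": [
    {"id": "recon", "type": "action", "module": "subdomain_enum"},
    {"id": "scan", "type": "action", "module": "web_scan", "depends_on": "recon"},
    {"id": "check_vulns", "type": "condition", "condition": "vulnerabilities_found",
     "depends_on": "scan"},
    {"id": "exploit", "type": "action", "module": "web_exploit",
     "depends_on": "check_vulns", "condition": "true"},
]}}

if __name__ == "__main__":
    print(lint_tree(WEB_APP))
```

An empty `order` together with a "dependency cycle" finding explains a tree that never starts; an "unknown node" finding usually points to a mistyped `depends_on` value.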

