Applies to BloodHound Enterprise only

The Attack Paths page in BloodHound Enterprise provides a detailed view of the specific risks in your environment where a lower-privileged principal can gain access to a privileged asset. These risks are represented as findings, which include prioritization data such as exposure and impact metrics to help you focus remediation efforts where they matter most. The Attack Paths page combines two key views needed for prioritization:
  • Metatree visualization: An aggregate view of the graph for a selected environment and privilege zone. This view simplifies large volumes of nodes and edges into a compact visualization optimized for readability, showing bottlenecks and key exposure points at a glance.
  • Attack Paths data: An expandable list of Attack Paths showing a detailed finding description, severity, principals involved, impact, and remediation plan.

Findings

An Attack Path is a chain of abusable privileges and user behaviors that creates direct or indirect connections between principals. A finding represents specific principals and relationships between principals that can be abused to reach a privileged asset. This distinction matters in day-to-day work:
  • You remediate findings.
  • You track progress using both finding count and Attack Path count.
See Posture for more on tracking remediation progress over time.

Finding types

BloodHound Enterprise groups findings into types to help you separate structural access risks from principal-level configuration risks.

List-based finding

A finding for a specific principal where the vulnerability relates to the principal itself, such as a misconfiguration. Because the issue lies with the principal rather than with a path to it, list-based findings do not necessarily have an exposure metric, but they do have an impact metric.

Relationship-based finding

A finding for a pair of principals—a target that is privileged (such as belonging to Tier Zero) and a source/origin that is not—that can be compromised by one or more connections between principals. Each relationship-based finding may be composed of one or many individual Attack Paths. A relationship-based finding can have an exposure metric and an impact metric.

Hygiene

A tier-agnostic finding that identifies issues not tied to a specific privilege tier. Like list-based findings, hygiene findings relate to specific principals and do not have an exposure metric. They do, however, have an impact metric that quantifies the potential blast radius if the finding is abused. Examples include dangerous edges originating from broadly populated default groups. Hygiene findings are displayed separately in a dedicated filter view on the Attack Paths and Posture pages.

Exposure and impact

Each finding includes exposure and impact metrics. Use these metrics together when prioritizing remediation efforts. Findings with high exposure and high impact are typically the highest-priority remediation targets.

Exposure

A risk measurement that quantifies the extent to which principals can reach a privileged asset through one or more Attack Paths. It encompasses both principals with one-step paths (UserA -[ForceChangePassword]-> TierZero) and principals with multi-step paths (UserA -[ForceChangePassword]-> UserB -[GenericAll]-> TierZero). Exposure is measured in two ways:
  • Exposure count—The number of principals that can reach a privileged asset through one or more Attack Paths.
  • Exposure percentage—The percentage of principals in an environment that have at least one Attack Path to a privileged asset.
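As an added illustration of the exposure metric above and of the finding-versus-Attack-Path distinction under Findings (example code, not BloodHound Enterprise's analysis engine or API): a toy graph walk that enumerates every Attack Path from each non-privileged principal into Tier Zero, groups them into relationship-based findings, and derives exposure count and percentage. The graph, the Tier Zero membership and the principal names are constructed for the example; only the edge names follow the page's notation.

```python
from collections import defaultdict

# Constructed toy graph, not BloodHound output: principal -> list of (edge, principal).
# Edge names reuse the page's notation (ForceChangePassword, GenericAll, MemberOf).
GRAPH = {
    "UserA": [("ForceChangePassword", "UserB"), ("MemberOf", "HelpDesk")],
    "HelpDesk": [("ForceChangePassword", "UserB")],
    "UserB": [("GenericAll", "DomainAdmins")],
    "UserC": [("GenericWrite", "UserD")],
    "UserD": [],
    "DomainAdmins": [],
}
TIER_ZERO = {"DomainAdmins"}  # assumed Tier Zero membership (the privileged asset)

def attack_paths(graph, source, tier_zero):
    """All simple paths from source into Tier Zero, as lists of (node, edge, node) hops."""
    paths = []

    def walk(node, visited, trail):
        for edge, nxt in graph.get(node, []):
            if nxt in tier_zero:
                paths.append(trail + [(node, edge, nxt)])
            elif nxt not in visited:  # never traverse the same principal twice
                walk(nxt, visited | {nxt}, trail + [(node, edge, nxt)])

    walk(source, {source}, [])
    return paths

def findings(graph, tier_zero):
    """Relationship-based findings: {(source, target): [Attack Paths]} for every
    non-privileged source with at least one path to a Tier Zero target."""
    result = defaultdict(list)
    for source in graph:
        if source not in tier_zero:
            for path in attack_paths(graph, source, tier_zero):
                result[(source, path[-1][2])].append(path)
    return dict(result)

def exposure(graph, tier_zero):
    """Exposure count and percentage over the non-privileged principals."""
    candidates = [p for p in graph if p not in tier_zero]
    exposed = {source for source, _ in findings(graph, tier_zero)}
    return len(exposed), round(100 * len(exposed) / len(candidates), 1)

def sever(graph, source, edge, target):
    """Remediation: a copy of the graph with one abusable edge removed."""
    return {n: [e for e in edges if not (n == source and e == (edge, target))]
            for n, edges in graph.items()}
```

In this graph, severing UserA's ForceChangePassword edge removes one Attack Path but leaves the (UserA, DomainAdmins) finding open through HelpDesk; only severing UserB's GenericAll edge closes all three findings at once, which is why both counts are worth tracking.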

Impact

A risk measurement that quantifies the potential blast radius if a finding is abused. Impact complements exposure: where exposure measures how many principals can reach a privileged asset through one or more Attack Paths (as both count and percentage), impact measures how much of the environment could be compromised once the finding is abused. Impact is measured in two ways:
  • Impact count—The number of principals that could be compromised through an Attack Path.
  • Impact percentage—The percentage of the environment that could be impacted by a specific identity vulnerability.
Together, these metrics help organizations prioritize remediation by understanding which Attack Paths pose the greatest risk.

Analysis process

BloodHound Enterprise’s analysis process includes several key steps that work together to surface findings and prioritize risk.

Metatree analysis

BloodHound Enterprise generates one metatree per environment, such as an Active Directory domain or Azure tenant. The metatree compresses complex graph relationships into a compact model so you can quickly spot where many risky paths converge.
Exposure and impact metrics are calculated from this analysis and surfaced with findings.

Edges and zone boundaries

Attack Path analysis is edge-driven. BloodHound evaluates how traversable relationships (edges) connect principals across privilege boundaries. This includes boundaries between Tier Zero and user-defined Privilege Zones. A path that crosses zones can represent a stepping stone into higher-privilege assets, which is why zone-specific findings can differ in severity and priority.

Post-processing

BloodHound does not rely only on directly collected relationships. During post-processing, it derives additional relationships that are relevant to Attack Path analysis. One result is a complex edge: a derived relationship between two nodes that represents multiple underlying privileges or behaviors working together. BloodHound uses complex edges to show Attack Paths that are not visible from any single relationship alone. Some attack techniques require a combination of permissions before they can be abused; DCSync, for example, requires a combination of permissions that, when held together, create an abusable path. BloodHound models this combination as the DCSync complex edge, which lets it surface Attack Paths that would otherwise be invisible if analysis relied only on directly collected relationships.
BloodHound creates the following edges during post-processing:

Remediation

After reviewing findings on the Attack Paths page, you can:
  • Remediate to sever the edges that create the risk and improve your environment’s security posture.
  • Accept when risk is known and temporarily tolerated.
For acceptance workflow steps, see Risk Acceptance. To track remediation progress over time, see Posture.