What is an attack path in VeilScan?

An attack path is a step-by-step chain showing how an attacker could exploit multiple related findings to achieve a meaningful impact — credential theft, data breach, or full system access. VeilScan identifies when individual findings chain together and presents the combined risk as a narrative with the estimated business impact at the end of the chain.

Do all scans include attack path analysis?

Attack path analysis is included in all paid plan reports where multiple related verified findings exist. If a scan produces only isolated, unrelated findings, no attack paths are constructed. Attack paths are only shown when chaining is meaningful — when two or more findings combine to increase the overall exploitability beyond what each finding represents individually.

How is attack path analysis different from just listing vulnerabilities?

A finding list tells you what individual issues exist. An attack path tells you what an attacker can actually do with them. A single open RDP port might be a Medium finding. Combined with a credential exposure finding, it becomes an attack path that ends in full system access — a Critical business risk. Attack path analysis surfaces that combined risk rather than leaving you to infer it.

Feature

Attack Path Analysis: See How Findings Chain into Breach Scenarios

Quick Answer: VeilScan's attack path analysis identifies when multiple verified findings chain together into a realistic breach scenario. Instead of showing isolated vulnerabilities, it constructs a step-by-step narrative: initial access point, progression steps, and estimated business impact. This tells you which combination of findings is highest priority — not just which finding has the highest CVSS score.

Why does an individual CVSS score miss the full picture?

Standard vulnerability scanning assigns each finding a severity score — Critical, High, Medium, Low — based on the individual vulnerability in isolation. A CVSS score of 5.0 (Medium) might seem safe to defer. But in the context of your specific infrastructure, that Medium finding might be the final step in a chain that starts with a credential exposure discovered elsewhere and ends with database access.

Treating findings as independent misses the attacker's perspective. Attackers chain vulnerabilities. They use a subdomain takeover to establish a trusted position, then use that position to intercept authentication tokens, then use those tokens to access internal APIs. The individual CVSS scores would not reveal this risk — the attack path does.

How does VeilScan construct attack paths?

After the scan pipeline verifies individual findings, VeilScan analyzes whether any findings share an asset, a data flow, or a logical sequence that would allow an attacker to use one as a stepping stone to another. When a meaningful chain exists, VeilScan constructs an attack path:

Initial access vector — the first external entry point: an open port, a credential exposure, an exposed admin panel
Progression steps — the intermediate steps an attacker would take using subsequent findings in the chain
End impact — the estimated outcome: data exposure, account takeover, lateral movement, ransomware deployment
Business context — what the end impact means for the business: customer data at risk, regulatory exposure, service availability

What does an attack path look like in a report?

In your VeilScan dashboard, attack paths are shown in a dedicated section separate from the individual finding list. Each path includes:

A narrative description of the full chain in plain language
The individual findings involved, linked to their proof evidence
The sequence of steps an attacker would follow
The estimated business impact and Business Impact Score for the chain as a whole

In the PDF report, attack paths include a visual diagram showing the chain with arrows connecting each step to the next. This format is designed for board-level presentations and compliance discussions where technical finding lists are not appropriate.

How does attack path analysis help with remediation prioritisation?

When remediation resources are limited, you need to know which findings to fix first. Attack path analysis answers this by identifying the most dangerous chains. Fixing the first link in a chain — the initial access vector — breaks the entire path. Sometimes a single Medium fix eliminates a Critical attack path.

VeilScan's attack paths include remediation prioritisation guidance: which finding in the chain, if fixed, eliminates the highest risk. This is particularly useful for engineering teams balancing security work against product roadmap.

See: What is an Attack Path? · What Is Attack Path Analysis? · Business Impact Score feature

What are the most common questions?

Is attack path analysis available on the free plan?

Attack path analysis is available on paid plans only. The free plan shows individual Medium and Low findings. If your scan produces attack paths, a summary of the number of attack paths detected is shown but the full chains are locked until you upgrade. See all plans.

What if my scan has no attack paths?

If no chaining relationship exists between your findings, no attack paths are shown. This is not a failure — it means your findings are isolated issues rather than connected chains. Isolated findings are still prioritised by Business Impact Score and remediation guidance is still provided.

Does attack path analysis work for all vulnerability types?

Attack paths are constructed when findings logically chain — for example, a credential exposure and an open authenticated service, or a subdomain takeover and an authentication redirect. Not all vulnerability types chain. The analysis is applied automatically and conservatively — paths are only shown when the chain is realistic, not theoretical.

See your attack paths. Upgrade to a paid plan to unlock attack path analysis for your domain. View plans → · Back to all features