Skip to content

[18] Advanced correlation with attack graphs #47

Description

@rfunix

Problem

`correlate_findings` has only 6 hardcoded attack chains. No graph-based path analysis from initial access to full compromise.

Implementation Steps

  1. Read `src/tengu/tools/analysis/correlate.py` — understand current 6 chains
  2. Create `src/tengu/resources/data/attack_chains.json` with 50+ chains mapped from MITRE ATT&CK:
    • Each chain: `{id, name, techniques, prerequisites, impact}`
  3. Create `src/tengu/analysis/attack_graph.py`:
    • Graph data structure: nodes=findings, edges=causal relationships
    • Path finding: identify complete attack chains from initial access to impact
    • Cumulative risk scoring along each path
    • Optionally use Anthropic embeddings for semantic similarity between findings and technique descriptions
  4. Update `correlate_findings` to use the attack graph engine

Files to Modify

  • New: `src/tengu/analysis/attack_graph.py`
  • New: `src/tengu/resources/data/attack_chains.json`
  • `src/tengu/tools/analysis/correlate.py`

Dependencies

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:agentLangGraph agent and autonomyarea:toolsPentesting tools wrapperseffort:XLExtra-large effort (> 4 weeks)priority:P2Normal priority

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions