Problem
`correlate_findings` has only 6 hardcoded attack chains. No graph-based path analysis from initial access to full compromise.
Implementation Steps
- Read `src/tengu/tools/analysis/correlate.py` — understand current 6 chains
- Create `src/tengu/resources/data/attack_chains.json` with 50+ chains mapped from MITRE ATT&CK:
- Each chain: `{id, name, techniques, prerequisites, impact}`
- Create `src/tengu/analysis/attack_graph.py`:
- Graph data structure: nodes=findings, edges=causal relationships
- Path finding: identify complete attack chains from initial access to impact
- Cumulative risk scoring along each path
- Optionally use Anthropic embeddings for semantic similarity between findings and technique descriptions
- Update `correlate_findings` to use the attack graph engine
Files to Modify
- New: `src/tengu/analysis/attack_graph.py`
- New: `src/tengu/resources/data/attack_chains.json`
- `src/tengu/tools/analysis/correlate.py`
Dependencies
Problem
`correlate_findings` has only 6 hardcoded attack chains. No graph-based path analysis from initial access to full compromise.
Implementation Steps
Files to Modify
Dependencies