Attack-Path Graph
A list of findings is not an attack. Attackers chain them: a low-severity leak feeds a misconfiguration that enables a critical RCE. A flat table hides that story — the graph tells it, anchored to evidence.
/spectra-attack-path
Nodes → exploitation primitives → impact. Labelled edges. Blue detection overlay: which technique was seen, which was missed.
Evidence over assumption
Every finding node carries its evidence references, resolved against the registry. A finding whose references do not resolve is marked unverified — surfaced, never silently trusted.
Honest measurement
With a Duel ledger, edges are labelled detected or missed from Blue telemetry only — never from prior knowledge of the Red plan. Missed techniques are the detection-gap backlog.
Modeling only
It MODELS authorized attack paths from recorded results. It never connects to a target, never executes anything, never modifies a host. Read-only over engagement artifacts.
A path without resolved evidence is a hypothesis
A finding reaches integrity_verified only when its references resolve against the evidence registry AND the registry integrity is VERIFIED. Everything weaker is flagged in the report.
Chronicle for reporting, Referee to credit chained Red outcomes and quantify detection coverage, Specter for rapid impact framing. The graph is a serializable artifact (spectra.attack-path/v1) plus a Mermaid render for the report.