SPECTRA FIELD MANUAL
EVIDENCE-ANCHORED · spectra-attack-path

Attack-Path Graph

A list of findings is not an attack. Attackers chain them: a low-severity leak feeds a misconfiguration that enables a critical RCE. A flat table hides that story — the graph tells it, anchored to evidence.

/spectra-attack-path
[Diagram: ENTRY (Attacker) → FINDING · LOW (Info leak, detected) → FINDING · MED (Misconfig, missed) → IMPACT (RCE, critical)]

Nodes → exploitation primitives → impact. Labelled edges. Blue detection overlay: which technique was seen, which was missed.

THREE PRINCIPLES

Evidence over assumption

Every finding node carries its evidence references, resolved against the registry. A finding whose references do not resolve is marked unverified — surfaced, never silently trusted.

Honest measurement

With a Duel ledger, edges are labelled detected or missed from Blue telemetry only — never from prior knowledge of the Red plan. Missed techniques are the detection-gap backlog.

Modeling only

spectra-attack-path MODELS authorized attack paths from recorded results. It never connects to a target, never executes anything, never modifies a host. It is read-only over engagement artifacts.

EVIDENCE STATE

A path without resolved evidence is a hypothesis

no_reference · referenced_unresolved · resolved_unverified · integrity_verified

A finding reaches integrity_verified only when its references resolve against the evidence registry AND the registry integrity is VERIFIED. Everything weaker is flagged in the report.
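
The evidence-state rule above, worked through as an added example (this is not SPECTRA's own code). The field names, the registry layout, the sample findings, and the choices that one dangling reference keeps a finding unresolved and that a path takes the state of its weakest finding are all assumptions made for illustration.

```python
from enum import IntEnum

class EvidenceState(IntEnum):
    # Ordered weakest to strongest, using the four state names from the page.
    no_reference = 0
    referenced_unresolved = 1
    resolved_unverified = 2
    integrity_verified = 3

def classify(finding, registry):
    """Return the evidence state of one finding against the registry."""
    refs = finding.get("evidence_refs", [])
    if not refs:
        return EvidenceState.no_reference
    # Assumption: a single dangling reference keeps the finding unresolved.
    if any(ref not in registry["entries"] for ref in refs):
        return EvidenceState.referenced_unresolved
    # References resolve, but the registry itself must also be VERIFIED.
    if registry.get("integrity") != "VERIFIED":
        return EvidenceState.resolved_unverified
    return EvidenceState.integrity_verified

def assess_path(findings, registry):
    """Classify every finding; assumption: a path is as strong as its weakest node."""
    states = {f["id"]: classify(f, registry) for f in findings}
    weakest = min(states.values(), default=EvidenceState.no_reference)
    # Everything weaker than integrity_verified is flagged for the report.
    flagged = sorted(fid for fid, s in states.items()
                     if s < EvidenceState.integrity_verified)
    return {"states": states, "path_state": weakest, "flagged": flagged}

# Constructed sample data (hypothetical field names, not the spectra schema).
REGISTRY = {"integrity": "VERIFIED", "entries": {"ev-001": {}, "ev-002": {}}}
FINDINGS = [
    {"id": "info-leak", "severity": "low", "evidence_refs": ["ev-001"]},
    {"id": "misconfig", "severity": "med", "evidence_refs": ["ev-002", "ev-404"]},
    {"id": "rce", "severity": "critical", "evidence_refs": []},
]

if __name__ == "__main__":
    result = assess_path(FINDINGS, REGISTRY)
    for fid, state in result["states"].items():
        print(f"{fid:10s} {state.name}")
    print("path:", result["path_state"].name, "flagged:", result["flagged"])
```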

CONSUMED BY

Chronicle for reporting, Referee to credit chained Red outcomes and quantify detection coverage, Specter for rapid impact framing. The graph is a serializable artifact (spectra.attack-path/v1) plus a Mermaid render for the report.