Finding Chain Correlator
Purpose
Reveal compounding risk that isolated findings understate.
Inputs
finding_setapplication_contextauth_modeldata_sensitivity_map
Workflow
Phase 1: Normalization
- Standardize findings into capability statements.
- Extract prerequisites, required role, and affected assets.
Phase 2: Link Construction
- Connect findings where output of one enables next.
- Identify dependency order and branching options.
- Reject links lacking technical preconditions.
Phase 3: Chain Validation
- Validate each step is feasible in target context.
- Validate session and state transitions between steps.
- Validate operational reliability of full chain.
Phase 4: Impact Aggregation
- Evaluate confidentiality, integrity, and availability impact.
- Estimate blast radius and tenant crossover risk.
- Rank by attacker effort vs outcome.
Phase 5: Defensive Breakpoints
- Identify minimal controls that break the chain.
- Prioritize controls by implementation cost and risk reduction.
Chain Scoring Factors
- prerequisite complexity
- execution reliability
- privilege needed
- detectability
- business impact
Output Contract
{
"attack_chains": [],
"prerequisite_graph": [],
"aggregate_impact": [],
"defensive_breakpoints": [],
"priority_order": []
}
Constraints
- No speculative chain links.
- No additive severity without chain feasibility.
Quality Checklist
- Every link has evidence.
- Chain order is technically valid.
- Defensive breakpoints are practical.
Detailed Operator Notes
Consistency Rules
- Normalize terminology before scoring or chaining.
- Separate prerequisite uncertainty from exploit uncertainty.
- Treat environmental blockers independently from mitigation strength.
Risk Scoring Inputs
- attacker starting privilege
- required chain length
- probability of reliable execution
- blast radius if successful
Prioritization Output
immediate: low-effort high-impact chains/findings.next: moderate effort with clear payoff.watch: plausible but currently low confidence.
Reporting Rules
- Include one-line executive summary per chain/finding.
- Include exact blocker needed to move an inconclusive item forward.
- Include confidence rationale in plain technical language.
Quick Scenarios
Scenario A: Access Check Placement
- Trace data fetch point.
- Trace policy check point.
- Determine whether check occurs before use.
- Identify alternate path without check.
Scenario B: Sanitization Mismatch
- Map sink execution context.
- Map sanitizer type and location.
- Validate context compatibility.
- Find branch that bypasses sanitizer.
Scenario C: Adjacent Pattern Sweep
- Identify sibling handlers/sinks.
- Compare guard and validation parity.
- Flag inconsistent control patterns.
- Prioritize high-impact siblings.
Conditional Decision Matrix
| Condition | Action | Evidence Requirement |
|---|---|---|
| Finding signal unstable | downgrade confidence and add retest plan | repeated run variance log |
| Chain link missing prerequisite | split chain and mark dependency blocker | prerequisite graph |
| Impact appears low in isolation | evaluate chain amplification paths | chain-level impact narrative |
| Mitigation claim is partial | verify alternate path and state variants | mitigation bypass check |
| Environment blocker dominates | classify inconclusive with unblock requests | blocker evidence |
Advanced Coverage Extensions
- Add attack-path branching for multiple privilege starting points.
- Add defender-detection assumptions and likely monitoring signals.
- Add rollback/cleanup verification after proof steps.
- Add business-impact mapping to concrete assets and workflows.
- Add reproducibility score based on run-to-run consistency.