Skip to content

keit-devsecops/azure-attack-path-visualizer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 

Repository files navigation

PathFinder — Azure Identity Attack Path Visualizer

Designed & Built by Tory Keit — Systems IT Architect Lead

An interactive tool that computes and visualizes how ordinary, individually-harmless permissions chain together into an attack path an adversary can walk from a compromised identity to sensitive data.

Live demo: https://ashy-wave-052dac30f.7.azurestaticapps.net


The Problem

Over 80% of cloud breaches trace back to compromised credentials and misconfiguration — not zero-day exploits. The damage rarely comes from a single bad permission. It comes from combinations: an over-permissioned identity, a trust relationship, and a reachable resource that together form a path to impact, without exploiting any vulnerability.

Most security tooling stops at listing findings — "here are 500 things wrong." What defenders actually need is to understand reachability: which combination of permissions creates a viable path to something that matters. This is the direction the industry is moving (attack-path / reachability analysis), and it's exactly what PathFinder demonstrates.

What It Does

  • Renders a modeled Azure identity environment as a clear, labeled diagram (Identities → Roles / Permissions → Resources).
  • Lets you pick a compromised entry point and a sensitive target, then computes the attack path between them using a real graph path-finding algorithm.
  • Animates the breach path hop-by-hop and explains each step in plain language.
  • Lets you edit permissions — add or remove a permission and watch a safe target become reachable, or an attack path break. This is the core lesson made interactive.
  • Surfaces a plain-language verdict ("A compromised Dev User can reach customer-data in 5 steps — no vulnerability required").

The Engineering (What's Real)

  • Graph model & path-finding: a real depth-first search with cycle detection over a directed permission graph, decoupled from the rendering layer. This is genuine graph theory, not a scripted animation.
  • RBAC-accurate modeling: the permission chains reflect how real Azure privilege escalation works (e.g., a Contributor role that can self-assign Key Vault access, secrets that unlock storage).
  • Path scoring: ranks paths by length and target sensitivity to surface the most dangerous route first.

Honesty Line (What's Modeled)

This tool is a simulation. It runs on a sample modeled environment with example identities and resources — it is not connected to any real Azure tenant and uses no live data. What is real is the engine: the same path-finding logic shown here is how attack-path analysis works in production, where it would run continuously against live identity data from Azure Resource Graph and Microsoft Entra ID.

Architecture

  • Pure client-side — HTML, CSS, and vanilla JavaScript. All computation and rendering run in the browser.
  • Zero backend — hosted as an Azure Static Web App on the Free tier. The heavy lifting (graph traversal) happens on the client, so it runs at zero infrastructure cost.
  • Responsive — desktop and mobile layouts, since most traffic is mobile.

Part of a Portfolio Arc

PathFinder is the third project in a cloud identity-exposure and security architecture portfolio:

  1. ShieldInbound — application-layer security (adversarial prompt guardrail engine)
  2. Secure Azure Landing Zone — secure infrastructure as code (Terraform)
  3. PathFinder — identity attack-path / reachability analysis

Modeled environment. Real path-finding engine. Runs on Azure free-tier infrastructure.

About

Interactive Azure identity attack-path visualizer — computes how chained permissions reach sensitive data. Real path-finding engine, runs on Azure free tier.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages