Every hop answers one question
Enablement chains, not a heap
Findings are linked by real keys: an internet-reachable exploit on a host, a credential that bridges endpoint to cloud, a standing cloud admin key, then the data. Every hop answers “how does the attacker advance?”
Staged on the kill chain
Each route is ordered by role: entry point → credential bridge → privilege escalation → impact. You read the whole story top to bottom instead of guessing which criticals connect.
Context amplifies, never a hop
Hygiene and detection gaps — no backups, logging switched off — make a path worse, so they’re surfaced as context that amplifies the route. They’re never counted as a step an attacker takes.
KEV-aware routing
Any route that chains a CISA Known Exploited Vulnerability is flagged, so a path built on something attackers are using in the wild jumps the queue.