I get your point, but I think pentesters are perfectly capable of thinking in graphs, including in web security. Bug chains are the immediate example, where a couple of CVSS 4-7 vulns can be turned into a full RCE/whatever 9.8 equivalent. This bug chaining fundamentally occurs via elements of compromise, i.e. a graph traversal.
BloodHound is great, and a nice visual tool for people to conceptualise attack graphs, but it's just a part of the process of understanding the target domain from an attacker's perspective. No nice tool like BloodHound exists for web pentesting because a chain of compromise can't simply be reduced into tool form there: a chain is often specific to the app and not to an underlying framework, unlike AD, where the security boundaries are well(ish) understood and codified.
Pentest reports include stuff like SMB signing and "don't admin everything with your DA account" because they are glowing hot nodes very early in a chain of compromise, meaning that is often how stuff gets popped IRL. It's (hopefully) not that the pentester doesn't understand graph thinking, it's just that the first node in the graph represents effectively complete compromise, so why traverse?
Apart from Bloodhound, I can't think of any tools where we have graphs.
For web security, I can't think of anything where "graph thinking" applies. But we have a pretty huge list of attacks to test: https://portswigger.net/web-security/all-topics.
And ultimately, what is inside your pentest report? Not a graph, a list of things to do:
- SMB signing.
- Don't use the domain admin to manage every machine.
- ...
The main reason this phrase is so popular is that it panders to the hacker community: "We are the smart guys; all the defenders do is Excel sheets."
IMHO, the nugget of truth in this is that defenders can spend considerable amounts of time on things that don't matter, like doing CIS benchmarks by hand on all servers, while missing the low-hanging fruit that would give them a strong security posture.
In a lot of companies, the defenders are just sysadmins that don't have any idea of what they should focus on.
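Both comments above circle the same point: the pentester walks a graph (a BloodHound-style attack path), the report hands the defender a list (SMB signing, stop using the DA account everywhere), and the defender often has no idea which list item to do first. The following is an added example, not code from the thread or from BloodHound, showing how the two views connect: a small constructed attack graph, a breadth-first search for the shortest path to Domain Admins, enumeration of every simple path, and a ranking of report-style remediations by how many paths each one cuts. All node names, edge labels and the "SmbRelayTo" relationship are invented for the illustration; the other relationship names only loosely follow BloodHound's vocabulary.

```python
from collections import defaultdict, deque

# Constructed sample attack graph (invented data, not a real environment).
# Edge = (source, relationship, target). MemberOf/AdminTo/HasSession loosely
# follow BloodHound naming; "SmbRelayTo" is a made-up label standing in for
# "this host does not require SMB signing".
EDGES = [
    ("user:alice", "MemberOf", "group:Helpdesk"),
    ("user:carol", "MemberOf", "group:Helpdesk"),
    ("group:Helpdesk", "AdminTo", "host:WS01"),
    ("group:Helpdesk", "AdminTo", "host:WS02"),
    ("host:WS01", "HasSession", "user:da_bob"),       # DA account used on workstations
    ("host:WS02", "HasSession", "user:da_bob"),
    ("host:WS02", "HasSession", "user:svc_backup"),
    ("user:da_bob", "MemberOf", "group:Domain Admins"),
    ("user:svc_backup", "MemberOf", "group:Backup Operators"),
    ("user:alice", "SmbRelayTo", "host:FS01"),
    ("host:FS01", "HasSession", "user:da_bob"),
]


def build_adjacency(edges):
    """Map each source node to its outgoing (relationship, target) pairs."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def shortest_path(edges, start, target):
    """Breadth-first search: returns the node list of one shortest path,
    or None when the target is unreachable from start."""
    adj = build_adjacency(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for _, nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def all_simple_paths(edges, start, target):
    """Depth-first enumeration of every simple path start -> target.
    Fine for a report-sized graph; a real domain needs a graph database."""
    adj = build_adjacency(edges)
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for _, nxt in adj[node]:
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                walk(nxt, visited, path)
                path.pop()
                visited.remove(nxt)

    walk(start, {start}, [start])
    return paths


def direct_members(edges, group):
    """Principals that are direct members of a group."""
    return {src for src, rel, dst in edges if rel == "MemberOf" and dst == group}


def rank_remediations(edges, start, target, remediations):
    """Each remediation is a predicate naming the edges it deletes.
    Returns (name, paths_remaining), most effective fix first."""
    scored = []
    for name, removes in remediations.items():
        kept = [e for e in edges if not removes(e)]
        scored.append((name, len(all_simple_paths(kept, start, target))))
    return sorted(scored, key=lambda item: item[1])


# The pentest report's "list" expressed as edge deletions on the graph.
TARGET = "group:Domain Admins"
REMEDIATIONS = {
    "Require SMB signing": lambda e: e[1] == "SmbRelayTo",
    "Stop logging on to workstations with DA accounts":
        lambda e: e[1] == "HasSession" and e[2] in direct_members(EDGES, TARGET),
    "Remove Helpdesk local admin rights":
        lambda e: e[1] == "AdminTo" and e[0] == "group:Helpdesk",
}

if __name__ == "__main__":
    print("shortest:", " -> ".join(shortest_path(EDGES, "user:alice", TARGET)))
    print("paths from alice to DA:", len(all_simple_paths(EDGES, "user:alice", TARGET)))
    for name, remaining in rank_remediations(EDGES, "user:alice", TARGET, REMEDIATIONS):
        print(f"{remaining} path(s) left after: {name}")
```

On this constructed graph the ranking reproduces the reply's point about "glowing hot nodes": cutting the DA account's workstation sessions removes every path, while SMB signing alone leaves two, so the same list item can be the most or least urgent depending on where it sits in the graph, which is exactly the information a bare list loses.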