
I get your point but I think pentesters are perfectly capable of thinking in graphs, including web security. Bug chains are the immediate example, where a couple of CVSS 4-7 vulns can be turned into a full RCE/whatever 9.8 equivalent. This bug chaining fundamentally occurs via elements of compromise, i.e. a graph traversal.

BloodHound is great, and a nice visual tool for people to conceptualise attack graphs, but it’s just a part of the process of understanding the target domain from an attacker’s perspective. No nice tool like BloodHound exists for web pentesting because a chain of compromise can’t simply be reduced into tool form there, because a chain is often specific to the app and not an underlying framework, unlike AD where the security boundaries are well(ish) understood and codified.

Pentest reports include stuff like SMB signing and “don’t admin everything with your DA account” because they are glowing hot nodes very early in a chain of compromise, meaning that is often how stuff gets popped IRL. It’s (hopefully) not that the pentester doesn’t understand graph thinking, it’s just that the first node in the graph represents effectively complete compromise, so why traverse?
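The chain-of-compromise idea in the comment above, as an added example that is not from the original post and not BloodHound's code: a small attack graph over constructed findings (the two named in the comment, SMB signing and a DA account used for everyday admin, plus hypothetical web findings with made-up CVSS scores), searched for every chain from a network foothold to domain admin and then ranked for the nodes that sit on the most chains. Every node name, edge and score is an assumption for illustration only.

```python
"""Attack-graph traversal over a constructed set of pentest findings.

A directed edge A -> B means "having A lets the attacker obtain B".
The graph, the finding names and the CVSS scores are constructed for
this example; they are not real assessment data.
"""
from collections import Counter, deque

# Constructed sample graph: finding -> findings it enables.
ATTACK_GRAPH = {
    "network_foothold": ["smb_signing_disabled", "web_ssrf", "web_idor"],
    "smb_signing_disabled": ["ntlm_relay"],
    "ntlm_relay": ["local_admin_on_server"],
    "local_admin_on_server": ["da_creds_cached"],  # DA logs in everywhere
    "da_creds_cached": ["domain_admin"],
    "web_ssrf": ["internal_admin_api"],
    "web_idor": ["other_user_session"],
    "internal_admin_api": ["app_rce"],
    "other_user_session": ["app_rce"],  # hypothetical: the hijacked user can upload
    "app_rce": ["local_admin_on_server"],
    "domain_admin": [],
}

# Hypothetical per-finding CVSS scores; each step alone is "medium/high".
CVSS = {
    "network_foothold": 0.0,        # assumed starting position, not a finding
    "smb_signing_disabled": 5.9,
    "ntlm_relay": 7.0,
    "local_admin_on_server": 6.5,
    "da_creds_cached": 6.5,
    "web_ssrf": 6.5,
    "web_idor": 5.3,
    "internal_admin_api": 6.0,
    "other_user_session": 5.0,
    "app_rce": 7.0,
    "domain_admin": 9.8,            # the "full compromise" equivalent
}


def find_chains(graph, start, goal):
    """Return every simple path from start to goal (depth-first search)."""
    chains = []

    def dfs(node, path):
        if node == goal:
            chains.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:            # simple paths only: no cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return chains


def shortest_chain(graph, start, goal):
    """Breadth-first search for the fewest-hop chain from start to goal."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def distance_to_goal(graph, node, goal):
    """Hops from a node to the goal; 1 means "the first node is the win"."""
    chain = shortest_chain(graph, node, goal)
    return None if chain is None else len(chain) - 1


def hot_nodes(chains):
    """Count how many distinct chains each intermediate node sits on.

    Nodes on many chains are the "glowing hot" findings worth reporting
    even when their individual CVSS score is unremarkable.
    """
    counts = Counter()
    for chain in chains:
        for node in chain[1:-1]:
            counts[node] += 1
    return counts.most_common()


def worst_step(chain, scores=CVSS):
    """Highest individual CVSS score among the intermediate steps."""
    return max(scores[n] for n in chain[1:-1])


if __name__ == "__main__":
    chains = find_chains(ATTACK_GRAPH, "network_foothold", "domain_admin")
    for chain in chains:
        print(f"{len(chain) - 1} hops, worst step {worst_step(chain)}: "
              + " -> ".join(chain))
    print("hot nodes:", hot_nodes(chains))
    print("da_creds_cached is", distance_to_goal(ATTACK_GRAPH, "da_creds_cached",
                                                 "domain_admin"), "hop from DA")
```

Run as written, every intermediate step scores 7.0 or below while all three chains end at the 9.8 node, and the two findings shared by every chain (the server where the DA account has logged in, and the cached DA credential) come out on top of the hot-node ranking, which is the comment's point about why reports lead with those items.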
