Attack Surface — Graph & Heatmap
The Attack Surface page gives you a visual map of your organization's external exposure. It combines an interactive attack graph, a MITRE ATT&CK heatmap, and an AI-generated executive brief into a single view designed for both security engineers and C-level stakeholders.
Two Visualization Modes
Attack Graph
The graph view displays your discovered assets (repositories, packages, domains, cloud resources, secrets) as nodes, connected by edges that represent relationships and attack paths.
| Element | What It Shows |
|---|---|
| Nodes | Each asset BleedWatch has discovered — repos, npm packages, Docker images, domains, databases, cloud buckets, secrets, etc. |
| Edges | Relationships between assets — a repo publishing an npm package, a package containing a leaked secret, a domain exposing an origin IP |
| Severity color | Each node is color-coded by the highest severity finding attached to it |
| Critical glow | Nodes with critical or high findings have a pulsing indicator to draw attention |
| Attack path edges | Edges that form an active attack path are highlighted in blue with a flow animation |
Interacting with the Graph
- Click a node to open the detail panel showing all findings attached to that asset, with severity badges and remediation steps
- Search assets by name using the search bar
- Filter by severity to focus on critical or high-severity nodes only
- Zoom and pan with mouse wheel and drag
- Fullscreen mode for presentations or deep investigation
- MiniMap in the bottom-right corner for orientation in large graphs
Detail Panel
When you click a node, a detail panel slides in from the right showing:
- Asset name and type — What kind of asset this is (repo, package, domain, etc.)
- Risk severity — The overall severity badge
- Finding count — How many security findings are attached
- Finding list — Each finding with its title, severity, type, status, and remediation steps displayed in a monospace code block
ATT&CK Heatmap
The heatmap tab maps your findings to the MITRE ATT&CK framework. Each cell represents a tactic/technique combination, and the color intensity indicates how many findings map to that technique.
| Column | Meaning |
|---|---|
| Tactic | The attacker's objective (Initial Access, Execution, Persistence, etc.) |
| Technique | The specific method (Valid Accounts, Supply Chain Compromise, etc.) |
| Cell intensity | Number of findings mapped to this technique — darker = more exposure |
This view is particularly useful for:
- Gap analysis — Identify which ATT&CK techniques you have coverage against and where blind spots exist
- Risk communication — Show leadership exactly which attack vectors are exposed using industry-standard terminology
- Compliance mapping — Map your security posture to frameworks that reference MITRE ATT&CK (NIST CSF, CIS Controls)
Hover over any cell to see the exact finding count and severity breakdown.
AI Executive Brief
At the top of the page, an AI-generated executive brief summarizes your attack surface in natural language. It covers:
- Key risk areas — The most critical exposure points
- Attack path analysis — How an attacker could chain multiple findings together
- Priority recommendations — What to fix first for maximum risk reduction
The brief is cached for 5 minutes and can be regenerated on demand.
Combine fullscreen mode with the AI brief to create instant board-level presentations: the graph provides the visual context, and the brief provides the narrative.
Export Options
Export your attack surface data for external tools or reports:
| Format | Contents |
|---|---|
| CSV | Flat table of all nodes with severity, type, and finding count |
| JSON | Full graph structure with nodes, edges, and metadata |
| PDF Report | Comprehensive report with graph screenshot, heatmap, and AI brief |
How Data Is Populated
The attack graph is built automatically from your BleedWatch findings. Every finding creates or updates a node, and relationships between findings create edges. Sources include:
- Shield — Repository secrets and CI/CD findings
- Sentinel — Continuous scan findings
- Dark Web — Credential leaks and mentions
- Supply Chain — Third-party script risks
- Dependencies — Vulnerable packages
- Origin Exposure — WAF bypass and exposed origins
- Honeytokens — Triggered canary tokens
No manual configuration is required — the graph grows as BleedWatch discovers more about your attack surface.
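The roll-up rules described on this page (a finding creates or updates a node, a node takes its highest finding severity, a heatmap cell counts findings per tactic/technique) are sketched below as an added example; it is not BleedWatch's code. The record fields (`asset`, `related_to`, and so on), the severity ordering, and the sample findings are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed severity ordering, lowest to highest, used for the node roll-up.
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings. Field names are hypothetical, not BleedWatch's schema.
FINDINGS = [
    {"asset": "repo:acme/api", "type": "repo", "severity": "medium",
     "tactic": "Initial Access", "technique": "Supply Chain Compromise",
     "related_to": "npm:acme-sdk"},  # repo publishes the package
    {"asset": "repo:acme/api", "type": "repo", "severity": "low",
     "tactic": "Persistence", "technique": "Valid Accounts"},
    {"asset": "npm:acme-sdk", "type": "package", "severity": "critical",
     "tactic": "Initial Access", "technique": "Valid Accounts"},
    {"asset": "npm:acme-sdk", "type": "package", "severity": "low",
     "tactic": "Initial Access", "technique": "Supply Chain Compromise"},
    {"asset": "domain:shop.example.com", "type": "domain", "severity": "high",
     "tactic": "Initial Access", "technique": "Valid Accounts"},
]


def build_graph(findings):
    """Each finding creates or updates a node; 'related_to' yields an edge."""
    nodes, edges = {}, set()
    for f in findings:
        node = nodes.setdefault(
            f["asset"], {"type": f["type"], "severity": "info", "finding_count": 0})
        node["finding_count"] += 1
        # Node colour rule: keep the highest severity seen on this asset.
        if RANK[f["severity"]] > RANK[node["severity"]]:
            node["severity"] = f["severity"]
        if f.get("related_to"):
            edges.add((f["asset"], f["related_to"]))
    # Drop edges whose target never appeared as an asset in the findings.
    return nodes, {e for e in edges if e[1] in nodes}


def heatmap(findings):
    """Findings per (tactic, technique) cell; a higher count is a darker cell."""
    return Counter((f["tactic"], f["technique"]) for f in findings)


def high_or_critical(nodes):
    """Assets a critical/high severity filter would leave on screen."""
    return sorted(a for a, n in nodes.items() if RANK[n["severity"]] >= RANK["high"])


if __name__ == "__main__":
    nodes, edges = build_graph(FINDINGS)
    print(nodes, edges, heatmap(FINDINGS), high_or_critical(nodes), sep="\n")
```

Note that the repo node stays at medium even though the package it publishes is critical: severity is rolled up per asset, so the edge is what carries the risk between them.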
Troubleshooting
Graph Is Empty
If the graph shows no nodes, verify that:
- You have assets configured in Assets
- At least one scan has completed (check Sentinel or Shield)
- Findings exist in your account (check Findings)
Graph Is Too Dense
For organizations with many assets, the graph can become crowded. Use severity filtering to show only critical/high nodes, or use the search bar to focus on specific assets.
AI Brief Not Loading
The executive brief requires an active subscription (Starter plan or above). If it shows an error, check your plan status in Settings.
Related
- Findings — View all findings in a flat list
- Compliance — Map findings to compliance frameworks
- Reports — Include attack surface data in executive reports