"What is the core abstraction of cloud attack-path analysis?" Privilege escalation is a GRAPH TRAVERSAL problem, not a single-permission check. An attacker does not need a direct path to admin — they need a connected chain of abusable relationships (the BloodHound insight, applied to the cloud). Nodes = principals/resources; edges = permissions/trusts; traversal finds the chains. course2a::sdd06::analysis "Name the 4 canonical attack-path tools and each one's scope." (1) pmapper (NCC Group) — AWS IAM + Organizations. (2) CloudFox + FoxMapper (Bishop Fox) — AWS + GCP offensive enumeration + graphs. (3) BloodHound (SpecterOps) — AD + Entra ID hybrid identity. (4) Cartography (Lyft) — multi-cloud asset relationships on Neo4j. course2a::sdd06::recall "What are the '21 Rhino methods' and how does pmapper use them?" Rhino Security Labs cataloged 21 AWS IAM privilege escalation methods (PassRole abuse, AssumeRole chains, CreatePolicy self-grant, etc.). pmapper ENCODES each as a graph edge: if the permissions exist, the edge exists. The traversal then finds chains of these edges automatically. This is knowledge-as-graph — the expert playbook automated. course2a::sdd06::analysis "Prowler's correlation vs attack-path traversal — what is the difference?" Prowler CORRELATES related findings ('these 3 findings form a path EXISTS'). Attack-path tools TRAVERSE a graph ('shortest escalation A → admin IS these edges'). Correlation = shallow, accessible, built into CSPM. Traversal = deep, requires modeling, delivers the specific chain. Prowler is the start; these tools are the depth. course2a::sdd06::analysis "Why is a graph path a 'hypothesis,' not a confirmed exploit?" The path is valid against the CONFIGURATION AT INGEST TIME. It may not be exploitable live — a permission revoked, a role deleted, a network path closed. The tools do not verify exploitability. Treating a graph path as a confirmed exploit without live verification (with authorization) is a failure mode. course2a::sdd06::analysis "What is 'graph freshness' and why is it the critical variable?" The graph's accuracy depends on ingestion recency. Stale config = missed paths (a new escalation introduced since ingest is invisible). Incomplete ingestion = silent under-coverage. The graph must be refreshed (scheduled or event-driven re-ingest) to keep paths valid. course2a::sdd06::analysis "State the attack-path category's score on the 12-module rubric and its strongest/weakest modules." 28/45 (9 scored, 3 n/a). Strongest: Memory (4, the graph as persistent queryable state) and Tool Design (4). Weakest: Verification (2, path is a hypothesis) and Error Handling (2, silent under-coverage from ingestion gaps). Value is unique capability, not rubric breadth. course2a::sdd06::analysis "How does an agent harness (SDD-01/SDD-02) consume the attack-path graph?" The agent emits a tool_use (find_escalation_paths principal: X), a schema-first wrapper queries the graph, structured paths return. The agent reasons: 'I have a credential for X, a path exists, attempt the chain (with auth).' The critical last step: live-verify exploitability — the path was a hypothesis. course2a::sdd06::analysis "Name 3 things attack-path tooling does BETTER than any other harness in the roster." (1) Graph reasoning over escalation chains (unique — check-based tools test single permissions, not chains). (2) Encoding human escalation knowledge as edges (pmapper's Rhino methods, BloodHound's AD edges — knowledge-as-graph). (3) The graph as persistent, queryable memory (survives between queries without re-ingesting). course2a::sdd06::recall "Name 3 things you would fix if you built on this category." (1) Add an agent-queryable interface (a harness tool the agent calls for structured paths). (2) Add continuous graph refresh (scheduled/event-driven re-ingest to keep paths valid). (3) Cross-cloud graph federation (federated graph across AWS+Azure+GCP identity to find cross-cloud escalation via federated identity abuse). course2a::sdd06::application "What is the dual-use nature of attack-path tools, and what governs it?" The same output (an escalation path) serves a DEFENDER (find and close the path) and an ATTACKER (find and exploit the path). This dual-use is why authorization (Course 2A S00) governs their use. Building the graph against a target's config without authorization is an offense. course2a::sdd06::analysis "State the category's Architect's Verdict in one line." Cloud attack-path tooling turns config into a graph and answers the question check-based CSPMs cannot (shortest chain from low-priv to admin), but the output is a hypothesis requiring live verification and the graph is only as good as its freshness — build on it by giving an agent a graph-query interface to reason over escalation chains during an engagement. course2a::sdd06::recall