Nexus Atlas — Attack-path Graph & Blast Radius

Attackers don't stop at the first host — they pivot. Nexus Atlas maps how your fleet is actually connected, from real telemetry, so you can answer the question that matters during an incident: if this host is compromised, what can the attacker reach next?

Topic: Attack-path analysis · Exposure
Built from: Enrolled hosts · NDR flows · alerts
Method: Blast-radius BFS, cycle-safe
API: /atlas/graph · /atlas/blast

What it does

Atlas builds a graph of your environment entirely from real data — nothing is synthesized. Each enrolled host is a node, the network connections actually observed between them are edges, and a node's risk is derived from that host's own alerts. From that graph it computes blast radius and ranks the hosts most exposed to lateral movement.

  • Nodes — enrolled hosts, plus external endpoints seen in traffic.
  • Edges — observed network connections, drawn from NDR flows, deduplicated and weighted.
  • Node risk — derived from that host's alerts, so the riskiest hosts stand out.
  • Real data only — the graph reflects what your telemetry has actually seen.

Blast radius

Blast radius answers "if this host falls, what's reachable?" It walks the graph outward from a starting node with a breadth-first search over the edges, and it is cycle-safe — so a looping topology won't trip it up. The result is the set of hosts an attacker could reach by pivoting from the node you named.

bash
nexus-cli atlas-blast --node <host_id>
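
The sketch below is an added example, not Nexus Atlas's own code: it deduplicates flow records into weighted edges, runs a cycle-safe breadth-first blast radius, and orders hosts by how much they can reach for containment triage. The (source, destination) flow shape, the host names, treating edges as directed, and the hop counts are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample flows (source host, destination host); not real telemetry.
FLOWS = [
    ("web-01", "app-01"), ("web-01", "app-01"),   # same connection seen twice
    ("app-01", "db-01"), ("db-01", "app-01"),     # two hosts that form a cycle
    ("app-01", "backup-01"), ("backup-01", "web-01"),
    ("hr-01", "db-01"),
]

def build_edges(flows):
    """Collapse repeated flows into weighted directed edges: {src: {dst: count}}."""
    edges = defaultdict(lambda: defaultdict(int))
    for src, dst in flows:
        if src != dst:                 # ignore self-connections
            edges[src][dst] += 1
    return edges

def blast_radius(edges, start):
    """Return {host: hops} for every host reachable from start.

    A host is queued only the first time it is seen, so loops in the
    topology cannot make the walk revisit nodes or run forever.
    """
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(edges.get(node, {})):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    del hops[start]                    # the start host is not part of its own radius
    return hops

def containment_order(edges):
    """List (host, reachable_count), largest reach first, ties by host name."""
    hosts = set(edges) | {d for dsts in edges.values() for d in dsts}
    sizes = [(h, len(blast_radius(edges, h))) for h in hosts]
    return sorted(sizes, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    graph = build_edges(FLOWS)
    print("blast radius of web-01:", blast_radius(graph, "web-01"))
    for host, reach in containment_order(graph):
        print(f"{host}: reaches {reach} host(s)")
```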

How to use it

1. Build the graph
Generate the current attack-path graph from your fleet.
bash
nexus-cli atlas-graph

2. Compute a blast radius
Pick a host and see everything reachable from it.
bash
nexus-cli atlas-blast --node <host_id>

3. Rank the most-exposed hosts
List the hosts that sit at the center of the most attack paths.
bash
nexus-cli atlas-exposed --limit 10

4. Read the summary
Pull node/edge counts and overall graph statistics.
bash
nexus-cli atlas-stats

REST API

endpoints
GET /atlas/graph?window=     # build the graph (optional time window)
GET /atlas/blast?node=       # blast radius from a host
GET /atlas/exposed?limit=    # rank the most-exposed hosts
GET /atlas/stats             # graph summary statistics

How it fits the pipeline

Atlas sits on top of the data the fleet already produces. Edges come from NDR network flows and node risk comes from the alert store, so as detection improves the map sharpens with it. Use blast radius during triage to prioritize containment — isolate the host whose compromise would reach the most ground first.

Tips

  • Run atlas-exposed regularly — the most-exposed hosts are where hardening pays off most.
  • During an incident, compute the blast radius of the affected host before deciding what to isolate.
  • Narrow ?window= to focus the graph on recent activity rather than all history.

See the pivot before it happens. A flat list of hosts hides the paths between them. Atlas makes lateral movement visible — so you can cut the edges that matter before an attacker walks them. A visual Cytoscape graph view is planned for the GUI; the data and API are available now.