A few weeks ago, my colleague and I discussed how Cognitive Load Theory applies to cybersecurity in a recent blog. The key takeaway from that discussion is that Vectra AI aims to design our user interface and workflow to minimize cognitive load and optimize information processing. Examples of how we have been doing that on the Vectra AI Platform can be seen in our Hunt page or Respond module.
Now, we’ve recently launched a new feature on the Vectra AI Platform that not only speaks to the Cognitive Load Theory, but also optimizes, streamlines, and accelerates attack and threat investigations for the modern security analyst. Vectra’s Attack Graphs is an integral part of protecting the modern network and is Vectra AI’s answer to the complexity of modern attacks.
Introducing Attack Graphs
Vectra AI’s Attack Graphs is a feature in the Vectra AI Platform that visualizes detections associated with a prioritized entity or entities spanning across the entire modern network, mapped to a timeline.
Vectra’s Attack Graphs take suspicious behaviors that represent malicious activity across multiple attack surfaces (i.e., multiple entities) and focus them into a single visualization that tells the full story of a modern attack. It allows analysts to answer the fundamental questions of a threat investigation:
- Where did this attack come from?
- What's the impact of this?
- What was the order of events?
Vectra’s Attack Graphs answers these three questions by taking the detections and information gathered by the Vectra AI network, cloud, and identity technologies and consolidating them into a tree or hub view. The lines that connect each node, which represents a domain, account, server, host, or item, paint the picture of how a modern attacker utilizes each part of the modern network to conduct suspicious activities elusively and deep within modern networks.
The Vectra AI Platform offers three forms of visualization: a tree view, a timeline view, and a network-like view we call the “attack graph.” These views ensure that analyzing the visualization fits seamlessly into any analyst’s workflow.
With Attack Graphs, modern security teams can:
- Assess the breadth of an attack and its impact on AI prioritization.
- Visualize attack progression across networks, identities, and clouds.
- Trace threats back to the original actor for quicker response.
- Gather all the critical information about the prioritized threat in a single and simple pane of glass.
Gathering the above information in a timely manner that optimizes cognitive load is essential to rapidly and effectively investigate and respond to modern threats.
Accelerating investigations with Vectra’s Attack Graphs – a Multi-Domain Attack

In this example, we have our “marketing-collab” server with each prioritized alert visualized on the tree view of the attack graph. We automatically focus on the item highlighted in red, which ranks as High under Vectra’s Urgency Scoring.
The first question we’ll ask is, “where did this come from?” In this case, the prioritized entity has been targeted with a hidden HTTPS tunnel out to an external domain called “minutemen.vault-tech.org.” With this, we immediately know that this could be patient zero, the initial source of the attack.

The next question we want to ask is “what else happened?” To investigate that, we follow the branches of the tree view to dive deeper into the attack. We can see the attacker conducted RPC Recon, Kerberoasting Targeted Weak Cipher, and suspicious LDAP querying against a domain controller at “10.232.100.32,” followed by a suspicious remote execution. This remote execution was attempting lateral movement to another account, “jump-station5,” which has been prioritized as Medium on the Vectra Urgency Score.

The next step in our investigation is to look at the detections from a different angle. We can select the “attack graph view,” which gives us a more network-oriented view of the attack.

This view gives us more clarity, specifically with the ability to move items around and see multiple items targeting one another.

Here, we can see that there are multiple detections targeting that domain controller and the “jump-station5” account, including RPC Recon and LDAP Query. The next part of the investigation is to understand the progression of the attack over time. We want to answer the question “what was the order of events?” or “how did this attack develop?” This can be swiftly answered by pressing the play button on the Attack Graph: the diagram will show where and when each detection occurred and how quickly the attack progressed through our environment.
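The three investigative questions in this walkthrough map naturally onto a directed, timestamped graph: entities are nodes, detections are edges, origins are nodes with no incoming edge, impact is the set of nodes reachable from an origin, and the order of events is the edges sorted by time. The following Python model, added here as an illustration and not code from Vectra AI or the Vectra AI Platform, builds that graph from a constructed detection list that reuses the entity and detection names from the example above; the timestamps, the edge direction for the tunnel (the external domain is modelled as upstream because a C2 tunnel gives its far end control of the host), and the `AttackGraph` API are all assumptions for this example.

```python
"""Minimal attack-graph model: entities are nodes, detections are
timestamped directed edges.  Constructed sample data only; this is not
Vectra's implementation."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    ts: int        # minutes since the first observation (constructed)
    source: str    # entity the activity originates from
    target: str    # entity the activity is aimed at
    name: str      # detection type


# Constructed sample mirroring the walkthrough.  The external domain is the
# upstream node of the tunnel edge because an outbound C2 tunnel hands
# control of the host to whoever sits at the far end (modelling assumption).
SAMPLE = [
    Detection(0, "minutemen.vault-tech.org", "marketing-collab", "Hidden HTTPS Tunnel"),
    Detection(5, "marketing-collab", "10.232.100.32", "RPC Recon"),
    Detection(9, "marketing-collab", "10.232.100.32", "Kerberoasting: Targeted Weak Cipher"),
    Detection(12, "marketing-collab", "10.232.100.32", "Suspicious LDAP Query"),
    Detection(20, "marketing-collab", "jump-station5", "Suspicious Remote Execution"),
]


class AttackGraph:
    def __init__(self, detections):
        self.detections = sorted(detections, key=lambda d: d.ts)
        self.succ = defaultdict(set)   # node -> nodes it acts upon
        self.pred = defaultdict(set)   # node -> nodes acting upon it
        self.nodes = set()
        for d in self.detections:
            self.nodes.update((d.source, d.target))
            self.succ[d.source].add(d.target)
            self.pred[d.target].add(d.source)

    def origins(self):
        """'Where did this attack come from?': nodes nothing points at."""
        return sorted(n for n in self.nodes if not self.pred[n])

    def downstream(self, node):
        """'What's the impact?': every entity reachable from `node` (BFS)."""
        seen, queue = set(), deque([node])
        while queue:
            cur = queue.popleft()
            for nxt in self.succ[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def targeting(self, node):
        """Detections aimed at one entity, oldest first."""
        return [d.name for d in self.detections if d.target == node]

    def order_of_events(self):
        """'What was the order of events?': chronological edge list."""
        return [(d.ts, d.source, d.name, d.target) for d in self.detections]

    def play(self):
        """Timeline playback: one frame per detection, each holding the
        cumulative list of edges visible at that moment."""
        frames, shown = [], []
        for d in self.detections:
            shown.append((d.source, d.name, d.target))
            frames.append((d.ts, list(shown)))
        return frames


if __name__ == "__main__":
    g = AttackGraph(SAMPLE)
    print("origins:", g.origins())
    for origin in g.origins():
        print("impact of", origin, "->", sorted(g.downstream(origin)))
    for ts, src, name, dst in g.order_of_events():
        print(f"t+{ts:>2}m  {src} --[{name}]--> {dst}")
```

Running the module prints the single origin, the three entities downstream of it, and the five detections in time order; `play()` returns the same data as cumulative frames, which is the shape a timeline playback like the one described above consumes.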

Vectra’s Attack Graphs showcases critical information for thorough investigations in one simple view, streamlining the process for security analysts by depicting exactly what happens in an environment, reducing time spent investigating alerts by 50% (Source: 2025 IDC Business Value of Vectra AI Report). In this example, we were able to fully understand the breadth of the attack within minutes and understand the impact on threat prioritization immediately. Vectra’s Attack Graphs provides clarity into what kind of response an analyst might need to perform.
For more information on Vectra’s Attack Graphs, please view our podcast.
To see Vectra’s Attack Graphs in action, please schedule a demo with us.