A method for converting fragmented control findings into realistic attacker movement paths.
Purpose
Attack-path emulation helps teams prioritize by plausible movement rather than isolated severity labels. It connects identity, cloud, endpoint, SaaS, network, and third-party access into a single operational view.
MITRE ATT&CK provides a common language for adversary behavior, but the method adds local business context: crown jewels, trust relationships, privileged paths, and detection gaps.
Procedure
Cyberpert starts with crown-jewel systems and works backward through reachable identities, exposed services, administrative paths, supplier access, unmanaged devices, secrets, and monitoring blind spots.
The result is a path narrative: initial access, privilege expansion, lateral movement, target access, detection opportunities, containment options, and business impact.
Evidence requirements
Each path must be supported by evidence such as cloud IAM exports, EDR telemetry, network flows, SaaS admin logs, vulnerability data, identity-provider events, and configuration records.
Unsupported assumptions are labeled explicitly so leaders know whether they are funding a proven risk, a likely risk, or a research question.
Result
The output is a ranked path list that supports remediation planning, detection engineering, tabletop design, and executive investment decisions.
This method helps avoid the common trap where teams close low-risk findings quickly while leaving high-consequence paths intact.
Defence-sector framing
Attack-path emulation is especially useful for defence, public-sector, and critical-infrastructure environments because the highest risk is rarely one isolated finding. It is the chain: exposed system, weak identity, supplier route, cloud privilege, missing telemetry, and mission-service impact.
MITRE ATT&CK provides the adversary-behavior vocabulary, while Cyberpert adds local dependency data: crown jewels, trust relationships, privileged routes, supplier access, recovery constraints, and executive decision points.
Output format
Each path is written as a narrative with evidence: initial access, privilege expansion, lateral movement, target access, likely detection, containment option, and mission consequence. Unsupported assumptions are labeled so leadership knows where more telemetry or validation is required.
The result supports detection engineering, investment prioritization, cyber range design, tabletop injects, and supplier-risk conversations. It helps teams fund the path reductions that matter most.
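The procedure, evidence requirements and output format above describe one pipeline: walk backward from each crown jewel, grade every step by the evidence behind it, label the assumptions, and rank the resulting paths. The script below is an added example of that pipeline, written for this page and not Cyberpert's own tooling. The asset names, edge list, technique labels, evidence strings and impact scores are constructed; the plausibility weights per evidence grade are an assumption chosen for illustration.

```python
"""Rank attacker paths to crown jewels from evidence-graded findings.

Added example, not Cyberpert's code.  Nodes are assets or identities; a
directed edge means "an attacker holding the source can reach the destination".
Every edge records the evidence supporting it and whether telemetry would see
that step, so the ranked output separates proven, likely and assumed risk.
All names, technique labels, evidence strings and weights are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Evidence grade -> plausibility weight (assumed values).  The grades mirror
# the funding question: proven risk, likely risk, or research question.
EVIDENCE_WEIGHT = {"proven": 1.0, "likely": 0.6, "assumption": 0.3}


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    technique: str   # ATT&CK technique label for the step
    evidence: str    # "proven" | "likely" | "assumption"
    source: str      # record supporting the step, or why it is assumed
    detected: bool   # does existing telemetry cover this step?


@dataclass
class RankedPath:
    target: str
    steps: List[Edge]
    plausibility: float   # product of per-step evidence weights
    impact: int           # business impact of the crown jewel, 1..10
    detection_gaps: int   # steps with no telemetry
    label: str

    @property
    def score(self) -> float:
        return round(self.impact * self.plausibility, 3)

    def assumptions(self) -> List[Edge]:
        return [e for e in self.steps if e.evidence == "assumption"]


def label_path(steps: List[Edge]) -> str:
    """The weakest evidence grade on the path decides what leaders fund."""
    grades = {e.evidence for e in steps}
    if "assumption" in grades:
        return "research question"
    if "likely" in grades:
        return "likely risk"
    return "proven risk"


def enumerate_paths(edges: List[Edge], crown_jewels: Dict[str, int],
                    entry_points: Set[str], max_depth: int = 6) -> List[RankedPath]:
    """Work backward from each crown jewel over reverse edges until an entry
    point is reached; every simple path found becomes a RankedPath."""
    reverse: Dict[str, List[Edge]] = {}
    for e in edges:
        reverse.setdefault(e.dst, []).append(e)
    found: List[RankedPath] = []

    def walk(node: str, trail: List[Edge]) -> None:
        if node in entry_points and trail:
            steps = list(reversed(trail))          # entry point -> crown jewel
            plaus = 1.0
            for e in steps:
                plaus *= EVIDENCE_WEIGHT[e.evidence]
            target = steps[-1].dst
            found.append(RankedPath(target, steps, round(plaus, 3),
                                    crown_jewels[target],
                                    sum(not e.detected for e in steps),
                                    label_path(steps)))
            return
        if len(trail) >= max_depth:
            return
        visited = {node} | {t.src for t in trail} | {t.dst for t in trail}
        for e in reverse.get(node, []):
            if e.src in visited:                    # keep paths simple
                continue
            walk(e.src, trail + [e])

    for cj in crown_jewels:
        walk(cj, [])
    return found


def rank_paths(paths: List[RankedPath]) -> List[RankedPath]:
    """Highest impact x plausibility first; ties go to the path with more
    undetected steps, because that is where detection engineering pays off."""
    return sorted(paths, key=lambda p: (-p.score, -p.detection_gaps, -p.plausibility))


def narrative(path: RankedPath) -> str:
    """Render one path in report form: each step with its evidence and
    detection status, then the explicit list of unsupported assumptions."""
    lines = [f"Path to {path.target}: {path.label}, score {path.score}, "
             f"{path.detection_gaps} undetected step(s)"]
    for i, e in enumerate(path.steps, 1):
        seen = "detected" if e.detected else "NO TELEMETRY"
        lines.append(f"  {i}. {e.src} -> {e.dst} via {e.technique} "
                     f"[{e.evidence}: {e.source}; {seen}]")
    if path.assumptions():
        lines.append("  ASSUMPTIONS to validate before funding: " +
                     ", ".join(f"{e.src}->{e.dst}" for e in path.assumptions()))
    else:
        lines.append("  No unsupported assumptions.")
    return "\n".join(lines)


def demo() -> List[RankedPath]:
    """Constructed sample graph: exposed VPN, shared contractor login, jump
    host, a cloud role with no IAM export collected yet, and a SaaS admin."""
    edges = [
        Edge("internet", "vpn-appliance", "T1190 Exploit Public-Facing Application",
             "proven", "vulnerability scan export", True),
        Edge("vpn-appliance", "contractor-account", "T1078 Valid Accounts",
             "likely", "IdP events show a shared contractor login", False),
        Edge("contractor-account", "jump-host", "T1021 Remote Services",
             "proven", "EDR telemetry: interactive sessions", True),
        Edge("jump-host", "cloud-admin-role", "T1078.004 Cloud Accounts",
             "assumption", "no cloud IAM export collected yet", False),
        Edge("cloud-admin-role", "mission-db", "T1530 Data from Cloud Storage",
             "proven", "IAM export: role holds database admin", False),
        Edge("phishing-email", "helpdesk-user", "T1566 Phishing",
             "proven", "mail gateway logs", True),
        Edge("helpdesk-user", "hr-saas", "T1078 Valid Accounts",
             "proven", "SaaS admin log: helpdesk holds admin role", True),
        Edge("helpdesk-user", "jump-host", "T1021 Remote Services",
             "likely", "network flows from the helpdesk VLAN", True),
    ]
    crown_jewels = {"mission-db": 9, "hr-saas": 5}
    entry_points = {"internet", "phishing-email"}
    return rank_paths(enumerate_paths(edges, crown_jewels, entry_points))


if __name__ == "__main__":
    for p in demo():
        print(narrative(p), end="\n\n")
```

On the constructed graph the fully evidenced SaaS path ranks first even though its target matters less, while the two routes into the mission database both carry the same uncollected IAM export as an assumption and are labelled research questions; the ranking tells leadership that the cheapest next step for those paths is to collect that export and close the telemetry gaps, not to fund remediation blind.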
