Meet the Hounds · toggle theme, then print
FENRIR crest
MEET THE HOUNDS

FENRIR

Attack Path
Fenrir Hound · Category: Correlation
“See the chains an attacker would follow — break them first.”

The great wolf fated to break every chain — Fenrir maps the chains an attacker would follow so you can break them first.

THE PROBLEM

Vulnerability lists and identity issues live in separate silos — nobody can see that an internet-exploitable box sits one hop from a crown-jewel server. Teams drown in thousands of findings with no sense of which chain actually gets an attacker to the crown jewels.

WHAT IT DOES

Fenrir chains exploitability × identity × reachability into ranked, breakable attack paths. It correlates exploitable and weak-auth footholds, same-subnet lateral movement (with credential pivots), and high-value crown-jewel targets (ACR ≥ 7) — then ranks every path by risk, so the first chain you break is the one that matters most.

KEY CAPABILITIES

  • Foothold detection — flags every asset an attacker could enter through: CISA-KEV or critical vulnerabilities, SSH password authentication, and default or blank credentials. The difference between “vulnerable” and “a way in.”
  • Reachability via /24 subnet adjacency — maps which footholds sit within reach of which targets, so a critical vuln on an isolated segment stops outranking a medium one sitting next to your crown jewels.
  • Credential-pivot boost — paths where reused or weak credentials let an attacker hop between hosts rank higher, mirroring how real intrusions actually move laterally.
  • Path risk score — combines target ACR, entry strength, pivot potential, and KEV status into one number per path, so triage starts from a defensible ranking instead of a debate.
  • 3-stage path table — every chain laid out entry → pivot → target: readable in one glance by an analyst, explainable in one slide to a CISO.
  • Gated “Attack Path” tags + CSV export — the endpoints of ranked paths become human-approved Entry/Target tags and exportable worklists that route straight into remediation.

HOW IT WORKS

Fenrir runs against the local navi.db built from your Tenable data: the vulns table (KEV cross-references, severity, plugins 149334 and 41028) and the assets table (IP, ACR). All writes are proposed, human-approved, and logged.

WHY IT'S DIFFERENT

  • Turns four separate agents' signals into one prioritized list — exploitability, credentials, criticality, and software risk compound instead of competing.
  • Honest about reachability: paths are inferred from subnet adjacency and credential signals, not observed network traffic — and Fenrir says so.
  • Ranked by your shared ACR criticality currency, so “crown jewel” means what your business says it means.
  • Gated, reviewable writes — Fenrir proposes tags; a human approves.

PROOF POINTS

  • In a reference environment of 268 assets, Fenrir mapped:
  • 156 exploitable / weak-auth entry points.
  • 67 crown-jewel targets (ACR ≥ 7).
  • 63 reachable attack paths connecting them — a ranked worklist instead of a wall of findings.

Illustrative results from a demo lab — not a guarantee. Reachability is inferred, not observed; signals depend on the relevant plugins being present, and blind or uncredentialed hosts are called out, not hidden.

WORKS BETTER WITH

Fenrir consumes Laelaps (KEV exploitability), Janus (credential weaknesses and identity pivots), Anubis (calibrated crown-jewel ACR), and Charon/Mimir (exploitable and EOL software) — the pack's correlation payoff in a single view.

WHO IT'S FOR

SOC and threat-led vulnerability teams; red and purple teams validating paths; CISOs who need exposure reporting that says “here's the chain, here's how we broke it.”

CALL TO ACTION

Ask Fenrir which chain reaches your crown jewels — then break it first.

THE HOUNDS — a human-in-the-loop security agent pack for Tenable VM / Tenable One.Gated writes · Evidence-first · Honest about coverage