Most security tools hand you a list of findings and leave the hard part — “can an attacker actually reach something that matters?” — to you. Pentrova answers that question directly by chaining findings into the path an attacker would walk.
This post explains why the chain, not the finding, is the unit that communicates real risk, how Pentrova composes chains from both a curated catalog and dynamic paths, and why every link has to be demonstrated.
Why chains matter more than findings#
A finding in isolation rarely tells you whether an attacker can reach something that matters. A chain does. When an SSRF can be combined with a cloud metadata endpoint, and those credentials can be combined with a misconfigured IAM role, the impact is not three medium findings — it is one critical exposure. The only way to communicate that clearly is to walk the chain end to end.
This is also why severity scores mislead: three “medium” findings can compose into tenant compromise, a point we make in from CVSS to evidence. The chain is what turns scattered scores into a single story.
Coverage that adapts to the target#
Pentrova does not run a fixed checklist. The adaptive planner builds a picture of the target as it goes — reachable endpoints, observed auth modes, tainted parameters, captured canaries — and concentrates effort where the attack surface is richest. As confirmed findings accumulate, it looks for the combinations that escalate them into real impact.
A curated escalation catalog, plus dynamic paths#
Pentrova ships a curated catalog of escalation chains that encode well-understood attacker sequences:
- → file read → RCE
- → cloud metadata → credential theft
- LFI → RCE via log poisoning
- XXE → SSRF → internal service access
- → RCE
- Authorization bypass → privilege escalation
When two findings can be combined in a way the catalog does not already encode, Pentrova builds the chain dynamically at scan time. Both kinds are held to the same evidence bar — the distinction is covered in curated vs dynamic attack chains.
Every link is demonstrated#
Each step of a chain has to be demonstrated against the live target — a request, a response, captured evidence. A chain that cannot be completed simply is not reported. That discipline is what keeps the output a single trustworthy queue instead of a pile of maybe-issues, and it runs under sandbox guardrails so reproduction never harms the target. The result is the same deterministic proof that defines every Pentrova finding.
What the engineer sees#
A single artifact: the chain, the steps that contributed, the requests and responses, and the final impact — reproducible on demand. One story, not a triage queue of maybe-issues. The fix conversation starts from “here is the path an attacker walks”, which is far more actionable than a list of disconnected severities.
Key takeaways#
- A finding in isolation rarely communicates real risk; a chain that reaches impact does.
- Pentrova adapts coverage to the target and composes confirmed findings into escalation paths.
- Chains come from a curated catalog and from dynamic scan-time composition, held to one evidence bar.
- Every link is demonstrated against the live target, so an incomplete chain is never reported.
FAQ#
What is an exploit chain? A sequence of individually-confirmed findings composed into a single attack path that reaches meaningful impact — for example to cloud-metadata to IAM-role takeover. The chain communicates risk that the individual findings cannot.
How is a dynamic chain different from a catalog chain? A catalog chain encodes a well-understood, hand-reviewed sequence. A dynamic chain is composed at scan time when the observed findings suggest a path the catalog does not already cover. Both are verified against the live target identically.
Does chaining increase false positives? The opposite. Because every link must be demonstrated against the target, an incomplete chain is dropped — so chaining filters out theoretical combinations rather than inventing them.
See the escalation catalog in the platform pipeline, or start a free engagement.