Curated vs dynamic attack chains: two ways to compose impact, one evidence bar

Pentrova's curated escalation catalog and the dynamic chains it builds at scan time are held to the same evidence standard. Here is how they differ and combine.

Pentrova Research

A curated escalation chain encodes a well-understood attacker sequence — to file read to RCE, to cloud metadata, LFI to RCE via log poisoning. A dynamic chain is one Pentrova assembles at scan time because the target’s behaviour suggests a path the catalog does not already cover. Both are useful; neither is sufficient alone.

This post explains what each kind is good for, why they share one evidence bar, and how the mix shifts over the course of an engagement.

Curated chains: reliable coverage of known classes

Curated chains give dependable coverage against known escalation classes with hand-reviewed sequences. Their strength is precision: each step is documented, the impact is understood, and the sequence has been validated against real targets before it ever runs. They are the backbone of the escalation catalog and they carry the bulk of an engagement’s coverage.

The trade-off is that a curated chain can only encode paths someone anticipated. On a mature target, the most interesting impact often lives outside any pre-registered template.

Dynamic chains: reaching the combinations nobody templated

A dynamic chain lets Pentrova reach combinations that do not fit any pre-registered sequence. When the adaptive planner observes that two confirmed findings could compose — a tainted parameter here, an exposed internal endpoint there — it builds the connecting path at scan time. This is where Pentrova reaches escalations a static checklist would never assemble, the broader point made in how Pentrova turns single bugs into exploit chains.

One evidence bar for both

The important part is that both kinds are held to the same standard. A chain is reported only when its impact is substantiated against the live target — whether it came from the catalog or was built on the fly — and reproduced under sandbox guardrails. That keeps the output a single, trustworthy queue rather than two queues with two different bars, and it is the same deterministic proof discipline the whole platform runs on. A buyer never has to ask “is this a real chain or a guessed one” — both are proven the same way.

How the mix shifts during an engagement

In practice it plays out as a blend that changes over time:

  • Early in an engagement, the curated catalog does most of the work, because the target is still mostly unknown and well-understood classes are the fastest path to confirmed impact.
  • As Pentrova builds a richer picture of the target — more endpoints, more observed behaviour, more confirmed findings — dynamic chains take over more of the load, reaching the combinations specific to that application.

Key takeaways

  • Curated chains encode hand-reviewed, well-understood escalation sequences with high precision.
  • Dynamic chains compose confirmed findings at scan time to reach paths no one templated.
  • Both are verified against the live target and reproduced under guardrails — one evidence bar.
  • The mix shifts from curated to dynamic as the engagement builds a richer picture of the target.

FAQ

Why not just use a large curated catalog? Because no catalog can anticipate every application-specific combination. Curated chains cover known classes reliably; dynamic chains reach the rest. You need both for complete coverage on a mature target.

Are dynamic chains less trustworthy than curated ones? No. Both must be demonstrated against the live target before they are reported. The composition method differs; the evidence requirement is identical.

Which kind finds the most impactful bugs? It depends on target maturity. On well-hardened applications, the highest-impact paths are usually the application-specific combinations that only dynamic chaining reaches.
