Toxic Combinations module
The Toxic Combinations page is the prioritised view most security teams spend their day on. Every row is a complete attack chain, not a single finding.
Columns
| Column | Notes |
|---|---|
| Severity | CRITICAL / HIGH / MEDIUM / LOW. |
| Risk score | 0 to 100, computed from severity + chain length + asset value. |
| Title | E.g. Public VM with critical CVE leaks DB credentials to a PII database. |
| Resources | The cloud resources that participate in the chain. |
| Found | First-seen. |
Filters
- Severity, Status.
- Category: Exposure, Privilege escalation, Data leak, Identity, Configuration, Multi-cloud.
- Cloud provider: narrow to chains involving one cloud.
- Resource: find chains that touch a specific resource.
Detail panel
The detail panel for a toxic combination has two tabs:
Attack Path tab
A React Flow graph rendering the chain visually. Nodes are colour-coded by type
(Compute = blue, Storage = green, Identity = pink, Secret = red, etc.). Edges carry the
relationship name (CAN_REACH, CONTAINS, GRANTS_ACCESS, CONTAINS_PII, ...).
Click any node to open its resource detail panel. Click any edge to see the underlying finding(s).
A summary card overlays the graph showing:
- Total number of nodes / edges.
- Number of CRITICAL findings on the path.
- Suggested break-point (the lowest-cost edge to close).
Findings tab
The flat list of every finding on the path, with severity and status badges. Useful for auditing or for exporting alongside the chain.
How to break a chain
Every toxic combination is a path. Closing any single edge breaks the chain. The detail panel suggests the cheapest break-point, but you may pick a different one based on operational constraints.
Common break-points by category:
| Chain category | Cheapest break-point |
|---|---|
| Exposure | Remove public exposure (make the bucket private / restrict the SG). |
| Privilege escalation | Drop the wildcard action or rotate the over-privileged role. |
| Data leak | Move the data behind a non-public access path or remove it. |
| Identity (cross-cloud) | Add MFA / conditional access on the bridging identity. |
| Configuration | Rotate or remove the shared key. |
After you apply a fix, the next scan moves the underlying finding to RESOLVED and recomputes the toxic combination;
if any edge is broken, the chain disappears automatically.
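The break-point reasoning above, as an added example that is not the product's code or its suggestion algorithm. It goes one step beyond a single chain: when two chains share an edge, the cheapest edge of each chain in isolation is not always the cheapest overall plan. Resource names and cost numbers are constructed for illustration; the relationship names are the ones shown on the Attack Path tab.

```python
from collections import defaultdict

# Constructed sample: two chains sharing the credential and PII hops.
# Edge = (source, relationship, target, cost); costs are hypothetical effort units.
SHARED = [("secret-db-creds", "GRANTS_ACCESS", "db-customers", 3),
          ("db-customers", "CONTAINS_PII", "pii-records", 8)]
CHAINS = {
    "chain-1": [("internet", "CAN_REACH", "vm-web", 2),
                ("vm-web", "CONTAINS", "secret-db-creds", 5)] + SHARED,
    "chain-2": [("internet", "CAN_REACH", "vm-batch", 4),
                ("vm-batch", "CONTAINS", "secret-db-creds", 5)] + SHARED,
}

def key(edge):
    """Identify an edge by (source, relationship, target), ignoring cost."""
    return edge[:3]

def cheapest_break_point(chain):
    """Lowest-cost edge of one chain, viewed in isolation."""
    return min(chain, key=lambda e: e[3])

def is_intact(chain, closed):
    """A chain is a path: it survives only while every edge is still open."""
    return all(key(e) not in closed for e in chain)

def plan_breaks(chains):
    """Greedy heuristic: keep closing the edge with the lowest cost per
    still-open chain it breaks, until no chain is intact."""
    closed, total = set(), 0
    while True:
        open_chains = [c for c in chains.values() if is_intact(c, closed)]
        if not open_chains:
            return closed, total
        hits, cost = defaultdict(int), {}
        for chain in open_chains:
            for e in chain:
                hits[key(e)] += 1
                cost[key(e)] = e[3]
        best = min(hits, key=lambda k: (cost[k] / hits[k], k))
        closed.add(best)
        total += cost[best]

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(name, "cheapest in isolation:", cheapest_break_point(chain))
    print("shared plan:", plan_breaks(CHAINS))
```

Here closing the shared GRANTS_ACCESS edge breaks both chains for a cost of 3, whereas fixing each chain's own cheapest edge separately would cost 5.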
Tips
- Prioritise CRITICAL chains that touch DSPM. Those are real-data-exposure paths.
- Watch for re-opens. A chain that re-opens has a recurring cause; investigate the root cause, not just the most recent finding.
- Custom chains. Write your own toxic combination using graph,
What's next
- Toxic combinations concept
- Resolve a toxic combination, the runbook
- The security graph, the underlying model