Interactive Tool

Attack Tree Builder

Visually map attack paths, analyze threat scenarios, and identify defensive gaps with this interactive attack tree modeling tool.

💡 What is an Attack Tree?

Attack trees are conceptual diagrams showing how an asset or target might be attacked. The root node is the attacker's goal, with child nodes representing ways to achieve that goal.

AND gates mean all children must succeed; OR gates mean any path works. This helps identify the easiest attack paths and where to focus defensive efforts.

📂 Import

📊 Tree Statistics

Total Nodes:14Attack Steps:6AND Gates:1OR Gates:3Mitigations:0Avg Difficulty:2.7/5Avg Probability:0%Est. Cost:$1k

➕ Add Node

Node Type

Label

Description (optional)

Difficulty

Cost

Detectability

MITRE ATT&CK ID

Probability %

💡 Tips & Shortcuts

• Drag nodes to reposition
• Connect nodes by dragging from handles
• Click a node to edit/delete
• AND = all children required
• OR = any child path works
• Ctrl+Z = Undo
• Ctrl+Y = Redo
• Delete = Remove selected node

React Flow

🎨 Node Types

🎯

Goal - Ultimate objective

📍

Sub-Goal - Intermediate step

⚔️

Attack - Specific technique

AND

AND Gate - All required

OR Gate - Any path works

🛡️

Mitigation - Defense control

📖 How to Use

1. Load a template or start blank
2. Add nodes using the panel
3. Connect by dragging handles
4. Set attributes (difficulty, cost)
5. Export as JSON to share

Tip: Click nodes to edit. Drag to reposition. Use scroll to zoom.

💼 Use Cases

▸

Pentest Planning - Map attack paths before engagement

▸

Threat Modeling - Identify threats in SDLC

▸

Red Team Ops - Develop attack strategies

▸

Defense Gaps - Find missing controls

▸

Risk Analysis - Quantify attack feasibility

📊 Attack Path Analysis

The tool calculates average difficulty across all attack steps. Use this to identify the "path of least resistance" - the attack chain with the lowest combined difficulty.

AND gates = All children required (high barrier)
OR gates = Any path works (attacker chooses easiest)

📚 Further Reading

📄 Schneier's Original Paper 🔗 MITRE ATT&CK 📋 OWASP Threat Modeling 📖 Our Threat Modeling Guide